Microsoft Updated SC-200 Exam Questions and Answers by boris

 Table to start from: MicrosoftGraphActivityLogs

 Function to extract the path: parse_url(RequestUri).Path

To find which Azure resources were queried or modified by risky users, you should analyze API calls made to Microsoft Graph (and ARM where applicable) and join them with Identity Protection risk signals. In Log Analytics, MicrosoftGraphActivityLogs records Graph API calls with useful fields for this task, including UserId, RequestUri, RequestMethod, ResponseStatusCode, and RequestId. These fields let you identify what resource endpoint was accessed, how (GET/POST/PATCH/DELETE), and whether the request succeeded.

You then join these API events with AADRiskyUsers on the user identifier ($left.UserId == $right.Id) to restrict results to users currently assessed as risky. To normalize the resource that was targeted, parse the endpoint from the full URL. The correct way is to extract just the path component using parse_url(RequestUri).Path, then clean version segments (e.g., /v1.0/, /beta/) with replace_string/replace_regex to produce a comparable resourcePath. Finally, summarizing with dcount(RequestId) by UserId, RiskState, resourcePath, RequestMethod, and ResponseStatusCode yields a concise mapping of which resources risky users queried or modified.

Therefore, the two correct choices are MicrosoftGraphActivityLogs and parse_url(RequestUri).Path.

For hunting in Microsoft 365 Defender, email attachment metadata is in EmailAttachmentInfo (fields include Timestamp, FileName, SHA256, NetworkMessageId, etc.). To return every email that contains a specific attachment and optimize performance, apply time filters as early as possible and avoid unnecessary joins. Early filtering reduces the dataset to scan and speeds execution.

A performant query that meets “only last hour” and the attachment name requirement is:

EmailAttachmentInfo

| where Timestamp > ago(1h) // filter early for performance

| where Subject == "Document Attachment" and FileName == "Document.pdf"

| where Timestamp > ago(1h) // (idempotent second constraint; harmless)

Using joins (e.g., to DeviceFileEvents on SHA256) is not required to answer the question and would add overhead. The key is to filter on Timestamp and FileName within EmailAttachmentInfo, ensuring only emails from the last hour with Document.pdf are returned while keeping the query efficient.

First dropdown: join

Second dropdown: full

In Microsoft Sentinel and Kusto Query Language (KQL), when you need to combine two tables based on a common field, you use the join operator. In this scenario, both queries pull from the same SecurityEvent table but filter on different Event IDs — 4624 for logon and 4634 for logoff events. To correlate or compare the two results by Account, you need to join them.

The first query returns the number of logon events per account (LogOnCount), while the second returns the number of logoff events per account (LogOffCount). The join key is Account, which exists in both result sets.

To ensure that all accounts — those who may have only logon events or only logoff events — are included in the visualization, you use a full join. A full join combines matching records from both sides and keeps unmatched records from either side, filling missing values with nulls. This ensures that every account with either a logon or a logoff count appears in the results.

Therefore, the correct query completion is:

SecurityEvent

| where EventID == "4624"

| summarize LogOnCount = count() by EventID, Account

| project LogOnCount, Account

| join kind = full (

SecurityEvent

| where EventID == "4634"

| summarize LogOffCount = count() by EventID, Account

| project LogOffCount, Account

) on Account

This query gives a complete view of all accounts and their corresponding logon/logoff counts.

✅ Correct selections:

First box → join

Second box → full

In Copilot for Security promptbooks, inputs are referenced as placeholders wrapped in angle brackets (for example, ). To define an input named IncidentID in a prompt, format it as .