
Exam SC-200 topic 1 question 38 discussion

Actual exam question from Microsoft's SC-200
Question #: 38
Topic #: 1

HOTSPOT

You have a Microsoft 365 E5 subscription.

You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the following requirements:

• Only show emails sent during the last hour.
• Optimize query performance.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

omar_alhajsalem
Highly Voted 1 year, 11 months ago
EmailAttachmentInfo | where Timestamp > ago(1h) | where Subject == "Document Attachment" and FileName == "Document.pdf" | join (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256
upvoted 6 times
Nikki0222
6 months, 1 week ago
Correct
upvoted 1 times
Ramye
1 year, 2 months ago
You have to choose 1 option from each box. You seem to have chosen 2 options from the bottom box.
upvoted 2 times
Pradeep064
Highly Voted 1 year, 3 months ago
This question seems a bit unusual, and I'm wondering if it's still relevant. The reason being, the "EmailAttachmentInfo" schema doesn't appear to include a "Subject" column, and the question suggests filtering based on this "Subject" column.
upvoted 5 times
9802f06
Most Recent 5 days, 2 hours ago
Why does the query look for device file events? Is this relevant in this case?
upvoted 1 times
Edindude
2 months, 2 weeks ago
EmailAttachmentInfo | where Timestamp > ago(1h) | where FileName == "Document.pdf" | join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256
upvoted 2 times
Adam7777
6 months, 3 weeks ago
I don't know, man. It seems like the second table of options is a mistake/typo. You need "join (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256" to appropriately select the relevant rows to apply the time filter on. Seems outdated on the current schema.
upvoted 3 times
chepeerick
1 year, 6 months ago
This is correct.
upvoted 1 times
Gurulee
1 year, 7 months ago
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide#optimize-the-join-operator "Apply time filters on both sides—Even if you're not investigating a specific time window, applying time filters on both the left and right tables can reduce the number of records to check and improve join performance."
upvoted 1 times
gg7648
2 years, 1 month ago
Wondering, is this a typo? "| where Timestamp < ago(1h)" --> show only less than one hour, which matches. This satisfies the requirement of "Only show emails sent during the last hour". This should be the correct one. But the answer ("| where Timestamp > ago(1h)"), how come greater than is the correct answer?? This returns more than an hour of dataset results, right? Ref: https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference
upvoted 3 times
ultraRunningCA
2 years, 1 month ago
This is correct; the answer should be "where Timestamp < ago(1h)" to meet the requirement of "Only show emails sent during the last hour", and to "optimise the query" the time filter needs to be applied first, so the join should be the second option.
upvoted 1 times
ultraRunningCA
2 years, 1 month ago
Now I'm not so sure... On the page given by mwoodc the answer provided is shown as: *Apply time filters on both sides* — Even if you're not investigating a specific time window, applying time filters on both the left and right tables can reduce the number of records to check and improve join performance. The query below applies Timestamp > ago(1h) to both tables so that it joins only records *from* the past hour:
EmailAttachmentInfo | where Timestamp > ago(1h) | where Subject == "Document Attachment" and FileName == "Document.pdf" | join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256
If you ask Bing Chat/ChatGPT, this is what the query retrieves: "This KQL query will retrieve information about the email attachments with the subject “Document Attachment” and the file name “Document.pdf” that were sent within the last hour. It will then join this information with the DeviceFileEvents table on the SHA256 hash value", which is what the question is asking for...
upvoted 1 times
Holii
2 years ago
Wrong. This will search for logs from an hour ago till infinity in the past (until your specified time range). Even plugging this into KQL logs for a test run will throw an error on the statement with a recommendation to change it from < to >:
Recommendation: The query time filter may not be efficient. The TimeGenerated filter is looking for smaller than rather than larger than. This may result in querying high volume of very old data that is retained in the system. It is recommended to add a minimum TimeGenerated to be evaluated or to specify a time range to this query (see: https://aka.ms/logqueryperf/time).
upvoted 2 times
teouba
2 years ago
The ago() function subtracts the given timespan from the current UTC time. So if the current time is 9.00am, then using ago(1h) means the time goes to 8.00am, so in order to check the timespan 8.00-9.00 you need to use Timestamp > ago(1h).
upvoted 11 times
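The two points argued in the thread above, the direction of the Timestamp > ago(1h) comparison and applying the time filter to both sides before the join on SHA256, as an added Python example that is not from the page or from Microsoft's documentation: it mimics the KQL semantics over constructed EmailAttachmentInfo / DeviceFileEvents rows with placeholder hashes and a fixed clock.

```python
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the run is deterministic; KQL's ago() is relative to now() in UTC.
NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ONE_HOUR = timedelta(hours=1)

def ago(span, now=NOW):
    """Mirror KQL ago(): subtract the timespan from the current UTC time (9:00 -> 8:00)."""
    return now - span

# Constructed sample rows standing in for the EmailAttachmentInfo and DeviceFileEvents
# tables. The SHA256 values are placeholders, not real indicators.
EMAIL_ATTACHMENT_INFO = [
    {"Timestamp": NOW - timedelta(minutes=10), "FileName": "Document.pdf", "SHA256": "hash-a"},
    {"Timestamp": NOW - timedelta(minutes=50), "FileName": "Document.pdf", "SHA256": "hash-b"},
    {"Timestamp": NOW - timedelta(hours=3),    "FileName": "Document.pdf", "SHA256": "hash-c"},
    {"Timestamp": NOW - timedelta(minutes=5),  "FileName": "Invoice.xlsx", "SHA256": "hash-d"},
]
DEVICE_FILE_EVENTS = [
    {"Timestamp": NOW - timedelta(minutes=8), "DeviceName": "wks01", "SHA256": "hash-a"},
    {"Timestamp": NOW - timedelta(hours=2),   "DeviceName": "wks02", "SHA256": "hash-b"},
    {"Timestamp": NOW - timedelta(minutes=1), "DeviceName": "wks03", "SHA256": "hash-c"},
]

def newer_than(rows, span, now=NOW):
    """where Timestamp > ago(span): keeps rows from the last `span` (the intended filter)."""
    return [r for r in rows if r["Timestamp"] > ago(span, now)]

def older_than(rows, span, now=NOW):
    """where Timestamp < ago(span): the inverted comparison keeps only rows OLDER than `span`."""
    return [r for r in rows if r["Timestamp"] < ago(span, now)]

def hunt_document_pdf(emails, device_events, now=NOW):
    """Time-filter both tables first, then inner-join on SHA256, as the best-practice page
    quoted above recommends: the right side shrinks before the join has to scan it."""
    left = [e for e in newer_than(emails, ONE_HOUR, now) if e["FileName"] == "Document.pdf"]
    right = {}
    for d in newer_than(device_events, ONE_HOUR, now):
        right.setdefault(d["SHA256"], []).append(d)
    return [{**e, "DeviceName": d["DeviceName"], "DeviceTimestamp": d["Timestamp"]}
            for e in left for d in right.get(e["SHA256"], [])]

if __name__ == "__main__":
    print(len(newer_than(EMAIL_ATTACHMENT_INFO, ONE_HOUR)), "emails in the last hour")
    print(len(older_than(EMAIL_ATTACHMENT_INFO, ONE_HOUR)), "emails older than an hour")
    for row in hunt_document_pdf(EMAIL_ATTACHMENT_INFO, DEVICE_FILE_EVENTS):
        print(row["SHA256"], "attached to an email and seen on", row["DeviceName"])
```

hash-b is dropped by the right-side time filter (the device event is two hours old) and hash-c by the left-side one (the email is three hours old), so only hash-a survives the join.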