ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 7 question 3 discussion

Actual exam question from Microsoft's SC-200
Question #: 3
Topic #: 7
[All SC-200 Questions]

DRAG DROP
-

You have a Microsoft Sentinel workspace named SW1.

In SW1, you enable User and Entity Behavior Analytics (UEBA).

You need to use KQL to perform the following tasks:

• View the entity data that has fields for each type of entity.
• Assess the quality of rules by analyzing how well a rule performs.

Which table should you use in KQL for each task? To answer, drag the appropriate tables to the correct tasks. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Show Suggested Answer Hide Answer
Suggested Answer:
by DChilds at April 27, 2024, 2:15 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
DChilds
Highly Voted 11 months, 3 weeks ago
This question was in the exam 27/04/2024. BehaviorAnalytics and Anomalies.
upvoted 19 times
CDR
4 months ago
Another perla. The CORRECT table for assessing rule quality is BehaviorAnalyticsRuleStats. But of course, that isn't even an option. So we go with Anomalies.
upvoted 1 times
...
...
Optimizor_IT
Most Recent 3 days, 7 hours ago
I would say it is BehaviorAnalytics for both.
upvoted 1 times
...
g_man_rap
8 months ago
Correct Answers: View entity data: BehaviorAnalytics Assess rule quality: Anomalies
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago