Exam SC-200 topic 7 question 13 discussion

Actual exam question from Microsoft's SC-200

Question #: 13
Topic #: 7

HOTSPOT
-

You need to build a KQL query in a Microsoft Sentinel workspace. The query must return the SecurityEvent record for accounts that have the last record with an EventID value of 4624.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Show Suggested Answer

Suggested Answer:

by chirva at Nov. 13, 2024, 1:49 p.m.

Comments

Submit Cancel

chirva

Highly Voted 5 months, 2 weeks ago

GPT4: SecurityEvent | where EventID == 4624 | summarize arg_max(TimeGenerated, *) by Account

upvoted 8 times

Madzius

3 months, 3 weeks ago

This question was on the test. The answer seems to be good.

upvoted 3 times

...

HAjouz

4 months, 2 weeks ago

Dropdown 1: where EventID == 4624 Dropdown 2: summarize arg_max(TimeGenerated, *) by Account

upvoted 2 times

...

8b70ec7

Most Recent 2 months, 1 week ago

I think the answer should be: Dropdown 1: summarize arg_max(TimeGenerated, *) by Account Dropdown 2: where EventID == 462 My reasoning for the above is this - the questions says to return accounts where the last record was eventid 4624. So first we need to find the last record for each account and then filter for 4624.

upvoted 1 times

8b70ec7

2 months, 1 week ago

Small typo in my 2nd sentence: Dropdown 2: where EventID == 4624

upvoted 1 times

...

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam

Exam SC-200 topic 7 question 13 discussion

Comments

chirva

Madzius

HAjouz

8b70ec7

8b70ec7

SY0-701