Exam SC-200 topic 1 question 14 discussion

The first answer "EmailEvents" is right because only EmailEvents table have the Subject column, but both EmailEvents and EmailAttachmentInfo have the ThreatType table (old MalwareFilterVerdict). The second answer: IdentityLogonEvents, is right, because is the only table that have identity objects related. The third answer: take 20, according to MS "here is no guarantee which records are returned, unless the source data is sorted.", "take and limit are synonyms". I tested by myself, and the only query that return the latest results was: top 20 by Timestamp, because only "top 20" didn't work.

//Define new table for malicious emails let MaliciousEmails=EmailEvents //List emails detected as malware, getting only pertinent columns | where ThreatTypes has "Malware" | project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]); MaliciousEmails | join ( //Merge malicious emails with logon events to find logons by recipients IdentityLogonEvents | project LogonTime = Timestamp, AccountName, DeviceName ) on AccountName //Check only logons within 30 minutes of receipt of an email | where (LogonTime - TimeEmail) between (0min.. 30min) | take 10

Why use take and not top in this scenario? The query in your case doesn't explicitly mention sorting the logon events by a specific column (e.g., timestamp). It simply limits the results to a certain number, so take is appropriate here. If you wanted the 20 most recent logon events, you could use top 20 by LogonTime, which ensures that you are retrieving the most recent events sorted by time.

The output of KQL queries are sorted by descending order of the first column. So take 20 works out here

The answer is correct. Here is an example: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#review-logon-attempts-after-receipt-of-malicious-emails //Define new table for malicious emails let MaliciousEmails=EmailEvents //List emails detected as malware, getting only pertinent columns | where ThreatTypes has "Malware" | project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]); MaliciousEmails | join ( //Merge malicious emails with logon events to find logons by recipients IdentityLogonEvents | project LogonTime = Timestamp, AccountName, DeviceName ) on AccountName //Check only logons within 30 minutes of receipt of an email | where (LogonTime - TimeEmail) between (0min.. 30min) | take 10

EmailEvents is used to filter out the malicious emails. IdentityLogonEvents is used to check for sign-ins by those who received the malicious emails. top 20 ensures that only the most recent 20 sign-in events are returned, which matches the requirement of the task.

EmailEvents, IdentityLogonEvents, take 20 because take operator in kql returns most recents records in event table..

correct, There is no guarantee which records are returned, unless the source data is sorted. If the data is sorted, then the top values will be returned.

EmailEvents, IdentityLogonEvents, take 20

Given Answer is correct, check the following page that has this query under the section "Review logon attempts after receipt of malicious emails" https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#review-logon-attempts-after-receipt-of-malicious-emails

Correct. Take 20 is equal to top 20 by timestamp here.

take 20 is correct if you need to select most recent logins.

Answer is correct, but the solution is incomplete, as the results needs to be sorted before "take" command (most recent logons). "Top" is not an option here as it needs "by" argument to be correct.

Believe given answer to be correct

take operator There is no guarantee which records are returned, unless the source data is sorted. ------------------------ for this query the correct would not use top ? Since they ask for recent records