exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam

Exam SC-200 topic 1 question 1 discussion

Actual exam question from Microsoft's SC-200
Question #: 1
Topic #: 1
[All SC-200 Questions]

DRAG DROP -
You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Select and Place:

Show Suggested Answer Hide Answer
Suggested Answer:

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
DigitalNomad
Highly Voted 3 months ago
DeviceLogonEvents | where DeviceName in ("CFOLaptop" , "CEOLaptop" ) and ActionType == "LogonFailed" | summarize LogonFailures=count() by DeviceName , LogonType This is the correct answer , I tested it .
upvoted 118 times
Nikki0222
2 months ago
This answer is correct
upvoted 1 times
...
CatoFong
2 years, 5 months ago
DigitalNomad is correct.
upvoted 3 times
...
sasasach
1 year, 9 months ago
correct.
upvoted 3 times
...
danb67
1 year, 2 months ago
Me too and correct
upvoted 1 times
...
...
ReffG
Highly Voted 3 years, 4 months ago
I think the third box is answered wrong. ActionType == "LogonFailed" should be the correct answer.
upvoted 21 times
...
mikl
Most Recent 1 month ago
ChatGPT says : DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") | where LogonType == "Failed" | summarize FailedSignInCount = count() by DeviceName
upvoted 1 times
...
Apocalypse03
3 months ago
The correct answer is: DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and ActionType == FailureReason |s summarize LogonFailures=count () by DeviceName, LogonType Here is a brief explanation of how this query works: The DeviceLogonEvents table is selected, which contains logon events for devices. The where clause filters the events to only include those that have a DeviceName of CFOLaptop, CEOLaptop, or COOLaptop, and an ActionType of FailureReason. This effectively filters the events to only include failed logon events from the specified devices. The summarize clause counts the number of events that match the previous criteria, grouping the results by DeviceName and LogonType. The count() function counts the number of events in each group, and the LogonFailures alias is used to label this count in the resulting output.
upvoted 3 times
EricChu
1 year, 12 months ago
How can a reason be an action???? Action type is a reason, did you hear yourself?
upvoted 1 times
...
...
Hawklx
5 months, 1 week ago
Please fix this answer
upvoted 2 times
...
Vamshi_Pasham
9 months ago
In given answer, ActionType should be "LogonFailed".
upvoted 2 times
...
mc250616
1 year, 1 month ago
Hi All, Checked again in real environment. Shown answer is not correct as Failure Reason is not one fo the ActionTypes and no result by this search. Correct Answer is ; -------------- DeviceLogonEvents | where DeviceName in ("CFOLaptop" , "CEOLaptop", "COOLaptop") and ActionType == "LogonFailed" | summarize LogonFailures=count() by DeviceName , LogonType
upvoted 2 times
...
chepeerick
1 year, 2 months ago
Correct
upvoted 1 times
...
NathanZ
1 year, 5 months ago
Correct answer should be: ActionType="LogonFailed". When running this query, there is no any result returned. DeviceLogonEvents | where ActionType == FailureReason
upvoted 1 times
...
cyber_mks
1 year, 9 months ago
correct Answer is DeviceLogonEvents | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") and ActionType == FailureReason |s summarize LogonFailures=count () by DeviceName, LogonType
upvoted 1 times
...
gyaansastra
1 year, 11 months ago
Only 3 types of ActionType exist based on the schema. Try yourself with a long time range (e.g below last 14days) DeviceLogonEvents | where TimeGenerated >= ago(14d) | distinct ActionType Result: LogonSuccess LogonFailed LogonAttempted That should clear the doubts that "LogonFailed" is the correct option, not "FailureReason". Strongly suggest going through the official schema and the actual query for validation.
upvoted 6 times
...
BhanuD
2 years, 1 month ago
Under DeviceLogonEvents schema, below are the ActionType values available and FailureReason is the column in the schema that can be fetched ActionType values: LogonAttempted LogonFailed LogonSuccess and hence the answer is ActionType == 'LogonFailed' ; also a string should be mentioned in a single or double quotes
upvoted 2 times
...
arunrider
2 years, 2 months ago
Tested, ActionType == LogonFailed
upvoted 4 times
...
Pandaguo
2 years, 8 months ago
DeviceLogonEvents |where Devicename in ("CFOlaptops", "CEOLaptop") and ActionType == "LogonFailed" |summarize LoginFailures=count() by DeviceName, LogonType
upvoted 3 times
...
oreoale
2 years, 9 months ago
See DeviceLogonEvents options -> https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/devicelogonevents
upvoted 4 times
...
chaska
2 years, 9 months ago
Answer is correct DeviceLogonEvents | where DeviceName in ("CFOLaptop","CEOLaptop","COOLaptop") and ActionType == FailureReason | summarize count() by DeviceName, LogonType,TimeGenerated As far as I know ActionType contains only LogonSuccess, LogonAttempted and empty value. Empty value in same rows in columns ActionType and FailureReason means failed sign-in authentications.
upvoted 3 times
...
Badr_j
2 years, 9 months ago
ActionType == "LogonFailed" is the correct option,
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago