SC-200 Perform threat hunting • Set 8
SC-200 Perform threat hunting Practice Test 8 — 15 questions with explanations. Free, no signup.
Refer to the exhibit. You are reviewing a KQL query used in a threat hunting campaign. What is the primary purpose of this query?
Exhibit (huntQuery):

let threshold = 5;
SigninLogs
| where TimeGenerated > ago(7d)
| summarize SigninCount = count() by UserPrincipalName, IPAddress, AppDisplayName
| where SigninCount > threshold
| join kind=leftouter (
    AADUserRiskEvents
    | where TimeGenerated > ago(7d)
    | summarize RiskCount = count() by UserPrincipalName
) on UserPrincipalName
| project UserPrincipalName, IPAddress, AppDisplayName, SigninCount, RiskCount
| order by SigninCount desc
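As an added example (not part of the practice test), the Python below mirrors the exhibit's query over constructed sample rows, so the effect of the threshold and of the leftouter join (rows for users with no risk events are kept, with an empty RiskCount) can be checked without a Sentinel workspace. The user names, IP addresses and timestamps are constructed.

```python
"""Added example: Python re-implementation of the exhibit's KQL hunting query,
run over constructed SigninLogs / AADUserRiskEvents rows."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed query time

# Constructed SigninLogs rows: (TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName)
SIGNIN_LOGS = (
    [(NOW - timedelta(hours=h), "alice@contoso.example", "203.0.113.10", "Office 365") for h in range(8)]
    + [(NOW - timedelta(hours=h), "bob@contoso.example", "198.51.100.7", "Azure Portal") for h in range(6)]
    + [(NOW - timedelta(hours=h), "carol@contoso.example", "192.0.2.5", "Teams") for h in range(3)]
    + [(NOW - timedelta(days=10), "alice@contoso.example", "203.0.113.10", "Office 365")]  # outside ago(7d)
)
# Constructed AADUserRiskEvents rows: (TimeGenerated, UserPrincipalName)
RISK_EVENTS = [
    (NOW - timedelta(days=1), "alice@contoso.example"),
    (NOW - timedelta(days=2), "alice@contoso.example"),
    (NOW - timedelta(days=9), "bob@contoso.example"),  # outside ago(7d): bob gets no RiskCount
]


def hunt(signins, risk_events, now=NOW, threshold=5, window=timedelta(days=7)):
    """Mirror the KQL: count sign-ins per (user, IP, app) inside the window,
    keep counts above the threshold, left-join per-user risk-event counts,
    then order by SigninCount descending."""
    since = now - window
    signin_count = Counter(
        (upn, ip, app) for t, upn, ip, app in signins if t > since
    )
    risk_count = Counter(upn for t, upn in risk_events if t > since)
    rows = []
    for (upn, ip, app), n in signin_count.items():
        if n > threshold:
            # leftouter join: the row survives even when the user has no risk
            # events; RiskCount is then None (empty in KQL output)
            rows.append({"UserPrincipalName": upn, "IPAddress": ip,
                         "AppDisplayName": app, "SigninCount": n,
                         "RiskCount": risk_count.get(upn)})
    return sorted(rows, key=lambda r: r["SigninCount"], reverse=True)


if __name__ == "__main__":
    for row in hunt(SIGNIN_LOGS, RISK_EVENTS):
        print(row)
```

Running it yields two rows: alice (8 sign-ins, RiskCount 2) and bob (6 sign-ins, RiskCount empty); carol is dropped by the threshold.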