Question 3 - Microsoft SC-200 Security Operations Analyst Real Exam Questions [Jan 2026 Update]

Q: 3

HOTSPOT You have an Azure subscription that contains a Log Analytics workspace named Workspace1. You configure Azure activity logs and Microsoft Entra ID logs to be forwarded to Workspace1. You need to identify which Azure resources have been queried or modified by risky users. How should you complete the KQL query? To answer, select the appropriate options in the answer area.

Your Answer

Correct Answer:

BOX 1: SIGNINLOGS BOX 2: AZUREACTIVITY BOX 3: CALLER

Explanation

To identify Azure resources queried or modified by risky users, a KQL query must correlate user risk data with resource activity logs. The SigninLogs table from Microsoft Entra ID contains user sign-in details, including risk levels detected by Identity Protection (e.g., RiskLevelAggregated). The AzureActivity table contains the Azure Activity Log, which records management-plane operations on Azure resources. To link a risky user to an action, the query must join the UserPrincipalName from the SigninLogs table with the Caller field from the AzureActivity table, as the Caller field identifies the user who performed the operation.

References

1. Microsoft. (2023). Microsoft Sentinel data connectors. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference.

Details: This document lists SigninLogs as the table for "Microsoft Entra sign-in logs" and AzureActivity as the table for "Azure Activity" logs

confirming the correct tables for the required data sources.

2. Microsoft. (2023). Azure Monitor Logs table reference / SigninLogs. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs.

Details: The schema documentation confirms that SigninLogs contains the UserPrincipalName and RiskLevelAggregated columns

which are essential for identifying risky users.

3. Microsoft. (2023). Azure Monitor Logs table reference / AzureActivity. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity.

Details: The schema documentation confirms that the AzureActivity table contains the Caller column

which "identifies the user or client that initiated the event." This is the correct field for joining with the user identity from SigninLogs.

4. Microsoft. (2024). join operator. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/join-operator.

Details: This official documentation explains how to use the join operator to merge rows of two tables to form a new table by matching values of the specified columns

which is the core operation required by the query.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE