Q: 6
[Dashboards and Reporting]
Which action is being taken with the query below?
dataset = xdr_data
| fields agent_hostname, _time, _product
| comp latest as latest_time by agent_hostname, _product
| join type=inner (dataset = endpoints
| fields endpoint_name, endpoint_status, endpoint_type) as lookup lookup.endpoint_name = agent_hostname
| filter endpoint_status = ENUM.CONNECTED
| fields agent_hostname, endpoint_status, latest_time, _product
Options
Discussion
Option A had a similar question in exam reports and it matches the query logic.
Seen something like this in official study material; it's tracking latest activity for any endpoint. A
This looks just like a question I saw on a recent exam report, and A was the pick there too.
A is right. C feels like a trick since there's no filter for firewall endpoint_type in the query, so it's just grabbing latest activity for any connected endpoint. Seen similar wording on practice, but open to other thoughts if I'm missing something here.
A. C looks tempting, but without filtering on endpoint_type it's really all connected endpoints. Seen similar traps in practice exams.
A
C or D. The query grabs endpoint_type and only keeps connected endpoints, so I'd expect "connected firewall endpoints" (C) to be right if we see firewall types there. Official practice sets cover similar joins, suggest brushing up there. Not 100 percent sure though.
Pretty sure it's A. The query is filtering for connected endpoints, grabbing their latest activity but doesn't limit by endpoint_type so it's not just firewalls. Saw something very similar in an exam report too, so A makes sense to me.
It's A here, I think. The query joins to get endpoint status and filters for CONNECTED only, but there's no filter on endpoint_type, so it's not just firewalls (which would make it C). So we're just tracking latest activity of all connected endpoints. Pretty sure, but if anyone spots something I missed, let me know.
Looks like it's pulling the latest activity for connected endpoints in general, not just firewalls since there's no endpoint_type filter. A is correct from what I've seen in official guides and practice sets. If anyone's found a resource pointing to C though, let me know.
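To make the discussion concrete, here is an added Python simulation of the query's stages (comp latest per hostname/product, inner join to the endpoints dataset, filter on CONNECTED, final field projection) over constructed sample rows. It is not from the original post or from Cortex XDR; the hostnames, products and the endpoint_type values are made up, and the optional endpoint_type argument is a hypothetical addition that shows what the original query would need in order to restrict results to one endpoint type.

```python
from collections import defaultdict

# Constructed sample data, standing in for the xdr_data and endpoints datasets.
XDR_DATA = [
    {"agent_hostname": "host-a", "_time": 100, "_product": "XDR Agent"},
    {"agent_hostname": "host-a", "_time": 250, "_product": "XDR Agent"},
    {"agent_hostname": "fw-1",   "_time": 300, "_product": "PAN-OS"},
    {"agent_hostname": "host-b", "_time": 120, "_product": "XDR Agent"},
    {"agent_hostname": "ghost",  "_time": 999, "_product": "XDR Agent"},  # no endpoint row
]
ENDPOINTS = [  # endpoint_type values are placeholders, not real enum names
    {"endpoint_name": "host-a", "endpoint_status": "CONNECTED",    "endpoint_type": "WORKSTATION"},
    {"endpoint_name": "fw-1",   "endpoint_status": "CONNECTED",    "endpoint_type": "FIREWALL"},
    {"endpoint_name": "host-b", "endpoint_status": "DISCONNECTED", "endpoint_type": "SERVER"},
]


def comp_latest(rows, field, by):
    """Stage 'comp latest ... as latest_time by ...': keep the max time per group."""
    latest = {}
    for r in rows:
        key = tuple(r[b] for b in by)
        if key not in latest or r[field] > latest[key][field]:
            latest[key] = r
    return [{**{b: r[b] for b in by}, "latest_time": r[field]} for r in latest.values()]


def inner_join(left, right, left_key, right_key):
    """Stage 'join type=inner': left rows with no matching right row are dropped."""
    index = defaultdict(list)
    for r in right:
        index[r[right_key]].append(r)
    return [{**l, **r} for l in left for r in index.get(l[left_key], [])]


def run_query(xdr_rows, endpoint_rows, endpoint_type=None):
    """Run the pipeline; endpoint_type is a hypothetical extra filter the page's query lacks."""
    stage = comp_latest(xdr_rows, "_time", ["agent_hostname", "_product"])
    stage = inner_join(stage, endpoint_rows, "agent_hostname", "endpoint_name")
    stage = [r for r in stage if r["endpoint_status"] == "CONNECTED"]
    if endpoint_type is not None:  # not in the original query
        stage = [r for r in stage if r["endpoint_type"] == endpoint_type]
    keep = ("agent_hostname", "endpoint_status", "latest_time", "_product")
    return [{k: r[k] for k in keep} for r in stage]


if __name__ == "__main__":
    for row in run_query(XDR_DATA, ENDPOINTS):
        print(row)  # both the workstation and the firewall survive; host-b and ghost do not
```

Without the extra argument, every connected endpoint is returned regardless of type; passing endpoint_type="FIREWALL" is what narrows it to firewalls only.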