Exam SC-200 Topic 1 Question 55 Discussion

Actual exam question for Microsoft's SC-200 exam
Question #: 55
Topic #: 1
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You have an Azure subscription that contains a Log Analytics workspace named Workspace1.
You forward all logs to Workspace1.
You need to identify all the applications and security principals that made requests to modify Microsoft Entra groups during the previous 24 hours.
How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Suggested Answer:


Explanation:
Box 1: MicrosoftGraphActivityLogs
Access Microsoft Graph activity logs
Azure Monitor Logs query examples
If you send Microsoft Graph activity logs to a Log Analytics workspace, you can query the logs using Kusto Query Language (KQL).
Box 2: PUT
Requests to modify.
Sending a PUT request will update or replace existing data on the server. POST , on the other hand, is a safe method because it does not modify the state of the server. Sending a POST request will create new data on the server, but it will not modify any existing data.
Reference:
https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview
https://www.keycdn.com/support/put-vs-post
https://learn.microsoft.com/en-us/azure/azure-
monitor/reference/tables/enrichedmicrosoft365auditlogs

by Sandra at Jul 13, 2026, 06:14 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10