SC-200 Exam Dumps - Microsoft Security Operations Analyst

Below is the completed KQL that meets the requirement (successful sign-ins from multiple countries in the last 3 hours), using the ASIM authent ication schema commonly used in Microsoft Sentinel:

let timeframe = ago(3h);

let threshold = 5;

imAuthentication

| where TimeGenerated > timeframe

| where EventType == " Logon " and EventResult == " Success "

| where isnotempty(SrcGeoCountry)

| summarize

StartTime = min(TimeGenerated),

EndTime = max(TimeGenerated),

Vendors = make_set(EventVendor),

Products = make_set(EventProduct),

NumOfCountries = dcount(SrcGeoCountry)

by TargetUserId, TargetUserPrincipalName, TargetUserType

| where NumOfCountries > threshold

Blade/source: imAuthentication (ASIM parser) normalizes authentication data across sources in Sentinel, letting you query sign-ins consistently.

Filters: EventType == " Logon " and EventResult == " Success " restrict to successful l ogons.

Geo dimension: SrcGeoCountry is the normalized source country field for the sign-in.

Logic: We look back 3 hours , count distinct countries per user with dcount(SrcGeoCountry) , and keep only users exceeding a chosen threshold (e.g., > 5 ).

This delive rs exactly “successful sign-ins from multiple countries during the last three hours,” ready for use in a hunting query or to form a scheduled analytics rule.

Activity from a country/region that could indicate malicious activity. This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or was never visited by any user in the organizatio n. Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This can indicate a credential breach, however, it ' s also possible that the user ' s actual location is masked , for example, by using a VPN.

In Microsoft 365 Defender’s Advanced Hun ting (Kusto Query Language - KQL) , investigators use the DeviceLogonEvents table to search for authentication attempts and filter failed logons. To detect failed sign-ins from specific devices, you begin by applying a where clause that filters only the relevant logon failures and the specific device names you want to investigate.

The correct syntax and logical order—based on Microsoft Security Operations (SecOps) and Microsoft 365 Defender hunting guide —is to first filter ( where ) the Ac tionType to “Logon Failed,” then narrow down the dataset to the target devices ( DeviceName in ( " CFOLaptop " , " CEOLaptop " , " COOLaptop " ) ). This ensures that only failed authentication attempts from those three machines are included.

After filtering, the summarize operator is us ed to group the data by DeviceName and LogonType , counting how many failures occurred per device and logon type. This aggregation step follows Microsoft’s recommended practice for incident hunting, allowing analysts to quickly assess which devices are gene rating unusual authentication failure volumes.

Finally, the project statement selects only the LogonFailures output, simplifying the results for reporting or alerting purposes.

This query structure aligns exactly with Microsoft 365 Defender Advanced Huntin g documentation for detecting failed logins on specific endpoints while maintaining query efficiency and clarity, minimizing administrative overhead during investigations

In Microsoft Sentinel, entity ma pping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph , incidents , and hunting experiences . The Sentinel requirements in the case study specify:

“Add notes to events that represent dat a access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, h ostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentine l documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.