AZ-500 Question #207: Real Exam Question with Answer & Explanation
The correct answer is C: From the Azure Sentinel workspace, create a Kusto Query Language query.
Question
You have an Azure subscription that contains several Azure SQL databases and an Azure Sentinel workspace. You need to create a saved query in the workspace to find events reported by Advanced Threat Protection for Azure SQL Database. What should you do?
Options
- A. From Azure CLI run the Get-AzOperationalInsightsworkspace cmdlet.
- B. From the Azure SQL Database query editor, create a Transact-SQL query.
- C. From the Azure Sentinel workspace, create a Kusto Query Language query.
- D. From Microsoft SQL Server Management Studio (SSMS), create a Transact-SQL query.
Explanation
Advanced Threat Protection for Azure SQL Database reports its events as logs stored in the Azure Sentinel workspace, and those logs are queried with Kusto Query Language (KQL). A saved query that finds these events is therefore created as a KQL query directly within the Sentinel workspace, not by running Transact-SQL against the databases themselves.
Common mistakes
- A. Get-AzOperationalInsightsworkspace is an Azure PowerShell cmdlet used to retrieve workspace properties, not to create or run queries.
- B. The Azure SQL Database query editor is used to run Transact-SQL (T-SQL) queries against the SQL database itself, not to query logs stored in an Azure Sentinel workspace.
- D. SQL Server Management Studio (SSMS) is used for managing and querying SQL Server instances (on-premises or Azure SQL) using Transact-SQL, not for querying logs in Azure Sentinel.
Concept tested: KQL queries in Azure Sentinel
Reference: https://learn.microsoft.com/en-us/azure/sentinel/get-started-queries