K0.8 Check My Knowledge
Question 1 — Question categories
An analyst needs to determine whether a user account accessed SharePoint files from a new device within 10 minutes of a sign-in from an unusual country. Which two question categories does this involve, and which tables are needed?
Answer: This involves (1) CROSS-TABLE CORRELATION: joining SigninLogs (the unusual sign-in) with OfficeActivity (the SharePoint access) on the user and on time proximity. Note that the join key has a different name on each side, UserPrincipalName in SigninLogs and UserId in OfficeActivity, and the letter case can differ, so normalise both with tolower() before joining. (2) HISTORICAL SCOPE: checking whether the device recorded in DeviceDetail (the deviceId property) has appeared in that user's earlier successful sign-ins. An empty deviceId means an unregistered device that cannot be matched against history, so treat it as unknown rather than as proof of a new device. Tables needed: SigninLogs (authentication with LocationDetails and DeviceDetail) joined with OfficeActivity (SharePoint FileAccessed/FileDownloaded operations) restricted to the 10-minute window after the sign-in.
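A worked query for Question 1, added here as an example rather than taken from the original page. It assumes the organisation's expected sign-in countries are GB and IE, a 30-day baseline for "known" devices, and that SharePoint access is represented by the FileAccessed and FileDownloaded operations; adjust those to your tenant.

```kql
// Added example: unusual-country sign-in from a device this user has not used before,
// followed by SharePoint file activity by the same user within 10 minutes.
let window = 10m;
let baseline = 30d;
let expectedCountries = dynamic(["GB", "IE"]);   // assumption: the org's normal countries
// Historical scope: devices this user has signed in from successfully before today.
let knownDevices =
    SigninLogs
    | where TimeGenerated between (ago(baseline) .. ago(1d))
    | where ResultType == "0"
    | extend UserPrincipalName = tolower(UserPrincipalName),
             DeviceId = tostring(DeviceDetail.deviceId)
    | where isnotempty(DeviceId)
    | distinct UserPrincipalName, DeviceId;
// Unusual-country sign-ins in the last day, keeping only devices absent from the baseline.
let newDeviceSignins =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"
    | extend UserPrincipalName = tolower(UserPrincipalName),
             Country = tostring(LocationDetails.countryOrRegion),
             DeviceId = tostring(DeviceDetail.deviceId)
    | where Country !in (expectedCountries)
    // leftanti keeps left rows with no match on the right; an empty DeviceId
    // (unregistered device) never matches, so it is kept as "unknown" not dropped
    | join kind=leftanti knownDevices on UserPrincipalName, DeviceId
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, Country, DeviceId;
// Cross-table correlation: SharePoint file operations inside the 10-minute window.
newDeviceSignins
| join kind=inner (
    OfficeActivity
    | where TimeGenerated > ago(1d)
    | where OfficeWorkload == "SharePoint"
    | where Operation in ("FileAccessed", "FileDownloaded")
    // OfficeActivity names the user UserId; rename and lower-case it so the join matches
    | project AccessTime = TimeGenerated, UserPrincipalName = tolower(UserId),
              Operation, OfficeObjectId, ClientIP
  ) on UserPrincipalName
| where AccessTime between (SigninTime .. (SigninTime + window))
| project SigninTime, AccessTime, UserPrincipalName, Country, SigninIP = IPAddress,
          DeviceId, Operation, OfficeObjectId, ClientIP
| sort by SigninTime desc
```

The leftanti join answers the historical-scope question and the inner join answers the correlation question; the `between` filter on the joined rows is what turns "same user" into "same user, within 10 minutes".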
Question 2 — Table selection
Where would you find evidence that an attacker created a new inbox rule to hide emails containing the word "invoice"?
Answer: OfficeActivity, filtered to Operation == "New-InboxRule" (and Set-InboxRule, since an attacker can also repurpose an existing rule). The Parameters field holds the rule definition as JSON name/value pairs, including the keyword condition (SubjectContainsWords, BodyContainsWords or SubjectOrBodyContainsWords) and the hiding action (MoveToFolder, DeleteMessage, MarkAsRead); OfficeObjectId identifies the mailbox and rule object the cmdlet acted on. This is the mailbox operations table: it records what users DO in their mailbox (rules, sends, forwards), not what emails were delivered (that is EmailEvents).
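The hunt for Question 2 as a worked query, added here as an example and not part of the original page. It assumes a 30-day lookback and that Parameters arrives as a JSON array of {"Name": ..., "Value": ...} objects, which is how Exchange cmdlet audit records are shaped.

```kql
// Added example: inbox rules created or modified in the last 30 days whose condition
// mentions "invoice" and whose action hides the message (move, delete or mark as read).
OfficeActivity
| where TimeGenerated > ago(30d)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
// Parameters is a JSON array of {Name, Value} pairs: expand it, then fold it back
// into one property bag per audit event so each parameter is addressable by name
| mv-expand Param = parse_json(Parameters)
| extend ParamName = tostring(Param.Name), ParamValue = tostring(Param.Value)
| summarize RuleParams = make_bag(bag_pack(ParamName, ParamValue))
    by TimeGenerated, UserId, ClientIP, Operation, OfficeObjectId
// New-InboxRule carries the rule name in Name; Set-InboxRule carries it in Identity
| extend RuleName = iff(isnotempty(tostring(RuleParams.Name)),
                        tostring(RuleParams.Name), tostring(RuleParams.Identity)),
         Conditions = strcat(tostring(RuleParams.SubjectContainsWords), " ",
                             tostring(RuleParams.BodyContainsWords), " ",
                             tostring(RuleParams.SubjectOrBodyContainsWords)),
         MoveToFolder = tostring(RuleParams.MoveToFolder),
         DeleteMessage = tostring(RuleParams.DeleteMessage),
         MarkAsRead = tostring(RuleParams.MarkAsRead)
| where Conditions contains "invoice"          // case-insensitive, also matches "invoices"
| where isnotempty(MoveToFolder) or DeleteMessage =~ "True" or MarkAsRead =~ "True"
| project TimeGenerated, UserId, ClientIP, Operation, RuleName, Conditions,
          MoveToFolder, DeleteMessage, MarkAsRead
| sort by TimeGenerated desc
```

Restricting to rules that also hide the message keeps legitimate "file my invoices" rules out of the result; drop the last `where` if you want every rule that mentions the keyword.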
Question 3 — The 4-operator pattern
Write a query that shows all successful interactive sign-ins to the Azure Portal in the last 24 hours, showing the user, IP address, and time, sorted by most recent first.
Answer:

```kql
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"
| where IsInteractive == true
| where AppDisplayName == "Azure Portal"
| project TimeGenerated, UserPrincipalName, IPAddress
| sort by TimeGenerated desc
```

This uses all 4 operators: table (SigninLogs), where (4 filters), project (3 columns), sort (newest first). The filters narrow from all sign-ins to only: successful, interactive, Azure Portal. Note that ResultType is a string column, so the success code is compared as "0" in quotes; comparing against the number 0 returns nothing.
Question 4 — Data model understanding
An analyst queries DeviceProcessEvents for a user but gets zero results. The user is confirmed to have a Windows laptop enrolled in Intune. What are the two most likely causes?
Answer: (1) Licensing: DeviceProcessEvents is populated by Defender for Endpoint Plan 2 (included in Microsoft 365 E5). Plan 1, and Intune enrolment on its own, do not produce endpoint process telemetry. (2) Connector: the raw device tables reach the Sentinel workspace through the Microsoft Defender XDR (formerly Microsoft 365 Defender) data connector with the device event tables selected; the standalone Defender for Endpoint connector forwards alerts only. Verify: check Sentinel → Data connectors → "Microsoft Defender XDR" → status and selected event types. If it is disconnected, the data is visible in Defender advanced hunting but absent from Sentinel. Two further checks before blaming the pipeline: confirm the laptop is actually onboarded to Defender for Endpoint (Intune enrolment is a separate step; an onboarded device appears in DeviceInfo), and confirm the query filters on the right column: AccountUpn holds the UPN while AccountName holds the plain account name, so filtering AccountName on a UPN returns zero rows.
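A data-availability check for Question 4, added here as an example and not from the original page. The user and device names are assumptions; the four legs run in one query so a single result tells you whether the table is ingesting, whether the device reports at all, and whether the user filter itself is the problem.

```kql
// Added check: is DeviceProcessEvents populated, is the device onboarded, and does
// a UPN-based user filter return anything?  The two names below are assumptions.
let userUpn = "jdoe@contoso.com";            // assumption: the user being investigated
let deviceName = "LAPTOP-CONTOSO01";          // assumption: the Intune-enrolled laptop
// union isfuzzy=true keeps the query running even if a table is absent from the
// workspace (no connector means no table, and a plain query would fail to resolve it).
union isfuzzy=true
    (DeviceProcessEvents
     | summarize Rows = count(), Latest = max(TimeGenerated)
     | extend Check = "1 DeviceProcessEvents ingesting at all (XDR connector + P2)"),
    (DeviceInfo
     // DeviceInfo often stores the FQDN, so match on the prefix (case-insensitive)
     | where DeviceName startswith deviceName
     | summarize Rows = count(), Latest = max(TimeGenerated)
     | extend Check = "2 Device onboarded to MDE (reports in DeviceInfo)"),
    (DeviceProcessEvents
     | where DeviceName startswith deviceName
     | summarize Rows = count(), Latest = max(TimeGenerated)
     | extend Check = "3 Process events from this device"),
    (DeviceProcessEvents
     // AccountUpn / InitiatingProcessAccountUpn hold the UPN; AccountName does not
     | where AccountUpn =~ userUpn or InitiatingProcessAccountUpn =~ userUpn
     | summarize Rows = count(), Latest = max(TimeGenerated)
     | extend Check = "4 Process events for this user, matched on UPN")
| project Check, Rows, Latest
| sort by Check asc
```

Read the rows top down: zero on check 1 points at licensing or the connector, zero on check 2 at onboarding, and zero on check 4 with a non-zero check 3 at the account column used in the original query.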
Question 5 — Investigation planning
A CISO asks: "Were we targeted by the same phishing campaign that hit our industry peer last week? The peer shared the attacker's sending domain: malicious-updates[.]com." Plan the investigation: which table, which fields, and what does a positive result look like?
Answer: Table: EmailEvents, which records mail delivery. OfficeActivity is only a weak fallback: it shows mailbox actions, so at best it reveals that a recipient later touched a message, not whether one arrived. Filter: refang the indicator first, because the query literal must be the real domain: where SenderFromDomain == "malicious-updates.com" (also compare SenderMailFromDomain, since the header From and the envelope sender can differ). Fields to project: TimeGenerated, RecipientEmailAddress (who was targeted), Subject, DeliveryAction and DeliveryLocation (delivered to the inbox, junked, or blocked?). A positive result: one or more rows showing emails from this domain reached NE users. Next steps: list the recipients, pull the URLs those messages carried (EmailUrlInfo, joined on NetworkMessageId), check UrlClickEvents to see whether anyone clicked, and review SigninLogs for those users from new IPs. A zero-result query is also valuable, with a caveat: it confirms that no mail from this specific domain arrived within the retention period you searched. The same campaign may have used other sending domains, so ask the peer for further indicators (subjects, URLs, attachment hashes) before reporting that NE was not targeted.
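The investigation plan for Question 5 as one worked query, added here as an example and not part of the original page. It assumes a 30-day lookback and that EmailEvents, EmailUrlInfo and UrlClickEvents are all flowing into the workspace; the domain is the peer's indicator refanged.

```kql
// Added example: sweep for the peer's sending domain, with the delivery outcome per
// recipient, the URLs each message carried, and whether anyone clicked them.
let attackerDomain = "malicious-updates.com";   // refanged from malicious-updates[.]com
let lookback = 30d;
let campaignMail =
    EmailEvents
    | where TimeGenerated > ago(lookback)
    // header From and envelope MAIL FROM can differ; match either
    | where SenderFromDomain =~ attackerDomain or SenderMailFromDomain =~ attackerDomain
    | project TimeGenerated, NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
              Subject, DeliveryAction, DeliveryLocation, ThreatTypes;
// URLs embedded in each message, keyed by NetworkMessageId
let urls =
    EmailUrlInfo
    | where TimeGenerated > ago(lookback)
    | summarize Urls = make_set(Url, 20) by NetworkMessageId;
// Click telemetry (Safe Links), keyed by the same message id
let clicks =
    UrlClickEvents
    | where TimeGenerated > ago(lookback)
    | summarize Clicks = count(),
                AllowedClicks = countif(ActionType == "ClickAllowed"),
                FirstClick = min(TimeGenerated)
        by NetworkMessageId;
campaignMail
| join kind=leftouter urls on NetworkMessageId
| join kind=leftouter clicks on NetworkMessageId
// leftouter leaves nulls for messages with no URLs or no clicks; normalise to 0
| extend Clicks = coalesce(Clicks, 0), AllowedClicks = coalesce(AllowedClicks, 0)
| project TimeGenerated, RecipientEmailAddress, SenderFromAddress, Subject,
          DeliveryAction, DeliveryLocation, ThreatTypes, Urls, Clicks, AllowedClicks, FirstClick
| sort by AllowedClicks desc, TimeGenerated desc
```

Rows with AllowedClicks greater than zero are the users to take into the SigninLogs step; rows with DeliveryAction of "Blocked" or "Junked" show the campaign reached the tenant but was stopped, which is still worth reporting to the CISO.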
You're reading the free modules of Mastering KQL