Free Microsoft SC-200 Security Operations Analyst Actual Exam Questions - Question 12 Discussion
You need to create a visual based on the SecurityEvent table. The solution must meet the following
requirements:
• Identify the number of security events ingested during the past week.
• Display the count of events by day in a timechart.
What should you add to Workbook1?
I’m thinking B might not fit since metrics usually track performance counters, not detailed event counts. If we want a timechart by day, wouldn’t a query pulling SecurityEvent data be more straightforward?
Maybe A, since a query directly pulls and visualizes the event counts by day.
A vs B? Metrics track numeric data but don’t usually create detailed timecharts from raw tables like SecurityEvent. A query gives you full control to aggregate and display exactly what’s needed.
D imo, adding links or tabs doesn’t really help with creating visuals or querying data. Since you need to display event counts by day, a group or metric (C or B) wouldn’t directly handle that aggregation and charting. A query is the only way to pull and shape that data properly from SecurityEvent. So even without extra details on existing controls, A fits best for running the needed KQL to get daily counts over the past week.
Makes sense to add a query here since you need to pull data from the SecurityEvent table and aggregate by day. So, I’d pick A.
Maybe A, since metrics and groups can’t break down events daily in a timechart.
A, you need a query to summarize events daily for the timechart.
Probably A here too, since you have to run a KQL query on SecurityEvent to get daily counts. Groups and links won’t create the chart, and metrics don’t usually do this kind of detailed time-series data.
B tbh doesn’t fit here because metrics usually track performance or usage stats, not detailed event counts by day. Querying the table directly is needed to meet the exact requirements.
Maybe A makes the most sense since you need to pull specific data from the SecurityEvent table and visualize it. Metrics or groups don’t directly handle time-based queries like this.
A, need a query to pull event counts by day for the last week.