Microsoft Security Operations Analyst — Question 26
You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams.
You have a team named Team1 that has a project named Project1.
You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023.
Which KQL query should you run?
Answer options
- A. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))
- B. AuditLogs - | where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10)) | where FileName contains "Project1"
- C. Project1(c:c)(date=2023-02-01..2023-02-10)
- D. AuditLogs - | where Timestamp > ago(10d) | where FileName contains "Project1"
Correct answer: C
Explanation
The correct answer is C because it uses the correct KQL syntax to search for files related to Project1 within the specified date range. Option A uses the wrong syntax for date filtering. Option B uses the AuditLogs table, which is not relevant for this specific search. Option D also uses AuditLogs and does not restrict the query to the required date range.