Microsoft Security Operations Analyst — Question 27
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.
Which operator should you use?
Answer options
- A. search *
- B. union kind = inner
- C. join kind = inner
- D. evaluate hint.remote =
Correct answer: B
Explanation
The correct answer is B, 'union kind = inner', because the union operator combines the rows of the specified tables into a single result set, so every row from each table is returned. Options A, C, and D do not meet the requirement of returning all rows from the tables: they either filter the results or do not merge the tables appropriately.