You are threat hunting using Azure Sentinel. You have created a query designed to identify a specific event on your domain controller. You need to create several similar queries because you have multiple domain controllers and want to keep each query separate. The solution should minimize administrative effort. 
Which three actions should you perform in sequence to clone a query? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order. 
Create a list in the correct order 
A.Choose Clone query by clicking the ellipsis icon at the end of the row. 
B.On the Hunting page of Azure Sentinel. Select New query. 
C.On the Create Custom query, make your edits then click the Create button. 
D.Select the ellipsis in the line of the query you want to modify, and select Edit query. 
E.On the Hunting page of the Azure Sentinel, find the query you wish to clone.

Answer options:

A.A->C->E
B.D -> C -> A
C.C -> E -> A
D.E -> A -> C

Correct Answer: D 
You should perform the following tasks in order: 
1. On the Hunting page of Azure Sentinel, find the query you wish to clone. 
2. Choose Clone query by clicking the ellipsis icon at the end of the row. 
3. On the Create custom query page, make your edits then click the Create button. 
First, you should find the query you wish to clone. You will do this by navigating to the Hunting page within Azure Sentinel and then looking through the list of queries. This will allow you to ensure the right initial query is cloned in the next step. 
Next, you should choose the Clone query option. This is accessible via the ellipsis at the end of the row for the query you found in step one. This will make a copy of the query you identified in the first step and will take you to the page where you can make changes to that copy. 
Finally, you should make your edits then click the Create button. These edits will be made on the Create custom query page, which is the page you are taken to after selecting Clone query in step two. This will allow you to tweak the copy to your needs. When you click Create, the initial query you copied will still exist in its original state, and a new query with the changes you make in this step will be generated/saved. 
This process would allow you, for example, to alter the IP or hostname in the query to match your other domain controllers (DCs) but keep the rest of the query the same. As mentioned above, it also leaves the original query untouched/as-is. This is a fast, efficient way to make several queries that are related but require minor tweaks to meet the desired outcome. Starting each query from scratch would take much longer and would be more likely to result in human error in the query syntax. 
You should not select New query on the Hunting page of Azure Sentinel. While this option could ultimately be chosen to generate the queries for your other DCs, as mentioned above, you would be starting from scratch. If you only need to change a few minor things in your query, going to New query is a waste of time as the clone option gives you a better starting point. 
You should not select the ellipsis in the line of the query you want to modify, and select Edit query. This would allow you to edit an existing query, but it would not create a copy of it. Any edits made here would alter the original query. With the Clone query option, you leave the original unaltered, while efficiently creating new queries based on it. 
Reference: 

https://docs.microsoft.com/en-us/azure/sentinel/hunting