Exam SC-200 All Questions

Exam SC-200 topic 1 question 56 discussion

Actual exam question from Microsoft's SC-200
Question #: 56
Topic #: 1

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to create a detection rule that meets the following requirements:

• Is triggered when a device that has critical software vulnerabilities was active during the last hour
• Limits the number of duplicate results

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

ceejay12
Highly Voted 1 year, 8 months ago
1. | distinct DeviceID
2. | project Timestamp, DeviceID, ReportID
upvoted 16 times
Nikki0222
7 months, 3 weeks ago
Correct
upvoted 2 times
wheeldj
Highly Voted 1 year, 1 month ago
Part 1: |distinct DeviceID. Because DeviceID is required to successfully join the tables, and distinct limits the returns to unique devices.
Part 2: |project Timestamp, DeviceID, ReportID. You need Timestamp, DeviceID and ReportID in the return to create a custom detection rule: https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#required-columns-in-the-query-results
upvoted 5 times
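The completed query as the two top comments describe it, written out as an added example (not the exam's hidden answer-area query and not Microsoft's own sample). It assumes the exam skeleton joins the Defender advanced hunting tables DeviceTvmSoftwareVulnerabilities and DeviceInfo, whose schema column is spelled DeviceId; the lines around the two selected pieces are a reconstruction.

```kql
// Added example: a custom detection query for devices with critical software
// vulnerabilities that were active in the last hour. Assumes the exam's query
// skeleton joins DeviceTvmSoftwareVulnerabilities with DeviceInfo.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
// Part 1: one row per device instead of one row per CVE. DeviceId is the only
// key present in both tables; CveId does not exist in DeviceInfo, so it cannot
// be the join key, and summarize is not needed because no count is asked for.
| distinct DeviceId
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(1h)   // device reported activity in the last hour
) on DeviceId
// Part 2: custom detection rules require Timestamp, ReportId and a device
// identifier (here DeviceId) in the results, so project exactly those columns.
// Each surviving row is one DeviceInfo report, carrying its own ReportId.
| project Timestamp, DeviceId, ReportId
```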
33c26f0
Most Recent 1 year, 3 months ago
Question says limit duplicates ?
upvoted 1 times
chepeerick
1 year, 7 months ago
correct
upvoted 2 times
danb67
1 year, 8 months ago
Correct: it has to be DeviceID, because DeviceId is available in both tables; CveId is not, so that wouldn't work. The 2nd is correct also, because to create a custom detection rule you need DeviceID and ReportId in the output. And the question isn't asking for a count, so summarise would not be correct.
upvoted 4 times
sand5234
1 year, 8 months ago
Answer is correct
upvoted 3 times