
Exam SC-200 topic 5 question 21 discussion

Actual exam question from Microsoft's SC-200
Question #: 21
Topic #: 5

You have a Microsoft 365 E5 subscription.

You have the following KQL query.



You need to use the query to create a Microsoft Defender XDR custom detection rule that can isolate an onboarded device.

How should you modify the query?

  • A. Add the AccountUpn and Timestamp columns to the project operator.
  • B. Add a distinct operator.
  • C. Add a summarize operator.
  • D. Add the DeviceId and Timestamp columns to the project operator.
Suggested Answer: D
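The reason D fits: a query submitted as a Microsoft Defender XDR custom detection rule must return the Timestamp and ReportId columns plus at least one entity column (DeviceId, DeviceName, AccountUpn and similar), and the device response actions, isolation included, are only offered when DeviceId is among the returned columns. AccountUpn (option A) identifies a user, not a device, and a distinct or summarize operator (B, C) does nothing to supply the missing columns and tends to drop them. The following is an added illustration, not the query from the exam (which is not reproduced on this page); the table, filter values and alert scenario are assumptions chosen only to show the column shape a rule needs:

```kql
// Added example, not the question's query. Hypothetical scenario: flag
// certutil being used as a downloader and let the rule isolate the device.
DeviceProcessEvents
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("urlcache", "-split")
// Timestamp and ReportId are mandatory for every custom detection rule;
// DeviceId is what makes the "Isolate device" response action available.
// The remaining columns are context for the analyst, not requirements.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountUpn,
          FileName, ProcessCommandLine, InitiatingProcessFileName
```

If the original query ends in a `project` that omits Timestamp, ReportId or DeviceId, adding them there is the whole fix; no time filter is needed, because the rule's frequency setting determines the lookback window when it runs.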

Comments

Adel614
1 month, 3 weeks ago
Selected Answer: D
The correct answer is D. Add the DeviceId and Timestamp columns to the project operator. Here's why: To isolate an onboarded device using a Microsoft Defender XDR custom detection rule, the query must include the DeviceId column, as it uniquely identifies the device to be isolated. Additionally, the Timestamp column is essential for tracking when the activity occurred, ensuring accurate detection and response. By adding these columns to the project operator, the query will provide the necessary details for the detection rule to isolate the device effectively.
upvoted 2 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other