
Microsoft Exam SC-200 Topic 2 Question 77 Discussion

Actual exam question for Microsoft's SC-200 exam
Question #: 77
Topic #: 2

You have a Microsoft 365 subscription. You have the following KQL query.

DeviceEvents
| where ActionType == "AntivirusDetection"

You need to ensure that you can create a Microsoft Defender XDR custom detection rule by using the query.

What should you add to the query?

Suggested Answer: D

Contribute your Thoughts:

Lorean
1 month ago
I'm just going to close my eyes and click on an answer. Hopefully, it's the right one, or at least I'll get partial credit for trying.
upvoted 0 times
Cory
1 month ago
This is a tricky one! I'm going to guess option C - 'summarize (Timestamp)=range(Timestamp), count() by DeviceId'. It sounds like it could work, but I'm not 100% sure.
upvoted 0 times
Chantell
1 month ago
Wait, what's 'arg_min' and 'arg_max'? I'm a bit confused by the syntax here. Maybe I should ask the instructor for clarification.
upvoted 0 times
Ronny
5 days ago
C) Adding 'summarize (Timestamp)=range(Timestamp), count() by DeviceId' will help you create the Microsoft Defender XDR custom detection rule.
upvoted 0 times
Nickie
16 days ago
You can ask the instructor for clarification.
upvoted 0 times
Delsie
16 days ago
B) 'arg_min' and 'arg_max' are functions used to find the minimum and maximum values in a column. You can ask the instructor for clarification.
upvoted 0 times
Kallie
22 days ago
A) You should add 'summarize (Timestamp, DeviceName)=arg_min(Timestamp, DeviceName), count() by DeviceId' to the query.
upvoted 0 times
Tonja
2 months ago
Aha, I've seen this kind of query before! I'm going to go with option D - 'summarize (ReportId)=make_set(ReportId), count() by DeviceId'. It seems to be the most relevant for creating a custom detection rule.
upvoted 0 times
Clorinda
3 days ago
Yes, option D makes sense for adding to the query to create the custom detection rule.
upvoted 0 times
Lucia
4 days ago
I agree, option D seems to be the most suitable for creating the custom detection rule with Microsoft Defender XDR.
upvoted 0 times
Geraldine
13 days ago
I think option D is the right choice too. It looks like it will help create the custom detection rule.
upvoted 0 times
Thomasena
2 months ago
Hmm, I'm not sure. I think I need to read up more on Microsoft Defender XDR custom detection rules. This query looks a bit complex.
upvoted 0 times
Detra
1 day ago
User1: Let's try adding it and see if it works for the custom detection rule.
upvoted 0 times
Thersa
2 days ago
User3: I agree. Adding that to the query will ensure the rule is effective.
upvoted 0 times
Marta
22 days ago
User2: That makes sense. It will help create the Microsoft Defender XDR custom detection rule.
upvoted 0 times
Von
1 month ago
User1: I think you should add 'summarize (Timestamp)=range(Timestamp), count() by DeviceId' to the query.
upvoted 0 times
Valene
2 months ago
I'm not sure, but I think D) summarize (ReportId)=make_set(ReportId), count() by DeviceId could also work.
upvoted 0 times
Veta
3 months ago
I agree with Trinidad. Adding range(Timestamp) will help create the custom detection rule.
upvoted 0 times
Trinidad
3 months ago
I think the correct answer is C) summarize (Timestamp)=range(Timestamp), count() by DeviceId.
upvoted 0 times
