Crucial Exams

Microsoft Security Operations Analyst Associate SC-200 Practice Question

You are creating a custom detection rule in Microsoft Defender XDR to raise an alert when more than three PowerShell processes on the same device run a base-64 encoded command within one hour. You have written and validated the following Advanced Hunting query:

DeviceProcessEvents
| where ProcessCommandLine has "-EncodedCommand"
| summarize EventCount = count() by DeviceId, bin(Timestamp, 1h)
| where EventCount > 3

After pasting the query into the rule wizard, which additional configuration must you set so that the alert groups the matching process events by device and displays the EventCount value produced by the summarize clause?

  • Enable the Trigger alert only when threshold is reached option and set the threshold to 3.

  • Enter DeviceId in the Aggregation column setting.

  • Set Group by entity to Device ID.

  • Change the query schedule to Every 5 minutes with a 1-hour look-back window.

Microsoft Security Operations Analyst Associate SC-200
Configure protections and detections
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot