Microsoft Security Operations Analyst Associate SC-200 Practice Question
You are investigating potential data exfiltration performed by WinRAR. In Microsoft Defender XDR advanced hunting, you must retrieve events where WinRAR created an archive in a user profile folder and subsequently opened an outbound HTTPS connection from the same process instance. Which KQL approach should you use to correlate the two tables and return only matching rows?
Use union to combine DeviceProcessEvents and DeviceNetworkEvents, then filter for WinRAR and port 443.
Use join kind=leftanti between DeviceProcessEvents and DeviceNetworkEvents to identify WinRAR processes without matching network activity.
Use join kind=inner between DeviceProcessEvents (ProcessId) and DeviceNetworkEvents (InitiatingProcessId) on DeviceId so only rows that exist in both tables are returned.
Use summarize arg_max() across both tables grouped by DeviceId to merge the latest process and network events.
The join operator correlates rows from two tables that share matching keys. Using "join kind=inner" between DeviceProcessEvents (which holds the ProcessId of the process that created the archive) and DeviceNetworkEvents (which records the InitiatingProcessId of the process that opened the network connection), keyed on DeviceId, returns only events that exist in both tables, so the process and network activity belong to the same instance of WinRAR. A union merely stacks the two datasets without correlating them; summarize arg_max() aggregates data but does not link the separate tables; and join kind=leftanti returns the rows that have no match, which is useful for gap analysis, not for identifying overlapping events.
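As an added example (not part of the question or its explanation), here is an advanced hunting query that applies the inner join described above. The WinRAR command-line heuristic, the 30-day lookback and the ConnectionSuccess filter are assumptions, and the match on process creation time is added because Windows reuses process IDs, so DeviceId plus ProcessId alone can pair a WinRAR launch with a later, unrelated process.

```kql
// Added example, not from the question: correlate a WinRAR process that wrote an
// archive under a user profile folder with an outbound HTTPS connection opened
// by the same process instance. Column names are the standard Defender XDR schema.
let lookback = 30d;   // assumed hunting window
let winrar_archives =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "WinRAR.exe"
    // Assumed heuristic: archive path under C:\Users\<name>\... on the command line
    | where ProcessCommandLine contains @"\Users\"
        and ProcessCommandLine matches regex @"(?i)\.(rar|zip|7z)\b"
    | project DeviceId, DeviceName, AccountName,
              ProcessId, ProcessCreationTime,
              ArchiveTime = Timestamp, ProcessCommandLine;
let https_out =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemotePort == 443
    | project DeviceId, InitiatingProcessId, InitiatingProcessCreationTime,
              NetTime = Timestamp, RemoteIP, RemoteUrl, RemotePort;
// kind=inner keeps only rows present on both sides. PIDs are reused, so the
// creation-time equality pins the exact process instance, not just the PID.
winrar_archives
| join kind=inner https_out
    on DeviceId,
       $left.ProcessId == $right.InitiatingProcessId,
       $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| where NetTime >= ArchiveTime   // connection opened after the archive was created
| project DeviceName, AccountName, ProcessId, ArchiveTime, NetTime,
          RemoteIP, RemoteUrl, ProcessCommandLine
| order by NetTime asc
```

Swapping kind=inner for kind=leftanti in the same query lists WinRAR archive creations with no HTTPS follow-up, which is the gap-analysis case the explanation contrasts.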