Microsoft Security Operations Analyst Associate SC-200 Practice Question
You are writing a custom advanced hunting query in Microsoft Defender XDR. The query must return all records in the DeviceProcessEvents table where the ProcessCommandLine field contains at least one of the following substrings: "-enc", "-EncodedCommand", or "-e". You want to avoid chaining multiple OR conditions in the WHERE clause. Which Kusto Query Language (KQL) operator should you use to meet this requirement?
The has_any operator tests whether a string or dynamic array field contains at least one value from a list of supplied literals. Using has_any with the three substrings lets the query return events whose ProcessCommandLine includes any of them without writing separate OR comparisons.
The other operators do not fit the requirement. contains performs a case-insensitive search for a single substring, so matching three substrings would need three separate conditions. in compares the entire field value against a list of exact matches, which is unsuitable for searching within a longer command line. matches regex requires a regular expression, which is more complex than necessary for this simple list comparison.
Manage security threats