Microsoft Security Operations Analyst Associate SC-200 Practice Question
You are writing an advanced hunting query in Microsoft Defender XDR to detect interactive launches of PowerShell that use an encoded command. The query must be:
Case-insensitive by default.
Token-aware so that it matches the exact argument "-EncodedCommand" and does not fire on terms such as "NoEncodedCommand".
Which Kusto Query Language (KQL) operator should you use in the filter that inspects the ProcessCommandLine field to meet these requirements?
| where ProcessCommandLine has "-EncodedCommand"
| where ProcessCommandLine contains_cs "-EncodedCommand"
| where ProcessCommandLine contains "-EncodedCommand"
| where ProcessCommandLine matches regex @"-EncodedCommand\b"
The string operator that meets both requirements is has.
All string operators in KQL are case-insensitive unless they include the _cs suffix, so no additional work is needed for case handling.
Unlike contains, the has operator is token-aware: it only returns rows where the specified term appears as a whole token, delimited by white-space, punctuation, or the start/end of the string. Therefore it will match "-EncodedCommand" but not "NoEncodedCommand".
matches regex can be made token-aware but is more expensive and unnecessary here, while contains_cs is case-sensitive and would miss mixed-case variants. Hence, the correct filter is:
| where ProcessCommandLine has "-EncodedCommand"
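A complete advanced hunting query built around that filter, added here as an example and not part of the original question; the DeviceProcessEvents columns are the standard schema, while the 7-day window, the process list and the EncodedPayload column are assumptions:

```kusto
// Added example: a full Defender XDR advanced hunting query that uses the
// token-aware, case-insensitive 'has' filter from the answer above.
// The time window, process-name list and EncodedPayload column are assumptions.
DeviceProcessEvents
| where Timestamp > ago(7d)
// Scope to PowerShell hosts; in~ is the case-insensitive form of 'in'
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Token-aware and case-insensitive: matches "-EncodedCommand" and
// "-encodedcommand", but not "NoEncodedCommand" (no token boundary
// before "Encoded"), which is why 'has' is preferred over 'contains'
| where ProcessCommandLine has "-EncodedCommand"
// Capture the base64 argument that follows the switch for triage.
// PowerShell encodes it as UTF-16LE text, so decode it outside the query.
| extend EncodedPayload = extract(@"(?i)-EncodedCommand\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          ProcessCommandLine, EncodedPayload
| order by Timestamp desc
```

PowerShell also accepts abbreviated parameter names such as -enc or -e, which an exact-term filter on "-EncodedCommand" does not match, so production detections usually pair this filter with additional patterns.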