SC-200 Exam Questions

SC-200 Exam - Question 287


You have a Microsoft 365 E5 subscription.

You have the following KQL query.

[Image: the KQL query referenced by this question; not reproduced on this page]

You need to use the query to create a Microsoft Defender XDR custom detection rule that can isolate an onboarded device.

How should you modify the query?

Correct Answer:

Discussion

1 comment
Adel614 (Option: D)
Apr 19, 2025

The correct answer is D. Add the DeviceId and Timestamp columns to the project operator. Here's why: To isolate an onboarded device using a Microsoft Defender XDR custom detection rule, the query must include the DeviceId column, as it uniquely identifies the device to be isolated. Additionally, the Timestamp column is essential for tracking when the activity occurred, ensuring accurate detection and response. By adding these columns to the project operator, the query will provide the necessary details for the detection rule to isolate the device effectively.