Exam SC-200 topic 1 question 8 discussion

Correct query is DeviceProcessEvents | where Timestamp > ago (24h) //Pivoting for rundll32 | where InitiatingProcessFileName =~ 'rundll32.exe' //Looking for empty command line and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != "" //Looking for schtasks.exe as the created process and FileName in~ ('schtasks.exe') //Disabling system restore and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore' and ProcessCommandLine has 'disable' | project Timestamp, AccountName, ProcessCommandLine, DeviceId, ReportId Given answer is correct. - Create detection rule - Add ReportId and DeviceId to the output. Both fields are supported in DeviceProcessEvents table.(https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide) The sample query can be found here https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-find-ransomware?view=o365-worldwide#turning-off-system-restore

Given answer is CORRECT: According to the link below, DeviceID and ReportID are REQUIRED columns for any custom query. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide#suppress-an-alert-and-create-a-new-suppression-rule

Given answers are correct

Given answer is correct

A = Requirement is to create an alert. Not B = This will hide the the alert. Not C = Avoid filtering custom detections using the Timestamp column. The data used for custom detections is pre-filtered based on the detection frequency. Not D = Random filler answer E = To create a custom detection rule, the query must return the following columns: ->Timestamp—used to set the timestamp for generated alerts ->ReportId—enables lookups for the original records One of the following columns that identify specific devices, users, or mailboxes: -> DeviceId

It is C&E C. Adding | order by Timestamp to the query ensures that the results are ordered by the Timestamp in ascending or descending order, depending on your requirement. This helps you easily identify the most recent events related to the disabling of System Restore. E. Adding DeviceId and ReportId to the output of the query provides additional context about the affected device and the specific report associated with the event. This information is valuable for investigation and tracking purposes. The other options (B and D) are not relevant to the task of creating an alert for detecting the disabling of System Restore by a process. Suppression rules are used to manage and control alert noise, and replacing DeviceProcessEvents with DeviceNetworkEvents changes the source of data, which isn't related to the objective of the question.

I agree with AE

correct

A and E

correct

Create a detection rule: A detection rule is a configuration in Microsoft 365 Defender that specifies the conditions under which an alert should be generated. You can create a detection rule based on the advanced hunting query provided, which will trigger an alert whenever the query returns any results. Add DeviceId and ReportId to the output of the query: In order to include relevant information about the device and alert in the generated alert, you should include the DeviceId and ReportId fields in the output of the query. You can do this by adding DeviceId and ReportId to the list of fields selected by the project operator at the end of the query.

correct

Best answer

Agree with AE

Simples.

AE is correct

Given answer is correct