SC-200 Question #15: Real Exam Question with Answer & Explanation
The correct answer is A: Create a detection rule.
Submitted by viktor_hu · Apr 18, 2026 · Topic: Configure protections and detections
Question
You have the following advanced hunting query in Microsoft 365 Defender. You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours. Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Options
- A. Create a detection rule.
- B. Create a suppression rule.
- C. Add `| order by Timestamp` to the query.
- D. Replace DeviceProcessEvents with DeviceNetworkEvents.
- E. Add DeviceId and ReportId to the output of the query.
Explanation
- Create a detection rule and add ReportId and DeviceId to the output of the query. Both fields are supported in the DeviceProcessEvents table, and a custom detection rule needs them to map each alert to a device and an event. References: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide and https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-find-ransomware?view=o365-worldwide#turning-off-system-restore-rules
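As an added illustration of the two chosen actions (this query is not part of the original question, the submitter's explanation, or Microsoft's documentation), the following KQL shows the shape a DeviceProcessEvents query must have before it can be saved as a custom detection rule: it returns Timestamp, DeviceId and ReportId alongside context columns. The reg.exe filter and the DisableSR / DisableConfig value names are assumptions about how the System Restore policy is typically turned off; substitute the conditions from the actual query in the exam item.

```kusto
// Added example: DeviceProcessEvents query shaped for a custom detection rule.
// Assumption (not from the page): System Restore is disabled by reg.exe writing
// DisableSR or DisableConfig under the SystemRestore policy key.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has "SystemRestore"
    and (ProcessCommandLine has "DisableSR" or ProcessCommandLine has "DisableConfig")
// Timestamp, DeviceId and ReportId are the columns the custom detection rule
// builder requires; the remaining columns give the analyst context in the alert.
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
```

Once the query returns those identifier columns, the "Create detection rule" action in the advanced hunting page accepts it; the rule's run frequency and alert details (title, severity, MITRE category) are then set in the rule wizard rather than in the query itself.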
Topics
#AdvancedHunting #CustomDetectionRules #Microsoft365Defender #Alerting
Community Discussion
No community discussion yet for this question.