MS-102 • Practice Test 27
Free MS-102 practice test — 15 questions with explanations. Set 27. No signup required.
Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR Advanced Hunting. The query returns a list of devices on which PowerShell or cmd.exe ran with encoded commands more than 5 times in the last 7 days. The security team suspects that one of the devices is compromised because of the excessive use of encoded commands. However, a legitimate administrative script uses encoded commands regularly. How can you refine the query to reduce false positives while still detecting potentially malicious activity?
KQL query:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-e", "-enc")
| summarize Count = count() by DeviceName, FileName
| where Count > 5