SC-200 • Practice Test 38
Free SC-200 practice test — 15 questions with explanations. Set 38. No signup required.
The exhibit shows a KQL query used in a Microsoft 365 Defender custom detection rule. The query is intended to detect encoded PowerShell commands executed in the last hour. However, the detection rule is not generating any alerts even though the SOC knows that encoded PowerShell commands are being executed. Which modification would most likely fix the detection rule?
Refer to the exhibit.

```kusto
DeviceProcessEvents
| where Timestamp >= ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-e"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```
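To work through the question, it helps to see how each predicate in the exhibit query evaluates against concrete process events. The Python below is an added example, not part of the practice test or the exhibit: it emulates the KQL string-operator semantics the query relies on (`==` is case-sensitive equality, `=~` is case-insensitive equality, `contains` is a case-insensitive substring match) and runs them over constructed `DeviceProcessEvents` rows. The sample rows, the fixed `NOW` used for the `ago(1h)` window, and the helper names are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the ago(1h) window is reproducible (assumed value for the example).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample DeviceProcessEvents rows (not real telemetry); only the
# columns the exhibit query touches are included.
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(minutes=5), "DeviceName": "ws01", "AccountName": "alice",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Timestamp": NOW - timedelta(minutes=10), "DeviceName": "ws02", "AccountName": "bob",
     "FileName": "PowerShell.exe",
     "ProcessCommandLine": "PowerShell.exe -NoP -W Hidden -enc SQBFAFgA"},
    {"Timestamp": NOW - timedelta(minutes=20), "DeviceName": "ws03", "AccountName": "carol",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws04", "AccountName": "dave",
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -e SQBFAFgA"},
    {"Timestamp": NOW - timedelta(minutes=2), "DeviceName": "ws05", "AccountName": "erin",
     "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -EncodedCommand SQBFAFgA"},
]


# KQL string-operator semantics modelled here (hypothetical helper names):
#   ==        case-sensitive equality
#   =~        case-insensitive equality
#   contains  case-insensitive substring match
def kql_eq(a, b):
    return a == b


def kql_eq_ci(a, b):
    return a.casefold() == b.casefold()


def kql_contains(haystack, needle):
    return needle.casefold() in haystack.casefold()


def evaluate_predicates(events, now=NOW):
    """Return, per event, how each predicate of the exhibit query evaluates,
    plus the =~ form of the FileName test for comparison."""
    rows = []
    for e in events:
        cmd = e["ProcessCommandLine"]
        rows.append({
            "DeviceName": e["DeviceName"],
            "in_window": e["Timestamp"] >= now - timedelta(hours=1),
            "filename_eq": kql_eq(e["FileName"], "powershell.exe"),
            "filename_eq_ci": kql_eq_ci(e["FileName"], "powershell.exe"),
            "cmd_contains_enc": kql_contains(cmd, "-enc"),
            # "-e" is a bare substring test: it also matches -ExecutionPolicy, -ep, etc.
            "cmd_contains_e": kql_contains(cmd, "-e"),
        })
    return rows


def exhibit_query(events, now=NOW):
    """Rows the exhibit query keeps, with its predicates exactly as written."""
    kept = []
    for r, e in zip(evaluate_predicates(events, now), events):
        if r["in_window"] and r["filename_eq"] and (r["cmd_contains_enc"] or r["cmd_contains_e"]):
            kept.append({k: e[k] for k in ("Timestamp", "DeviceName", "AccountName", "ProcessCommandLine")})
    return kept


if __name__ == "__main__":
    for r in evaluate_predicates(SAMPLE_EVENTS):
        print(r)
    print("kept by exhibit query:", [e["DeviceName"] for e in exhibit_query(SAMPLE_EVENTS)])
```

Running it shows that the case-sensitive `==` drops the `PowerShell.exe` row that `=~` would keep, that `pwsh.exe` is never matched by either form, that the 3-hour-old row falls outside `ago(1h)`, and that `contains "-e"` also keeps a plain `-ExecutionPolicy` invocation. The emulation does not model the output-column requirement for custom detection rules (the results must include `Timestamp` and `ReportId` together with an entity column such as `DeviceId` or `DeviceName`), which is a separate check to make when reviewing the exhibit's `project` clause.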