Complete SC-200 Perform threat hunting question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```kql
let threshold = 5;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50057" // User account is disabled
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > threshold
| project UserPrincipalName, IPAddress, FailedAttempts
```
Refer to the exhibit.
```kql
// Hunt: script-host launches carrying an encoded/abbreviated switch, paired with
// outbound 443 traffic from the same device in the last 7 days.
DeviceProcessEvents
| where Timestamp > ago(7d)
// in~ is case-insensitive, so "PowerShell.exe" also matches.
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
// contains is case-insensitive; "-enc" also covers "-EncodedCommand".
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-e "
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 443
| project Timestamp, DeviceName, RemoteUrl
// Timestamp is a join key, so only network events with exactly the same Timestamp
// as the process event survive the inner join.
) on DeviceName, Timestamp
// Timestamp1 is the right-side copy of the join key. Because the join already forced
// Timestamp == Timestamp1, this window filter cannot exclude any row: the intended
// "within 10 minutes" correlation is not achieved as written.
| where Timestamp between (Timestamp1 .. Timestamp1 + 10m)
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Hunt for suspicious PowerShell",
"description": "Detects PowerShell with encoded commands",
"tactics": ["Execution"],
"techniques": ["T1059.001"],
"requiredDataConnectors": [
{ "connectorId": "MicrosoftThreatProtection", "dataTypes": ["DeviceProcessEvents"] }
],
"queryPeriod": "14d",
"queryFrequency": "1d",
"triggerOperator": "gt",
"triggerThreshold": 0,
"query": "DeviceProcessEvents | where FileName == 'powershell.exe' and ProcessCommandLine contains '-enc'",
"suppressionEnabled": false
}
}
```
Refer to the exhibit.
```kusto
// KQL query used in a Sentinel hunting query
// Hunt: accounts that exceeded the failed-logon threshold from a source IP and also
// had at least one successful logon from that same IP inside the same window.
let TimeWindow = 1h;
let Threshold = 5;
let FailedLogons =
SecurityEvent
| where TimeGenerated > ago(TimeWindow)
// 4625: an account failed to log on.
| where EventID == 4625
// NOTE(review): the SecurityEvent table exposes the client address as IpAddress;
// confirm a SourceIP column exists in this workspace before relying on this query.
| summarize FailedCount = count() by Account, SourceIP
| where FailedCount > Threshold;
FailedLogons
| join kind=inner (
SecurityEvent
| where TimeGenerated > ago(TimeWindow)
// 4624: an account was successfully logged on.
| where EventID == 4624
| summarize LogonCount = count() by Account, SourceIP
) on Account, SourceIP
// Always true after the inner join: any joined row came from a group with count() >= 1.
// Note that no ordering is enforced, so the successful logon may precede the failures.
| where LogonCount > 0
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Hunt for PowerShell Empire",
"description": "Searches for common PowerShell Empire indicators",
"query": "DeviceProcessEvents | where FileName == 'powershell.exe' and ProcessCommandLine contains 'Reflection.Assembly' or ProcessCommandLine contains 'System.Net.WebClient'",
"tactics": ["Execution"],
"techniques": ["T1059.001"],
"inputEntityType": "host",
"requiredDataConnectors": [
{
"connectorId": "MicrosoftThreatProtection"
}
]
}
}
```
Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel hunting
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 445
| summarize TotalConnections = count() by DeviceName, RemoteIP
| where TotalConnections > 100
| project DeviceName, RemoteIP, TotalConnections
```
Refer to the exhibit.
```kusto
let HuntingTimeRange = 7d;
let MaliciousIPs = externaldata(IP:string) ["https://raw.githubusercontent.com/stixproject/.../malicious_ips.csv"] with (format="csv");
DeviceNetworkEvents
| where Timestamp > ago(HuntingTimeRange)
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
```
Refer to the exhibit.
```kusto
IdentityLogonEvents
| where Timestamp > ago(14d)
| where AccountUpn endswith "@contoso.com"
| summarize LogonCount = count() by AccountUpn, IPAddress, Application
| where LogonCount == 1
| project AccountUpn, IPAddress, Application
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Hunt for suspicious PowerShell",
"description": "Detects base64 encoded PowerShell commands.",
"query": "DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine contains '-EncodedCommand'",
"tactics": ["Execution", "DefenseEvasion"],
"techniques": ["T1059.001", "T1027"],
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
}
```
Refer to the exhibit.
```powershell
$hunt = Get-MpThreat -ThreatID 12345
$hunt | Format-List
```
Refer to the exhibit.
```kusto
let TimeRange = 7d;
let SuspiciousIPs = materialize(
DeviceNetworkEvents
| where Timestamp > ago(TimeRange)
| where RemoteIPType == "Public"
| where RemotePort == 445
| summarize Count = count() by RemoteIP
| where Count > 100
);
DeviceNetworkEvents
| where Timestamp > ago(TimeRange)
| where RemoteIP in (SuspiciousIPs)
| summarize ConnectionCount = count() by DeviceName, RemoteIP
```
Refer to the exhibit.
```kusto
let T = (DeviceEvents
| where ActionType startswith 'ScheduledTask'
| where Timestamp > ago(7d)
| summarize count() by ActionType, bin(Timestamp,1h));
T
| where count_ > 10
| order by Timestamp desc
```
Refer to the exhibit.
```json
{
"properties": {
"query": "(union isfuzzy=true\n (DeviceProcessEvents\n | where FileName == \"rundll32.exe\"\n | where ProcessCommandLine contains \"javascript\"\n ),\n (DeviceNetworkEvents\n | where RemoteIPType == \"Public\"\n | where Protocol == \"HTTP\"\n )\n)",
"queryFrequency": "1h",
"queryPeriod": "1h",
"triggerOperator": "gt",
"triggerThreshold": 1
}
}
```
Refer to the exhibit.
```kusto
let baseline = (DeviceLogonEvents
| where Timestamp > ago(30d)
| summarize LogonCount = count() by AccountUpn, bin(Timestamp,1d)
| summarize avg(LogonCount), stdev(LogonCount) by AccountUpn);
DeviceLogonEvents
| where Timestamp > ago(1d)
| summarize DailyCount = count() by AccountUpn
| join kind=inner baseline on AccountUpn
| where DailyCount > (avg_LogonCount + 2*stdev_LogonCount)
```
Refer to the exhibit.
```kusto
// Hunt: eight-lowercase-letter .scr files written under a user's Desktop, on devices
// that also show SMB traffic to private addresses.
DeviceFileEvents
| where Timestamp > ago(7d)
// @"..." is a verbatim string, so the backslashes are literal path separators.
| where FolderPath contains @"\Users\" and FolderPath endswith @"\Desktop"
// Regex matching is case-sensitive: a file named "ABCDEFGH.scr" is not matched.
| where FileName matches regex @"^[a-z]{8}\.scr$"
| where isnotempty(SHA256)
| join kind=inner (DeviceNetworkEvents
// No Timestamp filter on this side: every SMB row in retention is a join candidate.
| where RemoteIPType == "Private"
// NOTE(review): confirm Protocol ever carries the value "SMB" in DeviceNetworkEvents;
// a RemotePort == 445 filter may be what is intended here.
| where Protocol == "SMB"
// Device-level join only: no time proximity between the file write and the SMB
// connection is enforced, so this is a per-device cross product.
) on DeviceId
| project Timestamp, DeviceName, FileName, SHA256, RemoteIP
```
Refer to the exhibit.
```kusto
// Hunt: Entra ID accounts with more than `threshold` non-success logons from an IP
// that also produced at least one successful logon (the inner join drops IPs with
// failures only).
let threshold = 10;
IdentityLogonEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft Entra ID"
// countif treats every row whose LogonType is not "Success" as a failed attempt.
// NOTE(review): in the advanced hunting schema the outcome is usually carried by
// ActionType (LogonSuccess / LogonFailed); confirm LogonType ever equals "Success" here.
| summarize FailedAttempts = countif(LogonType != "Success") by AccountUpn, IPAddress
| where FailedAttempts > threshold
| join kind=inner (IdentityLogonEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft Entra ID" and LogonType == "Success"
| summarize SuccessfulLogons = count() by AccountUpn, IPAddress)
on AccountUpn, IPAddress
| project AccountUpn, IPAddress, FailedAttempts, SuccessfulLogons
```
Refer to the exhibit.
```json
{
"displayName": "Suspicious PowerShell Execution",
"description": "Detects PowerShell launching from unusual parent processes",
"query": "DeviceProcessEvents | where FileName == 'powershell.exe' and ParentFileName in~ ('explorer.exe', 'winword.exe', 'excel.exe')",
"tactics": ["Execution"],
"techniques": ["T1059.001"],
"severity": "Medium"
}
```
Refer to the exhibit.
```powershell
# PowerShell script to run a custom hunting query in Microsoft Sentinel via REST API
# Builds a KQL query body and POSTs it to the Log Analytics query endpoint of one workspace.
$query = @"
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "javascript"
| summarize Count = count() by DeviceName
| where Count > 5
"@
# Placeholder workspace GUID; the real value comes from the workspace properties.
$workspaceId = "12345678-1234-1234-1234-123456789abc"
# The endpoint expects {"query": "<KQL>"}; ConvertTo-Json escapes the embedded quotes and newlines.
$body = @{query = $query} | ConvertTo-Json
# No -Headers / -Authentication argument is supplied, so no bearer token accompanies
# this request; the Log Analytics query API requires one, so as written the call is
# expected to be rejected as unauthorized -- TODO confirm.
Invoke-RestMethod -Uri "https://api.loganalytics.io/v1/workspaces/$workspaceId/query" -Method Post -Body $body -ContentType "application/json"
```
Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "powershell.exe"
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "javascript:"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Solorigate Hunt",
"description": "Hunt for Solorigate activity",
"tactics": ["Persistence", "DefenseEvasion"],
"relevantTechniques": ["T1053", "T1562"],
"query": "DeviceEvents | where Timestamp > ago(7d) | where ActionType == 'DnsQueryResponse' | where RemoteIP in (ipv4_lookup('solorigate_ips', 'RemoteIP'))"
}
}
```
Refer to the exhibit.
```kusto
let suspiciousIPs = externaldata(IP:string) ["https://raw.githubusercontent.com/threatlist/suspicious-ips.txt"] with(format="csv");
IdentityLogonEvents
| where Timestamp > ago(1d)
| where IPAddress in (suspiciousIPs)
| summarize LogonCount = count() by IPAddress, AccountUpn
| where LogonCount > 5
```
{
"huntQuery": "let threshold = 5;\nSigninLogs\n| where TimeGenerated > ago(7d)\n| summarize SigninCount = count() by UserPrincipalName, IPAddress, AppDisplayName\n| where SigninCount > threshold\n| join kind=leftouter (\n AADUserRiskEvents\n | where TimeGenerated > ago(7d)\n | summarize RiskCount = count() by UserPrincipalName\n) on UserPrincipalName\n| project UserPrincipalName, IPAddress, AppDisplayName, SigninCount, RiskCount\n| order by SigninCount desc\n"}{
"QueryText": "DeviceNetworkEvents | where RemoteIPType == 'Public' and Timestamp > ago(30d) | summarize ConnectionCount = count() by DeviceName, RemoteIP | where ConnectionCount > 100 | join kind=inner (ThreatIntelligenceIndicator | where Active == true) on $left.RemoteIP == $right.NetworkIP",
"QueryDescription": "Hunt for devices making high-volume outbound connections to known threat intelligence IPs"
}
{
"QueryText": "DeviceNetworkEvents | where RemotePort == 53 and Timestamp > ago(1d) | summarize count() by DeviceName, RemoteIP | where count_ > 1000",
"QueryDescription": "Hunt for potential DNS amplification attacks from internal devices"
}
Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel hunting
// Hunt: medium-risk sign-ins for a fixed set of users, joined to service-principal
// sign-ins that came from the same IP address.
let TargetUsers = dynamic(["admin@contoso.com", "user1@contoso.com"]);
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName in (TargetUsers)
// Equality on "medium" only: "high" risk sign-ins are excluded by this filter.
| where RiskLevelDuringSignIn == "medium"
| project TimeGenerated, UserPrincipalName, IPAddress, RiskLevelDuringSignIn
| join kind=leftouter (
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(7d)
| project ServicePrincipalName, IPAddress
) on IPAddress
// leftouter keeps every user sign-in row and emits one row per matching
// service-principal sign-in, so Count is inflated by the number of service-principal
// matches on that IP rather than counting user sign-ins alone.
| summarize Count = count() by UserPrincipalName
| where Count > 5
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Hunt for Midnight Blizzard IOCs",
"description": "This hunting query looks for indicators associated with Midnight Blizzard.",
"tactics": ["InitialAccess", "Persistence"],
"relevantTechniques": ["T1566", "T1098"],
"queryText": "let IOCs = externaldata(...); ...",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
}
```
Refer to the exhibit.
```kql
let IPs = dynamic(['10.0.0.1', '10.0.0.2']);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (IPs)
| summarize count() by RemoteIP, DeviceName
| where count_ > 5
```
Refer to the exhibit.
```json
{
"id": "12345678-1234-1234-1234-123456789012",
"displayName": "Unusual Geographically Impossible Travel",
"enabled": true,
"alertRuleTemplateName": null,
"query": "SigninLogs | where TimeGenerated > ago(1d) | summarize make_set(Location) by UserPrincipalName | where array_length(set_Location) > 1",
"queryFrequency": "PT1H",
"queryPeriod": "P1D",
"severity": "Medium",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
```
Refer to the exhibit.
```kql
let TargetUser = 'jdoe@contoso.com';
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn == TargetUser
| where Application == 'Azure Portal'
| summarize LogonCount = count() by IPAddress, Country
| where LogonCount > 10
```
Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel
// Hunt: cmd.exe launching something with "powershell" on its command line, on devices
// that also had any connection to port 443 in the same 7-day window.
DeviceProcessEvents
| where Timestamp > ago(7d)
// == is case-sensitive: "CMD.EXE" would not match; =~ is the case-insensitive form.
| where FileName == "cmd.exe"
| where ProcessCommandLine contains "powershell"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 443
// Joined on DeviceName only: each process row is paired with every 443 connection
// on that device in the window, so this is a per-device cross product, not a time
// correlation, and the row count can grow very large.
) on DeviceName
```
Refer to the exhibit.
```json
{
"displayName": "Hunt for Pass-the-Hash",
"description": "Detects possible PtH using Event ID 4624 with logon type 9 and NTLM authentication.",
"tactics": ["LateralMovement"],
"techniques": ["T1550.002"],
"query": "SecurityEvent\n| where EventID == 4624\n| where LogonType == 9\n| where AuthenticationPackage == 'NTLM'\n| project TimeGenerated, Account, Computer, TargetLogonId",
"triggerOperator": "gt",
"triggerThreshold": 0
}
```
Refer to the exhibit.
```kusto
// Microsoft Sentinel KQL for hunting suspicious logons
let suspiciousAccounts = dynamic(["svc_backup", "sql_sa", "testuser"]);
SecurityEvent
| where EventID == 4624
| where Account !in (suspiciousAccounts)
| where LogonType in (3, 10)
| where LogonProcessName == "NtLmSsp" or LogonProcessName == "Kerberos"
| summarize LogonCount = count() by Account, Computer
| where LogonCount > 10
```
Refer to the exhibit.
```kusto
// KQL for hunting suspicious PowerShell usage
// Hunt: powershell.exe started with an encoded-command switch, on devices that also
// connected to one of the listed RemoteIPs within the same 7-day window.
let RemoteIPs = dynamic(["10.0.0.1", "10.0.0.2"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// == is case-sensitive; "PowerShell.exe" would not match this filter.
| where FileName == "powershell.exe"
// NOTE(review): has_any matches whole terms rather than substrings, so the short
// tokens "-e " and "-enc " may not behave like a contains search -- confirm.
| where ProcessCommandLine has_any ("-EncodedCommand", "-e ", "-enc ")
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (RemoteIPs)
// Join on DeviceName only: the network event is not required to be near the
// process event in time.
) on DeviceName
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteIP
```
Refer to the exhibit.
```json
{
"displayName": "Hunt for Unusual Service Creation",
"description": "Detect abnormal service installations on servers.",
"tactics": ["Persistence", "Execution"],
"techniques": ["T1543.003"],
"query": "DeviceEvents\n| where ActionType == 'ServiceInstalled'\n| extend ServiceName = tostring(AdditionalFields['ServiceName'])\n| extend ServiceImagePath = tostring(AdditionalFields['ServiceImagePath'])\n| where ServiceName startswith 'Legit'\n| project TimeGenerated, DeviceName, ServiceName, ServiceImagePath",
"triggerOperator": "gt",
"triggerThreshold": 0
}
```
Refer to the exhibit.
```kql
// Hunt: cmd.exe process rows joined to "ProcessCreated" DeviceEvents rows on the same device.
let TimeRange = 7d;
let TargetProcess = "cmd.exe";
DeviceProcessEvents
| where Timestamp > ago(TimeRange)
| where FileName == TargetProcess
| join kind=inner (
DeviceEvents
| where Timestamp > ago(TimeRange)
// NOTE(review): process creation is what DeviceProcessEvents itself records; confirm
// DeviceEvents ever carries an ActionType of "ProcessCreated", otherwise the inner
// join returns no rows.
| where ActionType == "ProcessCreated"
// Joined on DeviceId only, so every cmd.exe row pairs with every matching DeviceEvents
// row on that device in the window.
) on DeviceId
// After the join the right-side duplicates are suffixed, so FileName and
// InitiatingProcessFileName here refer to the DeviceProcessEvents (left) columns.
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName
```
Refer to the exhibit.
```json
{
"properties": {
"query": "SecurityAlert\n| where AlertName has_any ('Malware', 'Ransomware')\n| project TimeGenerated, AlertName, CompromisedEntity, ProviderName"
}
}
```
Refer to the exhibit.
```kql
// Hunt: cmd.exe launches since the first observed powershell.exe, restricted to devices
// that have run powershell.exe at some point.
let FirstSeen = (DeviceProcessEvents
| where FileName == "powershell.exe"
// NOTE(review): toscalar() is not applied, so FirstSeen is a one-row table rather than
// a datetime; confirm the `between` below accepts it, otherwise the query fails to compile.
| summarize min(Timestamp));
DeviceProcessEvents
// ago(0d) is "now"; the lower bound is the earliest powershell.exe row in retention.
| where Timestamp between (FirstSeen .. ago(0d))
| where FileName == "cmd.exe"
// leftsemi keeps only left rows that have a match and returns none of the right-side columns.
| join kind=leftsemi (
DeviceProcessEvents
| where FileName == "powershell.exe"
| project DeviceId, ParentProcessFileName
) on DeviceId
// ParentProcessFileName must therefore come from the left table.
// NOTE(review): the advanced hunting schema names the parent InitiatingProcessFileName;
// confirm ParentProcessFileName exists in DeviceProcessEvents.
| project Timestamp, DeviceName, FileName, ParentProcessFileName
```
Refer to the exhibit.
```powershell
$table = "DeviceProcessEvents"
$query = "DeviceProcessEvents | where FileName == 'reg.exe' | project Timestamp, DeviceName, AccountName"
Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $query
```
Refer to the exhibit.
```json
{
"name": "ThreatHuntRule",
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2023-02-01-preview",
"properties": {
"displayName": "Threat Hunt - Suspicious Process",
"description": "Detects suspicious process execution",
"severity": "Medium",
"enabled": true,
"query": "DeviceProcessEvents | where FileName has_any ('wscript.exe','cscript.exe','mshta.exe')",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": ["Execution"],
"techniques": ["T1059"],
"alertRuleTemplateName": null
}
}
```
Refer to the exhibit.
```powershell
# Pulls the local Defender Antivirus detection history and keeps entries for a single threat ID.
$rules = Get-MpThreatDetection
# -eq compares ThreatID numerically against the literal; only matching detections are emitted.
$rules | Where-Object { $_.ThreatID -eq 2147723152 }
```
Refer to the exhibit.
```kusto
// Hunt: (account, remote IP) logon pairs seen in the last day that never appeared in the
// preceding baseline window, limited to accounts that do have baseline history.
// materialize() caches the baseline because it is consumed twice below.
let baseline = materialize(
DeviceLogonEvents
// The baseline stops at ago(1d) so that today's rows cannot mask themselves.
| where Timestamp between (ago(30d) .. ago(1d))
// summarize by with no aggregate yields the distinct (AccountUpn, RemoteIP) pairs.
| summarize by AccountUpn, RemoteIP
);
DeviceLogonEvents
| where Timestamp > ago(1d)
// Accounts with no baseline at all (e.g. brand-new accounts) are excluded here.
| where AccountUpn in (baseline | project AccountUpn)
// leftanti keeps only the left rows with NO matching (AccountUpn, RemoteIP) in baseline.
| join kind=leftanti baseline on AccountUpn, RemoteIP
```
Refer to the exhibit.
```kusto
let timeframe = 7d;
let maliciousIPs = externaldata(IP:string) ["https://raw.githubusercontent.com/.../malicious_ips.txt"] with (format="csv");
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where RemoteIP in (maliciousIPs)
| summarize count() by DeviceName, RemoteIP
```
Refer to the exhibit.
```json
{
"id": "12345678-1234-1234-1234-123456789abc",
"displayName": "Hunt for C2",
"description": "Look for beaconing patterns",
"queryText": "DeviceNetworkEvents | where Timestamp > ago(1d) | summarize count() by RemoteIP, DeviceName | where count_ > 100",
"tactics": ["CommandAndControl"],
"techniques": ["T1071"]
}
```
{
"query": "DeviceProcessEvents | where ProcessCommandLine contains '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"' and InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe') | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine"
}