Question 401 of 975

Quick Answer

The answer is a custom detection rule using advanced hunting. This is correct because Microsoft Defender XDR’s advanced hunting feature lets you write a Kusto Query Language (KQL) query against the `DeviceNetworkEvents` table, schedule it to run hourly, and set a threshold to create an incident when the count of communications with a malicious IP exceeds 10 in a 24-hour window. On the MS-102 exam, this scenario tests your understanding of how custom detection rules differ from built-in analytics rules or automated investigation playbooks—a common trap is confusing scheduled queries with real-time alert rules. Remember that any rule requiring a specific time interval and a numeric threshold must be a custom detection rule built on a scheduled advanced hunting query. Memory tip: “If it’s timed and counted, KQL is mounted.”

MS-102 Practice Question: Manage security and threats by using Microsoft Defender XDR

This MS-102 practice question tests your understanding of managing security and threats by using Microsoft Defender XDR. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: custom detection rules in Defender XDR use Kusto Query Language (KQL). Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a device communicates with a new, unclassified IP address flagged by Microsoft threat intelligence as potentially malicious. The rule must run every hour and create an incident if the count of such communications exceeds 10 in a 24-hour window. Which type of rule should the analyst create?


Correct answer & explanation

custom detection rule using advanced hunting

A custom detection rule using advanced hunting is the correct choice because Microsoft Defender XDR allows you to create custom detection rules based on Kusto Query Language (KQL) queries that run on a scheduled interval (e.g., every hour). This rule can query the `DeviceNetworkEvents` table to identify communications with IP addresses flagged as malicious by Microsoft threat intelligence, aggregate the count over a 24-hour sliding window, and trigger an incident when the threshold of 10 is exceeded. This directly meets the requirement for a scheduled, threshold-based detection within Defender XDR.

Key principle: Custom detection rules in Defender XDR use Kusto Query Language (KQL).

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • custom detection rule using advanced hunting

    Why this is correct

    Defender XDR custom detections use advanced hunting queries that can be scheduled and trigger incidents when thresholds are exceeded.

    Related concept

    Custom detection rules in Defender XDR use Kusto Query Language (KQL).

  • scheduled alert rule in Microsoft Sentinel

    Why it's wrong here

    Microsoft Sentinel is a SIEM separate from Defender XDR; while it can do similar things, the question specifies within Defender XDR.

  • an incident creation rule in Microsoft Defender for Cloud Apps

    Why it's wrong here

    Defender for Cloud Apps focuses on SaaS application activity, not network communications from devices.

  • custom remediation action rule

    Why it's wrong here

    Remediation actions are taken after detection, not the detection itself.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse the scope of Microsoft Defender XDR custom detections with Microsoft Sentinel scheduled alert rules and assume that any scheduled query must live in Sentinel. Defender XDR's advanced hunting custom detections natively support scheduled queries and incident creation without requiring Sentinel.

Trap categories for this question

  • Similar concept trap

    Microsoft Sentinel is a SIEM separate from Defender XDR; while it can do similar things, the question specifies within Defender XDR.

Detailed technical explanation

How to think about this question

Under the hood, custom detection rules in Defender XDR use the same advanced hunting schema and KQL engine as manual hunting, but they run as scheduled queries with a configurable frequency (e.g., every hour). The rule can use the `summarize` or `make-series` operator to count events over a 24-hour lookback period, and a `| where Timestamp > ago(24h)` filter gives each run a sliding window. A real-world scenario is C2 beaconing, where a device contacts a newly observed malicious IP every few minutes; the rule aggregates those events and creates an incident only when the cumulative count exceeds 10, which suppresses noise from single, isolated connections.
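The query below is an added example of the kind of advanced hunting query the scenario describes; it is not taken from the page or from Microsoft's documentation. It assumes a constructed `datatable` of suspect IPs standing in for the threat-intelligence feed (the real rule would reference whichever indicator source your tenant uses), and it keeps `Timestamp`, `ReportId` and `DeviceId` in the output because a saved custom detection rule must return those columns to create an incident and to link it to the originating event.

```kql
// Added example: scheduled custom detection over DeviceNetworkEvents.
// The suspect-IP list is constructed (RFC 5737 documentation addresses),
// standing in for the threat-intelligence flagged IPs in the scenario.
let lookback = 24h;        // the question's sliding window
let threshold = 10;        // incident only when count exceeds this
let SuspectIPs = datatable(RemoteIP: string) [
    "198.51.100.23",       // constructed
    "203.0.113.77"         // constructed
];
DeviceNetworkEvents
| where Timestamp > ago(lookback)
// Count established outbound connections only; failed attempts are noise here
| where ActionType == "ConnectionSuccess"
| where RemoteIP in (SuspectIPs)
| summarize
    ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    // arg_max keeps Timestamp/ReportId of the newest event so the rule
    // output still carries the columns a custom detection requires
    arg_max(Timestamp, ReportId, InitiatingProcessFileName)
    by DeviceId, DeviceName, RemoteIP
| where ConnectionCount > threshold
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP,
          ConnectionCount, FirstSeen, LastSeen, InitiatingProcessFileName
```

Save this query as a custom detection rule with an hourly frequency, and the incident fires only for device/IP pairs whose count over the last 24 hours exceeds 10. When you pick the frequency, confirm in the product documentation how far back each scheduled run is allowed to look, since the service bounds the effective window independently of the `ago()` filter in the query.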

Key Concepts to Remember

  • Custom detection rules in Defender XDR use Kusto Query Language (KQL).
  • They leverage advanced hunting data from endpoints, identities, and cloud apps.
  • Rules can be scheduled to run at specific intervals (e.g., hourly).
  • Thresholds can be set to trigger incidents based on event counts over a time window.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Custom detection rules in Defender XDR use Kusto Query Language (KQL).

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Review how custom detection rules in Defender XDR use Kusto Query Language (KQL), then practise related MS-102 questions on the same topic to reinforce the concept.


FAQ

Questions learners often ask

What does this MS-102 question test?

This question tests the objective "Manage security and threats by using Microsoft Defender XDR", specifically that custom detection rules in Defender XDR use Kusto Query Language (KQL).

What is the correct answer to this question?

The correct answer is: custom detection rule using advanced hunting — A custom detection rule using advanced hunting is the correct choice because Microsoft Defender XDR allows you to create custom detection rules based on Kusto Query Language (KQL) queries that run on a scheduled interval (e.g., every hour). This rule can query the `DeviceNetworkEvents` table to identify communications with IP addresses flagged as malicious by Microsoft threat intelligence, aggregate the count over a 24-hour sliding window, and trigger an incident when the threshold of 10 is exceeded. This directly meets the requirement for a scheduled, threshold-based detection within Defender XDR.

What should I do if I get this MS-102 question wrong?

Review how custom detection rules in Defender XDR use Kusto Query Language (KQL), then practise related MS-102 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Custom detection rules in Defender XDR use Kusto Query Language (KQL).

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026


This MS-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MS-102 exam.