- A: custom detection rule using advanced hunting. Defender XDR custom detections use advanced hunting queries that can be scheduled and trigger incidents when thresholds are exceeded.
- B: scheduled alert rule in Microsoft Sentinel. Why wrong: Microsoft Sentinel is a SIEM separate from Defender XDR; while it can do similar things, the question specifies within Defender XDR.
- C: An incident creation rule in Microsoft Defender for Cloud Apps. Why wrong: Defender for Cloud Apps focuses on SaaS application activity, not network communications from devices.
- D: custom remediation action rule. Why wrong: Remediation actions are taken after detection, not the detection itself.
Quick Answer
The answer is a custom detection rule using advanced hunting. This is correct because Microsoft Defender XDR’s advanced hunting feature lets you write a Kusto Query Language (KQL) query against the `DeviceNetworkEvents` table, schedule it to run hourly, and set a threshold to create an incident when the count of communications with a malicious IP exceeds 10 in a 24-hour window. On the MS-102 exam, this scenario tests your understanding of how custom detection rules differ from built-in analytics rules or automated investigation playbooks—a common trap is confusing scheduled queries with real-time alert rules. Remember that any rule requiring a specific time interval and a numeric threshold must be a custom detection rule built on a scheduled advanced hunting query. Memory tip: “If it’s timed and counted, KQL is mounted.”
MS-102 Practice Question: Manage security and threats by using Microsoft Defender XDR
This MS-102 practice question tests your understanding of "Manage security and threats by using Microsoft Defender XDR". Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: custom detection rules in Defender XDR use Kusto Query Language (KQL). Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a device communicates with a new, unclassified IP address flagged by Microsoft threat intelligence as potentially malicious. The rule must run every hour and create an incident if the count of such communications exceeds 10 in a 24-hour window. Which type of rule should the analyst create?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
custom detection rule using advanced hunting
A custom detection rule using advanced hunting is the correct choice because Microsoft Defender XDR allows you to create custom detection rules based on Kusto Query Language (KQL) queries that run on a scheduled interval (e.g., every hour). This rule can query the `DeviceNetworkEvents` table to identify communications with IP addresses flagged as malicious by Microsoft threat intelligence, aggregate the count over a 24-hour sliding window, and trigger an incident when the threshold of 10 is exceeded. This directly meets the requirement for a scheduled, threshold-based detection within Defender XDR.
Key principle: Custom detection rules in Defender XDR use Kusto Query Language (KQL).
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓ custom detection rule using advanced hunting. Why this is correct: Defender XDR custom detections use advanced hunting queries that can be scheduled and trigger incidents when thresholds are exceeded. Related concept: Custom detection rules in Defender XDR use Kusto Query Language (KQL).
- ✗ scheduled alert rule in Microsoft Sentinel. Why it's wrong here: Microsoft Sentinel is a SIEM separate from Defender XDR; while it can do similar things, the question specifies within Defender XDR.
- ✗ An incident creation rule in Microsoft Defender for Cloud Apps. Why it's wrong here: Defender for Cloud Apps focuses on SaaS application activity, not network communications from devices.
- ✗ custom remediation action rule. Why it's wrong here: Remediation actions are taken after detection, not the detection itself.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse the scope of Microsoft Defender XDR custom detections with Microsoft Sentinel scheduled alert rules, assuming any scheduled query must be in Sentinel, but Defender XDR's advanced hunting custom detections natively support scheduled queries and incident creation without requiring Sentinel.
Trap categories for this question
Similar concept trap
Microsoft Sentinel is a SIEM separate from Defender XDR; while it can do similar things, the question specifies within Defender XDR.
Detailed technical explanation
How to think about this question
Under the hood, custom detection rules in Defender XDR leverage the same advanced hunting schema and KQL engine used for manual hunting, but they are executed as scheduled queries with a configurable frequency (e.g., every 1 hour). The rule can use the `make-series` or `summarize` operator to count events over a 24-hour lookback period, and the `| where Timestamp > ago(24h)` filter ensures a sliding window. A real-world scenario might involve detecting C2 beaconing where a device contacts a newly observed malicious IP every few minutes; the rule would aggregate those events and only create an incident when the cumulative count exceeds 10, reducing noise from single, isolated connections.
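The explanation above (and the correct-answer explanation earlier on this page) describes a scheduled KQL query over `DeviceNetworkEvents` with a 24-hour sliding window and a threshold of 10. The query below is an added example written for this page; it is not the page's own query and not a Microsoft-published rule. It assumes the threat-intelligence feed can be represented as a single-column list of IP addresses; the `MaliciousIPs` datatable here is a constructed stand-in with RFC 5737 documentation addresses, not real indicators. The `arg_max(Timestamp, ReportId)` aggregate keeps the `Timestamp` and `ReportId` columns that custom detection rules expect in their result set alongside an entity column such as `DeviceId`.

```kql
// Added example, not from the page or from Microsoft.
// Stand-in for a threat-intelligence IP list (constructed placeholders).
let MaliciousIPs = datatable(RemoteIP: string)
[
    "203.0.113.10",   // constructed placeholder (RFC 5737 TEST-NET-3)
    "198.51.100.7"    // constructed placeholder (RFC 5737 TEST-NET-2)
];
DeviceNetworkEvents
// Sliding 24-hour lookback; the hourly schedule is configured on the rule itself.
| where Timestamp > ago(24h)
// Outbound connection attempts and successful connections from the device.
| where ActionType in ("ConnectionRequest", "ConnectionSuccess")
// Keep only traffic to addresses on the (assumed) threat-intelligence list.
| where RemoteIP in (MaliciousIPs)
// Count communications per device and destination over the window.
// arg_max keeps the most recent Timestamp and its ReportId for the detection output.
| summarize ConnectionCount = count(),
            FirstSeen = min(Timestamp),
            arg_max(Timestamp, ReportId)
    by DeviceId, DeviceName, RemoteIP
// Threshold from the scenario: more than 10 communications in 24 hours.
| where ConnectionCount > 10
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, FirstSeen, ConnectionCount
```

When this query is saved as a custom detection rule, the run frequency (hourly in the scenario) and the alert and incident settings are chosen on the rule, not in the query text. Because the window slides, a device that crossed the threshold on one run will keep matching on subsequent hourly runs until enough events age out of the 24-hour window, so the alert title and incident grouping should be planned with that repetition in mind.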
Key Concepts to Remember
- Custom detection rules in Defender XDR use Kusto Query Language (KQL).
- They leverage advanced hunting data from endpoints, identities, and cloud apps.
- Rules can be scheduled to run at specific intervals (e.g., hourly).
- Thresholds can be set to trigger incidents based on event counts over a time window.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Custom detection rules in Defender XDR use Kusto Query Language (KQL).
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.
What to study next
Got this wrong? Here's your next step.
Review the principle that custom detection rules in Defender XDR use Kusto Query Language (KQL), then practise related MS-102 questions on the same topic to reinforce the concept.
FAQ
Questions learners often ask
What does this MS-102 question test?
This question tests "Manage security and threats by using Microsoft Defender XDR", specifically the principle that custom detection rules in Defender XDR use Kusto Query Language (KQL).
What is the correct answer to this question?
The correct answer is: custom detection rule using advanced hunting. A custom detection rule using advanced hunting is the correct choice because Microsoft Defender XDR allows you to create custom detection rules based on Kusto Query Language (KQL) queries that run on a scheduled interval (e.g., every hour). This rule can query the `DeviceNetworkEvents` table to identify communications with IP addresses flagged as malicious by Microsoft threat intelligence, aggregate the count over a 24-hour sliding window, and trigger an incident when the threshold of 10 is exceeded. This directly meets the requirement for a scheduled, threshold-based detection within Defender XDR.
What should I do if I get this MS-102 question wrong?
Review the principle that custom detection rules in Defender XDR use Kusto Query Language (KQL), then practise related MS-102 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
Custom detection rules in Defender XDR use Kusto Query Language (KQL).
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 11, 2026
This MS-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MS-102 exam.