Question 832 of 975

Quick Answer

The correct tables to join are EmailPostDeliveryEvents and DeviceNetworkEvents. This is because the EmailPostDeliveryEvents table captures the final delivery status of an email, including whether it was delivered to the inbox, while the DeviceNetworkEvents table records outbound network connections from Windows devices, including destination IP addresses. By joining these two tables on a common identifier like RecipientObjectId and DeviceId, you can directly correlate the moment a user receives a phishing email with the subsequent network connection to a known malicious IP. On the MS-102 exam, this question tests your ability to map real-world security scenarios to the correct advanced hunting schema, a common trap being to mistakenly use EmailEvents instead of EmailPostDeliveryEvents, which lacks post-delivery action details. A helpful memory tip: think "Post" for the inbox arrival and "Network" for the outbound connection—Post and Network, the pair that links the inbox to the wire.

MS-102 Practice Question: Manage security and threats by using Microsoft Defender XDR

This MS-102 practice question tests your understanding of managing security and threats by using Microsoft Defender XDR. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: the EmailEvents table records initial email delivery details. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and then, from their Windows device, establishes a network connection to a known malicious IP address. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the KQL query to capture both the email delivery event and the network connection event?

Question 1 · medium · multi select

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

EmailEvents and DeviceNetworkEvents

Option A is correct because the rule requires capturing both the phishing email delivery event and the subsequent network connection to a malicious IP. The EmailEvents table records email delivery status (including 'Delivered' to inbox), and the DeviceNetworkEvents table records outbound network connections from Windows devices, including destination IP addresses. Joining these two tables on a common identifier (such as RecipientObjectId and DeviceId) allows the analyst to correlate the email receipt with the network connection event.

Key principle: EmailEvents table records initial email delivery details.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • EmailEvents and DeviceNetworkEvents

    Why this is correct

    EmailEvents contains email delivery data (RecipientEmailAddress, Timestamp), and DeviceNetworkEvents contains network connection data (DeviceName, RemoteIP, Timestamp). Joining these on a common key like recipient email/device identity and time window enables detection of post-click connections.

    Related concept

    EmailEvents table records initial email delivery details.

  • EmailEvents and DeviceProcessEvents

    Why it's wrong here

    DeviceProcessEvents contains process creation events, not network connections. While useful for lateral movement detection, it does not capture the network connection to a malicious IP.

  • EmailPostDeliveryEvents and DeviceNetworkEvents

    Why this is correct

    EmailPostDeliveryEvents includes post-delivery events like ZAP or phishing clicks, but the primary event of email delivery is in EmailEvents. Using EmailPostDeliveryEvents alone may miss the initial delivery event.

    Related concept

    EmailEvents table records initial email delivery details.

  • EmailAttachmentInfo and DeviceRegistryEvents

    Why it's wrong here

    EmailAttachmentInfo provides details on email attachments, and DeviceRegistryEvents monitors registry modifications. Neither captures network connections or email delivery events needed for this scenario.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates confuse EmailPostDeliveryEvents (post-delivery actions) with EmailEvents (initial delivery), or assume DeviceProcessEvents can capture network connections when it only records process creation.

Trap categories for this question

  • Scenario analysis trap

    EmailAttachmentInfo provides details on email attachments, and DeviceRegistryEvents monitors registry modifications. Neither captures network connections or email delivery events needed for this scenario.

Detailed technical explanation

How to think about this question

Under the hood, EmailEvents contains the `DeliveryAction` field (e.g., 'Delivered') and `RecipientObjectId`, while DeviceNetworkEvents contains `RemoteIP` and `DeviceId`. The join typically uses `RecipientObjectId` from EmailEvents with the user's `DeviceId` via an intermediate identity table (e.g., IdentityInfo) or by correlating `AccountUpn` with `DeviceName`. In real-world scenarios, analysts often add a time window (e.g., within 1 hour after email delivery) using the `Timestamp` column to reduce false positives from unrelated connections.
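The join described above (EmailEvents correlated with DeviceNetworkEvents on user identity plus a time window) written out as a complete advanced hunting query. This is an added example and not code from the page or from Microsoft; column names follow the Defender XDR advanced hunting schema, while the 7-day lookback, the 1-hour window and the two IP addresses in the watchlist are constructed placeholders for illustration. It correlates on the recipient address against `InitiatingProcessAccountUpn` rather than through an IdentityInfo lookup, which is the simpler of the two approaches the explanation mentions, and it projects the `Timestamp`, `ReportId` and `DeviceId` columns that a custom detection rule must return.

```kql
// Added example (not from the original page). Schema column names are real;
// lookback, window and watchlist IPs are constructed placeholders.
let lookback = 7d;
let window = 1h;
// Constructed watchlist of known-bad destinations (documentation-range IPs, not real IoCs).
let MaliciousIps = datatable(RemoteIP:string)
[
    "203.0.113.10",
    "198.51.100.25"
];
// Phishing messages that actually landed in the inbox (DeliveryLocation, not just DeliveryAction).
let PhishDelivered =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
    | where ThreatTypes has "Phish"
    | project EmailTime = Timestamp, NetworkMessageId, Subject, SenderFromAddress,
              RecipientEmailAddress, RecipientObjectId,
              AccountUpn = tolower(RecipientEmailAddress);
// Successful outbound connections from Windows devices to a watchlisted IP.
let SuspiciousConnections =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIP in (MaliciousIps)
    | where isnotempty(InitiatingProcessAccountUpn)
    | project ConnTime = Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, RemotePort,
              InitiatingProcessFileName,
              AccountUpn = tolower(InitiatingProcessAccountUpn);
PhishDelivered
| join kind=inner SuspiciousConnections on AccountUpn
// Only keep connections that happened within the window after the email arrived;
// this is what suppresses unrelated connections by the same user.
| where ConnTime between (EmailTime .. (EmailTime + window))
// Custom detection rules require Timestamp, ReportId and an entity column such as DeviceId.
| project Timestamp = ConnTime, ReportId, DeviceId, DeviceName, AccountUpn,
          RemoteIP, RemotePort, InitiatingProcessFileName,
          EmailTime, NetworkMessageId, Subject, SenderFromAddress, RecipientObjectId
```

Both sides lower-case the UPN before the join because `RecipientEmailAddress` and `InitiatingProcessAccountUpn` are not guaranteed to agree on case, and the network-side `ReportId` is the one carried into the output so that each alert points at the connection event. Widening `window` increases recall at the cost of more coincidental matches, which is the false-positive trade-off the explanation describes.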

Key Concepts to Remember

  • EmailEvents table records initial email delivery details.
  • DeviceNetworkEvents table captures all network connections from devices.
  • KQL joins are used to correlate events across different tables.
  • Correlation often involves user identity and a time window.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

EmailEvents table records initial email delivery details.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Review the principle that the EmailEvents table records initial email delivery details, then practise related MS-102 questions on the same topic to reinforce the concept.

Related practice questions

Related MS-102 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free MS-102 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this MS-102 question test?

This question tests the objective "Manage security and threats by using Microsoft Defender XDR", specifically the principle that the EmailEvents table records initial email delivery details.

What is the correct answer to this question?

The correct answer is: EmailEvents and DeviceNetworkEvents — Option A is correct because the rule requires capturing both the phishing email delivery event and the subsequent network connection to a malicious IP. The EmailEvents table records email delivery status (including 'Delivered' to inbox), and the DeviceNetworkEvents table records outbound network connections from Windows devices, including destination IP addresses. Joining these two tables on a common identifier (such as RecipientObjectId and DeviceId) allows the analyst to correlate the email receipt with the network connection event.

What should I do if I get this MS-102 question wrong?

Review the principle that the EmailEvents table records initial email delivery details, then practise related MS-102 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

EmailEvents table records initial email delivery details.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This MS-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MS-102 exam.