- A: EmailEvents and DeviceNetworkEvents
  EmailEvents contains email delivery data (RecipientEmailAddress, Timestamp), and DeviceNetworkEvents contains network connection data (DeviceName, RemoteIP, Timestamp). Joining these on a common key like recipient email/device identity and time window enables detection of post-click connections.
- B: EmailEvents and DeviceProcessEvents
  Why wrong: DeviceProcessEvents contains process creation events, not network connections. While useful for lateral movement detection, it does not capture the network connection to a malicious IP.
- C: EmailPostDeliveryEvents and DeviceNetworkEvents
  EmailPostDeliveryEvents includes post-delivery events like ZAP or phishing clicks, but the primary event of email delivery is in EmailEvents. Using EmailPostDeliveryEvents alone may miss the initial delivery event.
- D: EmailAttachmentInfo and DeviceRegistryEvents
  Why wrong: EmailAttachmentInfo provides details on email attachments, and DeviceRegistryEvents monitors registry modifications. Neither captures network connections or email delivery events needed for this scenario.
Quick Answer
The correct tables to join are EmailPostDeliveryEvents and DeviceNetworkEvents. This is because the EmailPostDeliveryEvents table captures the final delivery status of an email, including whether it was delivered to the inbox, while the DeviceNetworkEvents table records outbound network connections from Windows devices, including destination IP addresses. By joining these two tables on a common identifier like RecipientObjectId and DeviceId, you can directly correlate the moment a user receives a phishing email with the subsequent network connection to a known malicious IP. On the MS-102 exam, this question tests your ability to map real-world security scenarios to the correct advanced hunting schema, a common trap being to mistakenly use EmailEvents instead of EmailPostDeliveryEvents, which lacks post-delivery action details. A helpful memory tip: think "Post" for the inbox arrival and "Network" for the outbound connection—Post and Network, the pair that links the inbox to the wire.
MS-102 Practice Question: Manage security and threats by using Microsoft Defender XDR
This MS-102 practice question tests your understanding of "Manage security and threats by using Microsoft Defender XDR". Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: the EmailEvents table records initial email delivery details. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and then, from their Windows device, establishes a network connection to a known malicious IP address. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the KQL query to capture both the email delivery event and the network connection event?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
EmailEvents and DeviceNetworkEvents
Option A is correct because the rule requires capturing both the phishing email delivery event and the subsequent network connection to a malicious IP. The EmailEvents table records email delivery status (including 'Delivered' to inbox), and the DeviceNetworkEvents table records outbound network connections from Windows devices, including destination IP addresses. Joining these two tables on a common identifier (such as RecipientObjectId and DeviceId) allows the analyst to correlate the email receipt with the network connection event.
Key principle: EmailEvents table records initial email delivery details.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✓ EmailEvents and DeviceNetworkEvents
  Why this is correct: EmailEvents contains email delivery data (RecipientEmailAddress, Timestamp), and DeviceNetworkEvents contains network connection data (DeviceName, RemoteIP, Timestamp). Joining these on a common key like recipient email/device identity and time window enables detection of post-click connections.
  Related concept: EmailEvents table records initial email delivery details.
- ✗ EmailEvents and DeviceProcessEvents
  Why it's wrong here: DeviceProcessEvents contains process creation events, not network connections. While useful for lateral movement detection, it does not capture the network connection to a malicious IP.
- ✓ EmailPostDeliveryEvents and DeviceNetworkEvents
  Why this is correct: EmailPostDeliveryEvents includes post-delivery events like ZAP or phishing clicks, but the primary event of email delivery is in EmailEvents. Using EmailPostDeliveryEvents alone may miss the initial delivery event.
  Related concept: EmailEvents table records initial email delivery details.
- ✗ EmailAttachmentInfo and DeviceRegistryEvents
  Why it's wrong here: EmailAttachmentInfo provides details on email attachments, and DeviceRegistryEvents monitors registry modifications. Neither captures network connections or email delivery events needed for this scenario.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates confuse EmailPostDeliveryEvents (post-delivery actions) with EmailEvents (initial delivery), or assume DeviceProcessEvents can capture network connections when it only records process creation.
Trap categories for this question
Scenario analysis trap
EmailAttachmentInfo provides details on email attachments, and DeviceRegistryEvents monitors registry modifications. Neither captures network connections or email delivery events needed for this scenario.
Detailed technical explanation
How to think about this question
Under the hood, EmailEvents contains the `DeliveryAction` field (e.g., 'Delivered') and `RecipientObjectId`, while DeviceNetworkEvents contains `RemoteIP` and `DeviceId`. The join typically uses `RecipientObjectId` from EmailEvents with the user's `DeviceId` via an intermediate identity table (e.g., IdentityInfo) or by correlating `AccountUpn` with `DeviceName`. In real-world scenarios, analysts often add a time window (e.g., within 1 hour after email delivery) using the `Timestamp` column to reduce false positives from unrelated connections.
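A worked advanced hunting query for the join described above, written here as an added example (it is not from the original page or from Microsoft's documentation). It assumes the recipient's mailbox address matches the UPN the endpoint reports in `InitiatingProcessAccountUpn`, and uses a constructed placeholder list `MaliciousIps` in place of a real indicator feed; the final `project` keeps `Timestamp`, `ReportId` and `DeviceId`, which a custom detection rule requires in its result set.

```kql
// Correlate inbox-delivered phishing email with a later outbound connection
// from the same user's device to a known-bad IP, inside a bounded time window.
// Assumption: RecipientEmailAddress == InitiatingProcessAccountUpn for the user.
let lookback = 7d;
let window = 1h;   // the connection must follow delivery within this window
// Constructed placeholder indicators (TEST-NET addresses), not a real feed.
let MaliciousIps = dynamic(["203.0.113.10", "198.51.100.25"]);
// Side 1: phishing messages that actually reached the inbox.
let Delivered = EmailEvents
    | where Timestamp > ago(lookback)
    | where ThreatTypes has "Phish"
    | where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
    | project EmailTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, EmailReportId = ReportId
    | extend JoinKey = tolower(RecipientEmailAddress);
// Side 2: outbound connections to the watched IPs, keyed by the initiating account UPN.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIP in (MaliciousIps)
| where isnotempty(InitiatingProcessAccountUpn)
| extend JoinKey = tolower(InitiatingProcessAccountUpn)
| join kind=inner Delivered on JoinKey
// Time-window filter: keep only connections that occur after delivery, within `window`.
| where Timestamp between (EmailTime .. (EmailTime + window))
// Timestamp, ReportId and DeviceId from DeviceNetworkEvents satisfy the
// custom detection rule's required-column check.
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessAccountUpn,
          EmailTime, NetworkMessageId, SenderFromAddress, Subject, RecipientEmailAddress
```

Tune `window` and the `ActionType` filter to the environment's false-positive rate; a shorter window tightens the causal link between the delivery and the connection.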
Key Concepts to Remember
- EmailEvents table records initial email delivery details.
- DeviceNetworkEvents table captures all network connections from devices.
- KQL joins are used to correlate events across different tables.
- Correlation often involves user identity and a time window.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
EmailEvents table records initial email delivery details.
Real-world example
How this comes up in practice
A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.
What to study next
Got this wrong? Here's your next step.
Review the principle that the EmailEvents table records initial email delivery details, then practise related MS-102 questions on the same topic to reinforce the concept.
FAQ
Questions learners often ask
What does this MS-102 question test?
This question tests the skill area "Manage security and threats by using Microsoft Defender XDR", specifically the principle that the EmailEvents table records initial email delivery details.
What is the correct answer to this question?
The correct answer is: EmailEvents and DeviceNetworkEvents — Option A is correct because the rule requires capturing both the phishing email delivery event and the subsequent network connection to a malicious IP. The EmailEvents table records email delivery status (including 'Delivered' to inbox), and the DeviceNetworkEvents table records outbound network connections from Windows devices, including destination IP addresses. Joining these two tables on a common identifier (such as RecipientObjectId and DeviceId) allows the analyst to correlate the email receipt with the network connection event.
What should I do if I get this MS-102 question wrong?
Review the principle that the EmailEvents table records initial email delivery details, then practise related MS-102 questions on the same topic to reinforce the concept.
What is the key concept behind this question?
EmailEvents table records initial email delivery details.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 11, 2026
This MS-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MS-102 exam.