The answer is to identify the top 10 devices with the most suspicious process injection alerts. This is correct because the KQL query uses the `summarize` operator to count alerts by `DeviceName`, then applies `top 10` to rank devices by that count, directly fulfilling the search intent of a KQL query for the top 10 devices with most alerts. On the MS-102 exam, this tests your ability to interpret advanced hunting queries in Microsoft Defender for Endpoint, specifically distinguishing between aggregation and filtering—a common trap is confusing a simple count with severity-based filtering or individual alert listing. Remember, when you see `summarize` followed by `top`, you are looking at a ranked aggregate, not a filtered list. A useful memory tip: "Summarize and top give you the champions, not the details."
MS-102 Practice Question: Manage security and threats by using Microsoft Defender XDR
This MS-102 practice question tests your understanding of manage security and threats by using microsoft defender xdr. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Refer to the exhibit.
```kql
DeviceAlertEvents
| where Timestamp > ago(7d)
| where AlertTitle == "Suspicious process injection"
| summarize AlertCount = count() by DeviceName
| top 10 by AlertCount
```
You run the above KQL query in Microsoft Defender for Endpoint advanced hunting. What is the purpose of this query?
Refer to the exhibit.
```kql
DeviceAlertEvents
| where Timestamp > ago(7d)
| where AlertTitle == "Suspicious process injection"
| summarize AlertCount = count() by DeviceName
| top 10 by AlertCount
```
A
To identify the top 10 devices with the most suspicious process injection alerts
It filters for that alert title and returns top 10.
B
To correlate device alerts with user activities
Why wrong: No correlation with user data.
C
To list all devices with high severity alerts
Why wrong: The query does not filter by severity.
D
To find the top 10 devices with the most alerts of any type
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
To identify the top 10 devices with the most suspicious process injection alerts
Option C is correct. The query summarizes by DeviceName and counts alerts, then returns top 10. Option A is wrong because it does not filter by severity. Option B is wrong because it does not list individual alerts. Option D is wrong because it does not correlate with other data.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
To identify the top 10 devices with the most suspicious process injection alerts
Why this is correct
It filters for that alert title and returns top 10.
Related concept
Read the scenario before looking for a memorised answer.
✗
To correlate device alerts with user activities
Why it's wrong here
No correlation with user data.
✗
To list all devices with high severity alerts
Why it's wrong here
The query does not filter by severity.
✗
To find the top 10 devices with the most alerts of any type
Why it's wrong here
It filters for a specific alert title.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Many certification questions include familiar terms but test a specific constraint. Read the exact wording before choosing an answer that is generally true but wrong for this case.
Detailed technical explanation
How to think about this question
This question should be treated as a scenario, not a definition check. Identify the problem, the constraint and the best action. Then compare each option against those facts.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Use explanations to understand the rule behind the answer.
TExam Day Tips
→Underline the problem statement mentally.
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this MS-102 question in full detail.
Identify which MS-102 exam domain this question belongs to, then review the specific concept being tested. Practise related questions in that domain and focus on understanding why each wrong answer is tempting — not just why the correct answer is right.
Manage security and threats by using Microsoft Defender XDR — This question tests Manage security and threats by using Microsoft Defender XDR — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: To identify the top 10 devices with the most suspicious process injection alerts — Option C is correct. The query summarizes by DeviceName and counts alerts, then returns top 10. Option A is wrong because it does not filter by severity. Option B is wrong because it does not list individual alerts. Option D is wrong because it does not correlate with other data.
What should I do if I get this MS-102 question wrong?
Identify which MS-102 exam domain this question belongs to, then review the specific concept being tested. Practise related questions in that domain and focus on understanding why each wrong answer is tempting — not just why the correct answer is right.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. You run the above KQL query in Microsoft Defender XDR Advanced Hunting. The query returns no results. What is the most likely reason?
easy
A.The EmailDirection filter should be 'Outbound'.
B.No inbound emails were blocked in the last 30 days.
C.The time range should be 7 days instead of 30 days.
✓ D.The column name SenderDomain does not exist in EmailEvents.
Why D: Option B is correct because the column name is 'SenderMailFromDomain' or 'SenderDomain' might not exist; the correct column in EmailEvents is 'SenderMailFromDomain'. Option A (no inbound emails blocked) is possible but less likely if the environment has filtering. Option C (time range too short) is not the issue. Option D (only outbound emails) would still show inbound if any.
Variation 2. A security analyst runs the above KQL query in Microsoft 365 Defender. The query returns an empty result set. Which is the most likely reason?
medium
A.The time range is too wide and the query times out.
✓ B.No antivirus detection events for files with 'ransomware' or 'encrypt' in the filename occurred in the last 7 days.
C.The 'has_any' operator is used incorrectly; it should be 'contains' for each condition.
D.The DeviceEvents table does not contain antivirus detection events.
Why B: The query uses 'has_any' to match filenames containing 'ransomware' or 'encrypt'. If no detections match those strings, the result is empty. Option B is correct. Option A is wrong because the query uses the correct table. Option C is wrong because the syntax is valid. Option D is wrong because the time range is 7 days, which is typical.
Last reviewed: Jun 21, 2026
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This MS-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MS-102 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.