Question 397 of 1,639
Mitigate threats using Microsoft Defender XDRhardMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is the query pattern that joins DeviceNetworkEvents with DeviceEvents using a 5-minute time window, because this directly correlates the SMB connection on port 445 from DeviceA to DeviceB with the subsequent ScheduledTaskCreated action on DeviceB. This pattern captures the classic lateral movement technique where an attacker uses SMB to move laterally and then creates a scheduled task for persistence or code execution, making the time-bound join essential for establishing causality. On the SC-200 exam, this tests your ability to correlate cross-device events in Advanced Hunting, and a common trap is forgetting to filter by RemotePort 445 or using a time window that is too broad, which would generate false positives. Remember the memory tip: “SMB knocks, task unlocks” — the network knock on port 445 must be immediately followed by the scheduled task unlock on the target device within five minutes to confirm lateral movement.

SC-200 Mitigate threats using Microsoft Defender XDR Practice Question

This SC-200 practice question tests your understanding of mitigate threats using microsoft defender xdr. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: advanced Hunting uses KQL for querying security data.. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An analyst is creating a custom detection rule in Microsoft 365 Defender to detect lateral movement. The rule should trigger when a device (DeviceA) connects to another device (DeviceB) via SMB (port 445) and, within 5 minutes, a scheduled task is created on DeviceB. Which Advanced Hunting query pattern correctly correlates these events across devices?

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Join DeviceNetworkEvents (where RemoteIP is DeviceB's IP and RemotePort 445) with DeviceEvents (where ActionType == 'ScheduledTaskCreated' and DeviceId == DeviceB's ID) using a time window of 5 minutes

Option A is correct because it uses a `join` between `DeviceNetworkEvents` (filtered for SMB traffic on port 445 from DeviceA to DeviceB) and `DeviceEvents` (filtered for `ActionType == 'ScheduledTaskCreated'` on DeviceB) with a 5-minute time window. This directly correlates the network connection with the subsequent scheduled task creation, which is a classic lateral movement pattern (e.g., PsExec or WMI abuse). The time window ensures the events are causally related within the detection rule's scope.

Key principle: Advanced Hunting uses KQL for querying security data.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Join DeviceNetworkEvents (where RemoteIP is DeviceB's IP and RemotePort 445) with DeviceEvents (where ActionType == 'ScheduledTaskCreated' and DeviceId == DeviceB's ID) using a time window of 5 minutes

    Why this is correct

    Correct. This joins the network connection from DeviceA with the scheduled task creation on DeviceB within the specified time window.

    Related concept

    Advanced Hunting uses KQL for querying security data.

  • Use DeviceProcessEvents to find smb.exe on DeviceA, then join with DeviceFileEvents on DeviceB

    Why it's wrong here

    DeviceProcessEvents logs process creation, not network connections; DeviceFileEvents does not contain scheduled task events.

  • Use only DeviceNetworkEvents on DeviceA and DeviceB separately

    Why it's wrong here

    This would not capture the scheduled task creation event.

  • Use EmailEvents and DeviceEvents on DeviceB

    Why it's wrong here

    EmailEvents is used for email delivery events, not network connections.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates might think `DeviceProcessEvents` is needed to capture the SMB connection (Option B), but SMB is a kernel-mode protocol and not logged as a user-mode process, so `DeviceNetworkEvents` is the correct source for network-level correlation.

Detailed technical explanation

How to think about this question

Under the hood, SMB lateral movement often involves tools like PsExec or Impacket, which connect to the ADMIN$ share (port 445) and then create a scheduled task via the Task Scheduler service (triggering `ScheduledTaskCreated` in `DeviceEvents`). The 5-minute time window is critical because attackers often automate this sequence rapidly; a longer window might introduce false positives from unrelated scheduled tasks. In real-world scenarios, defenders can extend this query to include `RemoteIP` and `RemotePort` filtering to reduce noise from legitimate SMB traffic.

KKey Concepts to Remember

  • Advanced Hunting uses KQL for querying security data.
  • The `join` operator correlates events from different tables.
  • Time windows (`within`) are crucial for temporal correlation in `join` operations.
  • DeviceNetworkEvents tracks network connections, DeviceEvents tracks device actions.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Advanced Hunting uses KQL for querying security data.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Review advanced Hunting uses KQL for querying security data., then practise related SC-200 questions on the same topic to reinforce the concept.

Related practice questions

Related SC-200 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SC-200 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SC-200 question test?

Mitigate threats using Microsoft Defender XDR — This question tests Mitigate threats using Microsoft Defender XDR — Advanced Hunting uses KQL for querying security data..

What is the correct answer to this question?

The correct answer is: Join DeviceNetworkEvents (where RemoteIP is DeviceB's IP and RemotePort 445) with DeviceEvents (where ActionType == 'ScheduledTaskCreated' and DeviceId == DeviceB's ID) using a time window of 5 minutes — Option A is correct because it uses a `join` between `DeviceNetworkEvents` (filtered for SMB traffic on port 445 from DeviceA to DeviceB) and `DeviceEvents` (filtered for `ActionType == 'ScheduledTaskCreated'` on DeviceB) with a 5-minute time window. This directly correlates the network connection with the subsequent scheduled task creation, which is a classic lateral movement pattern (e.g., PsExec or WMI abuse). The time window ensures the events are causally related within the detection rule's scope.

What should I do if I get this SC-200 question wrong?

Review advanced Hunting uses KQL for querying security data., then practise related SC-200 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Advanced Hunting uses KQL for querying security data.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SC-200 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SC-200 exam.