Mitigate threats using Microsoft Defender XDR · medium · Multiple Choice · Objective-mapped

Quick Answer

The correct combination is DeviceFileEvents and DeviceInfo, because DeviceFileEvents logs every file creation event—including those with ransomware extensions like .encrypted or .locked—while DeviceInfo supplies essential device metadata such as device name, OS platform, and device group. Joining these two tables on DeviceId lets you correlate file creation events across multiple devices within a short time frame, which is exactly how you build custom detection for ransomware file creation across devices in Microsoft 365 Defender. On the SC-200 exam, this tests your ability to pair an event table with an entity table for cross-device correlation; a common trap is choosing DeviceProcessEvents or DeviceNetworkEvents, which track processes or network traffic, not file creation. Remember the mnemonic “Files + Facts” — DeviceFileEvents for the file actions, DeviceInfo for the device facts.

SC-200 Mitigate threats using Microsoft Defender XDR Practice Question

This SC-200 practice question tests your understanding of the Mitigate threats using Microsoft Defender XDR domain. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, read the full explanation and wrong-answer breakdown to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A security analyst is building a custom detection rule in Microsoft 365 Defender to identify ransomware activity. The rule should trigger when files with specific extensions (e.g., .encrypted, .locked) are created on multiple devices within a short time frame, suggesting a widespread attack. Which combination of advanced hunting tables should be used to obtain both file creation events and device information?


Answer choices

  • DeviceFileEvents and DeviceInfo
  • DeviceProcessEvents and DeviceInfo
  • DeviceFileEvents and DeviceNetworkEvents
  • DeviceFileEvents and DeviceLogonEvents

Why each option matters

The breakdown below explains why each option is right or wrong.

Correct answer & explanation

DeviceFileEvents and DeviceInfo

Option A is correct because DeviceFileEvents captures file creation events, including the specific extensions like .encrypted and .locked, while DeviceInfo provides device metadata such as device name, OS platform, and device group. Joining these tables on DeviceId allows the analyst to correlate file creation events across multiple devices, enabling detection of widespread ransomware activity within a short time frame.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • DeviceFileEvents and DeviceInfo

    Why this is correct

    Correct. DeviceFileEvents contains file creation (ActionType 'FileCreated') details including SHA256, file name, and folder path. Joining with DeviceInfo provides device metadata like device name and OS. This combination directly supports the requirement.

    Related concept

    Read the scenario before looking for a memorised answer.

  • DeviceProcessEvents and DeviceInfo

    Why it's wrong here

    DeviceProcessEvents tracks process creation events, not file creation. While the ransomware process might create files, the rule specifically targets file creation events, making DeviceFileEvents more appropriate.

  • DeviceFileEvents and DeviceNetworkEvents

    Why it's wrong here

    DeviceNetworkEvents records network connections. While useful for lateral movement detection, it is not needed to identify the creation of encrypted files across devices. The requirement is about files, not network.

  • DeviceFileEvents and DeviceLogonEvents

    Why it's wrong here

    DeviceLogonEvents contains logon activity (success/failure, account). This is not relevant to identifying file creation events across devices. The rule does not require logon information.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may confuse file creation events with process creation events (DeviceProcessEvents) or network events (DeviceNetworkEvents), overlooking that only DeviceFileEvents directly captures the file extension data needed for ransomware detection.

Detailed technical explanation

How to think about this question

Under the hood, DeviceFileEvents is fed by the Microsoft Defender for Endpoint sensor, which monitors file system operations through a Windows kernel-mode file system minifilter driver and captures create, modify, rename, and delete actions. The DeviceInfo table is populated from the device's registry and WMI and is updated every hour or on significant changes, so it accumulates many rows per device over time. In a real-world ransomware scenario, joining these tables on DeviceId and filtering by Timestamp within a short window (e.g., 5 minutes) and ActionType == 'FileCreated' can reveal a coordinated encryption wave across endpoints.
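The join and time-window logic described above, written out as an added KQL advanced hunting example (not the page's or Microsoft's own query). It assumes the two extensions from the scenario, a 1-hour lookback, a 5-minute window and a threshold of 3 devices, and it keeps Timestamp, DeviceId and ReportId in the output because a custom detection rule requires those columns.

```kql
// Added example: flag a wave of ransomware-style file creations across several devices
// inside one 5-minute window, enriched with device facts from DeviceInfo.
// Assumed thresholds (not from the page): 1h lookback, 5m window, at least 3 devices.
let lookback = 1h;
let window = 5m;
let minDevices = 3;
// DeviceInfo holds many rows per device over time; keep only the newest row per DeviceId.
let latestDeviceInfo = DeviceInfo
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, MachineGroup) by DeviceId
    | project DeviceId, DeviceName, OSPlatform, MachineGroup;
// File creation events whose names end in a ransomware extension, bucketed into windows.
let ransomFiles = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".encrypted" or FileName endswith ".locked"
    | extend WindowStart = bin(Timestamp, window);
// Windows in which the creations span enough distinct devices to look like a coordinated wave.
let waveWindows = ransomFiles
    | summarize AffectedDevices = dcount(DeviceId), FilesCreated = count() by WindowStart
    | where AffectedDevices >= minDevices;
ransomFiles
| join kind=inner waveWindows on WindowStart
// One row per device per window; arg_max keeps the Timestamp and ReportId the rule needs.
| summarize arg_max(Timestamp, ReportId, FileName, FolderPath, SHA256),
            FilesOnDevice = count() by DeviceId, WindowStart, AffectedDevices, FilesCreated
| join kind=leftouter latestDeviceInfo on DeviceId
| project Timestamp, DeviceId, ReportId, DeviceName, OSPlatform, MachineGroup,
          WindowStart, AffectedDevices, FilesCreated, FilesOnDevice, FileName, FolderPath, SHA256
```

Because bin() uses fixed buckets, a wave that straddles two 5-minute boundaries is split between them; lowering minDevices or widening the window trades that miss for more noise.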

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this SC-200 question test?

This question tests the Mitigate threats using Microsoft Defender XDR domain. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is DeviceFileEvents and DeviceInfo. Option A is correct because DeviceFileEvents captures file creation events, including the specific extensions like .encrypted and .locked, while DeviceInfo provides device metadata such as device name, OS platform, and device group. Joining these tables on DeviceId allows the analyst to correlate file creation events across multiple devices, enabling detection of widespread ransomware activity within a short time frame.

What should I do if I get this SC-200 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Last reviewed: Jun 11, 2026


This SC-200 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SC-200 exam.