
Microsoft SC-200 Exam - Topic 10 Question 11 Discussion

Actual exam question for Microsoft's SC-200 exam
Question #: 11
Topic #: 10

You have the following advanced hunting query in Microsoft 365 Defender.

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.
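The query itself is not reproduced on this page, so the following is an added example, not the exam's query: a DeviceProcessEvents hunting query shaped so that it can be saved as a custom detection rule in Microsoft 365 Defender. A custom detection rule requires the query output to include Timestamp, ReportId and an entity identifier column such as DeviceId, and the explicit ago(1d) filter restricts matches to the last 24 hours even though the rule's own schedule sets a wider lookback. The command-line patterns chosen here (reg.exe writing the DisableSR value, the Disable-ComputerRestore PowerShell cmdlet, and shadow-copy deletion via vssadmin or wmic) are assumptions about how "disabling System Restore" shows up in process telemetry, not something the page states.

```kql
// Added example (not from the page). Hunting query for processes that
// disable System Restore, written so it can be saved as a custom detection
// rule: Timestamp, DeviceId and ReportId are kept in the output because the
// rule editor rejects queries that do not return them.
DeviceProcessEvents
// Pin the window to the last 24 hours regardless of the rule's schedule.
| where Timestamp > ago(1d)
| where
    // reg.exe setting the DisableSR value under a SystemRestore key
    // (assumed pattern; DisableSR=1 is the documented switch-off value)
    (FileName =~ "reg.exe"
        and ProcessCommandLine has "SystemRestore"
        and ProcessCommandLine has "DisableSR")
    // PowerShell cmdlet that turns System Restore off for a drive
    or ProcessCommandLine has "Disable-ComputerRestore"
    // Removal of restore points / shadow copies (assumed patterns)
    or ProcessCommandLine has_any ("vssadmin delete shadows", "shadowcopy delete")
// Required columns for a custom detection rule, plus context for triage.
| project Timestamp, DeviceId, DeviceName, ReportId,
          AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

Once the query runs cleanly in advanced hunting, it is saved as a custom detection rule (Create detection rule) with a frequency and an alert severity; the rule, not an `order by`, is what produces the alert. Adding a suppression rule would hide matching alerts rather than create them, and DeviceNetworkEvents carries connection records rather than process launches, so it has no ProcessCommandLine to match on.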


Contribute your Thoughts:

Fletcher
4 months ago
Agreed, the timestamp ordering is a must for accurate alerts!
upvoted 0 times
Chana
4 months ago
Wait, can you really replace DeviceProcessEvents with DeviceNetworkEvents? That sounds off.
upvoted 0 times
Frederica
4 months ago
Not sure about the suppression rule though, seems unnecessary.
upvoted 0 times
Joanna
5 months ago
I think adding DeviceId and ReportId is also important!
upvoted 0 times
Eileen
5 months ago
You definitely need to create a detection rule for this.
upvoted 0 times
Dell
5 months ago
I practiced a similar question where we had to modify a query. Adding | order by Timestamp might help us focus on the last 24 hours, right?
upvoted 0 times
Steffanie
5 months ago
I'm not entirely sure, but I remember something about suppression rules being used to filter out noise. Is that relevant here?
upvoted 0 times
Deandrea
5 months ago
I think we need to create a detection rule to catch when System Restore is disabled. That seems like a key step.
upvoted 0 times
Bong
5 months ago
I feel like replacing DeviceProcessEvents with DeviceNetworkEvents doesn't fit this scenario. We need to track process events specifically, not network events.
upvoted 0 times
Carin
5 months ago
Hmm, I'm not sure about this one. I was thinking maybe B. Trending, since that could also show popular products. But Collaborative Filtering makes sense too.
upvoted 0 times
Lacey
5 months ago
I'm pretty confident that Latency is the correct answer here. The question is specifically asking about the symptom, and that seems to fit the best.
upvoted 0 times
Viva
5 months ago
I'm a bit confused by this question. I'm not entirely sure what a "supplier bank header" is or what the mandatory fields would be. I'll have to guess on this one.
upvoted 0 times
