SC-200 Certification Practice Question #202

Question

You have a Microsoft 365 E5 subscription.

You have the following KQL query.

You need to use the query to create a Microsoft Defender XDR custom detection rule that can isolate an onboarded device.

How should you modify the query?

Accepted Answer

A custom detection rule can only run the **Isolate device** response action when the query results contain the `DeviceId` column, and every Defender for Endpoint detection must also return `Timestamp` (with `ReportId`) so the service can stamp and uniquely identify the alert. The query in the image projects `ReportId, ActionType, DeviceName, InitiatingProcessAccountName` — it already has `ReportId` but is missing both `DeviceId` (needed to target the device for isolation) and `Timestamp` (a mandatory column). Adding those two columns to the `project` operator (option D) makes the rule eligible to isolate the onboarded device. AccountUpn (A) maps a user entity, not a device, and neither `distinct` (B) nor `summarize` (C) supplies the missing device identifier or timestamp.

More SC-200 practice questions