SC-200 Certification Practice Question #251

Question

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You discover a malicious process that was initiated by a file named File1.exe on a device named Device1.

You need to create a KQL query that will identify when File1.exe was created. The solution must meet the following requirements:

•	Return the FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine columns.
•	Minimize the volume of data returned.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Accepted Answer

The goal is "when File1.exe was *created*," and the `where ActionType == "FileCreated"` clause plus FileName/InitiatingProcess* columns map directly to the **DeviceFileEvents** table (file creation/modification events from Defender for Endpoint). To "minimize the volume of data returned" while keeping FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine, **project-keep** retains exactly those columns and drops everything else. The 10-👍 Highly Voted answer agrees on both boxes, and MS Learn confirms both the table schema and the project-keep semantics. The lone DeviceEvents dissent is outweighed.

More SC-200 practice questions