SC-200 Certification Practice Question #258

Question

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. All endpoint devices are onboarded to Microsoft Defender for Endpoint.

You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1. All Microsoft Defender XDR events are ingested into Workspace1.

You have a Microsoft Entra tenant.

You create a KQL query named query1 that searches device logs for a known vulnerability.

You need to ensure that query1 runs every hour. The solution must minimize administrative effort.

What should you configure?

Accepted Answer

A custom detection rule in Microsoft Defender XDR is built directly from a KQL advanced-hunting query and is scheduled to run at fixed intervals; the available frequencies explicitly include "Every hour," and matches automatically generate alerts/incidents. This maps exactly to the requirement to run query1 every hour with minimal administrative effort — you simply save the existing query as a custom detection rule and pick the hourly frequency. AIR (B) responds to existing alerts, a watchlist (C) is static reference data, and an automation rule (D) only acts on incidents after they are created, so none satisfy "run the KQL query every hour." Suggested Answer, the community vote, and MS Learn all agree on A.

More SC-200 practice questions