SC-200 Certification Practice Question #43

Question

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to create a detection rule that meets the following requirements:

•	Is triggered when a device that has critical software vulnerabilities was active during the last hour
•	Limits the number of duplicate results

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Accepted Answer

The rule must fire on devices with critical vulnerabilities active in the last hour and limit duplicate results. `| distinct DeviceId` deduplicates to one row per device (limiting duplicates) and preserves the DeviceId key needed for the `join kind=inner DeviceInfo on DeviceId`. For the output, a Defender for Endpoint custom detection rule must return `Timestamp`, `DeviceId`, and `ReportId` in the same event, so `| project Timestamp, DeviceId, ReportId` is the only choice that yields exactly those required columns. `summarize count()` would force an unwanted aggregate, and the `distinct` variant for part 2 strips the mandatory Timestamp/ReportId columns. MS Learn and the two highest-voted, well-reasoned comments all converge.

More SC-200 practice questions