SC-200 Certification Practice Question #7

Question

You have the following advanced hunting query in Microsoft 365 Defender.

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Accepted Answer

The goal is to *receive an alert* from an advanced hunting query, which means building a custom detection rule (A). To create a custom detection rule on Defender for Endpoint data, the query must return the required identity columns — for MDE tables those are `Timestamp`, `DeviceId`, and `ReportId` in the same event — so the query's `project` must include `DeviceId` and `ReportId` (E). The official Suggested Answer lists only E, but E alone does not raise an alert, so the community correctly pairs it with A; the dominant 23-vote Most Voted and the two highest-voted comments (48 and 6 👍) all agree on AE, and MS Learn directly confirms the required-columns requirement. Confidence is high but not maxed because the official key shows only E, reflecting the two-part scoring of the question.

More SC-200 practice questions