Associate-level certification covering security operations with Microsoft Sentinel and Microsoft Defender XDR: configuring automation and detections, responding to incidents across Defender workloads, and threat hunting with KQL, with a worked explanation on every practice question.
Free sample questions
No account needed. Every question has a worked explanation, just like the full bank.
Free sample | Perform Threat Hunting | hard
During an Advanced Hunting investigation in Microsoft Defender XDR, you must reconstruct a suspected malware execution chain on a single workstation by listing every process that was launched, together with its full command line and its initiating parent process, so that you can trace the lineage from the original loader. Which table should the Kusto Query Language (KQL) query target to obtain the parent and child process command lines directly?
```kql
// Goal: child process, its command line, and its parent process command line
<Table>
| where DeviceName == "FIN-WKS-014"
| project Timestamp, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```
- A. DeviceProcessEvents, because it records one row per process creation with the child FileName and ProcessCommandLine alongside the InitiatingProcess fields for the parent, giving the full lineage on the device. (Correct)
- B. DeviceEvents, because it is the general endpoint event table and therefore records every action a device takes, including each process that is created along with its parent and child command lines.
- C. DeviceImageLoadEvents, because the loader and every subsequently launched binary must be mapped into memory, so the image load records reveal the parent and child process command lines for the chain.
- D. DeviceFileEvents, because the loader writes the child executables to disk before running them, so the file create and modify records carry the process command lines for each stage of the chain.
Use DeviceProcessEvents in Advanced Hunting for process creation telemetry, as it carries both the child and initiating-parent command lines. DeviceProcessEvents is the schema table dedicated to process creation in Microsoft Defender for Endpoint telemetry. Each row pairs the spawned process FileName and ProcessCommandLine with the InitiatingProcessFileName and InitiatingProcessCommandLine of its parent, which lets an analyst pivot up and down the chain from a single table rather than joining across general event tables.
Why A is correct: DeviceProcessEvents is purpose-built for process creation telemetry, exposing the spawned process command line and the InitiatingProcess parent fields in the same row, which is exactly what is needed to walk a malware execution chain on one host.
Why B is wrong: DeviceEvents is a catch-all table for miscellaneous security and audit events such as protection toggles and ASR triggers; it does not provide a dedicated row per process creation with both the child and initiating-parent command lines, so the lineage reconstruction would be incomplete.
Why C is wrong: DeviceImageLoadEvents tracks DLL and module loads into a process, not process creation, so it lacks a per-spawn child command line and is the wrong surface for reconstructing parent-to-child execution lineage.
Why D is wrong: DeviceFileEvents captures file create, modify, rename, and delete activity, which is useful for tracking dropped payloads, but it does not record process command lines or parent-child execution, so it cannot reconstruct the run chain on its own.
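As an added example that is not part of the original question, the query below walks an execution chain two levels down from a suspected loader on one workstation. The loader file name and the device name are assumed values; the join keys on process id plus creation time, because Windows recycles PIDs and a join on InitiatingProcessId alone can attach a child to the wrong parent.

```kql
// Added example, not from the original page. Assumed values: target device and loader name.
let target = "FIN-WKS-014";          // DeviceName is usually the FQDN; adjust to your tenant
let loader = "update_helper.exe";    // assumed suspected loader
let window = 1d;
// Per-spawn rows for the device, keeping the child and initiating-parent fields
let procs = DeviceProcessEvents
| where Timestamp > ago(window) and DeviceName =~ target
| project Timestamp, FileName, ProcessCommandLine, ProcessId, ProcessCreationTime,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessId, InitiatingProcessCreationTime;
// Level 1: processes whose parent is the loader itself
let level1 = procs
| where InitiatingProcessFileName =~ loader
| extend Depth = 1;
// Level 2: processes whose parent is any level-1 process.
// PID + creation time uniquely identifies a process instance, unlike PID alone.
let level2 = procs
| join kind=inner (level1 | project ParentPid = ProcessId, ParentCreated = ProcessCreationTime)
    on $left.InitiatingProcessId == $right.ParentPid,
       $left.InitiatingProcessCreationTime == $right.ParentCreated
| extend Depth = 2
| project-away ParentPid, ParentCreated;
// Present the lineage as parent -> child pairs, oldest first
union level1, level2
| project Timestamp, Depth,
          Parent = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine,
          Child = FileName, ChildCommandLine = ProcessCommandLine
| sort by Timestamp asc
```

Adding a further level is a matter of repeating the level-2 join against the previous level, since KQL has no recursive join.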
Free sample | Perform Threat Hunting | hard
You are hunting in Microsoft Defender XDR for lateral movement that uses domain credentials, and you need authentication events that Microsoft Defender for Identity collects from domain controllers, including the protocol used and both the source and destination devices for each logon. Which Advanced Hunting table provides these on-premises Active Directory authentication events with the source-to-destination logon detail?
- A. SigninLogs, because it is the authoritative authentication table and therefore contains the on-premises domain controller logons together with the logon protocol and the source and destination device for each event.
- B. IdentityLogonEvents, because Microsoft Defender for Identity collects authentication events from monitored domain controllers, exposing the logon protocol and the source and destination devices for each on-premises logon. (Correct)
- C. DeviceLogonEvents, because Microsoft Defender for Endpoint records every interactive and network logon seen on each onboarded device, so it reports the domain controller authentications with their protocol and source and destination hosts.
- D. IdentityQueryEvents, because lateral movement relies on directory reconnaissance, so the LDAP, SAMR, and DNS queries it records include the authentication protocol and the source and destination devices for each domain logon.
Choose IdentityLogonEvents for on-premises Active Directory authentication telemetry that Microsoft Defender for Identity gathers from domain controllers. IdentityLogonEvents is fed by Microsoft Defender for Identity, which monitors domain controllers and AD FS servers. It captures authentication activity such as Kerberos and NTLM logons with the protocol, logon type, account, and the source and destination devices, making it the correct surface for hunting credential-based lateral movement against on-premises identities rather than the cloud-focused SigninLogs.
Why A is wrong: SigninLogs is a Microsoft Entra ID interactive sign-in table surfaced in Log Analytics, not in the Defender Advanced Hunting schema, and it records cloud sign-ins rather than the on-premises domain controller authentications that Defender for Identity collects.
Why B is correct: IdentityLogonEvents is the Advanced Hunting table populated by Microsoft Defender for Identity from monitored domain controllers and Active Directory Federation Services, carrying the LogonType, Protocol, and both DeviceName and target fields needed to trace credential-based lateral movement.
Why C is wrong: DeviceLogonEvents reports logons observed by the endpoint sensor on onboarded devices, which is valuable telemetry, but it is sourced from Defender for Endpoint rather than from domain controllers and may miss authentications on hosts that are not onboarded.
Why D is wrong: IdentityQueryEvents records directory queries such as LDAP and SAMR collected by Defender for Identity, which helps spot reconnaissance, but it does not represent authentication or logon events, so it cannot supply the source-to-destination logon detail required here.
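As an added example that is not part of the original question, the query below uses the source and destination fields of IdentityLogonEvents to surface one source device authenticating to many distinct destination hosts inside a short window, which is the shape credential-based lateral movement tends to leave on domain controllers. The threshold and bin size are assumed tuning values.

```kql
// Added example, not from the original page. Assumed values: threshold and bin size.
let window = 1d;
let minDestinations = 5;     // assumed threshold; tune to the environment's baseline
let binSize = 1h;
IdentityLogonEvents
| where Timestamp > ago(window)
| where ActionType == "LogonSuccess"              // only successful authentications
| where isnotempty(DeviceName) and isnotempty(DestinationDeviceName)
| where DeviceName !~ DestinationDeviceName       // drop local logons
| summarize
    Destinations    = dcount(DestinationDeviceName),
    DestinationList = make_set(DestinationDeviceName, 20),
    Protocols       = make_set(Protocol),         // e.g. Kerberos vs NTLM
    LogonTypes      = make_set(LogonType),
    Accounts        = make_set(AccountName, 10),
    FirstSeen       = min(Timestamp),
    LastSeen        = max(Timestamp)
    by SourceDevice = DeviceName, bin(Timestamp, binSize)
| where Destinations >= minDestinations
| sort by Destinations desc, FirstSeen asc
```

A jump server or a vulnerability scanner will match this pattern legitimately, so compare the Accounts and Protocols columns against what those hosts normally use before escalating.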
Free sample | Perform Threat Hunting | hard
A phishing wave delivered malicious links by email, and you must determine which recipients actually clicked the links in the messages, capturing each click with the URL, the click verdict, and whether Safe Links allowed or blocked it. Which Advanced Hunting table in Microsoft Defender XDR records the user click events on URLs wrapped by Microsoft Defender for Office 365 Safe Links?
- A. EmailEvents, because it records the full delivery and post-delivery handling of each message, so it captures every recipient who clicked a link together with the click verdict and the Safe Links block or allow decision.
- B. EmailUrlInfo, because it enumerates the URLs found inside each message, so a query against it returns the click time, the click verdict, and the Safe Links allow or block result for every recipient who followed a link.
- C. UrlClickEvents, because Microsoft Defender for Office 365 logs each Safe Links click with the wrapped URL, the account that clicked, the click verdict, and whether the click was allowed or blocked. (Correct)
- D. DeviceNetworkEvents, because Safe Links protection redirects each click through the endpoint network stack, so this table records the click with the destination URL, the click verdict, and the allow or block result.
Use UrlClickEvents to identify which users clicked Safe Links protected URLs, with the per-click verdict and allow or block result. UrlClickEvents is generated by Microsoft Defender for Office 365 Safe Links whenever a user clicks a wrapped URL in email, Teams, or Office apps. It records the clicking account, the URL, the action type, and whether the user was allowed through or blocked, which separates it from EmailEvents and EmailUrlInfo that describe messages and their embedded URLs rather than the act of clicking.
Why A is wrong: EmailEvents records message-level delivery, detection, and post-delivery actions such as ZAP, which is essential context, but it does not log an individual user clicking a URL or the per-click Safe Links verdict, so it cannot identify who clicked.
Why B is wrong: EmailUrlInfo lists the URLs extracted from messages and is ideal for correlating which mails contained a given link, but it describes the URLs present rather than user click actions, so it carries no click time or per-click Safe Links verdict.
Why C is correct: UrlClickEvents is populated by Safe Links in Defender for Office 365 and records each user click on a protected URL, including the AccountUpn, the Url, the ActionType, and the IsClickedThrough and UrlChain detail, which is exactly the click-level evidence needed.
Why D is wrong: DeviceNetworkEvents records network connections observed by the endpoint sensor and may show traffic to a domain, but it has no concept of an email Safe Links click verdict and would miss clicks made on devices that are not onboarded to Defender for Endpoint.
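As an added example that is not part of the original question, the query below joins UrlClickEvents to EmailEvents on NetworkMessageId so that each Safe Links click is shown next to the message that delivered the link, and it turns ActionType and IsClickedThrough into a readable verdict. The sender domain is an assumed value.

```kql
// Added example, not from the original page. Assumed value: the phishing sender domain.
let suspectSenderDomain = "lure.example";   // assumed
let window = 7d;
// Messages belonging to the phishing wave, one row per recipient
let waveMessages = EmailEvents
| where Timestamp > ago(window)
| where SenderFromDomain =~ suspectSenderDomain
| project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject, DeliveryAction;
UrlClickEvents
| where Timestamp > ago(window)
| join kind=inner waveMessages on NetworkMessageId
// IsClickedThrough is true when the user went past the Safe Links warning page,
// so it is checked before the generic "blocked" bucket
| extend Verdict = case(
    ActionType == "ClickAllowed",          "Allowed",
    IsClickedThrough,                      "Warning shown, user clicked through",
    ActionType startswith "ClickBlocked",  "Blocked",
    ActionType)
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, ThreatTypes, Verdict,
          SenderFromAddress, Subject, DeliveryAction
| sort by Timestamp asc
```

Replacing the final project with `summarize Clicks = count(), Reached = countif(ActionType == "ClickAllowed" or IsClickedThrough) by AccountUpn` gives the per-recipient view for follow-up.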
Examworthy is not affiliated with or endorsed by Microsoft. All questions are original, blueprint-aligned practice material. We never reproduce live exam items. SC-200 and related marks belong to their respective owners.