SC-200 domain - 22% of the exam

Perform Threat Hunting

Perform Threat Hunting is 22% of the Microsoft Security Operations Analyst (SC-200) exam. These are the objectives it covers, each with practice questions and worked explanations.


Sample question from this domain

Free sample | Perform Threat Hunting | Difficulty: hard

During an Advanced Hunting investigation in Microsoft Defender XDR, you must reconstruct a suspected malware execution chain on a single workstation by listing every process that was launched, together with its full command line and its initiating parent process, so that you can trace the lineage from the original loader. Which table should the Kusto Query Language (KQL) query target to obtain the parent and child process command lines directly?

// Goal: child process, its command line, and its parent process command line
<Table>
| where DeviceName == "FIN-WKS-014"
| project Timestamp, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
  • A. DeviceProcessEvents, because it records one row per process creation with the child FileName and ProcessCommandLine alongside the InitiatingProcess fields for the parent, giving the full lineage on the device. (Correct)
  • B. DeviceEvents, because it is the general endpoint event table and therefore records every action a device takes, including each process that is created along with its parent and child command lines.
  • C. DeviceImageLoadEvents, because the loader and every subsequently launched binary must be mapped into memory, so the image load records reveal the parent and child process command lines for the chain.
  • D. DeviceFileEvents, because the loader writes the child executables to disk before running them, so the file create and modify records carry the process command lines for each stage of the chain.
Use DeviceProcessEvents in Advanced Hunting for process creation telemetry, as it carries both the child and initiating-parent command lines. DeviceProcessEvents is the schema table dedicated to process creation in Microsoft Defender for Endpoint telemetry. Each row pairs the spawned process FileName and ProcessCommandLine with the InitiatingProcessFileName and InitiatingProcessCommandLine of its parent, which lets an analyst pivot up and down the chain from a single table rather than joining across general event tables.

Why A is correct: DeviceProcessEvents is purpose-built for process creation telemetry, exposing the spawned process command line and the InitiatingProcess parent fields in the same row, which is exactly what is needed to walk a malware execution chain on one host.

Why B is wrong: DeviceEvents is a catch-all table for miscellaneous security and audit events such as protection toggles and ASR triggers; it does not provide a dedicated row per process creation with both the child and initiating-parent command lines, so the lineage reconstruction would be incomplete.

Why C is wrong: DeviceImageLoadEvents tracks DLL and module loads into a process, not process creation, so it lacks a per-spawn child command line and is the wrong surface for reconstructing parent-to-child execution lineage.

Why D is wrong: DeviceFileEvents captures file create, modify, rename, and delete activity, which is useful for tracking dropped payloads, but it does not record process command lines or parent-child execution, so it cannot reconstruct the run chain on its own.
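The query below is an added example, not part of the original question or of Microsoft's documentation: it extends the sample query by walking the lineage one more level up with a self-join on DeviceProcessEvents, matching each child's InitiatingProcessId and InitiatingProcessCreationTime against the parent's own creation row. The device name is taken from the question; the 24-hour look-back is an assumption.

```kql
// Added example: reconstruct the execution chain on one host from DeviceProcessEvents.
// Assumptions: device name FIN-WKS-014 (from the question) and a 24-hour look-back window.
let targetDevice = "FIN-WKS-014";
let lookback = 24h;
// Each row already pairs the child (FileName/ProcessCommandLine) with its parent
// (InitiatingProcess* fields), so one table gives two levels of lineage.
let spawns = DeviceProcessEvents
    | where Timestamp > ago(lookback) and DeviceName == targetDevice
    | project Timestamp, DeviceName,
              ChildName = FileName, ChildCmd = ProcessCommandLine,
              ChildPid = ProcessId, ChildCreated = ProcessCreationTime,
              ParentName = InitiatingProcessFileName, ParentCmd = InitiatingProcessCommandLine,
              ParentPid = InitiatingProcessId, ParentCreated = InitiatingProcessCreationTime,
              GrandparentPid = InitiatingProcessParentId,
              GrandparentName = InitiatingProcessParentFileName;
// Third level: the parent's own creation row is the one whose ProcessId and
// ProcessCreationTime equal the child's InitiatingProcess values. Joining on the
// creation time as well as the PID avoids mismatches when Windows reuses a PID.
// leftouter keeps children whose parent started before the window (e.g. explorer.exe),
// in which case GrandparentName still comes from InitiatingProcessParentFileName.
spawns
| join kind=leftouter (
    spawns
    | project ParentPid = ChildPid, ParentCreated = ChildCreated,
              GrandparentCmd = ParentCmd
  ) on ParentPid, ParentCreated
| project Timestamp, GrandparentName, GrandparentCmd,
          ParentName, ParentCmd, ChildName, ChildCmd
| order by Timestamp asc
```

Reading the output top-down from the earliest Timestamp shows the loader as a parent and each stage it spawned as a child, with all three command lines on one row.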


See also the SC-200 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by Microsoft. Original, blueprint-aligned practice material only.