SC-200 - Perform Threat Hunting - Section 3.1

Detect threats in Microsoft Defender XDR by selecting the right table and writing KQL Advanced Hunting queries.

Write Kusto Query Language (KQL) queries in the Microsoft Defender XDR Advanced Hunting portal, selecting the correct schema table - such as DeviceEvents, DeviceProcessEvents, or identity tables - for each hunting scenario. Apply query operators including joins and aggregations to correlate events across tables and surface indicators of compromise.

Topics covered: identify the appropriate table for a KQL query; Kusto Query Language (KQL); Advanced Hunting queries; DeviceEvents, DeviceProcessEvents, and identity tables; query operators and joins.


Examworthy is not affiliated with or endorsed by Microsoft. Original, blueprint-aligned practice material only.