Last Updated on November 14, 2021 by Admin

You have the following advanced hunting query in Microsoft 365 Defender.

[Image of the advanced hunting query: SC-200 Microsoft Security Operations Analyst Part 01 Q10 012]

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • Create a detection rule.
  • Create a suppression rule.
  • Add | order by Timestamp to the query.
  • Replace DeviceProcessEvents with DeviceNetworkEvents.
  • Add DeviceId and ReportId to the output of the query.