🔥 3-day streak
Microsoft Security Operations Analyst72 / 190
Question 72 of 190
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you suspect that a malicious executable named 'update_svc.exe' was staged across multiple endpoints before execution. You need a KQL query that returns each distinct device where the file was created, along with the earliest creation time per device, so you can prioritize the first-affected hosts. Which query best meets this requirement?
Reviewed for accuracy · Report an issueNext question