🔥 3-day streak
Microsoft Security Operations Analyst79 / 190
Question 79 of 190
You are threat hunting in Microsoft Defender XDR Advanced Hunting. Threat analytics reports that an active campaign begins with a malicious Office document that spawns a scripting host, which then downloads a payload roughly 30-90 seconds later. You want a single KQL query that surfaces devices where a Word or Excel process spawned a scripting host (wscript.exe, cscript.exe, or powershell.exe) and correlates it with an outbound network connection from that same scripting host within 2 minutes. Which approach best builds this hunt?
Reviewed for accuracy · Report an issueNext question