🔥 3-day streak
Microsoft Security Operations Analyst87 / 190
Question 87 of 190

You are threat hunting in Microsoft Defender XDR Advanced Hunting. A recent threat analytics report indicates attackers are launching PowerShell with Base64-encoded commands to evade detection. You want a KQL query that surfaces processes where PowerShell was invoked with an encoded command argument across all onboarded devices in the last 7 days. Which table should you query and what filter approach is most appropriate?

Reviewed for accuracy · Report an issueNext question