🔥 3-day streak
Microsoft Security Operations Analyst89 / 190
Question 89 of 190
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you suspect that a legitimate Microsoft Office application was abused to spawn a malicious child process (a macro-based dropper). You need a KQL query that surfaces every process created by winword.exe, outlook.exe, or excel.exe so you can review suspicious command lines. Which approach on the DeviceProcessEvents table best identifies this parent-to-child relationship?
Reviewed for accuracy · Report an issueNext question