SC-200 Question #406: Real Exam Question with Answer & Explanation
Question
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You have a custom detection rule named Rule1 that generates an alert if more than five antivirus detections are identified on a device. Rule1 has a lookback period of 12 hours. You need to change the lookback period to 48 hours. What should you modify for Rule1?
Options
- A. the scope
- B. the summarize operator of the KQL query
- C. the frequency
- D. the where operator of the KQL query
Explanation
In Microsoft Defender XDR custom detection rules, the frequency setting controls both how often the rule runs and the lookback period - the time window over which the KQL query searches for matching events. These two values are coupled in the rule configuration: a rule with a 12-hour frequency has a 12-hour lookback, and changing the frequency to 48 hours extends the lookback to 48 hours. The scope (A) defines which devices or entities the rule applies to. Modifying the summarize (B) or where (D) operators in the KQL query changes the logic of what is detected, not the time window the rule covers.