
Exam SC-200 topic 5 question 16 discussion

Actual exam question from Microsoft's SC-200
Question #: 16
Topic #: 5

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

The security team at your company detects command and control (C2) agent traffic on the network. Agents communicate once every 50 hours.

You need to create a Microsoft Defender XDR custom detection rule that will identify compromised devices and establish a pattern of communication. The solution must meet the following requirements:

• Identify all the devices that have communicated during the past 14 days.
• Minimize how long it takes to identify the devices.

To what should you set the detection frequency for the rule?

  • A. Every 12 hours
  • B. Every 24 hours
  • C. Every three hours
  • D. Every hour
Suggested Answer: B
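A candidate query for the rule the question describes, added here as an illustration; it is not part of the exam question, the thread, or Microsoft's documentation. It assumes the C2 destination is already known from the team's network detection (203.0.113.10 is a documentation-range placeholder, not a real indicator), that the observed check-in interval is 50 hours, and that the rule is saved with the "Every 24 hours" frequency, because that schedule's 30-day lookback is the only one that covers the 14-day time filter in the query; results outside the lookback are ignored, so the same query under the hourly, 3-hour or 12-hour schedule would effectively see only 4, 12 or 48 hours of data. Timestamp, ReportId and DeviceId are kept in the output because a custom detection rule requires them.

```kusto
// Added example, not code from the page or from Microsoft.
// Assumptions: known C2 destination (placeholder below), 50-hour beacon, rule saved at "Every 24 hours"
// so its 30-day lookback covers the 14-day window used here.
let c2_destinations = dynamic(["203.0.113.10"]);   // placeholder indicator, documentation range
let window = 14d;                                   // must fit inside the schedule's lookback
let beacon_hours = 50;                              // observed C2 check-in interval
let tolerance_hours = 5;                            // allowance for jitter and late ingestion
DeviceNetworkEvents
| where Timestamp > ago(window)
| where RemoteIP in (c2_destinations)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ReportId
// Order per device so prev() yields the previous contact from the same device.
| sort by DeviceId asc, Timestamp asc
| extend PrevTimestamp = prev(Timestamp, 1), PrevDeviceId = prev(DeviceId, 1)
| extend IntervalHours = iff(PrevDeviceId == DeviceId,
                             datetime_diff("hour", Timestamp, PrevTimestamp), long(null))
// One row per device: latest contact (for Timestamp/ReportId), plus the communication pattern.
| summarize arg_max(Timestamp, ReportId, RemotePort, InitiatingProcessFileName),
            Beacons = count(),
            FirstSeen = min(Timestamp),
            MedianIntervalHours = percentile(IntervalHours, 50),
            IntervalsSeen = make_set(IntervalHours)
    by DeviceId, DeviceName, RemoteIP
// Every device that talked to the C2 in the window is returned (requirement 1);
// PeriodicMatch flags the ones whose spacing fits the 50-hour pattern.
| extend PeriodicMatch = Beacons >= 2 and abs(MedianIntervalHours - beacon_hours) <= tolerance_hours
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, RemotePort,
          InitiatingProcessFileName, FirstSeen, Beacons, MedianIntervalHours, IntervalsSeen, PeriodicMatch
```

The interval is computed per device before summarising, so a device seen once in the window still appears (with a null median) rather than being dropped; the tolerance absorbs the ingestion delay that several commenters raise. If the destination is not known, the `RemoteIP in (...)` filter can be removed and the `PeriodicMatch` column used to hunt for any host with near-constant spacing, at the cost of noise from legitimate schedulers.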

Comments

Sekpluz
Highly Voted 11 months, 4 weeks ago
Selected Answer: A
I believe Option A is the correct answer. Here’s why: Once you create and run the rule for the first time, it will, by default, check for the last 30 days. This means we can already scan the past 14 days as stated in the question. Now, if we choose Option A, which is a 12-hour interval, it checks every 12 hours and scans back 48 hours. This is less than the 50 hours of the Command and Control (C&C), making it the most balanced option. Therefore, I would choose Option A. https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules
upvoted 5 times
OneplusOne
Most Recent 2 weeks, 1 day ago
Selected Answer: B
I've been battling with GPT for an hour. My gut says D since every hour with a lookback window of 4 would catch the event fast. However, the frequencies with different lookback windows serve different purposes, where the 24-hour frequency is ideal for rare or irregular activity. The risk of every-hour detection: if you ever had a beacon every 50 hours, and your ingestion delay crept over 4 hours, or logs arrived late, you might miss the one shot, and that's where longer-lookback rules shine (despite being slower). So I will choose B since it guarantees the event will be caught within the lookback window of more than 50 hours.
upvoted 1 times
0d0dde7
4 weeks ago
Selected Answer: C
chatgpt
upvoted 1 times
Optimizor_IT
2 months ago
Selected Answer: D
Set detection frequency to “Every hour” in the custom detection rule wizard (Step 2: Rule settings > Frequency). Lookback period = 14 days ensures all devices from the past 14 days are identified. 1-hour frequency minimizes identification time (max delay = 1 hour vs. 50-hour C2 cycle), meeting the “minimize how long” requirement. Why Not Others? A (12 hours): 12-hour delay—too slow for timely C2 response. B (24 hours): 24-hour delay—misses half a day, risking escalation. C (3 hours): 3-hour delay—better, but still triples the wait vs. hourly.
upvoted 3 times
Edindude
3 months, 4 weeks ago
Selected Answer: B
Using a 24-hour detection frequency would certainly work, but it might not be the most efficient choice for your scenario. Here’s why: Communication Pattern: Since the agents communicate once every 50 hours, setting the detection frequency to 24 hours may result in delayed identification of the compromised devices. There's a chance you might miss an entire communication window and only catch it on the next cycle, effectively identifying devices every 72 hours. Balance Between Timeliness and Efficiency: A 12-hour frequency strikes a better balance. It ensures that you have more frequent checks without significantly increasing the load on your system. This means that even if you miss one communication window, you're likely to catch it on the next 12-hour cycle, improving your chances of timely detection. Choosing a 12-hour frequency helps ensure more timely detection and a better understanding of the communication pattern while maintaining efficiency. If you have any more questions or need further assistance, feel free to ask!
upvoted 1 times
Edindude
3 months, 4 weeks ago
I meant to click A, sorry.
upvoted 1 times
dejo
5 months, 2 weeks ago
Selected Answer: D
Don't have experience with CDR but I think about it this way:
  • Hourly runs: detects C2 communication at ~51 hours, looking back only 4 hours (fastest results)
  • 3-hour runs: also detects at ~51 hours but processes 12 hours of data (slower)
  • 12-hour runs: detects at 60 hours, checking 48 hours of data (slower results)
  • 24-hour runs: detects at 72 hours, checking 30 days of data (longest delay)
The first time the rule is run, it will automatically cover the last 30 days, allowing us to examine the 14-day period as outlined in the question (requirement: identify all the devices that have communicated during the past 14 days).
upvoted 1 times
sapphire
6 months, 4 weeks ago
Selected Answer: B
B is correct answer https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules#rule-frequency
upvoted 2 times
54c341a
3 months ago
This is indeed correct.
  • Every 24 hours - runs every 24 hours, checking data from the past 30 days.
  • Every 12 hours - runs every 12 hours, checking data from the past 48 hours.
  • Every 3 hours - runs every 3 hours, checking data from the past 12 hours.
  • Every hour - runs hourly, checking data from the past 4 hours.
upvoted 1 times
12369b6
7 months, 1 week ago
B - every 24 hours You need to identify devices that have communicated during the past 14 days, and the agents communicate every 50 hours. Setting the detection frequency to every 24 hours ensures that you capture all relevant communications within a reasonable time frame while minimizing performance impact.
upvoted 1 times
talosDevbot
8 months ago
Selected Answer: B
Every 24 hours — runs every 24 hours, checking data from the past 30 days "Match the time filters in your query with the lookback duration. Results outside of the lookback duration are ignored."
upvoted 4 times
Sparkletoss
7 months, 3 weeks ago
https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules
upvoted 1 times
g_man_rap
9 months, 3 weeks ago
Selected Answer: B
Communication Frequency of C2 Agents: The C2 agents communicate once every 50 hours. To effectively catch this communication pattern within the past 14 days, running the detection rule every 24 hours would be sufficient. This frequency allows you to regularly scan for the C2 traffic while balancing the resource usage and performance of your detection system.
upvoted 3 times
smosmo
1 year ago
Rule frequency: When you save a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback duration based on the frequency you choose:
  • Every 24 hours - runs every 24 hours, checking data from the past 30 days
  • Every 12 hours - runs every 12 hours, checking data from the past 48 hours
  • Every 3 hours - runs every 3 hours, checking data from the past 12 hours
  • Every hour - runs hourly, checking data from the past 4 hours
  • Continuous (NRT) - runs continuously, checking data from events as they're collected and processed in near real-time (NRT); see Continuous (NRT) frequency
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other