ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 5 question 17 discussion

Actual exam question from Microsoft's SC-200
Question #: 17
Topic #: 5
[All SC-200 Questions]

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You have a query that contains the following statements.



You need to configure a custom detection rule that will use the query. The solution must minimize how long it takes to be notified about events that match the query.

Which frequency should you select for the rule?

  • A. Every hour
  • B. Continuous (NRT)
  • C. Every 12 hours
  • D. Every 3 hours
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by sapphire at Nov. 11, 2024, 11:58 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Krayzr
2 months, 2 weeks ago
Selected Answer: A
https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules#queries-you-can-run-continuously
upvoted 2 times
...
OneplusOne
2 months, 3 weeks ago
Selected Answer: C
NRT not possible (union) and not logical since the query looks back 24 hours each time it is executed. Every hour or 3 hours would result in many duplicates since it is looking back 24 hours. Every 12 hours seems best.
upvoted 1 times
...
QzLP2P
3 months ago
Selected Answer: A
Some KQL features are not supported in NRT rules, including: - union - join - subqueries - and some scalar functions (like ingestion_time())
upvoted 3 times
...
Adel614
3 months, 4 weeks ago
Selected Answer: A
According to https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules#queries-you-can-run-continuously, “You can run a query continuously as long as: The query references one table only.” Therefore, “B. Continuous (NRT)” cannot be the right answer due to "union DeviceEvents, DeviceProcessEvents". “A. Every hour” is the more possible answer, even though it sound off with the line “| where ingestion_time() > ago(1d)” in the KQL request.
upvoted 3 times
...
sapphire
9 months, 1 week ago
Selected Answer: B
B is Correct - The solution must minimize how long it takes to be notified about events that match the query.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel