Exam MS-500 topic 4 question 35 discussion

Answer: Policy1 will be triggered after 45 minutes Policy1 will be triggered within 45 minutes Explanation: 1 user -> 5 mins 60/5 = 12 10th copy, t=50 mins -------------------------------- 3 users -> 10 mins t=0 -> 3 activites t=10 -> 6 activites in total t=20 -> 9 activites in total t=30 -> 12 activites in total -> Alert is triggered

When you go to create an alert like this, you options say: More than or equal to # activities During the last # minutes The key being "during the last # minutes". So it is assessing the trailing 60 minutes (each minute perhaps). So this pretty much nullifies the given answers of 60 minutes. If it were a report, I could see it happening after 60 minutes, but that would make useless alert wouldn't it! The other thing is that the choices in the first question says will be triggered 'AFTER' # minutes. So clearly is has to be "Policy1 will be triggered after 45 minutes" On the second question, notice on the 20 and 45 it says will be triggered 'WITHIN' # minutes. The 60 says 'AFTER'. We know it could not be within 20 minutes. 10 activities would take 30 minutes, so therefore the answer has to be 'within 45 minutes'. Simple process of elimination.

At first i was on board with the after 45 min and within 45 min crowd, but after consulting with my friend chatGPT, i believe the given answers are correct. "theoretically, if the file is copied 7 times within the last 3 minutes of the first 60-minute window, and then 7 more times within the first 3 minutes of the next 60-minute window, the alert policy may not be triggered. This is because the policy counts the number of file copies made within a 60-minute window, and it may not detect that the threshold has been exceeded if the copies are made at the boundaries of the windows. To avoid this scenario, you may consider adjusting the window size or threshold to ensure that the alert policy covers the necessary timeframe and captures the appropriate number of file copies. You may also want to consider setting up multiple alert policies with different windows and thresholds to provide more granular coverage."

After 45 Within 45 Alert policy settings An alert policy consists of a set of rules and conditions that define the user or admin activity that generates an alert, a list of users who trigger the alert if they perform the activity, and a threshold that defines how many times the activity has to occur before an alert is triggered.

Given answers are correct. You guys are overthinking it, it is NOT a math exam to calculate how many 5mins in 1 hour! The question is testing your knowledge about the Window of 1 hour. Did you know that Alert Policies in Microsoft Purview can be "Scheduled in minutes" which can be set under "During the last X minutes"? In this question, this alert policy will be checked every 1 hour to see if the Threshold was met. If met (More than or equal to 10 activities), then the alert policy will be triggered. So the correct answers will be 60mins for both answers because the threshold was exceeded within the 1 hour. Done.

Policy1 will be triggered after 45 minutes Policy1 will be triggered within 45 minutes

Given answers are correct. Explanation: 1st 1 user -> 5 mins 60/5 = 12 10th copy, t=50 mins So threshold for policy is met at 50th minute -------------------------------- 2nd 3 users -> 10 mins t=0 -> 3 activites t=10 -> 6 activites in total t=20 -> 9 activites in total t=30 -> 12 activites in total -> Alert is triggered So threshold for policy is met at 30th minute But....The policy is set to trigger alert after 60 minutes if the threshold is met, even if the action does occur within the 60 minutes. This will limit the number of notifications to a reasonable number.

"Window" has been changed to "during the last", which I think is clearer. I understand that as the policy looks at the last 60 minutes and sees if the number of matched activities meets the threshold. https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide Based on my understanding Policy1 is triggered in both cases after 60 minutes.

I believe no policy will be trigered, because: File is not updated, it is copied, which will not trigger alert

Answer for question 1 is Policy will be triggered AFTER 45 min Logic: Answer 1 Answer 1 Time User 1 Total Activity 0:00 1 1 0:05 1 2 0:10 1 3 0:15 1 4 0:20 1 5 0:25 1 6 0:30 1 7 0:35 1 8 0:40 1 9 0:45 1 10 Answer for question 2 is Policy will be triggered WITHIN 45 min Logic: Answer 2 Time User 1 User 2 User 3 Total activitty 0:00 1 1 1 3 0:10 1 1 1 6 0:20 1 1 1 9 0:30 1 1 1 12

Interesting discussion. To me, the given answers are right. Both will trigger after 60 minutes. The policy is set to trigger after 60 minutes if the threshold is met. In both cases, within the 60 minutes window, they exceeded the threshold and so the trigger will happen at then 60 minutes window. This is more of the time trigger than the number of activity trigger. The question is , within one the one hour has the copying met or exceeded the threshold, if yes, trigger. Otherwise, no trigger.

Both answers are wrong to me too. As above folks did the maths.... Policy1 will be triggered after 45 minutes when 10th Policy1 will be triggered within 45 minutes (as there isn't after 30min)

docs.microsoft When the alert is triggered - You can configure a setting that defines how often an activity can occur before an alert is triggered. This allows you to set up a policy to generate an alert every time an activity matches the policy conditions, when a certain threshold is exceeded, or when the occurrence of the activity the alert is tracking becomes unusual for your organization. https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide#:~:text=How%20alert%20policies%20work,-Here%27s%20a%20quick&text=A%20user%20performs%20an%20activity,in%20the%20Security%20%26%20Compliance%20Center. so the answers should be wrong

Based on the link the image given in Qaestion is "Window = 60 Mins" However once we read the link then it is "During the last 60 Mins" . Thus answer is right there is nothing like Window..this is to create a confusion.

Tested and both given answers are correct!

The key here is Aggregated. It's going to to wait 60 minutes then tell you how many times it hit with a Hit Count. "When events that match the same alert policy occur within the aggregation interval, details about the subsequent event are added to the original alert." https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide

Tested this the alert was created even before it hits the 60 minutes.