SC-200 Certification Practice Question #208

Question

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You have a custom detection rule named Rule1 that generates an alert if more than five antivirus detections are identified on a device. Rule1 has a lookback period of 12 hours.

You need to change the lookback period to 48 hours.

What should you modify for Rule1?

Accepted Answer

For Defender XDR data, the lookback period is a fixed value derived from the rule's frequency setting — it is not set in the KQL query. MS Learn states the mapping explicitly: every 3 hours → 12 h lookback, and every 12 hours → 48 h lookback. Rule1 currently has a 12-hour lookback, which corresponds to the "every 3 hours" frequency; to obtain a 48-hour lookback you change the frequency to "every 12 hours." A WHERE/ago() clause only filters records that are already within the platform-applied lookback window (results outside the lookback are ignored regardless), so it cannot extend the window. This makes the WHERE-operator dissent (D) wrong despite a few votes, and the Suggested Answer, top community vote, and MS Learn all converge on C.

More SC-200 practice questions