D: notification rule
Why? I have tried to configure it with an alert policy and have not found a way to find an activity based on an incident.
You can find activities in the alert policy like:
Common user activities (e.g. document sharing)
Common endpoint user activities (e.g. printing)
File and folder activities (delete file)
File sharing activities (e.g. Share File, Folder Site)
Filtering events (e.g. Malicious email detected)
Common tenant activities (e.g. Insight generated)
and so on. So this is about events/activities by users and not about an event caused by an incident.
Just try it out for yourself.
The answer is C. an alert policy.
An alert policy is used to send notifications when certain events occur, such as when Microsoft 365 Defender detects a high-severity incident.
Correct answer is D:
In Microsoft 365 Defender, notification rules are used to send alerts via email when specific incidents or events, such as high-severity incidents, are detected.
Alert policies in the Microsoft Purview compliance portal can trigger notifications for compliance-related activities. However, in this context, incidents in Microsoft 365 Defender require a notification rule, which is specifically designed for this purpose.
https://learn.microsoft.com/en-us/defender-xdr/m365d-notifications-incidents
D. a notification rule
In Microsoft 365 Defender, notification rules are specifically designed to alert you when incidents of a certain severity level, such as high-severity incidents, are detected. By creating a notification rule, you can ensure that alerts are sent via email or other channels based on incident criteria, including severity.
Here's why the other options are less appropriate:
A. Custom detection rule: This is used for defining specific detection logic but doesn’t send notifications based on incident severity.
B. Threat policy: These are configurations for how threats are managed, not for notifications.
C. Alert policy: While alert policies can trigger alerts, notification rules are specifically tailored to notify administrators when incidents of specified severities occur.
Therefore, D. a notification rule is the best choice for ensuring you receive alerts for high-severity incidents in Microsoft 365 Defender.
The best option for receiving alerts when Microsoft 365 Defender detects high-severity incidents is:
C. An alert policy
Here's why the other options are not ideal:
A. Custom detection rule: Custom detection rules are designed to identify specific security threats that might not be covered by existing rules. They wouldn't trigger alerts for incidents already detected by Microsoft 365 Defender.
B. Threat policy: Threat policies define how Microsoft 365 Defender should handle detected threats. They can include actions like blocking emails or quarantining files, but they don't directly trigger alerts.
D. Notification rule: Notification rules can be used to define how alerts are delivered (e.g., email, notification center). However, they need an underlying event (like an alert policy) to trigger them.
Alert policies in Microsoft 365 Defender allow you to configure specific conditions for triggering alerts. You can define the severity level (e.g., high severity) and other criteria to receive notifications when incidents matching those criteria are detected.
The point is that:
A notification rule: Notification rules are used within Microsoft Defender for Endpoint, not Microsoft 365 Defender. They are used to configure notifications for specific events or alerts within Defender for Endpoint, not for alerts from Microsoft 365 Defender as a whole.
You can see here:
https://learn.microsoft.com/en-us/defender-xdr/configure-email-notifications#create-rules-for-alert-notifications
select Settings > Endpoints > General > Email notifications.
This is under Defender XDR, not Defender for Endpoint:
https://learn.microsoft.com/en-us/defender-xdr/m365d-notifications-incidents#create-a-rule-for-email-notifications
Go to the Microsoft Defender portal. In the navigation pane, select Settings > Microsoft Defender XDR, then select Email notifications under General.
In the Incidents tab, select Add INCIDENT NOTIFICATION RULE.
On the Basics page, type the rule name and a description, and then select Next.
On the Notification settings page, configure:
Alert severity - Choose the alert severities that trigger an incident notification. For example, if you only want to be informed about high-severity incidents, select High.
https://learn.microsoft.com/en-us/defender-xdr/m365d-notifications-incidents
Create a rule for email notifications
Follow these steps to create a new rule and customize email notification settings.
Go to Microsoft Defender XDR in the navigation pane, select Settings > Microsoft Defender XDR > Incident email notifications.
Select Add item.
On the Basics page, type the rule name and a description, and then select Next.
On the Notification settings page, configure:
Alert policies let you categorize the alerts triggered by a policy, apply that policy to all users in your organization, set a threshold level for triggering an alert, and decide whether you want to receive email notifications when alerts are triggered.
Looks like both C and D could be used here. Alert policies will allow you get notifications from Defender for high severity incidents, but going with the method D is broader and easier to turn on everything quickly. Another highly ambiguous question. Thanks MSFT.
D, this does use the same language for setting up a Rule.
“For example, if you only want to be informed about high-severity incidents, select High.”
https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-notifications-incidents?view=o365-worldwide
Community vote distribution: A (35%), C (25%), B (20%), Other