Exam MS-101 topic 2 question 9 discussion

The important thing is you need create fileter or not Topic4 Question #29 ASK:You want to display Microsoft Defender ATP alert events ***you don't need create filter**** ANS:B:Automated investigations Topic2 Qutstion#8 ASK:You need to create a filtered view that displays which Microsoft Defender ATP alert ****you need create ***** ANS:D:Advanced hunting Advanced hunting can create query and filter For example: DeviceAlertEvents | where Severity == "high" | where Timestamp > ago(7d)

As I see, the answer should be D. Advanced Hunting. You can query anything there like in the Azure Log Analytics. Automated Investigations can give the 7day (1 week) view, but do not show severity. Please correct me if I am wrong here.

B - You need Automated investigations to see alerts

I'm going with Automated Investigation. The link Exam Topics provides a video. Starting at the 2 minute mark, the video even mentions "filtering" days, computer names, etc. within the Automated Investigation app: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide At 2:12 "...and of course, filter the list..."

Likely outdated question since this view is available under alerts: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-worldwide

as per ms doc

as other user are telling... D

D advanced Hunting

The answer is B – Automated Investigations, as per the link below (last updated March 25, 2022) https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-worldwide

2 mins in to video in https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide has the answer. The answer is B

There is no correct answer here. Updated docs: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-worldwide

This is a tough one, and I think that the question answers are out of date. Automated Investigations doesn't seem to be an option in the admin portal anymore (as of 2/20/2022). I'm going with D. Advanced Hunting.

Should most surely be, D. Advanced hunting allows you to create a query that proccesses 30 days of raw data and outputs the info asked for. Automated investigations handles itself by starting a scan once alerted and remidiates the issue at hand.

"D. Advanced hunting". I cant find that filter in Automated investigations blade.

D: Advanced hunting Question sed "You need to create" Automated investigations can only filter Advanced hunting can create query and filter For example: DeviceAlertEvents | where Severity == "high" | where Timestamp > ago(7d) That's why Correct Answer : D

I think B. Automated investigations is correct because it is asking for a filtered view from something like the Alert Queue rather than creating a query to look for the data then filter

Automated Investigations is correct. https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide.