
Exam SC-200 topic 1 question 5 discussion

Actual exam question from Microsoft's SC-200
Question #: 5
Topic #: 1

Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team.
You need to hide false positives in the Alerts queue while maintaining the existing security posture.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Resolve the alert automatically.
  • B. Hide the alert.
  • C. Create a suppression rule scoped to any device.
  • D. Create a suppression rule scoped to a device group.
  • E. Generate the alert.
Suggested Answer: BDE

Comments

KingSize
Highly Voted 2 months, 3 weeks ago
You can Hide or Resolve an alert, and all of those actions can be performed on any device, on device groups, or on a single device. But the question mentions an accounting team, so there will be a device group. Answer should be ABD.
upvoted 55 times
AnonymousJhb
2 years, 8 months ago
D is wrong. This "group" feature is only available in Suppress alerts from Microsoft Defender for Cloud. This question's context is Manage Microsoft Defender for Endpoint alerts. There are two contexts for a suppression rule that you can choose from:
  • Suppress alert on this device
  • Suppress alert in my organization
upvoted 6 times
Metasploit
2 months, 2 weeks ago
BDE. This changed. I know, it's not in the docs (the docs are old and not updated). I had to go to the tech community: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719
upvoted 8 times
BhanuD
2 years ago
Hi, maybe the documentation is not updated. The scope is to select organization or user/device/device groups. As they clearly mention the accounts department, a device group needs to be selected.
upvoted 3 times
Ashfaq2
3 years, 6 months ago
A suppression rule cannot be created based on a Device Group.
upvoted 5 times
sasasach
1 year, 11 months ago
I checked it in MS Defender itself; you can create a suppression rule based on a device group.
upvoted 2 times
jethi
3 years, 5 months ago
Suppression rule can be created based on a device group. Verified it on the defender portal itself. Correct answer is BDE
upvoted 35 times
uday1985
7 months, 2 weeks ago
Why generate alerts when the ask is to suppress?
upvoted 1 times
xRiot007
1 week, 1 day ago
Because you want to see the alert for insights. Suppressing an alert means that the alert will get generated, but the underlying action will not be executed.
upvoted 1 times
AlaReAla
3 years, 2 months ago
It cannot be A, as we need to hide, not resolve (so it should be B). I suppose it can be D, and E is anyhow the right option. So in all, the answer should be BDE.
upvoted 12 times
sadako
2 years, 8 months ago
Shortcut for easier reference:
  • Hide alert
  • Create suppression rule scoped to device group
  • Generate alert
upvoted 2 times
sadako
2 years, 8 months ago
Sorry, I was wrong. Correct shortcut should be:
  • Resolve alert
  • Hide alert
  • Create suppression rule scoped to device group
upvoted 3 times
PTIN
Highly Voted 3 years, 8 months ago
Given answer BCE is correct. The question states "alerts must be hidden from queue". Automatically resolving is not the correct solution, as that will still show up in the queue. Hence the given answer BCE is correct.
upvoted 19 times
Metasploit
2 years, 2 months ago
  • Not A = Resolved alerts stay in the Alerts queue marked as resolved.
  • B = You can hide alerts from the system.
  • C = 1.) Suppress alert on this device or 2.) Suppress alert in my organization (for MS Defender for Endpoint).
  • Not D = Because C.
  • E = Because you cannot do either of the others without an alert.
upvoted 1 times
Metasploit
2 months, 2 weeks ago
Correction: BDE. This question bugged me. The new alert suppression rules allow for much more. https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719
upvoted 7 times
Nikki0222
Most Recent 1 month, 2 weeks ago
Answer is BDE.
upvoted 1 times
Metasploit
2 months, 2 weeks ago
Selected Answer: BDE
  • NOT A = Resolved alerts stay in the Alerts queue marked as resolved.
  • B = You can hide alerts from the system.
  • NOT C = Not best practice.
  • D = Because it is best practice, and the new alert suppression rules allow for groups and much more (the docs are still old; below is a link for evidence of this claim): https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719
  • E = Because you cannot do either of the others without an alert.
upvoted 7 times
Apocalypse03
2 months, 2 weeks ago
Selected Answer: BDE
  • Generate the alert. This will trigger the alert for the detected macro in the Word document.
  • Hide the alert. This will prevent the alert from appearing in the Alerts queue.
  • Create a suppression rule scoped to a device group. This will ensure that the rule only applies to the devices of the accounting team, while maintaining the existing security posture for other devices in the company.
upvoted 4 times
Lone__Wolf
2 months, 2 weeks ago
Selected Answer: BDE
Here's a brief explanation of each option:
  • E. Generate the alert: You need to generate the alert first so that you can see it in the Alerts queue.
  • B. Hide the alert: After generating the alert, you can hide it if you want to remove it from view.
  • D. Create a suppression rule scoped to a device group: You can also create a suppression rule scoped to a specific device group if you want to only apply it to a specific group of devices. This helps you maintain the existing security posture.
upvoted 11 times
EricShon
2 months, 2 weeks ago
Selected Answer: BDE
  • B. Hide the alert (for immediate, manual action)
  • D. Create a suppression rule scoped to a device group (for a targeted, long-term solution)
  • E. Generate the alert
upvoted 6 times
user636
2 months, 2 weeks ago
Selected Answer: BDE
You can either hide or automatically resolve the alert using a suppression rule in MDE. Ref: https://learn.microsoft.com/en-us/defender-endpoint/manage-alerts#suppress-alerts
The answer is:
  • A or B (both are correct)
  • D
  • E
upvoted 1 times
g_man_rap
2 months, 3 weeks ago
  • E. Generate the alert. This step is implicit, as the alert needs to be generated and identified as a false positive before any suppression or hiding actions can be taken.
  • D. Create a suppression rule scoped to a device group. After identifying the alert as a false positive, you create a suppression rule scoped to the specific device group (e.g., the accounting team's devices) to prevent similar alerts from showing up in the future.
  • B. Hide the alert. Finally, you hide the current false positive alert from the queue to reduce noise, keeping the Alerts queue focused on relevant security incidents.
upvoted 1 times
4b097e5
5 months, 2 weeks ago
BDE is the correct answer.
upvoted 2 times
chepeerick
1 year, 1 month ago
Selected Answer: BDE
B and D and E
upvoted 2 times
Unlikely
1 year, 2 months ago
My 2 cents. BCE. A false positive is a false positive, regardless of which group of users causes it more often. The question states that a specific group uses the document more often than the others, not that this is a FP only when that specific group opens the document. So, more than one group of users in the company can open that document and generate the FP: hence, it makes no sense to suppress the FP for one specific group.
upvoted 1 times
BMG6
1 year, 3 months ago
BDE
  • No (task is to HIDE): A. Resolve the alert automatically.
  • B. Hide the alert.
  • No (task is for Accounting computers): C. Create a suppression rule scoped to any device.
  • D. Create a suppression rule scoped to a device group.
  • E. Generate the alert.
upvoted 2 times
Abujumaa
1 year, 3 months ago
Selected Answer: BCE
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide
upvoted 1 times
mali1969
1 year, 3 months ago
We can perform three actions to hide false positives in the Alerts queue, while maintaining the existing security posture:
  • Create a suppression rule scoped to a device group
  • Hide the alert
  • Resolve the alert automatically
These actions will allow you to suppress alerts that are known to be harmless for a specific group of devices, such as the accounting team's devices, and remove them from the Alerts queue without affecting other alerts or devices.
upvoted 1 times
donathon
1 year, 4 months ago
Selected Answer: BDE
BDE makes sense.
upvoted 2 times
Yurri
1 year, 4 months ago
Selected Answer: ABD
A, B, D.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other