Exam SC-200 topic 1 question 21 discussion

Actual exam question from Microsoft's SC-200
Question #: 21
Topic #: 1

You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Configure automatic data enrichment.
  • B. Add the IP addresses to the corporate address range category.
  • C. Increase the sensitivity level of the impossible travel anomaly detection policy.
  • D. Add the IP addresses to the other address range category and add a tag.
  • E. Create an activity policy that has an exclusion for the IP addresses.
Suggested Answer: AB

Comments

JohnAvlakiotis
Highly Voted 3 years, 5 months ago
This answer looks wrong and since there is no reference link to support it I challenge it. To me the correct answer is B,E.
upvoted 43 times
JohnAvlakiotis
3 years, 5 months ago
Apologies, the answer provided is correct. I just now checked the site myself and the options exist: you add the IP address range and a tag, and then you check to override the data enrichment by providing a location that goes along with that IP range. So, A & D stand correct.
upvoted 52 times
BtwIdonno
4 months, 3 weeks ago
Do you mean A & B are the right options?
upvoted 2 times
Neela
2 years, 11 months ago
https://docs.microsoft.com/en-us/defender-cloud-apps/api-data-enrichment
upvoted 8 times
AVN1711
10 months, 2 weeks ago
https://learn.microsoft.com/en-us/defender-cloud-apps/api-data-enrichment
upvoted 1 times
zaqwsx
3 years, 5 months ago
For me also BE: add IP to corporate or exclude IP address from alert.
upvoted 5 times
AlaReAla
3 years, 5 months ago
I echo your thoughts, I can get a few hints to support your answer at below location: https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts
upvoted 2 times
a9e34f5
11 months, 1 week ago
It is clearly B and E. It is evident here in the Microsoft Learn documentation in the link that you provided, AlaReAla: "This detection uses a machine learning algorithm that ignores obvious B-TP conditions, such as when the IP addresses on both sides of the travel are considered safe, the travel is trusted and excluded from triggering the Impossible travel detection. For example, both sides are considered safe if they are tagged as corporate. However, if the IP address of only one side of the travel is considered safe, the detection is triggered as normal." This is about 20 percent down the page, under Impossible Travel. I hope this helps.
upvoted 1 times
Startkabels
3 years, 5 months ago
At least B makes sense, as the question reads that a custom policy based on a custom IP range is in place. So false positive alerts that are generated by activity from the offices would be solved by adding their IP ranges to the custom IP range used in the policy.
upvoted 3 times
Startkabels
3 years, 4 months ago
https://docs.microsoft.com/en-us/cloud-app-security/ip-tags
upvoted 3 times
stromnessian
Highly Voted 3 years ago
Selected Answer: AB
A - this seems correct, as if you override the automatic detection of location for company IP address ranges, you can prevent the impossible travel alerts. B - This makes sense as you need to define your corporate address ranges so that they are not seen as risky. C - Increasing the sensitivity of the impossible travel detection would create more alerts. D - Why would you set the IP addresses to the "Other" category when there is a "Corporate" category that fits the description? E - Creating a new policy when there is already an existing one that you need to reduce the alerts from, would not reduce the number of alerts.
upvoted 40 times
Whatsamattr81
2 years, 7 months ago
Best answer IMHO. Stop (it says configure, it should say untick) the enrichment (for the impossible travel) add the addresses of your US offices, part of your company, to the corporate range.
upvoted 5 times
midou11
Most Recent 2 days, 19 hours ago
Here the answer is AB, YouTube says AD, ChatGPT says BE. Can someone tell me what the correct answer is, because now I am confused?
upvoted 1 times
Nikki0222
4 months, 3 weeks ago
AB correct
upvoted 2 times
Thezuland1098
5 months, 1 week ago
Selected Answer: AB
Without Data Enrichment we can't use the categories. A. The Data Enrichment API enables you to manage identifiable IP address ranges, such as your physical office IP addresses. IP address ranges allow you to tag, categorize, and customize the way logs and alerts are displayed and investigated. B. Add the IP addresses to the corporate address range category. This action allows you to define the IP address ranges that belong to your organization and exclude them from anomaly detection policies such as impossible travel or sign-ins from risky IP addresses.
upvoted 2 times
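The two mechanisms the posters above describe (a9e34f5's quote of the impossible-travel B-TP rule, and Thezuland1098's note on the Data Enrichment API and the corporate category) can be modelled offline. The following is an added example, not code from the page, from Microsoft, or from any poster; it assumes the Data Enrichment API's subnet-create body fields (name, numeric category code, subnets, tags) and category codes as given in Microsoft's API reference, which you should verify before use, and it uses constructed TEST-NET ranges in place of real office addresses.

```python
"""Offline model of Defender for Cloud Apps IP-range categories and the alert rules they drive."""
import ipaddress

# Category codes used in the Data Enrichment API subnet/create body
# (assumption taken from Microsoft's API docs; verify against the current reference).
CATEGORY_CODE = {"corporate": 1, "administrative": 2, "risky": 3,
                 "vpn": 4, "cloud_provider": 5, "other": 6}


def build_subnet_payload(name, cidrs, category="corporate", tags=()):
    """Build the JSON body for creating an IP address range (assumed: POST /api/v1/subnet/create/).

    strict=True rejects CIDRs with host bits set, so a typo such as 203.0.113.5/24
    fails here instead of silently tagging the wrong range as corporate.
    """
    subnets = [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]
    return {"name": name, "category": CATEGORY_CODE[category],
            "subnets": subnets, "tags": list(tags)}


def categorize_ip(ip, payloads):
    """Return the category name of the first configured range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    code_to_name = {v: k for k, v in CATEGORY_CODE.items()}
    for p in payloads:
        if any(addr in ipaddress.ip_network(s) for s in p["subnets"]):
            return code_to_name[p["category"]]
    return None


def impossible_travel_suppressed(ip_a, ip_b, payloads):
    """Documented B-TP rule: the detection is skipped only when BOTH sides are corporate;
    a corporate IP on one side alone still triggers the alert."""
    return (categorize_ip(ip_a, payloads) == "corporate"
            and categorize_ip(ip_b, payloads) == "corporate")


def risky_ip_alert(ip, payloads):
    """'Log on from a risky IP address' considers only the risky category,
    so addresses tagged corporate (or other) fall out of the policy's scope."""
    return categorize_ip(ip, payloads) == "risky"


if __name__ == "__main__":
    # Constructed sample data: TEST-NET ranges standing in for US office egress IPs.
    ranges = [build_subnet_payload("US offices", ["203.0.113.0/24", "198.51.100.0/25"],
                                   tags=["us-office"])]
    print(ranges[0])
    print(impossible_travel_suppressed("203.0.113.10", "198.51.100.20", ranges))  # True
    print(impossible_travel_suppressed("203.0.113.10", "192.0.2.50", ranges))     # False
```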
shannon_c0le1
8 months, 3 weeks ago
Selected Answer: AB
A and B
upvoted 1 times
Avaris
9 months ago
Selected Answer: AB
A and B is correct
upvoted 1 times
Avaris
9 months ago
Selected Answer: AB
defo A, B
upvoted 1 times
DChilds
10 months, 3 weeks ago
This question was in the exam 27/04/2024.
upvoted 2 times
Ramye
1 year ago
Selected Answer: AB
Based on the below information published here: https://learn.microsoft.com/en-us/defender-cloud-apps/ip-tags#create-an-ip-address-range Corporate: These IPs should be all the public IP addresses of your internal network, your branch offices, and your Wi-Fi roaming addresses.
upvoted 1 times
chepeerick
1 year, 4 months ago
correct A and D
upvoted 2 times
prkhrkmr
1 year, 5 months ago
Only B seems to be the correct option as you can see the explanations of the difference "categories" here: https://learn.microsoft.com/en-us/defender-cloud-apps/ip-tags#create-an-ip-address-range
upvoted 2 times
prkhrkmr
1 year, 5 months ago
Selected Answer: BC
B & C seem to be the only "available" configuration settings. C. Impossible Travel: https://security.microsoft.com/cloudapps/policy/anomaly/60253687a702c5eb0e8d86ca Apart from increasing or decreasing Sensitivity (or excluding certain users), there is no other filter available. The answer option C should be corrected to "Decrease the sensitivity" and then it is the right answer ;-) B. Logon from Risky IP: https://security.microsoft.com/cloudapps/policy/activity/create?template=5b3116e1996fe317b4a1b25e This looks at "Risky" category IP addresses only, so if the offices IPs are added to "Corporate" category or "Other" category, they go automatically out of scope for this policy. So even option D. can be considered a correct answer. A. is irrelevant as "User enrichment" is the only "enrichment" related setting found: https://security.microsoft.com/cloudapps/settings?tabid=discovery-userEnrichment E. is unnecessary as explained in B. above
upvoted 2 times
Gurulee
1 year, 5 months ago
Selected Answer: AB
A, B appear to be the best answers.
upvoted 1 times
mali1969
1 year, 6 months ago
Selected Answer: BE
To prevent alerts for legitimate sign-ins from known locations, you need to perform the following two actions: B. Add the IP addresses to the corporate address range category. This action allows you to define the IP address ranges that belong to your organization and exclude them from anomaly detection policies such as impossible travel or sign-ins from risky IP addresses. You can add the IP addresses of your company's United States-based offices to the corporate address range category in the Microsoft 365 Defender portal, under Cloud Apps. E. Create an activity policy that has an exclusion for the IP addresses. This action allows you to create a custom alert based on user activities and apply filters or exclusions to refine the results.
upvoted 2 times
donathon
1 year, 6 months ago
C: No way to adjust. D: Doesn't make sense. E: Not possible to exclude the IP totally.
upvoted 1 times
Oryx360
1 year, 6 months ago
Yes B & E is correct
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)