Exam SC-200 topic 1 question 29 discussion

Actual exam question from Microsoft's SC-200
Question #: 29
Topic #: 1

You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.
What should you use?

  • A. a file policy in Microsoft Defender for Cloud Apps
  • B. an access review policy
  • C. an alert policy in Microsoft Defender for Office 365
  • D. an insider risk policy
Suggested Answer: D

Comments

Metasploit
Highly Voted 2 years, 1 month ago
Selected Answer: D
D: Insider risk policy. Data theft by departing users: https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-users When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area.
upvoted 29 times
Bhuru
1 month ago
D is also the answer on the Microsoft practice test as well.
upvoted 2 times
espnadmin
Highly Voted 2 years, 3 months ago
D. an insider risk policy
upvoted 20 times
RafaAbel
2 years, 3 months ago
I agree due to the context, this guy was leaving the company then being monitored by insider risk policy
upvoted 4 times
uday1985
1 year, 7 months ago
Requires an alert. Stop assuming: An insider risk policy is used to monitor and detect risky behavior by employees within an organization. This policy can help identify and prevent insider threats such as data theft, sabotage, and espionage.
upvoted 3 times
Chris2pher
11 months, 3 weeks ago
Then how will it create an alert if the user has already been deleted?
upvoted 1 times
Ramye
10 months, 2 weeks ago
It says you are to be notified prior to the acct being deleted: “You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.”
upvoted 1 times
mimguy
1 year, 5 months ago
It says 'You need to be notified'. The insider risk policy will detect and the alert policy will notify. It's got to be C.
upvoted 2 times
HAjouz
Most Recent 3 days, 19 hours ago
Selected Answer: A
A. a file policy in Microsoft Defender for Cloud Apps. This option allows you to create policies that can monitor and alert you on specific activities, such as downloading a large number of documents, which is crucial for identifying potential data exfiltration before user accounts are deleted. A file policy in Microsoft Defender for Cloud Apps is specifically designed to monitor and control file activities, including downloads, across your cloud environment. While insider risk can be used to monitor and alert on risky activities, it is more comprehensive and typically used for ongoing monitoring of insider threats rather than specific scenarios like monitoring document downloads before account deletion.
upvoted 1 times
Nikki0222
1 month, 3 weeks ago
D correct
upvoted 1 times
Jacob_Plummer
4 months, 1 week ago
This exact question, nearly word for word, is on the Microsoft practice exam for the SC-200, and the answer they give is "a Microsoft Purview insider risk management policy".
upvoted 2 times
Avaris
5 months, 4 weeks ago
Selected Answer: A
File policy focuses on SP while alert policy focuses on emails, so it's A and defo not user risk, as this is related to the user's risk posture.
upvoted 2 times
emartiy
6 months, 1 week ago
Selected Answer: C
To be notified if deleted users downloaded numerous documents from SharePoint Online sites before their accounts were deleted, consider the following approach: Configure an Alert Policy in Microsoft Defender for Office 365 (Option C): Set up an alert policy that monitors user activity related to document downloads in SharePoint Online. Customize the policy to trigger alerts when specific thresholds (e.g., numerous downloads) are exceeded. Ensure that the policy covers the relevant time frame (e.g., the month before account deletion). Remember that alert policies allow you to proactively monitor and respond to security-related events, including user activity in SharePoint Online. 😊
upvoted 2 times
emartiy
6 months, 1 week ago
Selected Answer: D
What the question says... What the selected answer and justification say... The two are far away from each other :)) It says to method detect insider risk.. So what would the policy be? :) Thanks.. If you read all units or preparation for this exam, you also will understand what I mean in my first sentence :)
upvoted 1 times
Zak_Zakaria
7 months, 2 weeks ago
Also, I thought the answer would be an insider risk policy, but I'm now more convinced that it's A as explained by Copilot, I think he's right, and here is why: -Insider Risk policy is for active users not deleted ones as mentioned in the question, and no way to set deleted users as insider risk. -For option C: idem, we can't set alerts for deleted users who are not anymore in the company, and even if we can (technically), it won't serve anything as long as the user is not active anymore to trigger the alert. -But option A: is more likely correct since we can trigger the deletion of files and fine-tune to filter for users recently deleted and their activity in the last month. I think it makes more sense, and maybe Copilot is right :).
upvoted 1 times
Baz10
9 months, 2 weeks ago
Anyone got any clarity on this question? I thought it was D but answer claims C. GPT says A lmao
upvoted 1 times
Durden871
9 months ago
Yeah, ChatGPT is weird, but good call out to suggest it. Always forget its existence. When I enter it, it talks about editing SharePoint auditing in the compliance center and configuring policies. Doesn't mention Cloud Apps. If I ask it directly what Insider Risk Management in 365 does: analyzes user activities, communications, and interactions within Microsoft 365 services (such as Exchange Online, SharePoint Online, OneDrive for Business, Teams, etc.) to identify patterns indicative of insider threats. It then talks about sending alerts and messaging when there's a suspicion of insider threats.
upvoted 1 times
Durden871
9 months ago
Of Course I kept playing with it and confused myself more: "need to be notified if the deleted users downloaded numerous documents from SharePoint Online" Navigate to Alert Policies: Within the Compliance Center, locate the "Alert policies" section. This is where you can create and manage alert policies for various security and compliance purposes. Create a New Alert Policy: Click on "Create policy" or a similar option to start creating a new alert policy.
upvoted 1 times
Durden871
9 months ago
Then again. The answer given is create a policy in Compliance Center, not Defender. If you ask it directly: User "Can insider risk management be used to alert if deleted users had downloaded thousands of sharepoint files" While IRM provides robust capabilities for identifying suspicious activities and behaviors, such as data exfiltration attempts or unusual access patterns, it may not directly offer a specific alert condition for detecting if deleted users had downloaded thousands of SharePoint files. While IRM may not offer a predefined alert condition specifically for tracking file downloads by deleted users, you can leverage its flexibility to create custom alert policies that meet your organization's specific monitoring and security requirements. So it really sounds like there's no correct answer listed. It's an alert policy created in the compliance center, not Defender. To be fair, the answer given also stated, "as of 2022".
upvoted 1 times
kostask
10 months ago
Selected Answer: D
For sure, insider risk policy
upvoted 1 times
MentalG
10 months, 3 weeks ago
Definitely insider risk policy
upvoted 1 times
Chris2pher
12 months ago
Weird question. It says notified, then the user was already deleted, and the monitoring was from the previous month. "Notified" should not be the word; it should be "report".
upvoted 1 times
MentalG
1 year, 1 month ago
Selected Answer: D
Insider risk policy gives you this ability
upvoted 1 times
chepeerick
1 year, 1 month ago
Seems to be correct
upvoted 1 times
jamclash
1 year, 2 months ago
in exam 9/20/23
upvoted 1 times
oddsol
1 year, 2 months ago
And what was the correct solution? C?
upvoted 1 times
mali1969
1 year, 3 months ago
Selected Answer: C
Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered. Default alert policies include: Unusual external user file activity - Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a High severity setting. Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies
upvoted 1 times
Durden871
9 months ago
But it says "Defender" not "Compliance". So while this is likely the answer, it's still wrong.
upvoted 1 times