
Exam MS-101 topic 2 question 101 discussion

Actual exam question from Microsoft's MS-101
Question #: 101
Topic #: 2

HOTSPOT -
You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.

At 08:00, you create an incident notification rule that has the following configurations:
✑ Name: Notification1
✑ Notification settings
- Notify on alert severity: Low
- Device group scope: All (3)
- Details: First notification per incident
✑ Recipients: [email protected], [email protected]
At 08:02, you create an incident notification rule that has the following configurations:
✑ Name: Notification2
✑ Notification settings
- Notify on alert severity: Low, Medium
- Device group scope: DeviceGroup1, DeviceGroup2
✑ Recipients: [email protected]
In Microsoft 365 Defender, alerts are logged as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Suggested Answer:
Box 1: No -
Notification1 has the setting: First notification per incident.
Only notify on first occurrence per incident - Select if you want a notification only on the first alert that matches your other selections. Later updates or alerts related to the incident won't send additional notifications.

Box 2: Yes -

Box 3: No -
Severity of the 8:20 incident is high, so neither of the notification rules will trigger.
Note: Alert severity - Choose the alert severities that will trigger an incident notification. For example, if you only want to be informed about high-severity incidents, select High.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview

Comments

RenegadeOrange
Highly Voted 2 years, 3 months ago
N, N, N. One alert, not 2. Already got an alert at 8:05. Alert high, so won't get it.
upvoted 14 times
pyramidhead
Highly Voted 2 years, 3 months ago
Y, N, N. User1 will receive two incident notifications, from "notification1" and "notification2". User2 already received an incident notification on device1 from the incident at 8:05. User1 will not receive one at 8:20 as the severity is high and doesn't apply.
upvoted 8 times
pyramidhead
2 years, 3 months ago
On the first issue. "notification1" rule will send only the first notification per incident, but there is ANOTHER rule "notification2" where user1 is also a recipient and this rule will send a notification to user1 --> user1 will receive 2 incident notifications
upvoted 3 times
Amir1909
Most Recent 11 months, 3 weeks ago
Yes No No
upvoted 1 times
Learner2022
1 year, 12 months ago
Can anyone please explain why Activity 1 will have different level severity on the same device but different time frame?
upvoted 1 times
bac0n
2 years, 1 month ago
I tested this. I made the alert trigger for adding someone to a SharePoint group. I tested it, and I got 2 emails. YNN.
upvoted 6 times
bac0n
2 years, 1 month ago
I made the ALERTS* trigger I should say, I made TWO alerts with identical triggers and when doing the one action, I got two emails.
upvoted 2 times
bac0n
2 years, 1 month ago
Triple comment; stand by; I tested with an Alert policy, not a Defender for Endpoint Email notification like the question is asking. I'll try and test and confirm soon.
upvoted 2 times
bac0n
2 years, 1 month ago
Was able to get a test VM set up on my homelab and onboard it to Defender for Endpoint using a script; set up two device groups and added the same machine to each and just made them check for All (I didn't want to do anything unsafe). Downloaded the EICAR_TEST_FILE test virus (look it up, it's safe) and I got ONE notification, NOT TWO, for the alert. NNN.
upvoted 15 times
JackeD
1 year, 9 months ago
What a roller coaster! thanks for doing it for us!
upvoted 4 times
Gloomer
2 years, 3 months ago
Should be No/No/No. User 1 only gets a single copy. User 2 was already notified at 8:05 and, per "First notification per incident", does not get the 8:07 one because they were already sent one at 8:05. User 3 doesn't get a notification because they are not part of an alert that triggers on high.
upvoted 3 times
Gloomer
2 years, 3 months ago
User 1, not User 3.
upvoted 1 times
lusis987
2 years, 3 months ago
Second answer is No. User2 got a notification at 8:05, so at 8:07 he's not receiving a message.
upvoted 1 times
situa
2 years, 3 months ago
On the second issue, why is 08:07 the first notification for each incident? Shouldn't it be 08:05?
upvoted 2 times