Exam SC-200 topic 3 question 52 discussion

The correct answer on SC-200 Practice Assesment from Microsoft is A

https://learn.microsoft.com/en-us/azure/sentinel/false-positives

A is the correct answer - we need to modify the analytics rule itself to avoid generating alerts. An automation rules does not prevent alert generation, instead it can be used to automatically solve alerts.

Lets say the account name is "user123". You need to modify the KQL query in the rule to exclude user123. Something like: SecurityEvents | where EventID == 4625 | where Account != "user123"

Answer is A. Modifying the analytics rule will not let the alert be generated at first place. Automation rule does not stop the alert generation. The alert will be generated & later be closed/handled by the automation rule, depending upon what it is configured as.

Answer is A.

A and D look correct, the key is “Minimize administrative effort” to choose option A

Creating a watchlist containing the involved user is the best way to prevent alert from being generated as the question asks: "You need to prevent additional failed sign-in alerts from being generated for the account" A watchlist is also easy to manage because entries can be added or deleted without modifying the analytics rule. The automation rule plays a role once the alert has already been generated, as the triggers are "When incident is created" and "When alert is created"

D https://learn.microsoft.com/en-us/azure/sentinel/false-positives#add-exceptions-by-using-automation-rules

Super lame that Microsoft would have a question with an arguably subjective answer but based on the verbiage in the doc where it says automation rules are "often created by analysts" they seem to be implying this method takes less administrative effort. https://learn.microsoft.com/en-us/azure/sentinel/false-positives

The level of granularity in modifying analytic rules will always ensure the least administrative effort. It is the more complex of the two available options but it results in the least administration afterwards. Notice administrative effort does not mean least complex approach. Allow advanced boolean expressions and subnet-based exceptions. Let you use watchlists to centralize exception management. Typically require implementation by Security Operations Center (SOC) engineers. Are the most flexible and complete false positive solution, but are more complex. https://learn.microsoft.com/en-us/azure/sentinel/false-positives

Wouldn't creating a watchlist integrated in the analytic rule to exclude this account (and maybe more in the future) be easier to maintain? (less admin effort)

D. Create an automation rule. The key point is that "the solution must minimize administrative effort". so the answer is automation rule per below link which says Analytics rules modifications are more complex. https://learn.microsoft.com/en-us/azure/sentinel/false-positives#false-positive-causes-and-prevention

"Being generated". Create an automation rule, will not prevent the alert to be generated

A. Two methods for avoiding false positives. Automation rules create exceptions without modifying analytics rules. https://learn.microsoft.com/en-us/azure/sentinel/false-positives. Scheduled analytics rules modifications permit more detailed and permanent exceptions.

Analytical rules = Are the most flexible and complete false positive solution, but are more complex Automation Rules = Allow applying exceptions for a limited time. For example, maintenance work might trigger false positives that outside the maintenance timeframe would be true incidents. https://learn.microsoft.com/en-us/azure/sentinel/false-positives

Suppression rule supposed to be implemented, so most likely answer i see here is A