
Exam SC-200 topic 6 question 26 discussion

Actual exam question from Microsoft's SC-200
Question #: 26
Topic #: 6

HOTSPOT

You have a Microsoft Sentinel workspace.

You need to configure the Fusion analytics rule to temporarily suppress incidents generated by a Microsoft Defender connector. The solution must meet the following requirements:

• Minimize impact on the ability to detect multistage attacks.
• Minimize administrative effort.

How should you configure the rule? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Suggested Answer:

Comments

sapphire
Highly Voted 6 months, 1 week ago
Incorrect, should be: • Trigger: When incident is created • Actions: Change status
upvoted 13 times
kriver321
5 months, 1 week ago
I agree https://securebyteblog.wordpress.com/2024/08/27/suppressing-defender-for-xdr-incidents-using-automation-rules-in-microsoft-sentinel-a-step-by-step-guide/
upvoted 2 times
CDR
5 months, 1 week ago
I disagree; Trigger: when the ALERT is created. Action is correct as per answer: Run Playbook
upvoted 2 times
trut_hz
4 months, 1 week ago
Question mentions incidents getting generated, not alerts.
upvoted 2 times
xRiot007
4 months, 1 week ago
When an incident is generated it's already too late. kriver321 is right. When an alert is generated, you change the status to informational or false positive to suppress incident generation.
upvoted 2 times
Optimizor_IT
Most Recent 1 month, 2 weeks ago
I have no idea how exam topics got to the trigger "incident updated", when you need to suppress the incident creation. It's like someone there is just randomly selecting answers... IMO HAjouz is right, you need to tie the trigger to the incident since this is about Fusion analytics. • Trigger: When incident is created • Actions: Change status
upvoted 1 times
Openbpo
3 weeks, 3 days ago
For sure it's someone randomly selecting answers.
upvoted 1 times
HAjouz
2 months, 3 weeks ago
The question explicitly states "configure the Fusion analytics rule." Fusion is designed to analyze incidents, not individual alerts. Therefore, the trigger must be based on incidents. • Trigger: When incident is created • Actions: Change status
upvoted 2 times
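As an added illustration (not from the thread, the exam, or Microsoft's documentation), this is what the automation rule that sapphire, Optimizor_IT and HAjouz describe looks like as an ARM resource: it triggers when an incident is created, matches only incidents from the Defender connector, closes them, and carries an expiry so the suppression is temporary. The workspace and rule names, the provider value, the expiry date, the classification and the comment are all assumed placeholders.

```json
{
  "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
  "apiVersion": "2023-02-01",
  "name": "EXAMPLE-WORKSPACE/Microsoft.SecurityInsights/suppress-defender-incidents",
  "properties": {
    "displayName": "Temporarily suppress Defender incidents (example)",
    "order": 1,
    "triggeringLogic": {
      "isEnabled": true,
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "expirationTimeUtc": "2030-01-01T00:00:00Z",
      "conditions": [
        {
          "conditionType": "Property",
          "conditionProperties": {
            "propertyName": "IncidentProviderName",
            "operator": "Equals",
            "propertyValues": [ "Microsoft 365 Defender" ]
          }
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "status": "Closed",
          "classification": "BenignPositive",
          "classificationReason": "SuspiciousButExpected",
          "classificationComment": "Temporarily suppressed by automation rule (example)"
        }
      }
    ]
  }
}
```

Because the rule only closes incidents that match the provider condition and stops firing at the expiry time, Fusion's own multistage-attack incidents are left untouched and nothing has to be manually reverted later.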
Community vote distribution
A (35%)
C (25%)
B (20%)