You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in. Which anomaly detection policy should you use?
Activity from infrequent country is the correct answer.
First, both "Impossible travel" and "Activity from infrequent country" are detection rules that help prevent breaches from foreign attackers.
The difference between the rules is the type of historical data. "Impossible travel" compares the new sign-in's location with the last known one. So it basically means that if someone already logged in from one location (a corporate network with a USA-based IP range) and is now logged in from a China network, then it is likely the user is compromised (assuming the organization doesn't have any traffic/record/association with a China network). Moreover, it is based on geographically distant locations within a short time period. So in my example China is too far from the USA.
"Activity from infrequent country" is a bit different. Instead of comparing with the last known location, it detects whether an account has logged in from a country that has never been accessed by any user in the organization. This rule is based on user behavior, using entity behavioral analytics and machine learning.
In addition to my explanation:
- Impossible travel often looks at one sign-in attempt from TWO different geo-based locations.
- Activity from infrequent country often looks at a location that no one has ever used. So basically it just performs a check among all historical locations and does the comparison.
Explanation:
The "Activity from infrequent country" anomaly detection policy generates alerts when a user attempts to sign in from a location (country or region) that has not previously been used by other users in the organization. This is designed to detect potentially suspicious or unauthorized login attempts.
Triggered by the anomaly detection policy "Activity from infrequent country"; this requires 7 days to learn the frequently used locations: https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy#activity-from-infrequent-country
Activity from infrequent country
This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization. An alert is triggered when an activity occurs from a location that wasn't recently or never visited by any user in the organization.
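As an added illustration (example code written for this page, not code from the comments above or from Microsoft), the two heuristics the thread contrasts can be modelled over a handful of constructed sign-in records: "Impossible travel" is a per-user comparison against that user's previous sign-in, while "Activity from infrequent country" is a tenant-wide comparison against every country any user has been seen in during the learning window. The `SignIn` records, the city coordinates, the 900 km/h speed threshold and the 7-day learning window are all assumptions for the demo; Defender for Cloud Apps' real scoring logic is not published.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    time: datetime
    country: str  # country of the sign-in IP's geolocation
    lat: float
    lon: float


# Constructed sample sign-ins for one tenant (not real telemetry).
# Coordinates are approximate city centres: New York, London, Beijing.
NYC, LON, BJS = (40.7128, -74.0060), (51.5074, -0.1278), (39.9042, 116.4074)
EVENTS = [
    SignIn("alice", datetime(2024, 1, 1, 9), "US", *NYC),
    SignIn("bob", datetime(2024, 1, 2, 10), "US", *NYC),
    SignIn("carol", datetime(2024, 1, 3, 8), "GB", *LON),
    SignIn("alice", datetime(2024, 1, 4, 11), "US", *NYC),
    SignIn("bob", datetime(2024, 1, 5, 9), "GB", *LON),
    # The 7-day learning window ends 2024-01-08 09:00; later sign-ins are scored.
    SignIn("alice", datetime(2024, 1, 10, 9), "US", *NYC),
    SignIn("alice", datetime(2024, 1, 10, 11), "CN", *BJS),  # 2 h after New York
    SignIn("carol", datetime(2024, 1, 11, 9), "GB", *LON),
    SignIn("carol", datetime(2024, 1, 12, 9), "US", *NYC),  # 24 h after London
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0):
    """Per-user rule: compare each sign-in with the SAME user's previous sign-in
    and alert when the implied speed exceeds an airliner. The threshold is an
    assumption for the demo, not Defender's internal value."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda x: x.time):
        prev = last.get(e.user)
        if prev is not None and prev.country != e.country:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.time - prev.time).total_seconds() / 3600
            if hours <= 0 or km / hours > max_speed_kmh:
                alerts.append((e.user, prev.country, e.country, km, hours))
        last[e.user] = e
    return alerts


def infrequent_country(events, learning_days=7):
    """Tenant-wide rule: the baseline is every country seen by ANY user during the
    learning window; afterwards, alert on a country outside that set."""
    events = sorted(events, key=lambda x: x.time)
    cutoff = events[0].time + timedelta(days=learning_days)
    seen = {e.country for e in events if e.time < cutoff}
    alerts = []
    for e in events:
        if e.time >= cutoff and e.country not in seen:
            alerts.append((e.user, e.country))
            seen.add(e.country)  # once used, the country is no longer new
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(EVENTS):
        print("impossible travel:", a)
    for a in infrequent_country(EVENTS):
        print("infrequent country:", a)
```

Running it, alice's Beijing sign-in two hours after New York trips both rules (roughly 11,000 km in 2 h, and CN was never seen by anyone in the baseline), while carol's London-to-New York sign-in a day later trips neither: the speed is plausible and both countries are already in the tenant's history. That difference is exactly why only the infrequent-country policy answers the question as asked.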