
Exam SC-200 topic 1 question 5 discussion

Actual exam question from Microsoft's SC-200
Question #: 5
Topic #: 1

Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team.
You need to hide false positive in the Alerts queue, while maintaining the existing security posture.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Resolve the alert automatically.
  • B. Hide the alert.
  • C. Create a suppression rule scoped to any device.
  • D. Create a suppression rule scoped to a device group.
  • E. Generate the alert.
Suggested Answer: BDE

Comments

KingSize
Highly Voted 8 months, 3 weeks ago
You can hide or resolve an alert, and all of those actions you can perform on any device, on device groups, or on a single device. But in the question there is an accounting team, so there will be a device group. The answer should be ABD.
upvoted 58 times
9fd5d85
1 month ago
No, you are wrong and the given answer is correct. A is false: you don't want to resolve the alert, because maybe one time they receive a document with a malicious macro.
upvoted 1 times
AnonymousJhb
3 years, 2 months ago
D is wrong. This "group" feature is only available in Suppress alerts from Microsoft Defender for Cloud. This question's context is Manage Microsoft Defender for Endpoint alerts. There are two contexts for a suppression rule that you can choose from: "Suppress alert on this device" or "Suppress alert in my organization".
upvoted 6 times
Metasploit
8 months, 2 weeks ago
BDE. This changed. I know, it's not in the docs (the docs are old and not updated). I had to go to the tech community. https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719
upvoted 9 times
BhanuD
2 years, 6 months ago
Hi, maybe the documentation is not updated. The scope is to select organization or user/device/device groups. As they clearly mentioned the accounts department, a device group needs to be selected.
upvoted 3 times
Ashfaq2
4 years ago
A suppression rule cannot be created based on a device group.
upvoted 5 times
sasasach
2 years, 5 months ago
I checked it in MS Defender itself; you can create a suppression rule based on a device group.
upvoted 4 times
jethi
3 years, 11 months ago
A suppression rule can be created based on a device group. Verified it on the Defender portal itself. The correct answer is BDE.
upvoted 36 times
uday1985
1 year, 1 month ago
Why generate alerts when the ask is to suppress?
upvoted 2 times
xRiot007
6 months ago
Because you want to see the alert for insights. Suppressing an alert means that the alert will get generated, but the underlying action will not be executed.
upvoted 2 times
AlaReAla
3 years, 8 months ago
It cannot be A as we need to hide, not resolve (so it should be B). I suppose it can be D, and E is anyhow the right option. So in all, the answer should be BDE.
upvoted 12 times
PTIN
Highly Voted 4 years, 1 month ago
The given answer BCE is correct. The question states "alerts must be hidden from queue". Automatically resolving is not the correct solution, as that will still show up in the queue. Hence the given answer BCE is correct.
upvoted 20 times
Metasploit
2 years, 8 months ago
Not A = Resolved alerts stay in the Alerts queue marked as resolved. B = You can hide alerts from the system. C = 1.) Suppress alert on this device, or 2.) Suppress alert in my organization (for MS Defender for Endpoint). Not D = Because C. E = Because you cannot do either of the others without an alert.
upvoted 1 times
Metasploit
8 months, 2 weeks ago
Correction: BDE. This question bugged me. The new alert suppression rules allow for much more. https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719
upvoted 8 times
pherok
Most Recent 2 weeks, 6 days ago
Selected Answer: BDE
In Microsoft Defender for Endpoint, alert suppression rules can indeed be applied to specific device groups. When creating a suppression rule, you can define the scope by selecting one or more device groups, individual devices, the entire organization, or specific users. It's important to note that a device can only belong to one device group at a time. If a device matches the criteria of multiple groups, it will be assigned to the group with the highest priority. Therefore, by properly configuring your device groups and setting the scope of the suppression rules, you can accurately target the affected devices while avoiding the unintended suppression of important alerts on other devices.
upvoted 1 times
Krayzr
2 weeks, 6 days ago
Selected Answer: BDE
(E): For a suppression rule to be created, an alert must exist to base it on. In this context, "generate the alert" implies ensuring that the alert related to the macros is present or triggered. Since the documents are used frequently, these alerts are likely already occurring, but selecting this action ensures there's an alert to work with as the starting point. (B): Once the alert is present, hiding it removes the current instance from the Alerts queue. This directly addresses the requirement to "hide false positive in the Alerts queue," ensuring it no longer appears as an active issue for the security team to review. (D): After hiding the current alert, creating a suppression rule tailored to the accounting team's device group prevents future similar alerts from appearing in the queue for those devices. This maintains the security posture by keeping alerts active for other devices where the macros might not be legitimate.
upvoted 1 times
Krayzr
2 weeks, 6 days ago
Why not A or C: Resolve the alert automatically (A): While this clears the current alert, it's redundant with hiding the alert and doesn't address future occurrences as effectively as a suppression rule. Hiding is more specific to false positives, as it suppresses visibility entirely rather than just marking it resolved. Create a suppression rule scoped to any device (C): This is too broad and risky.
upvoted 1 times
Im_a_Network_noob
2 months, 1 week ago
Selected Answer: BCE
BCE. We need to remove the alert from the alert queue, so we can only hide it or create it or block by device in MDE.
upvoted 1 times
Edindude
4 months ago
Selected Answer: BDE
The correct answers to the question are: B. Hide the alert. D. Create a suppression rule scoped to a device group. E. Generate the alert. Explanation: Hide the alert (B): This action removes the alert from the visible queue, ensuring that false positives do not clutter the view for analysts while keeping existing configurations intact. Create a suppression rule scoped to a device group (D): By scoping suppression to a specific device group (like the accounting team's devices), you avoid false positives from impacting the broader network while maintaining control over specific devices. Generate the alert (E): Ensures that alerts are created initially, enabling you to evaluate and suppress only those that are deemed false positives, maintaining security visibility for true positives.
upvoted 1 times
Nikki0222
7 months, 2 weeks ago
Answer is BDE.
upvoted 2 times
Metasploit
8 months, 2 weeks ago
Selected Answer: BDE
NOT A = Resolved alerts stay in the Alerts queue marked as resolved. B = You can hide alerts from the system. NOT C = Not best practice. D = Because it is best practice, and the new alert suppression rules allow for groups and much more (the docs are still old; below is a link for evidence of this claim): https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719 E = Because you cannot do either of the others without an alert.
upvoted 8 times
Apocalypse03
8 months, 2 weeks ago
Selected Answer: BDE
Generate the alert. This will trigger the alert for the detected macro in the Word document. Hide the alert. This will prevent the alert from appearing in the Alerts queue. Create a suppression rule scoped to a device group. This will ensure that the rule only applies to the devices of the accounting team, while maintaining the existing security posture for other devices in the company.
upvoted 4 times
Lone__Wolf
8 months, 2 weeks ago
Selected Answer: BDE
Here's a brief explanation of each option: E. Generate the alert: You need to generate the alert first so that you can see it in the Alerts queue. B. Hide the alert: After generating the alert, you can hide it if you want to remove it from view. D. Create a suppression rule scoped to a device group: You can also create a suppression rule scoped to a specific device group if you want to only apply it to a specific group of devices. This helps you maintain the existing security posture.
upvoted 11 times
EricShon
8 months, 2 weeks ago
Selected Answer: BDE
B. Hide the alert (for immediate, manual action) D. Create a suppression rule scoped to a device group (for a targeted, long-term solution) E. Generate the alert
upvoted 6 times
user636
8 months, 2 weeks ago
Selected Answer: BDE
You can either hide or automatically resolve the alert using a suppression rule in MDE. Ref: https://learn.microsoft.com/en-us/defender-endpoint/manage-alerts#suppress-alerts The answer is: A or B (both are correct), D, E.
upvoted 1 times
g_man_rap
8 months, 3 weeks ago
E. Generate the alert. This step is implicit, as the alert needs to be generated and identified as a false positive before any suppression or hiding actions can be taken. D. Create a suppression rule scoped to a device group. After identifying the alert as a false positive, you create a suppression rule scoped to the specific device group (e.g., the accounting team's devices) to prevent similar alerts from showing up in the future. B. Hide the alert. Finally, you hide the current false positive alert from the queue to reduce noise, keeping the Alerts queue focused on relevant security incidents.
upvoted 1 times
4b097e5
11 months, 2 weeks ago
BDE is the correct answer.
upvoted 2 times
chepeerick
1 year, 7 months ago
Selected Answer: BDE
B and D and E
upvoted 2 times
Unlikely
1 year, 8 months ago
My 2 cents. BCE. A false positive is a false positive, regardless of which group of users causes it more often. The question states that a specific group uses the document more often than the others, not that this is a FP only when that specific group opens the document. So, more than one group of users in the company can open that document and generate the FP: hence, it makes no sense to suppress the FP for one specific group.
upvoted 1 times
BMG6
1 year, 9 months ago
BDE. No (task is to HIDE): A. Resolve the alert automatically. B. Hide the alert. No (task is for Accounting computers): C. Create a suppression rule scoped to any device. D. Create a suppression rule scoped to a device group. E. Generate the alert.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other