ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam MS-101 All Questions

View all questions & answers for the MS-101 exam
Go to Exam

Exam MS-101 topic 3 question 79 discussion

Actual exam question from Microsoft's MS-101
Question #: 79
Topic #: 3
[All MS-101 Questions]

HOTSPOT -
You have a data loss prevention (DLP) policy.
You need to increase the likelihood that the DLP policy will apply to data that contains medical terms from the International Classification of Diseases (ICD-9-CM).
The solution must minimize the number of false positives.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
References:
https://docs.microsoft.com/en-us/office365/securitycompliance/data-loss-prevention-policies https://docs.microsoft.com/en-us/office365/securitycompliance/what-the-sensitive-information-types-look-for#international-classification-of-diseases-icd-9-cm
by Jacques2108 at May 8, 2021, 8:44 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
fill27
Highly Voted 3 years, 8 months ago
I had this question on my test and I was able to modify the AND to be an OR in the hot area. I believe the answer is 1 to change the AND to OR & 2 to lift the match accuracy minimum on the medical terms to be higher confidence match (less false positives)
upvoted 23 times
allesglar
3 years, 7 months ago
This does not make any sense at all. The goal is to reduce the false positives. If you apply an OR operator then you will have cases that may have nothing to do with the medical aspect you are looking for.
upvoted 9 times
Bouncy
3 years, 1 month ago
"You need to increase the likelihood that the DLP policy will apply" <-- that's the first goal and the reason for the OR operator, second one is to reduce false positives
upvoted 3 times
Jakub2023
2 years, 1 month ago
Ok, but that means that the positives under the modified settings will include results that don't feature ANY medical terms. That's not reducing false positives by any stretch of the imagination...
upvoted 1 times
...
...
...
...
lucidgreen
Highly Voted 4 years ago
Because the two truth tables are compared with an AND. This means that both options would have to be true. So if there's no SSN but has medical information, you still want to count it. If you change the SSN min instance count to 0, then you would likely only get medical information but you could also get SSNs, but it would still need to include medical information to be true. You would not catch SSN instances. It's unclear if this is desirable. If you change the AND to and OR you would get positives for both instances. So catch instances with either SSN or medical information. To reduce the possibility or a false positive for medical information, you would increase the min match possibility. This would increase the criteria for matching information identified as medical terms and information. Lower it and you would catch more but it would be a less accurate match. So this is the value you want to change here, for sure. I would say that it depends on what the test lets you choose.
upvoted 8 times
lucidgreen
4 years ago
Sorry, if you change the SSN min count to 0, you would get only instances that include either no SSN but still include medical information or SSN instance with medical information. Changing the AND to and OR would mean you would catch SSNs and medical information or SSN information or medical information -- so either or both.
upvoted 7 times
Requi3m
3 years, 11 months ago
Thanks for that, now it makes sense to me. I didn't realize you could set the minimum instance count to 0 as well. So if I understand this correctly, by changing the SSN minimum instance count to 0 you allow this rule to apply to instances where there is no SSN present and at least 1 ICD-9-CM in stead of at least 1 SSN and 1 ICD-9-CM. This would increase the amount of hits to the rule for ICD-9-CM, because it lifts the restriction of an SSN instance also needing to be present.
upvoted 2 times
EsamiTopici
2 years, 4 months ago
Tested in a tenant, you can't set min count to 0.
upvoted 1 times
...
...
...
...
emanresu
Most Recent 2 years, 6 months ago
Answer correct set instance to 0 so PII wouldn't affect emails containing Medical information and increase confidence level to get less false positives https://learn.microsoft.com/en-us/microsoft-365/compliance/sensitive-information-type-entity-definitions?view=o365-worldwide
upvoted 3 times
EsamiTopici
2 years, 4 months ago
Tested in a tenant, you can't set min count to 0.
upvoted 1 times
...
...
rrrr5r
2 years, 10 months ago
I would set And to OR and Raise min Match accuracy. By set and to OR, PII is no longer relevant -- "increase the likelihood that the DLP policy will apply to data that contains medical terms" Raise match accuracy -- "minimize the number of false positives"
upvoted 1 times
...
Contactfornitish
2 years, 10 months ago
I really don't get it. Why we need to even touch SSN? Why can't Min instance count and Min Match accuracy both be tuned to higher? Reduce false positive means you make rule harder to match in context of what you consider end goal means if you increase instance count or match accuracy hard to match, then you reduce possibility of false positive. How improving SSN helps in the case? Also I don't think min can be 0 Ref: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide#tuning-rules-to-make-them-easier-or-harder-to-match
upvoted 4 times
...
LillyLiver
3 years, 4 months ago
I think I get it now. I couldn't wrap my head around why the SSN mattered in this case. But it does come down to the "AND" in this visual IF statement. So you increase the minimum count on the SSN -AND- increase the minimum accuracy of the medical condition to get better accuracy, because the two are evaluated as one rule. If you change this AND to an OR, and increase the minimum accuracy for the medical rule, you are essentially creating two different rules to match against. So, if the AND can't be changed, then yes, I agree with the given answer. Otherwise I would say to swap the AND for an OR and increase the minimum accuracy for the medical rule.
upvoted 1 times
...
Glorence
3 years, 5 months ago
still valid, it was in my exam last Feb 5, 2022
upvoted 5 times
...
allesglar
3 years, 7 months ago
I would decrease the match accuracy for SSN and increase the one for ICD. By decreasing the accuracy for SSN will increase the likelihood of a match and increasing the matching of ICD will decrease the chance of false positives.
upvoted 2 times
...
Carlo5
3 years, 9 months ago
The solution must minimize the number of false positives. So I think change the instance count to reduce the false positives.
upvoted 1 times
...
donathon
3 years, 11 months ago
Instance count should be 9 and accuracy should be max which is 100. Instance count: Typically, you use less restrictive actions, such as sending user notifications, in a rule with a lower instance count (for example, 1-9). And you use more restrictive actions, such as restricting access to content without allowing user overrides, in a rule with a higher instance count (for example, 10-any) Match accuracy: A pattern that requires less evidence has a lower match accuracy (or confidence level), while a pattern that requires more evidence has a higher match accuracy (or confidence level). To learn more about the actual patterns and confidence levels used by every sensitive information type, see Sensitive information type entity definitions.
upvoted 1 times
...
Brox
4 years, 1 month ago
I think you need to increase the instance count of Disease to more than 1. In the question they are speaking of "terms", not 1 term. "You need to increase the likelihood that the DLP policy will apply to data that contains medical terms". And of course increase the accuracy
upvoted 3 times
...
MiZi
4 years, 1 month ago
I don't get it. Why modify the SSN instance count. Can someone explain, please?
upvoted 3 times
sdabrai
4 years ago
I would change condition to "OR" or reduce SSN min to 0.
upvoted 2 times
ccadenasa
3 years, 7 months ago
Can you change the min count to "0"? I don't think you can. The min count is 1. Tested in my tenant
upvoted 2 times
...
sdabrai
4 years ago
Didnt think that through...change min to 0 so that any messages with medical terms are caught even if they dont have SSN. Changing condition to OR will start catching messages with only SSN as well.
upvoted 5 times
EsamiTopici
2 years, 4 months ago
Tested in a tenant, you can't set min count to 0.
upvoted 1 times
...
...
...
...
Jake1
4 years, 1 month ago
Never mind, I didn't realize the setting was for "Any of these"
upvoted 1 times
...
Jake1
4 years, 1 month ago
What does adjusting the SS number setting have anything to do with Disease terms?
upvoted 2 times
...
Jacques2108
4 years, 2 months ago
Answers are correct. Direct Reference link: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide#tuning-rules-to-make-them-easier-or-harder-to-match
upvoted 7 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel