Exam SC-200 topic 1 question 19 discussion

Policy template type: Activity Policy Filter based on: IP address tag Tested on the MCAS portal. When you select Activity policy only you get to filter from IP address.

Control -> Templates -> Logon from a risky IP address -> Create (activity) policy -> Activities matching any of the following -> IP address | Category | equals | Risky. Answer is Activity policy, IP address. For anyone who thinks it's "Anomaly detection policy", state the exact steps please and say why the steps above are wrong.

Anomaly detection policy and Ip address Tag

Policy template type: Activity Policy Filter based on: IP address tag

IP Address Tag is available in both Access and Activity policies. Check it out: https://security.microsoft.com/cloudapps/policy/activity/create https://security.microsoft.com/cloudapps/policy/access/create There are no customizable policies under "Anomaly Detection Policy" to narrow down just to Botnet IPs. The built-in Anomaly Detection Policy called "Activity from suspicious IP addresses" is not customizable.

So I physically tested and I found the filter only in activity policy template

Why are so many people saying Activity Policy? It's wrong. 'Anomaly detection policy' and 'IP address tag' *are* the correct answers. The question asks for a policy to detect connections from a Botnet related IP address, this is done using the 'Activity from suspicious IP addresses' anomaly detection policy. The list of available anomaly detection policies can be found here: https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy

Looks like it is leaning more for 1) Activity Policy and 2) IP address tag. While I want to say Anomaly detection policy for the 1st answer, when I tested it in the lab, it came back with no templates under that category. While Activity Policy came back with a bunch related to logins from risky IP, potential ransomware activity, etc.

Policy template type: Activity Policy Filter based on: IP address tag Activity policies in Cloud App Security are designed to detect specific types of activity in the cloud apps that are being monitored. The "Botnet Network Activity" policy template is a pre-defined policy that is designed to detect and alert on suspicious activity from botnet networks. This policy uses a combination of machine learning and threat intelligence to identify botnet network activity, such as attempts to compromise accounts or access sensitive data. "Access Policy," is a type of policy that is used to control access to specific cloud apps or resources based on specified conditions, such as the location of the user or the type of device being used. "Anomaly detection policy," is a type of policy that is used to detect anomalies in the activity of specific cloud apps or resources based on specified conditions, such as the number of times a resource is accessed or the type of activity that is being performed. Neither of these options is suitable for detecting connections to Microsoft 365 apps that originate from a botnet network.

https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy it is anomaly detection policy and the other "suspicious ip address" actually which is not here. but you can find the response in the link. " Activity from suspicious IP addresses: These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account... "

I'm really confused on this one For anomaly detections says "such as mis-tagged IP addresses" so it doesn't use IPs tagged as malicious, and the filter used according to scenario in filter can only be IP address tag. If we were to choose anomaly detections, the filter should be source, as it originates from a botnet. Activity from suspicious IP addresses This detection identifies that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account. This detection uses a machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization. https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy

https://docs.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies

There is an exact filter type what is needed under the creation of "Activity policy": "Select a filter --> IP Address --> Select a filter --> Tag --> Select IP address tag --> Botnet" And there is no "Anomaly policy" after pushing the "Create policy" button so all the Anomaly Policies are built-in and not custom ones. Thus: Policy template type: Activity Policy Filter based on: IP address tag

Also, when creating a policy based on the anomaly template, none of the options in the second part of the question are valid options.

I think the answer is in the word 'custom'... The anomaly policies are just built in pols that have no actions associated. An activity policy can be used to the same effect, IP Tag and IP Category can be used. You also need to scope the policy to M365 apps - can you do that on anomaly detection ?

The question says "You need to create a custom template-based policy"...only Anomaly detection policy has template with which we can create policy. Answer "Anomaly detection policy" and "IP address tag" are correct.

The correct answer has to be the following. Policy template type: Activity Policy Filter based on: IP address tag Reason being that you cannot create an anomaly detection policy as it's a built-in policy. Also, you cannot filter the policy based on IP address tags either. Activity Policy and IP address tag has to be the correct selection. If it asked for you to ensure that activity from Botnets were alerted on and it was to be filtered for specific users then yes this policy could be edited to suit that but currently as it stands you cannot create this policy or filter by IP tags.