Exam SC-200 topic 1 question 29 discussion

Actual exam question from Microsoft's SC-200
Question #: 29
Topic #: 1

You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.
What should you use?

  • A. a file policy in Microsoft Defender for Cloud Apps
  • B. an access review policy
  • C. an alert policy in Microsoft Defender for Office 365
  • D. an insider risk policy
Suggested Answer: D

Comments

Metasploit
Highly Voted 2 years, 9 months ago
Selected Answer: D
D: Insider risk policy. Data theft by departing users: https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-users When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area.
upvoted 29 times
Bhuru
8 months, 1 week ago
D is also the answer on the Microsoft practice test as well.
upvoted 3 times
...
...
espnadmin
Highly Voted 2 years, 10 months ago
D. an insider risk policy
upvoted 20 times
RafaAbel
2 years, 10 months ago
I agree due to the context, this guy was leaving the company then being monitored by insider risk policy
upvoted 4 times
uday1985
2 years, 2 months ago
Requires an alert... stop assuming: An insider risk policy is used to monitor and detect risky behavior by employees within an organization. This policy can help identify and prevent insider threats such as data theft, sabotage, and espionage.
upvoted 3 times
Chris2pher
1 year, 6 months ago
Then how will it create an alert if the user has already been deleted?
upvoted 1 times
Ramye
1 year, 5 months ago
It says you need to be notified before the acct was deleted: “You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.”
upvoted 1 times
...
...
...
...
mimguy
2 years ago
It says 'You need to be notified'. The insider risk policy will detect and the alert policy will notify. It's got to be C.
upvoted 2 times
9fd5d85
2 months, 2 weeks ago
No, you are wrong. Defender for Office 365 alert policies: These policies live under Email & collaboration > Alert policy and are designed to catch malware, phishing, unusual mailbox behavior, or safe‑attachments decisions. They don’t natively track bulk file downloads in SharePoint or tie alerts to an account‑deletion event, nor do they provide the pre‑departure “data theft” context you need.
upvoted 1 times
...
...
...
sdbol
Most Recent 2 months, 1 week ago
Selected Answer: D
This is a classic use case for an insider risk policy, particularly the "Departing employee" template, which monitors for unusual activity in the days or weeks leading up to a user leaving the organization.
upvoted 1 times
...
9fd5d85
2 months, 2 weeks ago
Selected Answer: D
Correct answer is D
upvoted 1 times
...
9fd5d85
2 months, 2 weeks ago
Correct answer is D
upvoted 1 times
...
9fd5d85
2 months, 3 weeks ago
Selected Answer: D
D is the correct answer https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-users
upvoted 1 times
...
42_42
3 months ago
Selected Answer: A
"You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online." An insider risk policy is a function of Purview that requires the Microsoft Purview Compliance add-on. The answer here is A.
upvoted 1 times
...
HAjouz
7 months, 1 week ago
Selected Answer: A
A. a file policy in Microsoft Defender for Cloud Apps. This option allows you to create policies that can monitor and alert you on specific activities, such as downloading a large number of documents, which is crucial for identifying potential data exfiltration before user accounts are deleted. A file policy in Microsoft Defender for Cloud Apps is specifically designed to monitor and control file activities, including downloads, across your cloud environment. Insider risk can be used to monitor and alert on risky activities, it is more comprehensive and typically used for ongoing monitoring of insider threats rather than specific scenarios like monitoring document downloads before account deletion.
upvoted 1 times
...
Nikki0222
9 months ago
D correct
upvoted 2 times
...
Jacob_Plummer
11 months, 2 weeks ago
This exact question, nearly word for word, is on the Microsoft practice exam for the SC-200, and the answer they give is "a Microsoft Purview insider risk management policy"
upvoted 2 times
...
Avaris
1 year, 1 month ago
Selected Answer: A
File policy focuses on SP while alert policy focuses on emails, so it's A and defo not user risk as this is related to the user's risk posture.
upvoted 2 times
...
emartiy
1 year, 1 month ago
Selected Answer: C
To be notified if deleted users downloaded numerous documents from SharePoint Online sites before their accounts were deleted, consider the following approach: Configure an Alert Policy in Microsoft Defender for Office 365 (Option C): Set up an alert policy that monitors user activity related to document downloads in SharePoint Online. Customize the policy to trigger alerts when specific thresholds (e.g., numerous downloads) are exceeded. Ensure that the policy covers the relevant time frame (e.g., the month before account deletion). Remember that alert policies allow you to proactively monitor and respond to security-related events, including user activity in SharePoint Online. 😊
upvoted 2 times
...
emartiy
1 year, 1 month ago
Selected Answer: D
What the question says... What the selected answer and justification say... The two are far away from each other :)) It says a method to detect insider risk... So what would the policy be? :) Thanks. If you read all the units or preparation for this exam, you will also understand what I mean in my first sentence :)
upvoted 1 times
...
Zak_Zakaria
1 year, 2 months ago
Also, I thought the answer would be an insider risk policy, but I'm now more convinced that it's A as explained by Copilot, I think he's right, and here is why: -Insider Risk policy is for active users not deleted ones as mentioned in the question, and no way to set deleted users as insider risk. -For option C: idem, we can't set alerts for deleted users who are not anymore in the company, and even if we can (technically), it won't serve anything as long as the user is not active anymore to trigger the alert. -But option A: is more likely correct since we can trigger the deletion of files and fine-tune to filter for users recently deleted and their activity in the last month. I think it makes more sense, and maybe Copilot is right :).
upvoted 1 times
...
Baz10
1 year, 4 months ago
Anyone got any clarity on this question? I thought it was D but answer claims C. GPT says A lmao
upvoted 1 times
Durden871
1 year, 4 months ago
Yeah, ChatGPT is weird, but good call out to suggest it. Always forget its existence. When I enter it, it talks about editing SharePoint auditing in the compliance center and configuring policies. Doesn't mention Cloud Apps. If I ask it directly what Insider Risk Management in 365 does: Analyzes user activities, communications, and interactions within Microsoft 365 services (such as Exchange Online, SharePoint Online, OneDrive for Business, Teams, etc.) to identify patterns indicative of insider threats. It then talks about sending alerts and messaging when there's a suspicion of insider threats.
upvoted 1 times
Durden871
1 year, 4 months ago
Of course I kept playing with it and confused myself more: "need to be notified if the deleted users downloaded numerous documents from SharePoint Online" Navigate to Alert Policies: Within the Compliance Center, locate the "Alert policies" section. This is where you can create and manage alert policies for various security and compliance purposes. Create a New Alert Policy: Click on "Create policy" or a similar option to start creating a new alert policy.
upvoted 1 times
Durden871
1 year, 4 months ago
Then again. The answer given is create a policy in Compliance Center, not Defender. If you ask it directly: User "Can insider risk management be used to alert if deleted users had downloaded thousands of sharepoint files" While IRM provides robust capabilities for identifying suspicious activities and behaviors, such as data exfiltration attempts or unusual access patterns, it may not directly offer a specific alert condition for detecting if deleted users had downloaded thousands of SharePoint files. While IRM may not offer a predefined alert condition specifically for tracking file downloads by deleted users, you can leverage its flexibility to create custom alert policies that meet your organization's specific monitoring and security requirements. So it really sounds like there's no correct answer listed. It's an alert policy created in the compliance center, not Defender. To be fair, the answer given also stated, "as of 2022".
upvoted 1 times
...
...
...
...
kostask
1 year, 5 months ago
Selected Answer: D
For sure, insider risk policy
upvoted 1 times
...
MentalG
1 year, 5 months ago
Definitely insider risk policy
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other