Microsoft Security Operations Analyst Associate SC-200 Practice Question
You need to reduce alert fatigue in Microsoft 365 Defender by preventing repeat alerts that are triggered by the same user account within a short period. An existing alert titled "Suspicious PowerShell activity" is generating multiple alerts for the same user in quick succession. You decide to configure alert suppression directly from one of the alert instances. Which suppression configuration will ensure that any alert with the same title raised for that user account is automatically suppressed if it occurs within the next 24 hours, while still allowing alerts with the same title for other users to appear?
Create an alert suppression rule that matches on Device and set the suppression scope to This device only with a time range of 24 hours.
Create an alert suppression rule that matches on Any entity and set the suppression scope to All entities with a Permanent time range.
Create an alert suppression rule that matches on the User entity and set the suppression scope to This user only with a time range of 24 hours.
Edit the underlying detection rule and clear the Create alert option so no alerts are generated for this detection.
The "Create suppression rule" wizard that opens from an alert in Microsoft 365 Defender lets you suppress future alerts based on several matching conditions, including the alert title and the entities involved. To suppress future occurrences only when the same alert title is raised for the same user and only for a defined period, you must:
Select the User entity as the match condition so suppression applies only when the alert involves that specific user account (alerts for other users are still generated).
Set Suppression scope: This user only, which ties the rule to the specific user entity found in the triggering alert.
Configure Time range: 24 hours so that any identical alert for that user within the next day is automatically suppressed.
Choosing Device as the scope would suppress alerts only when they recur on the same device, not for the same user across devices. Selecting "Any entity" or "Permanent" would be broader than required and could hide important alerts. Disabling alert creation in the detection rule would stop alerts for everyone, not just the repetitive ones from the same user.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is alert suppression in Microsoft 365 Defender?
Open an interactive chat with Bash
How do suppression scopes differ in Microsoft 365 Defender rules?
Open an interactive chat with Bash
Can suppression rules be customized by time range?
Open an interactive chat with Bash
Microsoft Security Operations Analyst Associate SC-200
Configure protections and detections
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .