Microsoft Security Operations Analyst Associate SC-200 Practice Question
Your company uses Microsoft Defender XDR. A legacy line-of-business application repeatedly triggers the built-in alert "Malware detected in memory" on several devices. After investigation, you verify that the executable is benign and security policy requires that the file continue to be scanned and blocked if any new malicious behavior is found. You must stop Microsoft Defender XDR from raising this specific alert for that executable while ensuring all other malware detections, including any new alerts for the same file, remain active. Which action should you take in the Microsoft Defender portal?
Configure a scheduled custom detection rule whose query excludes events generated by the executable.
Add an indicator of compromise for the executable's file hash and set the action to "Allow".
Create an alert-suppression rule scoped to the alert title and the executable's file hash or path.
Disable the malware protection engine for the affected devices in Microsoft Defender for Endpoint settings.
Create an alert-suppression rule from one of the existing "Malware detected in memory" alerts. Configure the rule to match the alert title and the file's hash or path so that only future alerts with the same title and matching file details are suppressed. This prevents repetition of the known false-positive alert while allowing Microsoft Defender's protection engines to continue scanning the file and raising other relevant alerts. Custom detection rules can only generate additional alerts, indicator "Allow" actions would suppress all future detections for the file (contrary to the requirement that new malicious activity must still be alerted on), and disabling the malware protection engine would stop all malware detections across the devices, which violates the requirement to keep other alerts active.