Exam SC-200
Question 5

Your company uses Microsoft Defender for Endpoint.

The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team.

You need to hide false positives in the Alerts queue while maintaining the existing security posture.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

    Correct Answer: B, D, E

    To hide false positives in the Alerts queue while maintaining the existing security posture, you generate the alert, hide the alert, and create a suppression rule scoped to a device group. Hiding the alert removes it from view without affecting the security settings. Suppressing alerts scoped to a device group ensures that specific devices, such as those used by the accounting team, aren't inundated with false positives. Generating the alert is necessary because without it there is nothing to hide or to base a suppression rule on.

Discussion
KingSize (Options: ABD)

You can Hide or Resolve an alert, and all of those actions you can perform on any device, on device groups, or on a single device. But in the question there is an accounting team, so there will be a device group. Answer should be ABD.

Axiomatic

Totally agree with you!

Ashfaq2

A suppression rule cannot be created based on Device Group.

jethi

A suppression rule can be created based on a device group. Verified it on the Defender portal itself. Correct answer is BDE.

uday1985

Why generate alerts when the ask is to suppress?

sasasach

I checked it in MS Defender itself: you can create a suppression rule based on device group.

AlaReAla

It cannot be A, as we need to hide, not resolve (so it should be B). I suppose it can be D, and E is anyhow the right option. So in all, the answer should be BDE.

AnonymousJhb

D is wrong. This "group" feature is only available in Suppress alerts from Microsoft Defender for Cloud. This question's context is Manage Microsoft Defender for Endpoint alerts. There are two contexts for a suppression rule that you can choose from:
- Suppress alert on this device
- Suppress alert in my organization

Metasploit

BDE. This changed. I know, it's not in the docs (the docs are old and not updated). I had to go to the tech community. https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719

BhanuD

Hi, maybe the documentation is not updated. The scope is to select organization or user/device/device groups; as they clearly mentioned the accounts department, a device group needs to be selected.

PTIN (Options: BCE)

The given answer BCE is correct. The question states "alerts must be hidden from queue". Automatically resolving is not the correct solution, as that will still show up in the queue. Hence the given answer BCE is correct.

Metasploit

- Not A = Resolved alerts stay in the Alerts queue marked as resolved.
- B = You can hide alerts from the system.
- C = 1.) Suppress alert on this device or 2.) Suppress alert in my organization (for MS Defender for Endpoint).
- Not D = Because of C.
- E = Because you cannot do either of the others without an alert.

Metasploit

Correction: BDE. This question bugged me. The new alert suppression rules allow for much more. https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719

Lone_Wolf (Options: BDE)

Here's a brief explanation of each option:
- E. Generate the alert: You need to generate the alert first so that you can see it in the Alerts queue.
- B. Hide the alert: After generating the alert, you can hide it if you want to remove it from view.
- D. Create a suppression rule scoped to a device group: You can also create a suppression rule scoped to a specific device group if you want to only apply it to a specific group of devices. This helps you maintain the existing security posture.

EricShon (Options: BDE)

- B. Hide the alert (for immediate, manual action)
- D. Create a suppression rule scoped to a device group (for a targeted, long-term solution)
- E. Generate the alert

mimguy

On the test July 7, 2023.

emmanuelodenyire (Options: BDE)

According to the question, I will stick with these.

4b097e5 (Options: BDE)

BDE is the correct answer.

chepeerick (Options: BDE)

B, D and E.

BMG6 (Options: BDE)

BDE
- A. Resolve the alert automatically. No (task is to HIDE).
- B. Hide the alert.
- C. Create a suppression rule scoped to any device. No (task is for Accounting computers).
- D. Create a suppression rule scoped to a device group.
- E. Generate the alert.

donathon (Options: BDE)

BDE makes sense.

Unlikely (Options: BCD)

My 2 cents: BCE. A false positive is a false positive, regardless of which group of users causes it more often. The question states that a specific group uses the document more often than the others, not that this is an FP only when that specific group opens the document. So more than one group of users in the company can open that document and generate the FP; hence, it makes no sense to suppress the FP for one specific group.

Abujumaa (Options: BCE)

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide

mali1969 (Options: ABC)

We can perform three actions to hide false positives in the Alerts queue while maintaining the existing security posture:
- Create a suppression rule scoped to a device group
- Hide the alert
- Resolve the alert automatically
These actions will allow you to suppress alerts that are known to be harmless for a specific group of devices, such as the accounting team's devices, and remove them from the Alerts queue without affecting other alerts or devices.

Yurri (Options: ABD)

A, B, D.

Qadour (Options: BDE)

Correct answer, 100%.

Nailik_Ms (Options: BDE)

I think BDE is correct. I see many comments about why device group is not correct, but here are my two cents. You as administrator know and intend to hide the false positives due to the activity of the accounting group, but should be alerted if that document is opened by other devices in the company.

Tohar (Options: BDE)

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719