SC-200 topic 1 question 21 (Page 1 of 2)

This answer looks wrong and since there is no reference link to support it I challenge it. To me the correct answer is B,E.

I echo your thoughts, I can get a few hints to support your answer at below location:

https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts

At least B makes sense as the question reads a custom policy based on a custom IP range is in place. So false positive alerts that are generated by activity from the offices would be solved by adding their IP ranges in the custom IP range used in the policy..

Apologies, the answer provided is correct. I just know checked the site myself and the options exist, you add the IP address range and a tag and then you check to override the data enrichment by providing a location that goes along with that IP range.

So, A & D stand correct.

A - this seems correct, as if you override the automatic detection of location for company IP address ranges, you can prevent the impossible travel alerts.
B - This makes sense as you need to define your corporate address ranges so that they are not seen as risky.
C - Increasing the sensitivity of the impossible travel detection would create more alerts.
D - Why would you set the IP addresses to the "Other" category when there is a "Corporate" category that fits the description?
E - Creating a new policy when there is already an existing one that you need to reduce the alerts from, would not reduce the number of alerts.

This question was in the exam 27/04/2024.

correct A and D

B & C seem to be the only "available" configuration settings.

C.
Impossible Travel: https://security.microsoft.com/cloudapps/policy/anomaly/60253687a702c5eb0e8d86ca
Apart from increasing or decreasing Sensitivity (or excluding certain users), there is no other filter available. The answer option C should be corrected to "Decrease the sensitivity" and then it is the right answer ;-)

B.
Logon from Risky IP: https://security.microsoft.com/cloudapps/policy/activity/create?template=5b3116e1996fe317b4a1b25e
This looks at "Risky" category IP addresses only, so if the offices IPs are added to "Corporate" category or "Other" category, they go automatically out of scope for this policy. So even option D. can be considered a correct answer.

A. is irrelevant as "User enrichment" is the only "enrichment" related setting found: https://security.microsoft.com/cloudapps/settings?tabid=discovery-userEnrichment
E. is unnecessary as explained in B. above

To prevent alerts for legitimate sign-ins from known locations, you need to perform the following two actions:

B. Add the IP addresses to the corporate address range category. This action allows you to define the IP address ranges that belong to your organization and exclude them from anomaly detection policies such as impossible travel or sign-ins from risky IP addresses. You can add the IP addresses of your company’s United States-based offices to the corporate address range category in the Microsoft 365 Defender portal, under Cloud Apps,
E. Create an activity policy that has an exclusion for the IP addresses. This action allows you to create a custom alert based on user activities and apply filters or exclusions to refine the results

Yes B & E is correct

On exam - 19 June 2023

I don't think that's the same question. This question isn't referring to switching back and forth between offices. The MS question and answer is stating that users are switching between the two.