Microsoft Security Operations Analyst — Question 5
You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Answer options
- A. Configure automatic data enrichment.
- B. Add the IP addresses to the corporate address range category.
- C. Increase the sensitivity level of the impossible travel anomaly detection policy.
- D. Add the IP addresses to the other address range category and add a tag.
- E. Create an activity policy that has an exclusion for the IP addresses.
Correct answer: A, B
Explanation
The correct actions are A and B. Configuring automatic data enrichment (A) adds context to alerts, and adding the IP addresses to the corporate address range category (B) tells the system that sign-ins from these ranges are legitimate. Increasing the sensitivity level of the impossible travel policy (C) may lead to more false positives, while options D and E do not directly address the need to prevent alerts for known legitimate sign-ins.