Microsoft - SC-401: Administering Information Security in Microsoft 365

Sample Questions

Question: 208
Measured Skill: Manage risks, alerts, and activities (30–35%)

You have a Microsoft 365 E5 subscription.

You are implementing insider risk management.

You need to maximize the amount of historical data that is collected when an event is triggered.

What is the maximum number of days that historical data can be collected?

A 30
B 60
C 90
D 180

Correct answer: C

Explanation:

Policy timeframes in Microsoft Purview Insider Risk Management allow you to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates. Depending on the policy template you choose, the following policy timeframes are available:

  • Activation window: Available for all policy templates, Activation window is the defined number of days that the window activates after a triggering event. The window activates for 1 to 30 days after a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set Activation window to 30 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates Activation window and the policy is active for that user for 30 days after the triggering event occurred.

  • Past activity detection: Available for all policy templates, Past activity detection is the defined number of days that the window activates before a triggering event. For activities in the audit log, the window activates for 0 to 90 days before a triggering event occurs for any user assigned to the policy. For example, you've configured an insider risk management policy and set Past activity detection to 90 days. Several months have passed since you configured the policy, and a triggering event occurs for one of the users included in the policy. The triggering event activates Past activity detection and the policy gathers historic activities for that user for 90 days prior to the triggering event.

References:

Investigate insider risk management activities

Set policy timeframes in insider risk management



Question: 209
Measured Skill: Implement information protection (30–35%)

You have a Microsoft 365 E5 subscription that contains a user named User1.

You need to ensure that all email messages that contain attachments are encrypted automatically by using Microsoft Purview Message Encryption.

What should you create?

A A mail flow rule
B A sensitivity label
C A data loss prevention (DLP) policy
D An information barrier segment

Correct answer: A

Explanation:

We should configure a mail flow rule as shown below.

Reference: Message encryption



Question: 210
Measured Skill: Manage risks, alerts, and activities (30–35%)

You have a Microsoft 365 E5 subscription that uses Microsoft Purview.

You need to perform a content search for email messages that meet the following requirements:
  • Are delivered to both user1@contoso.com and user2@contoso.com
  • Are sent from a user account that has a name that starts with the word Compliance
How should you complete the query in the KQL editor?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Recipients:("User1@contoso.com" "User2@contoso.com") AND Sender=Compliance*
B Recipients:("User1@contoso.com" AND "User2@contoso.com") AND Sender=Compliance[*]
C Recipients:("User1@contoso.com" AND "User2@contoso.com") AND Sender=Compliance*
D Recipients:%"User1@contoso.com" "User2@contoso.com"% AND Sender=Compliance[*]
E Recipients:&"User1@contoso.com" "User2@contoso.com"& AND Sender=Compliance[#]
F Recipients:&"User1@contoso.com" "User2@contoso.com"& AND Sender=Compliance#

Correct answer: C

Explanation:

Boolean search operators, such as AND, OR, and NOT, help you define more-precise searches by including or excluding specific words in the search query. Other techniques, such as using property operators (such as >= or ..), quotation marks, parentheses, and wildcards, help you refine a search query. The following table lists the operators that you can use to narrow or broaden search results.

The Boolean operators AND, OR, NOT, and NEAR must be uppercase. A space between two keywords or two property:value expressions is the same as using OR. For example, from:"Sara Davis" subject:reorganization returns all messages sent by Sara Davis or messages that contain the word reorganization in the subject line.

Reference: Keyword queries and search conditions for eDiscovery



Question: 211
Measured Skill: Manage risks, alerts, and activities (30–35%)

You have a Microsoft 365 subscription.

You configure a Microsoft Purview insider risk management policy named Policy1.

You need to ensure that you will receive real-time recommendations on how to configure the indicator thresholds for Policy1. The solution must ensure that the recommendations are based on a user's activity from the past 10 days.

What should you do first?

A Create an Insider Risk Indicators connector.
B Configure the Insider Risk Management Data sharing settings.
C Create a data loss prevention (DLP) policy.
D Enable insider risk management analytics.

Correct answer: D

Explanation:

When you enable Microsoft Purview Insider Risk Management analytics, you get several important benefits. You can:

  • Evaluate potential insider risks in your organization without configuring any insider risk policies.
  • Get real-time guidance on configuring indicator threshold settings.
  • Generate insider risk severity and user activity summary for the users not part of policies. Share this summary information with Data Loss Prevention, Communication Compliance, and Microsoft Defender.

To receive real-time recommendations on configuring indicator thresholds for your insider risk management policy (Policy1), you must first enable analytics in Microsoft Purview Insider Risk Management. This feature scans user activity and provides guidance on threshold settings, even before any policies are applied.

Reference: Use real-time analytics recommendations to set thresholds



Question: 212
Measured Skill: Manage risks, alerts, and activities (30–35%)

You have a Microsoft 365 subscription.

You create and run a content search from the Microsoft Purview portal.

You need to download the results of the content search.

What should you obtain first?

A A certificate
B A password
C A pin
D An export key

Correct answer: D

Explanation:

The first step is to prepare the search results for exporting. When you prepare results, they're uploaded to a Microsoft-provided Azure Storage location in the Microsoft cloud. Content from mailboxes and sites is uploaded at a maximum rate of 2 GB per hour.

The exported search results must be downloaded within 14 days after you created the export job. When configuring the export job, you are provided an export key, which must be pasted into the eDiscovery Export Tool when downloading the results.

Reference: Export Content search results





 
 
 

© Copyright 2014 - 2025 by cert2brain.com