Exam SC-200 Topic 2 Question 295 Discussion

Actual exam question for Microsoft's SC-200 exam
Question #: 295
Topic #: 2
You need to minimize the effort required to investigate the Microsoft Defender for Identity false positive alerts. What should you review?

Suggested Answer: D

In Microsoft Defender for Identity, false positives can occur due to legitimate administrative activities or benign network behavior. To minimize investigation effort, Microsoft recommends reviewing the Resolution Method field associated with the alert's source computer.
The Resolution Method indicates how Defender for Identity classified or resolved the source computer's identity, whether through secure channel (Kerberos/NTLM), DNS resolution, or other identification techniques. If the method is unreliable (e.g., based on DNS name only), it may cause inaccurate correlations that trigger false positives.
By verifying the Resolution Method, analysts can quickly determine whether an alert was raised due to weak identity mapping or misattribution. Microsoft's official documentation states that reviewing the Resolution Method "helps analysts understand how the entity was resolved and assess whether the detection could be a false positive." Hence, to reduce the time spent on false positives, the most relevant data point to review is the Resolution Method of the source computer.

by Sophia at Jun 29, 2026, 05:04 AM
