SC-200 Certification Practice Question #86

Question

You have an Azure subscription that contains a virtual machine named VM1 and uses Microsoft Defender for Cloud.

Microsoft Defender for Cloud has automatic provisioning configured to use Azure Monitor Agent.

You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.

What should you do first?

Accepted Answer

A Defender for Cloud alert suppression rule can only target an alert type that has already fired at least once on the subscription — MS Learn states plainly that "a suppression rule applies only to alert types that have already been triggered at least once." Therefore, before you can build a custom rule to suppress the false-positive "suspicious use of PowerShell" alert on VM1, you must first cause that alert to be generated by triggering it on VM1 (option C). Exporting alerts to a Log Analytics workspace (A) and adding workflow automation (B) do not make an alert type available for suppression, and Get-MpThreatCatalog (D) enumerates Microsoft Defender Antivirus threat definitions, not Defender for Cloud alerts. The Suggested Answer, an unopposed community vote, the top comment (8 👍), and MS Learn all agree on C.

More SC-200 practice questions