Evaluate GRC and security operations strategies · Hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to enable the "Include suppressed alerts" option within the Microsoft 365 Defender data connector in Microsoft Sentinel. This setting forces Sentinel to ingest all alerts from Microsoft 365 Defender, including those suppressed by rule sets in the Defender portal, thereby satisfying the requirement to forward high-severity alerts without altering the suppression rules needed for operational efficiency. On the Microsoft Cybersecurity Architect exam, this scenario tests your understanding of the data connector’s advanced configuration options, often appearing as a trap where candidates mistakenly try to modify Defender’s suppression rules or create separate analytics rules. A common memory tip is to think of the connector as a filter: by default, it respects Defender’s suppression, but toggling the "include suppressed alerts" checkbox overrides that filter at the ingestion layer. Remember the phrase "connector override, not rule change" to avoid the trap of adjusting Defender’s operational settings.

SC-100 Practice Question: Evaluate GRC and security operations strategies

This SC-100 practice question tests your understanding of evaluating GRC and security operations strategies. After answering, compare your reasoning against the explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Contoso Ltd. is a multinational organization with a hybrid environment consisting of on-premises Active Directory and Azure AD (now Microsoft Entra ID). They use Microsoft Defender for Cloud Apps, Microsoft Sentinel, and Microsoft 365 Defender. The security operations team has noticed that several high-severity alerts from Microsoft 365 Defender are not being forwarded to Microsoft Sentinel, causing delayed response. The team has confirmed that the data connector between Microsoft 365 Defender and Sentinel is enabled and appears healthy. However, only low-severity alerts appear in Sentinel. Further investigation reveals that the Microsoft 365 Defender portal has a configured rule set that suppresses high-severity alerts for certain users deemed low risk. The security operations manager wants to ensure all high-severity alerts are sent to Sentinel without changing the suppression rules in Microsoft 365 Defender, as those rules are required for operational efficiency. What should the team do to ensure high-severity alerts are ingested into Sentinel?


Answer choices

  • A. Modify the suppression rules in Microsoft 365 Defender to not suppress high-severity alerts.
  • B. In the Microsoft 365 Defender data connector in Sentinel, enable the option to include suppressed alerts.
  • C. Use the Microsoft Graph Security API connector in Sentinel to ingest alerts instead.
  • D. Create a separate Logic App to fetch high-severity alerts from Microsoft 365 Defender API and send them to Sentinel.

Why each option matters

Answer the question above first, then read the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

In the Microsoft 365 Defender data connector in Sentinel, enable the option to include suppressed alerts.

Option B is correct because the Microsoft 365 Defender data connector in Microsoft Sentinel includes a configuration setting to 'Include suppressed alerts.' Enabling this option forces Sentinel to ingest all alerts from Microsoft 365 Defender, including those that are suppressed by rule sets in the Defender portal. This satisfies the requirement to forward high-severity alerts without modifying the suppression rules that the operations team relies on for operational efficiency.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • A. Modify the suppression rules in Microsoft 365 Defender to not suppress high-severity alerts.

    Why it's wrong here

    The manager explicitly wants to keep the suppression rules unchanged.

  • B. In the Microsoft 365 Defender data connector in Sentinel, enable the option to include suppressed alerts.

    Why this is correct

    The connector has a setting to include suppressed alerts, which will forward all alerts regardless of suppression status.

    Related concept

    Read the scenario before looking for a memorised answer.

  • C. Use the Microsoft Graph Security API connector in Sentinel to ingest alerts instead.

    Why it's wrong here

    This would duplicate data and may still have suppression issues; the existing connector can be configured correctly.

  • D. Create a separate Logic App to fetch high-severity alerts from Microsoft 365 Defender API and send them to Sentinel.

    Why it's wrong here

    This would create duplicate data and is not necessary; the connector can be configured to include suppressed alerts.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates assume suppressed alerts are permanently hidden and cannot be ingested, leading them to choose either modifying the suppression rules (Option A) or building a custom workaround (Option D), when in fact the Sentinel connector has a specific toggle to include suppressed alerts.

Detailed technical explanation

How to think about this question

Under the hood, the Microsoft 365 Defender connector uses the Microsoft 365 Defender API (formerly Microsoft Graph Security API) to pull alerts, and the 'Include suppressed alerts' checkbox sets a parameter in the API call to retrieve alerts regardless of their suppression state. In a real-world scenario, suppression rules are often used to reduce noise from low-risk users or known false positives, but security operations centers (SOCs) may still want to see all high-severity alerts in Sentinel for correlation with other data sources and for long-term analysis. The connector's built-in option avoids the need for custom Logic Apps or API scripting, ensuring a supported and maintainable solution.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this SC-100 question test?

This question tests the SC-100 domain "Evaluate GRC and security operations strategies". Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is option B: in the Microsoft 365 Defender data connector in Sentinel, enable the option to include suppressed alerts. This forces Sentinel to ingest all alerts, including those suppressed by rule sets in the Defender portal, without modifying the suppression rules the operations team relies on (see the full explanation above).

What should I do if I get this SC-100 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026
