DRAG DROP You have a Microsoft 365 E5 subscription that uses Microsoft Purview insider risk management and contains three users named User1, User2, and User3. All insider risk management policies have adaptive protection enabled and the default conditions for insider risk levels configured. The users perform the following activities, which trigger insider risk policy alerts: User1 performs at least one data exfiltration activity that results in a high severity risk score. User2 performs at least three risky user activities within seven days, that each results in a high severity risk score. User3 performs at least bwo data exfiltration activities within seven days, that each results in a high severity risk score. Which insider risk level is assigned to each user? To answer, drag the appropriate levels to the correct users. Each level may be used once, more than once, or not at all. You may need to drag the split bar between panes or seroll to view content. NOTE: Each correct selection is worth one point. 
Q: 10
Drag & Drop
Discussion
User1 minor, User2 elevated, User3 moderate risk level. Seen similar mapping in exam reviews.
Minor risk level (User1), Elevated risk level (User2), Moderate risk level (User3). In the default adaptive protection config, User2's frequency of high-severity activity bumps them to elevated, while just one exfiltration keeps User1 at minor. Policy changes could flip the order but nothing custom in this scenario.
Looks good, it's Minor risk for User1, Elevated for User2, Moderate for User3. That's the mapping I remember from adaptive protection defaults in Insider Risk policies. Not totally certain, but lines up with what MS docs say about single vs repeated high-severity actions.
User1 minor, User2 elevated, User3 moderate. I don’t think User2 is moderate since three high-severity risky activities push it to elevated by default settings. The exfil counts in User3 are the main trap here.
User1 minor, User2 elevated, User3 moderate. That fits the adaptive protection thresholds for activity count and severity in Purview. Pretty sure this matches the docs but open to other logic.
Minor risk level (User1), Elevated (User2), Moderate (User3). Not 100 percent but that's what I remember from the docs.
Minor risk level (User1), Elevated risk level (User2), Moderate risk level (User3). This fits with how adaptive protection uses both incident type and frequency, I think. Open to a different take if someone has labbed this out more recently.
User1: Moderate risk level, User2: Elevated risk level, User3: Minor risk level. I think single high-severity exfiltration bumps User1 up, and since User3 only did two events, theirs feels lower. Might be off on the default config though.
User1: Moderate, User2: Minor, User3: Elevated risk level
User1: Minor, User2: Elevated, User3: Moderate risk level. That's what I've seen in Purview docs for default adaptive protection-single high-severity exfiltration usually just triggers Minor, while frequency bumps up the others. Not 100% sure, but makes sense with how their scoring works.
Be respectful. No spam.
Question 10 of 25
