Microsoft Updated SC-401 Exam Questions and Answers by amaia

Information protection scanner: Scans on-premises data, unrelated to forensic evidence.

Claim capacity: Required to enable forensic evidence collection in Insider Risk Management because forensic evidence consumes special storage (capacity units).

Adaptive Protection: Assigns policies dynamically, unrelated to forensic evidence.

Priority user groups: Helps scope users but not the prerequisite step for forensic capture.

Comprehensive Detailed Explanation with References

Step 1 – Review File2 contents

File2 contains 3 IP addresses.

Step 2 – Review DLP rules and priorities

RuleConditionPolicy TipStop Processing?Priority

Rule11 or more IP addressesTip1No0

Rule23 or more IP addressesTip2Yes1

Rule32 or more IP addressesTip3No2

Step 3 – Rule evaluation order

Advanced DLP rules are processed by priority order (lowest number first).

Rule1 (Priority 0) will trigger because File2 has at least 1 IP address.

This applies Tip1.

However, Rule1 has Stop Processing = No, so evaluation continues.

Rule2 (Priority 1) will also trigger because File2 has 3 IP addresses (≥3).

This applies Tip2.

Rule2 has Stop Processing = Yes, so evaluation stops after this.

Rule3 (Priority 2) will not be evaluated because Rule2 stopped processing.

Step 4 – Final outcome

File2 matches Rule1 (Tip1), but since Rule2 fires afterward with Stop Processing = Yes, only Tip2 is applied.

Step 5 – Microsoft Reference

From Microsoft docs: “When a rule is configured to stop processing, subsequent rules are not evaluated and only the policy tip from the last triggered rule with stop processing applies.”