Free Microsoft SC-401 Actual Exam Questions - Question 11 Discussion

Question No. 11
HOTSPOT
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named
Site1. Site1 contains three files named File1, File2, and File3.
You create the data loss prevention (DLP) policies shown in the following table.
The DLP rule matches for each file are shown in the following table.
How many DLP policy match events will be added to Activity explorer, and how many policy
matches will be added to the DLP incidents report? To answer, select the appropriate options in the
answer area.
Fahad U.
2026-02-20

I’m thinking Activity Explorer should show 4 matches because it logs every individual policy match without merging. For the incidents report, it usually groups matches by user and content within a timeframe, so if File3 triggered two policies but they got merged into one incident, that explains seeing 3 incidents instead of 4. The question doesn’t specify changing the default merging behavior, so it makes sense the incidents report reflects merged entries while Activity Explorer keeps them separate.

0
Rizwan F.
2026-02-19

I’m with the idea that Activity Explorer will list each match separately, so that’s 4 matches total—one for each policy hit on File1, File2, and File3. For the incidents report, since the question doesn’t say anything about merging being turned off, it makes sense that incidents get grouped by file, meaning File3’s two matches count as one incident. That results in 3 incidents overall. So basically, Activity Explorer is more granular, showing every match, while the incidents report summarizes by grouping related matches into single incidents.

0
Marco R.
2026-02-11

Activity explorer should show 4 matches because it logs each policy hit individually, while the incidents report combines those into 3 incidents, one per file, even if multiple policies matched the same file.

0
Marco R.
2026-01-21

I think there are 4 DLP policy matches in Activity explorer because File3 triggers two separate policies, so each match counts individually here. But for incidents, it’s probably 3 because each file only creates one incident even if multiple policies flag it. So File3’s two matches get grouped into a single incident. That’s how I understand the difference between matches and incidents in this scenario—matches are raw detections, but incidents are unique flagged items per file.

0
Marco R.
2026-01-19

Looks like 4 matches but only 3 incidents since File3 triggers two policies.

0
Mason Q.
2026-01-15

Need a clearer explanation of how matches relate to incidents in this case.

0