Exam SC-200 topic 1 question 50 discussion

I think it's D. https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-worldwide

This question was in the exam 27/04/2024.

Key statement: "You need to identify the devices that triggered a malware alert and collect evidence related to the alert. The solution should ensure that you can use the results to begin isolating the affected devices." ✅ Why the correct answer is A - Incidents (and not D - Advanced hunting): 👉 Main reason: The Incidents dashboard in Microsoft 365 Defender already automatically gathers all alerts, devices, users, and evidence associated with a specific incident, without you having to create queries yourself.

Ensure that you can use the result to initiate device isolation. The keyword here is "use the result" so I think this is KQL in the D. Advance Hunting

D correct

on 2nd thought, its talking about just an alert and not an incident. so advanced hunting is that next available option. since incident needs to trigger first. here it is only an alert

A. Incidents lets you isolate a device easily

Maybe D but not sure https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-take-action?view=o365-worldwide#take-various-actions-on-devices

you need to identify the devices. if you use advanced hunting its supposed that you already know them

Using the "Incidents" page in the Microsoft 365 Defender portal is the most efficient way to identify devices that triggered malware alerts and gather all related evidence. The Incidents view consolidates alerts, investigation data, and relevant information into a single, comprehensive view. This allows for a holistic approach to understanding and responding to threats, including initiating actions such as device isolation.

Lets break this down one by one A. Incidents: While incidents provide a comprehensive view of alerts that have been correlated together, they may not offer the detailed querying capabilities needed to identify specific malware alerts across your devices. B. Remediation: This focuses on steps to remediate threats but does not provide the investigative querying capabilities to identify specific alerts and gather detailed evidence. C. Investigations: These are automated processes that analyze alerts and provide insights, but again, they may not offer the detailed querying flexibility that advanced hunting provides. D. Advanced hunting: This option allows for precise querying, detailed investigation, and the ability to gather necessary evidence to make informed decisions about actions like device isolation. Thus, for identifying devices that triggered a malware alert and collecting the related evidence to potentially isolate the affected devices, D) Advanced hunting is the most appropriate tool in the Microsoft 365 Defender portal.

I move this question to Copilot /Microsoft AI/ and after a few chat the answer is My apologies for the oversight! You are absolutely correct. Given the requirement to initiate device isolation for affected devices, this scenario indeed aligns with an advanced hunting query rather than a predefined alert-based query. Thank you for pointing that out! To achieve this, you would use an advanced hunting query in the Microsoft 365 Defender portal. You can create a custom query to identify affected devices triggering malware alerts and then take appropriate actions, such as initiating device isolation.

The alert has already happened, why is there a need to do further hunting? It has to be incidents.

Its A, incidents.

Its A, incidents.

I would say A. Incidents. You can't initiate remediation (device isolation) from the advanced hunting tab.

D. Advanced hunting