ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-200 All Questions

View all questions & answers for the SC-200 exam
Go to Exam

Exam SC-200 topic 6 question 16 discussion

Actual exam question from Microsoft's SC-200
Question #: 16
Topic #: 6
[All SC-200 Questions]

You have a Microsoft 365 E5 subscription.

Automated investigation and response (AIR) is enabled in Microsoft Defender for Office 365 and devices use full automation in Microsoft Defender for Endpoint.

You have an incident involving a user that received malware-infected email messages on a managed device.

Which action requires manual remediation of the incident?

  • A. soft deleting the email message
  • B. hard deleting the email message
  • C. isolating the device
  • D. containing the device
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by laddu001 at June 16, 2024, 11:57 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
laddu001
Highly Voted 1 year, 2 months ago
hard deleting the email message
upvoted 7 times
...
exams_certs
Highly Voted 10 months, 3 weeks ago
Corrent. AIR can soft or hard delete email. MDE don't do isolation as automate response - so this is correct. You can't contain device connected to MDE. You can check it here: https://learn.microsoft.com/en-us/defender-office-365/remediate-malicious-email-delivered-office-365 https://learn.microsoft.com/en-us/defender-endpoint/manage-auto-investigation#remediation-actions https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
upvoted 6 times
The1BelowAll
1 week ago
Device isolation is a manual action unless explicitly configured via automation rules. Defender for Endpoint supports full automation, but device isolation typically requires analyst approval to avoid disrupting legitimate activity. Isolation cuts off network access except to Defender services, which is a high-impact action and not taken automatically by AIR.
upvoted 1 times
...
talosDevbot
10 months, 2 weeks ago
Agreed. You can only contain unmanaged devices
upvoted 2 times
...
...
Onimole
Most Recent 5 months ago
Selected Answer: C
Defender for Endpoint Plan 1 and Microsoft Defender for Business include only the following manual response actions: Run antivirus scan Isolate device Stop and quarantine a file Add an indicator to block or allow a file
upvoted 2 times
...
scfitzp
1 year, 1 month ago
Selected Answer: C
https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
upvoted 1 times
...
scfitzp
1 year, 1 month ago
https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts Important Defender for Endpoint Plan 1 includes only the following manual response actions: Run antivirus scan Isolate device Stop and quarantine a file Add an indicator to block or allow a file. Microsoft Defender for Business does not include the "Stop and quarantine a file" action at this time.
upvoted 3 times
...
Fren686478
1 year, 1 month ago
https://learn.microsoft.com/en-us/defender-xdr/m365d-remediation-actions
upvoted 1 times
scfitzp
1 year, 1 month ago
This link is for XDR, not MDE. And if this were an accurate citing then the question would be rather terrible because the only thing not listed in that source is containing a device
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel