Exam SC-200 topic 6 question 18 discussion

Actual exam question from Microsoft's SC-200
Question #: 18
Topic #: 6

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You need to identify all the entities affected by an incident.

Which tab should you use in the Microsoft Defender portal?

  • A. Investigations
  • B. Assets
  • C. Evidence and Response
  • D. Alerts
Suggested Answer: C

Comments

user636
Highly Voted 9 months, 2 weeks ago
Selected Answer: C
Evidence and Response: This tab provides detailed information about "all" the evidence related to an incident.
upvoted 6 times
...
Another_one
Highly Voted 8 months, 1 week ago
Selected Answer: B
Correct me if I'm wrong, but should the answer be B. Assets? https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents#alerts Easily view and manage all your assets in one place with the new Assets tab. This unified view includes Devices, Users, Mailboxes and Apps. The Assets tab displays the total number of assets beside its name. A list of different categories with the number of assets within that category is presented when selecting the Assets tab. All assets affected at one place.
upvoted 5 times
Krayzr
1 week, 5 days ago
It's asking for "ENTITIES" not "assets" https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents#evidence-and-response
upvoted 1 times
...
Krayzr
1 week, 5 days ago
https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents#assets
upvoted 1 times
...
...
OneplusOne
Most Recent 2 weeks ago
Selected Answer: B
The Impacted Assets column in the Incidents list gives a clear overview of affected entities, and the Assets pane breaks this down further, showing items like devices and user accounts involved in an incident. Meanwhile, the Entities tab under Evidence and Response focuses more on technical artifacts such as files, processes, and services, but it doesn’t include all impacted assets like user accounts. This distinction is crucial when investigating incidents, as security teams need both perspectives—technical details from the Entities tab and broader context from the Assets pane.
upvoted 1 times
...
Adel614
1 month, 3 weeks ago
Selected Answer: C
C. Evidence and Response. Considering that affected entities could include unmanaged ones by "Assets" like IP addresses, the correct tab to use in the Microsoft Defender portal to identify all entities affected by an incident would likely be Evidence and Response (C). This tab provides broader insight into the evidence collected during the investigation, which includes both managed and unmanaged entities, such as IP addresses, files, or processes.
upvoted 1 times
...
Optimizor_IT
2 months ago
Selected Answer: C
Displays a complete list (e.g., devices, users, files, IPs, mailboxes) tied to the incident’s alerts and evidence.
upvoted 1 times
...
Onimole
2 months, 3 weeks ago
Selected Answer: B
Assets. I use it every time.
upvoted 2 times
...
HAjouz
5 months, 3 weeks ago
Selected Answer: C
However, the "Evidence and Response" tab, specifically within an incident's context, provides that deeper dive into the affected entities.
upvoted 3 times
...
Itsmebigal
6 months, 1 week ago
Selected Answer: B
I would say Alerts -> Assets tab, which would show you something like this: Devices (10), Users (0), Mailboxes (0), Apps (1), Cloud Resources (0)
upvoted 3 times
Itsmebigal
6 months, 1 week ago
Kind of a crap question because you would really use both. Assets for Devices, Users, Mailbox, etc and Evidence and Response for IPs, Processes, Files, etc.
upvoted 2 times
...
...
sapphire
6 months, 4 weeks ago
Selected Answer: C
I work with MS Defender XDR and all entities are in Evidence and Response. Correct answer.
upvoted 2 times
...
rebecchu0731
7 months, 1 week ago
I asked Copilot and the answer is Assets
upvoted 1 times
...
VeiN
7 months, 1 week ago
Same as Q31 Topic 1
upvoted 1 times
...
talosDevbot
8 months ago
Selected Answer: D
I'll go with D) Alerts. The important part of the question is identifying all the entities AFFECTED by an incident. The Assets and Evidence & Response tabs show entities that are part of or related to the incident, not necessarily affected. The Alerts tab will show you "events of the alert, which other triggered alerts caused the current alert, and all the affected entities and activities involved in the attack, including devices, files, users, and mailboxes". The table in the Alerts tab also has a column for Impacted entities.
upvoted 1 times
...
g_man_rap
9 months, 3 weeks ago
Selected Answer: C
Evidence and Response: This tab provides detailed information about all the evidence related to an incident. This includes the entities (such as files, devices, users, IP addresses, etc.) that are involved or impacted by the incident. The tab allows you to see how these entities are related to the threat and what actions have been taken or need to be taken. This is the most appropriate place to view all affected entities within an incident.
upvoted 4 times
...
Studytime2023
10 months, 2 weeks ago
Selected Answer: D
This proves it's D: https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents#alerts
upvoted 3 times
...
scfitzp
11 months ago
I vote D, the key here being "identify ALL the entities". https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents Alerts: "On the Alerts tab, you can view the alert queue for alerts related to the incident and other information about them such as: Severity. The entities that were involved in the alert. The source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Defender for Cloud Apps, and the app governance add-on). The reason they were linked together."
upvoted 2 times
...
90158a0
11 months ago
Selected Answer: C
Evidence and Response: This tab provides a detailed view of all the evidence collected during the investigation, including affected entities such as files, processes, users, and devices. It also shows the response actions taken for the incident.
upvoted 4 times
...
Hawklx
11 months, 1 week ago
Selected Answer: D
Alert is better for identifying all the entities affected by an incident
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other