You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You need to identify all the entities affected by an incident. Which tab should you use in the Microsoft 365 Defender portal?
Correct Answer - C, Evidence and Response.
The question emphasizes 'incident'. Though you can view affected entities by clicking the Alerts tab > Alert list, that will be for that particular alert, and one alert isn't necessarily an incident. An incident can have multiple alerts. So you need to click the Incidents tab, open the incident, go to the Evidence and Response tab and look there.
Correct answer is indeed C: when you click on an incident it will open the Summary tab. On the Summary tab you can see the overview of evidence with an option to view all entities; this will bring you to "Evidence and Response".
Question Keywords: "...identify all the entities AFFECTED BY AN INCIDENT."
Answer: C Evidence and response.
"The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident."
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide#evidence-and-response
The "Evidence and Response" tab in the Microsoft 365 Defender portal can be used to identify all the entities affected by an incident. In the "Evidence and Response" tab, you can access information about the scope of the incident and the entities that were affected. This information can help you understand the extent of the incident and determine the necessary steps to respond to it.
A. Investigations
To identify all the entities affected by an incident in the Microsoft 365 Defender portal, you should use the "Investigations" tab. The Investigations tab provides a centralized location where you can manage and track incidents, perform analysis, and review related entities and evidence associated with the incident.
Using the Investigations tab, you can explore the scope of the incident, review impacted devices, users, and other entities, and gather evidence to understand the nature and extent of the security issue. This tab allows you to perform a comprehensive investigation to ensure that you have a clear understanding of the incident's impact on your environment.
The other options (B, C, and D) are relevant to incident response and security management but may not provide the same level of comprehensive analysis and entity identification as the Investigations tab.
The Alerts tab is primarily used for monitoring and managing security alerts generated by various Microsoft 365 Defender services. While it can provide insights into individual alerts, it may not provide a holistic view of all entities affected by an incident. So definitely C.
The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident.
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide
C - Evidence and Response
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents#evidence-and-response
The description even says 'Microsoft 365 Defender automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with information about the important emails, files, processes, services, IP Addresses, and more.'
To identify all the entities affected by an incident in the Microsoft 365 Defender portal, you should use the Evidence and Response tab.
The Evidence and Response tab in the Microsoft 365 Defender portal provides a detailed view of an incident, including information about the affected entities. When you select an incident in the Investigations tab, the Evidence and Response tab will display information about the affected users, devices, applications, and other entities. You can use this information to understand the scope of the incident and to determine which entities may have been compromised or affected by the incident.
The Devices, Alerts, and Investigations tabs may also contain information about affected entities, but the Evidence and Response tab provides the most comprehensive view of the entities involved in an incident.
On the Alerts tab, you can view the alert queue for alerts related to the incident and other information about them such as:
Severity,
The entities that were involved in the alert.
...
Pointless