
Exam SC-200 topic 7 question 6 discussion

Actual exam question from Microsoft's SC-200
Question #: 6
Topic #: 7

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.

You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:

• Identify all the active network connections on Device1.
• Identify all the running processes on Device1.
• Retrieve the login history of Device1.
• Minimize administrative effort.

What should you do first from the Microsoft Defender portal?

  • A. From Devices, click Collect investigation package for Device1.
  • B. From Advanced features in Endpoints, enable Live Response unsigned script execution.
  • C. From Devices, initiate a live response session on Device1.
  • D. From Advanced features in Endpoints, disable Authenticated telemetry.
Suggested Answer: A

Comments

wheeldj
Highly Voted 11 months, 3 weeks ago
Selected Answer: A
Answer A: The investigation package collected by Defender includes all the required information and is considerably less admin effort than running a live response session and collecting this information interactively. https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices
upvoted 11 times
DChilds
Highly Voted 11 months, 4 weeks ago
Selected Answer: A
A is correct. https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices
upvoted 5 times
Optimizor_IT
Most Recent 3 days, 7 hours ago
Selected Answer: A
A. From Devices, click Collect investigation package for Device1. This action is the most efficient first step, as it collects a comprehensive forensic package from Device1 that includes active network connections, running processes, and login history, meeting all requirements with minimal administrative effort.
upvoted 1 times
CDR
4 months ago
Selected Answer: C
The correct answer is C. From Devices, initiate a live response session on Devic
upvoted 2 times
sapphire
5 months, 1 week ago
Selected Answer: A
• Minimize administrative effort. A is Correct.
upvoted 2 times
rebecchu0731
5 months, 2 weeks ago
Asked Copilot and the answer is live session. While collecting an investigation package can provide a snapshot of the device's current state, it may not offer the same level of detailed, real-time information and control as a live response session.
upvoted 1 times
smanzana
8 months, 3 weeks ago
A https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices
upvoted 2 times
Avaris
10 months, 1 week ago
Selected Answer: C
Checked ChatGPT and the answer is C. Here's why: Initiating a live response session allows you to interact with Device1 in real time. You can run commands to check active network connections, running processes, and retrieve the login history. Minimize administrative effort: Live response sessions provide direct access and control, which minimizes the need for additional configurations or complex procedures. The other options either involve additional steps that are not immediately necessary (like collecting an investigation package, which can be more comprehensive but less direct for immediate queries) or configurations that don't directly address the investigative tasks at hand. By starting a live response session, you can quickly gather the necessary information directly from Device1, fulfilling the investigation requirements effectively.
upvoted 2 times
laddu001
11 months ago
Minimize Administrative Effort: Live response sessions allow you to interact directly with the device, minimizing administrative overhead.
upvoted 2 times
talosDevbot
6 months, 1 week ago
I would argue that collecting the investigation package requires less effort because all you have to do is download the package and look for the info you need in the Network Connections folder, Processes folder, and Users and groups folder. Whereas for a live session, you will have to establish a session and execute several commands to retrieve the information you need.
upvoted 2 times
ServerBrain
11 months, 4 weeks ago
Selected Answer: C
By initiating a live response session, you can achieve your investigation goals while minimizing administrative effort. Remember that live response provides real-time access to the device, allowing you to perform tasks directly on Device
upvoted 2 times
pk69
11 months, 4 weeks ago
Selected Answer: C
live response session
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)