Exam SC-200 topic 2 question 36 discussion

Actual exam question from Microsoft's SC-200
Question #: 36
Topic #: 2
You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.

You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.

Which JSON key should you search?

  • A. Description
  • B. Intent
  • C. ExtendedProperties
  • D. Entities
Suggested Answer: B

Comments

VictorLiu
Highly Voted 2 years, 3 months ago
Selected Answer: B
B. Intent https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent
upvoted 20 times
Fcnet
2 years, 3 months ago
Intent PrivilegeEscalation string Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.
upvoted 4 times
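An added example, not from the original thread or from Microsoft: a small Python filter over a Defender for Cloud alert list that selects alerts by the `intent` key, treating the value as possibly comma-separated (an assumption) and comparing case-insensitively, with a free-text search over `description` alongside to show why a tactic filter should not rely on wording. The alert JSON is constructed sample data in the shape of the documented list response.

```python
import json

# Constructed sample shaped like a Defender for Cloud Alerts "list" response
# (assumption: documented key names; alert names, text and values are made up).
SAMPLE_ALERTS_JSON = """
{"value": [
  {"name": "alert-001",
   "properties": {"alertDisplayName": "Suspicious setuid binary created",
                  "severity": "High", "intent": "PrivilegeEscalation",
                  "description": "A binary with the setuid bit was created in /tmp.",
                  "extendedProperties": {"resourceType": "Virtual Machine"}}},
  {"name": "alert-002",
   "properties": {"alertDisplayName": "Suspicious process executed",
                  "severity": "Medium", "intent": "Execution",
                  "description": "Process activity that may lead to privilege escalation.",
                  "extendedProperties": {"resourceType": "Virtual Machine"}}},
  {"name": "alert-003",
   "properties": {"alertDisplayName": "Multi-stage activity",
                  "severity": "High", "intent": "Persistence,PrivilegeEscalation",
                  "description": "Scheduled task created by an elevated account.",
                  "extendedProperties": {}}}
]}
"""

def parse_intents(value):
    """Normalize an intent value into a set of lowercase tactic names.
    Assumption: one alert may carry several comma-separated tactics."""
    if not value:
        return set()
    return {part.strip().lower() for part in value.split(",") if part.strip()}

def alerts_with_intent(alerts_json, tactic):
    """Return the names of alerts whose properties.intent includes `tactic`."""
    wanted = tactic.strip().lower()
    return [alert["name"]
            for alert in json.loads(alerts_json).get("value", [])
            if wanted in parse_intents(alert.get("properties", {}).get("intent"))]

def alerts_mentioning_in_description(alerts_json, phrase):
    """Free-text search over the description, for comparison: it matches wording,
    not the kill-chain intent (hits alert-002, misses alert-001 and alert-003)."""
    phrase = phrase.lower()
    return [alert["name"]
            for alert in json.loads(alerts_json).get("value", [])
            if phrase in alert.get("properties", {}).get("description", "").lower()]

if __name__ == "__main__":
    print(alerts_with_intent(SAMPLE_ALERTS_JSON, "PrivilegeEscalation"))
    print(alerts_mentioning_in_description(SAMPLE_ALERTS_JSON, "privilege escalation"))
```

In a SIEM the same idea applies: key the rule on the structured tactic field rather than on substrings of the human-readable text.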
HAjouz
Most Recent 2 months ago
Selected Answer: C
Within the JSON structure of a Microsoft Defender for Cloud alert, the MITRE ATT&CK tactic information is stored within the ExtendedProperties section.
upvoted 1 times
g_man_rap
8 months, 3 weeks ago
Correct Answer: C. ExtendedProperties
Explanation: The ExtendedProperties JSON key is designed to hold additional and structured information about the alert. In the context of Microsoft Defender for Cloud and other security platforms, this often includes detailed metadata such as MITRE ATT&CK tactic mappings. Therefore, searching the ExtendedProperties key will likely yield results that specifically indicate the Privilege Escalation tactic.
upvoted 2 times
falkendarkness
1 year, 2 months ago
Option B ("Intent") is not typically used to directly represent the MITRE ATT&CK tactics or techniques associated with an alert in Microsoft Defender for Cloud. The "Intent" field, if present in the alert data, might provide information about the suspected purpose or objective of the observed activity. However, it does not specifically indicate the MITRE ATT&CK tactic or technique being employed. On the other hand, the "ExtendedProperties" field often contains additional contextual information about the alert, including any associated MITRE ATT&CK tactics and techniques. This field is more likely to contain the specific details needed to identify alerts related to the Privilege Escalation tactic. Therefore, in the context of locating alerts related to the Privilege Escalation MITRE ATT&CK tactic, the "ExtendedProperties" field (Option C) is more relevant to search within the JSON data.
upvoted 1 times
Durden871
1 year ago
I used ChatGPT as well and got the same answer. Every other dump seems to indicate Intent is the answer. No one who says ExtendedProperties has given a link as to why this is the case. I normally trust ChatGPT, but in this case I don't. Properties.Intent: The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents. https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?view=rest-defenderforcloud-2022-01-01&tabs=HTTP#intent
upvoted 1 times
neo73
1 year, 2 months ago
To locate Privilege Escalation MITRE ATT&CK tactic alerts in Microsoft Defender for Cloud, search the Description JSON key. To locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic in Microsoft Defender for Cloud, you should search the Description JSON key. The Description key provides a detailed explanation or summary of the alert, and it may include information about the observed behavior or activity related to privilege escalation. By searching the Description key, you can filter and identify alerts that specifically mention or describe privilege escalation techniques. This can help in effectively reviewing and addressing such alerts using the third-party security information and event management (SIEM) solution.
upvoted 1 times
chepeerick
1 year, 6 months ago
B intent
upvoted 1 times
NICKTON81
1 year, 7 months ago
Selected Answer: B
B. Intent https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent:~:text=%22High%22%2C-,%22intent%22%3A%20%22Execution%22%2C,-%22startTimeUtc%22%3A
upvoted 1 times
mali1969
1 year, 8 months ago
Selected Answer: D
The JSON key that you should search for alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic is Entities. This key contains information about the entities involved in the alert, such as users, devices, files, etc. The value of this key can include a MITRETechniques property that lists the MITRE ATT&CK techniques associated with the alert.
upvoted 1 times
mimguy
1 year, 9 months ago
On the exam, July 7, 2023
upvoted 4 times
srajal
1 year, 9 months ago
Which is the correct answer?
upvoted 2 times
[Removed]
2 years, 2 months ago
Selected Answer: B
The "Intent" key is part of the JSON format used by Microsoft Defender for Cloud to transmit security alert data to third-party security information and event management (SIEM) solutions. The "Intent" key provides information on the type of attack or tactic that the alert is related to, and can be used to identify alerts that are specifically related to the Privilege Escalation tactic.
upvoted 3 times
PhoenixSlasher
2 years, 2 months ago
Selected Answer: B
B. Intent Personally find the extendedProperties to contain the data as well but Intent clearly defines Privilege Escalation without digging around in extended properties.
upvoted 3 times
[Removed]
2 years, 2 months ago
Selected Answer: B
B - https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent:~:text=%22High%22%2C-,%22intent%22%3A%20%22Execution%22%2C,-%22startTimeUtc%22%3A
upvoted 4 times
jayek
2 years, 2 months ago
https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent:~:text=%22High%22%2C-,%22intent%22%3A%20%22Execution%22%2C,-%22startTimeUtc%22%3A
upvoted 2 times
WRITER00347
2 years, 3 months ago
The JSON key you should search for to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic is extendedProperties. The extendedProperties key in the JSON structure of an alert contains the MITRE ATT&CK information for the alert, such as the tactics and techniques used by the attacker. The key contains the tactic name in the MITRE ATT&CK framework, such as "Privilege Escalation", "Initial Access", "Execution" and so on. You can use the extendedProperties key to filter and search for alerts that are related to the Privilege Escalation tactic in your third-party SIEM solution. It's also important to note that the other options A, B, C are not related to the MITRE ATT&CK information and are used for different purposes.
upvoted 1 times
WRITER00347
2 years, 3 months ago
so C. ExtendedProperties
upvoted 2 times
Fcnet
2 years, 3 months ago
https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent
upvoted 3 times
Fcnet
2 years, 3 months ago
This is for the Intent answer, which is the right answer.
upvoted 4 times
JoshJosh
2 years, 3 months ago
Entities
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other