nerdexam

SC-200 Question #325: Real Exam Question with Answer & Explanation

The correct answer is E: Tactic1, Tactic2, and Tactic3. The MicrosoftGraphActivityLogs table records every request made to the Microsoft Graph API (calling user or service principal, application ID, request method, URI, response status code, IP address and user agent), so any attacker action carried out through Graph leaves a row in it regardless of which MITRE ATT&CK tactic that action belongs to. All three tactics can therefore be hunted from this one table.

Submitted by tyler.j · Apr 18, 2026

Question

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker performs the tactics shown in the following table. You need to search for malicious activities in your organization. Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?

Options

  • A. Tactic1 only
  • B. Tactic2 only
  • C. Tactic1 and Tactic3 only
  • D. Tactic2 and Tactic3 only
  • E. Tactic1, Tactic2, and Tactic3

Explanation

MicrosoftGraphActivityLogs is the Microsoft Graph activity log. It is collected through Microsoft Entra diagnostic settings into a Log Analytics workspace, where it is queryable with KQL from Microsoft Sentinel and, when that workspace is connected to the unified portal, from advanced hunting in Microsoft Defender XDR. Each row is one Graph API request: who made it (UserId or ServicePrincipalId, plus the AppId of the client), from where (IPAddress, UserAgent), what was requested (RequestMethod, RequestUri, and the Scopes or Roles carried by the token) and how it ended (ResponseStatusCode).

Because the table logs the request itself rather than a particular class of alert, it is not tied to any single tactic. Enumerating users and groups, reading mailboxes or files, and adding a credential to an application all show up as ordinary rows that differ only in method and URI, so every tactic the attacker executes through the Graph API can be analyzed from the same table. Two caveats matter in practice: the table records request metadata, not request or response bodies, so you see which mailbox was read but not the message contents; and it captures only traffic that went through Graph, so actions taken through other paths (Exchange Online PowerShell, Azure Resource Manager, legacy protocols) must be hunted elsewhere.
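As an added worked example (it is not part of the question page or of Microsoft's documentation), the hunting query below profiles Graph API activity per calling principal in MicrosoftGraphActivityLogs and tags each touched endpoint with an illustrative ATT&CK tactic. The endpoint-to-tactic mapping, the 7-day lookback and the "two or more tactics, or any persistence" threshold are assumptions chosen for this example; the column names (TimeGenerated, RequestMethod, RequestUri, ResponseStatusCode, UserId, ServicePrincipalId, AppId, IPAddress) are the table's own. It runs in advanced hunting or in Microsoft Sentinel Logs once Microsoft Graph activity logs are being collected.

```kql
// Added example, not from the question page. Profile Graph API calls per
// principal and tag endpoints with an illustrative ATT&CK tactic.
// The endpoint -> tactic mapping below is an assumption for this example,
// not an official Microsoft mapping.
let lookback = 7d;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
| where ResponseStatusCode between (200 .. 299)          // successful calls only
// Normalise the URI so that /v1.0/users/<guid>/messages and
// /beta/users/<other-guid>/messages group together.
| extend Path = tostring(parse_url(RequestUri).Path)
| extend Path = replace_regex(Path, @"^/(v1\.0|beta)", "")
| extend Path = replace_regex(Path,
    @"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", "{id}")
| extend Path = replace_regex(Path, @"/[^/]+@[^/]+", "/{upn}")
// Illustrative tactic assignment (assumption): directory reads = Discovery,
// mailbox/file reads = Collection, new app credentials = Persistence,
// writes to users/groups/roles = Privilege Escalation.
| extend Tactic = case(
    RequestMethod == "GET"
        and Path matches regex @"^/(users|groups|directoryRoles|servicePrincipals|applications)(/\{id\})?$",
        "Discovery",
    RequestMethod == "GET"
        and Path matches regex @"/(messages|mailFolders|drive|drives|sites|chats)",
        "Collection",
    RequestMethod in ("POST", "PATCH")
        and Path matches regex @"^/(applications|servicePrincipals)/\{id\}/(addPassword|addKey)$",
        "Persistence",
    RequestMethod in ("POST", "PATCH", "DELETE")
        and Path matches regex @"^/(users|groups|directoryRoles)",
        "Privilege Escalation",
    "Other")
// A delegated call carries UserId; an app-only call carries ServicePrincipalId.
| extend Principal = coalesce(UserId, ServicePrincipalId)
| summarize Calls = count(),
            Endpoints = make_set(strcat(RequestMethod, " ", Path), 20),
            Tactics   = make_set(Tactic),
            IPs       = make_set(IPAddress, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
  by Principal, AppId
// Surface principals whose Graph usage spans several tactics, or any
// principal that added a credential to an app (assumed threshold).
| where array_length(Tactics) >= 2 or set_has_element(Tactics, "Persistence")
| order by Calls desc
```

Once an indicator is known, add a `where AppId == "..."` or `where IPAddress == "..."` line before the summarize to scope the query to the attacker. A principal that enumerates the directory, reads mailboxes and then adds a password to an application in the same window is returned as a single row listing three tactics, which illustrates why one table suffices for every tactic the attacker executes through Graph.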

Common mistakes.

  • D. Restricting the analysis to only two of the tactics is incorrect because the table logs every Graph API request, not a subset chosen by purpose, so attacker activity from any tactic that is carried out through the Microsoft Graph API is visible in it. The same reasoning rules out A, B and C.

Concept tested. Defender XDR KQL table for Graph API activities and MITRE ATT&CK mapping

Reference. https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-microsoft-graph-api?view=o365-worldwide
