SC-200 Question #429: Real Exam Question with Answer & Explanation
The correct answer is C: Isolate device.
Question
You have a Microsoft 365 subscription. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint. You have 500 devices that run Linux. Users sign in to the Windows and Linux devices by using their Microsoft Entra credentials. You need to recommend a response process for Microsoft Defender XDR security incidents associated with a compromised Linux endpoint. The solution must ensure that the compromised device is prevented from communicating with all devices onboarded to Defender for Endpoint. Which response action should you include in the recommendation?
Options
- A. Contain user
- B. Contain device
- C. Isolate device
- D. Confirm user compromised
Explanation
Isolate device cuts off all network communication for the compromised endpoint except the Defender for Endpoint service channel itself, which is kept open so the device remains manageable (for example, so it can still be released from isolation). This prevents the Linux device from communicating with any other device, including all Windows 11 devices onboarded to Defender for Endpoint. 'Contain device' (B) is a lighter-touch action: it only blocks the device from communicating with other Windows devices onboarded to Microsoft Defender for Endpoint (MDE) and leaves other network paths open, so it does not fully prevent lateral movement. 'Contain user' (A) and 'Confirm user compromised' (D) are identity-focused actions that do not directly restrict network-level device communication.