SC-200 Question #445: Real Exam Question with Answer & Explanation

The correct answer is B: Run an advanced hunting query against the DeviceTvmSoftwareInventory table.

Submitted by luis.pe · Apr 18, 2026

Question

You have a Microsoft 365 E5 subscription that contains a device named Device1. From the Microsoft Defender portal, you discover that an alert was triggered for Device1. From the Device inventory page, you isolate Device1. You need to collect a list of installed programs on Device1. What should you do?

Options

  • A. Initiate a live response session and run the library command.
  • B. Run an advanced hunting query against the DeviceTvmSoftwareInventory table.
  • C. Initiate a live response session and run the analyze command.
  • D. Initiate an automated investigation and view the results in the Action center.

Explanation

  • Collect an investigation package and download the results from the Action center. As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker. For Windows devices, the package contains several folders, one of which is "Installed programs": a .CSV file that lists the installed programs and can help identify what is currently installed on the device.
  • Run an advanced hunting query against the DeviceTvmSoftwareInventory table. DeviceTvmSoftwareInventory is a table in the Microsoft Defender XDR advanced hunting schema that contains the inventory of all software installed on devices within your organization, as identified by Microsoft Defender Vulnerability Management (MDVM). It provides details such as the software's vendor, name, version, and end-of-support status, allowing organizations to hunt for specific software, track its lifecycle, and identify potential risks associated with end-of-life.
  • Initiate an automated investigation and view the results in the Action center.
  • Initiate a live response session and run the library command.
  • Initiate a live response session and run the analyze command. analyze only analyses the entity with various incrimination engines to reach a verdict.
  • Initiate a live response session and run the processes command. processes only shows the processes running on the device, not all installed programs.
  • Run an advanced hunting query against the DeviceProcessEvents table. The DeviceProcessEvents table in the advanced hunting schema contains information about process creation and related events.
  • Run an advanced hunting query against the DeviceTvmInfoGathering table. The DeviceTvmInfoGathering table in the advanced hunting schema contains Microsoft Defender Vulnerability Management assessment events, including the status of various configurations and attack surface area states of devices.

References:
https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-devicetvmsoftwareinventory-
https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
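As an added example (not part of the original question or explanation), this is the advanced hunting query a responder would run for option B: it lists the software inventory MDVM reports for the isolated device. The device name comes from the question; the column names are the standard DeviceTvmSoftwareInventory schema, and the assumption that DeviceName holds the fully qualified name is why the query matches on the prefix as well as the exact name.

```kql
// Added example: installed software on Device1 as reported by Defender Vulnerability Management.
// Assumption: DeviceName normally holds the fully qualified name (e.g. device1.corp.example),
// so match the bare name from the question and any FQDN that starts with it.
let targetDevice = "device1";
DeviceTvmSoftwareInventory
| where DeviceName =~ targetDevice
    or DeviceName startswith strcat(targetDevice, ".")
// One row per software/version pair; keep only the fields useful for triage.
| project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion,
          EndOfSupportStatus, EndOfSupportDate
| sort by SoftwareVendor asc, SoftwareName asc, SoftwareVersion asc
```

The query reads inventory data already collected by the Defender service, so it does not need an interactive session on the device, and isolating the device does not cut off that service connection.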
