SY0-701 Question #575: Real Exam Question with Answer & Explanation
Correct answer: C (Endpoint detection and response)
Question
A security analyst wants to better understand the behavior of users and devices in order to gain visibility into potential malicious activities. The analyst needs a control to detect when actions deviate from a common baseline. Which of the following should the analyst use?
Options
- A. Intrusion prevention system
- B. Sandbox
- C. Endpoint detection and response
- D. Antivirus
Explanation
Endpoint Detection and Response (EDR) is correct because it continuously monitors endpoint activity, builds behavioral baselines, and alerts when user or device actions deviate from those patterns - exactly what the analyst needs for detecting anomalous, potentially malicious behavior.
- A (IPS) is wrong because an intrusion prevention system sits inline on the network and blocks traffic that matches known attack signatures (or simple protocol anomalies); it does not build per-user or per-device behavioral baselines on the endpoint.
- B (Sandbox) is wrong because a sandbox detonates and analyzes a suspicious file or piece of code in an isolated environment; it answers "what does this sample do?", not "is this user or device behaving differently from normal?"
- D (Antivirus) is wrong because traditional antivirus relies primarily on signatures (plus limited heuristics) to recognize known malware; it does not baseline user and device behavior or alert on deviations from that baseline the way EDR does.
Memory tip: Think "EDR = Eyes on the Endpoint over time." Detection means it is continuously watching; Response means it can act on what it sees, including behavior that deviates from normal rather than only files that match a known-bad signature.
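To make the "baseline, then alert on deviation" idea concrete, here is a small added example (not from the exam or any vendor's product) of the kind of logic an EDR analytics layer runs over endpoint telemetry. It learns, per user/host pair, which parent-to-child process launches and which hours of activity are normal from a training window, then scores new events against that baseline. All events, user names and host names below are constructed sample data; real EDR telemetry is far richer and real baselines are statistical rather than exact sets.

```python
"""Toy behavioral-baseline detector over constructed EDR-style process telemetry."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    ts_hour: int    # hour of day, 0-23
    user: str
    host: str
    parent: str     # parent process image name
    process: str    # child process image name


# Constructed "learning window" telemetry: what normal looks like for two users.
BASELINE_EVENTS = [
    Event(9, "alice", "WS01", "explorer.exe", "outlook.exe"),
    Event(9, "alice", "WS01", "explorer.exe", "chrome.exe"),
    Event(10, "alice", "WS01", "outlook.exe", "winword.exe"),
    Event(11, "alice", "WS01", "explorer.exe", "teams.exe"),
    Event(14, "alice", "WS01", "explorer.exe", "chrome.exe"),
    Event(8, "bob", "WS02", "explorer.exe", "code.exe"),
    Event(9, "bob", "WS02", "code.exe", "powershell.exe"),
    Event(10, "bob", "WS02", "explorer.exe", "chrome.exe"),
    Event(15, "bob", "WS02", "code.exe", "powershell.exe"),
]

# Constructed events to score against the baseline.
NEW_EVENTS = [
    Event(10, "alice", "WS01", "explorer.exe", "chrome.exe"),     # routine
    Event(10, "alice", "WS01", "winword.exe", "powershell.exe"),  # Office spawning a shell: never seen for alice
    Event(3, "bob", "WS02", "code.exe", "powershell.exe"),        # known pair, but at 03:00
    Event(11, "bob", "WS02", "explorer.exe", "chrome.exe"),       # routine
]


@dataclass
class Baseline:
    pairs: set = field(default_factory=set)   # (parent, child) launches seen
    hours: set = field(default_factory=set)   # hours of day with activity


def build_baseline(events):
    """Learn a per-(user, host) baseline from a training window of events."""
    baselines = defaultdict(Baseline)
    for e in events:
        b = baselines[(e.user, e.host)]
        b.pairs.add((e.parent, e.process))
        b.hours.add(e.ts_hour)
    return baselines


def _hour_distance(a, b):
    """Circular distance between two hours so 23:00 and 00:00 are one hour apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baselines, e, hour_slack=1):
    """Return the list of reasons an event deviates from its baseline (empty = normal)."""
    b = baselines.get((e.user, e.host))
    if b is None:
        return ["no baseline for this user/host pair"]
    reasons = []
    if (e.parent, e.process) not in b.pairs:
        reasons.append(f"new parent/child pair {e.parent} -> {e.process}")
    if not any(_hour_distance(e.ts_hour, h) <= hour_slack for h in b.hours):
        reasons.append(f"activity at unusual hour {e.ts_hour:02d}:00")
    return reasons


def detect(baselines, events):
    """Run every event through the baseline; return (event, reasons) for the ones that deviate."""
    return [(e, score_event(baselines, e)) for e in events if score_event(baselines, e)]


if __name__ == "__main__":
    model = build_baseline(BASELINE_EVENTS)
    for event, reasons in detect(model, NEW_EVENTS):
        print(f"ALERT {event.user}@{event.host}: {event.parent} -> {event.process}: {'; '.join(reasons)}")
```

Two of the four new events trip the detector: Word launching PowerShell for alice (a launch chain her baseline has never contained) and bob's otherwise routine shell launch at 03:00. Neither event contains a known-bad file, which is exactly the gap signature-based antivirus leaves and behavioral baselining fills. The first-seen-pair rule is deliberately strict; in production you would tune thresholds, age out stale baselines, and weight rare-but-legitimate activity to keep the alert volume manageable.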