XDR Incidents Flashcards

1
Q

What are Microsoft Defender XDR incidents based on?

A

Incidents are built from related alerts, which are created when a malicious event or activity is observed on the network.

2
Q

How does Microsoft Defender XDR collect alerts to create an incident?

A

An incident is a collection of correlated alerts that make up the story of an attack. Microsoft Defender XDR automatically aggregates malicious and suspicious events that are found in different device, user, and mailbox entities in the network.
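The grouping described in this answer can be reproduced in a few lines. The block below is an added illustration, not Microsoft's code: it takes a constructed list of alerts, each tagged with the device, user or mailbox entities it touches, and joins alerts that share an entity into one incident with union-find. The alert titles, host names and mailbox addresses are made up for the example; the incident severity is taken as the highest severity among its alerts, which is an assumption about how to summarise the group.

```python
"""Added example: correlate alerts into incidents by shared entities.
Constructed data, not an export from Microsoft Defender XDR."""
from collections import defaultdict

# Constructed sample alerts. Entities are written as "kind:value" so that a
# device, a user account and a mailbox can all act as correlation keys.
ALERTS = [
    {"id": "A1", "title": "Suspicious PowerShell command line", "severity": "Medium",
     "entities": {"device:WS01", "user:alice"}},
    {"id": "A2", "title": "Credential theft tool observed", "severity": "High",
     "entities": {"device:WS01"}},
    {"id": "A3", "title": "Anomalous RDP logon", "severity": "Medium",
     "entities": {"device:SRV02", "user:alice"}},
    {"id": "A4", "title": "Phishing email delivered", "severity": "Low",
     "entities": {"mailbox:bob@example.test"}},
    {"id": "A5", "title": "Malicious attachment opened", "severity": "Medium",
     "entities": {"mailbox:bob@example.test", "device:WS07"}},
]

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def correlate(alerts):
    """Group alerts that share at least one entity into incidents.

    Returns a list of incidents, each with the sorted alert ids it contains,
    the highest alert severity in the group, and the union of entities.
    """
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        # Path-halving union-find lookup.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # The first alert that mentions an entity becomes the anchor for that
    # entity; every later alert mentioning it is merged into the same set.
    first_seen = {}
    for alert in alerts:
        for entity in alert["entities"]:
            if entity in first_seen:
                union(first_seen[entity], alert["id"])
            else:
                first_seen[entity] = alert["id"]

    by_id = {a["id"]: a for a in alerts}
    groups = defaultdict(list)
    for alert in alerts:
        groups[find(alert["id"])].append(alert["id"])

    incidents = []
    for ids in groups.values():
        ids.sort()
        entities = set().union(*(by_id[i]["entities"] for i in ids))
        severity = max((by_id[i]["severity"] for i in ids),
                       key=SEVERITY_RANK.__getitem__)
        incidents.append({"alerts": ids, "severity": severity,
                          "entities": sorted(entities)})
    # Deterministic output order: by the lowest alert id in each incident.
    incidents.sort(key=lambda inc: inc["alerts"][0])
    return incidents


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["severity"], inc["alerts"], inc["entities"])
```

With the constructed data, A1, A2 and A3 collapse into one High-severity incident (A1 and A2 share WS01, A1 and A3 share the user alice), while A4 and A5 form a second incident through the shared mailbox. An alert that shares no entity with anything else would stay an incident of one.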

3
Q

Which security framework is Microsoft Defender XDR aligned to?

A

MITRE ATT&CK framework

4
Q

What type of activities could trigger High (red) alerts in Microsoft Defender XDR?

A

Credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.

5
Q

What type of activities could trigger Medium (orange) alerts in Microsoft Defender XDR?

A

Activities that could be part of an APT: observed behaviours typical of attack stages, anomalous registry changes, execution of suspicious files, and so forth. Although some of these might come from internal security testing, they require investigation because they might also be part of an advanced attack.

6
Q

What type of activities could trigger Low (yellow) alerts in Microsoft Defender XDR?

A

Activities associated with prevalent malware that usually do not indicate an advanced, targeted threat.
E.g. hack-tools, non-malware hack tools, or activity from legitimate security testing.

7
Q

An unauthorized user uses RDP to gain access to a single host and from there moves on to other hosts in the network. Which alert category is triggered in the Defender XDR platform?

A

Lateral movement - Moving between devices in the target network to reach critical resources or gain network persistence
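The scenario in this card is a pivot: one RDP logon onto a foothold host, then RDP logons originating from that host to others. The block below is an added example, not Microsoft's detection logic, showing how such a chain can be picked out of constructed Windows Security logon records (event 4624 with logon type 10, RemoteInteractive, which is what an RDP session produces). The host names, account names and timestamps are made up; the one-hour window and the rule that a host must first receive an RDP logon and then originate one are assumptions chosen for the illustration.

```python
"""Added example: flag RDP pivots (lateral movement) in constructed 4624 events.
Not Microsoft Defender XDR code."""
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 (successful logon) records.
# logon_type 10 = RemoteInteractive, i.e. an RDP session; 2 = local console.
EVENTS = [
    {"time": "2024-03-01T09:00:00", "event_id": 4624, "logon_type": 10,
     "user": "CONTOSO\\alice", "source_host": "VPN-CLIENT01", "dest_host": "WS01"},
    {"time": "2024-03-01T09:04:00", "event_id": 4624, "logon_type": 10,
     "user": "CONTOSO\\alice", "source_host": "WS01", "dest_host": "SRV02"},
    {"time": "2024-03-01T09:07:00", "event_id": 4624, "logon_type": 10,
     "user": "CONTOSO\\alice", "source_host": "WS01", "dest_host": "SRV03"},
    {"time": "2024-03-01T09:30:00", "event_id": 4624, "logon_type": 2,
     "user": "CONTOSO\\bob", "source_host": "-", "dest_host": "WS05"},
    {"time": "2024-03-01T10:00:00", "event_id": 4624, "logon_type": 10,
     "user": "CONTOSO\\carol", "source_host": "ADMIN-JUMP", "dest_host": "SRV09"},
]


def rdp_logons(events):
    """Keep only successful RDP logons and parse their timestamps."""
    out = []
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:
            rec = dict(e)
            rec["time"] = datetime.fromisoformat(e["time"])
            out.append(rec)
    return out


def detect_lateral_movement(events, window=timedelta(hours=1)):
    """Return one finding per (user, foothold host) pivot.

    A pivot is an RDP logon onto host H by user U, followed within `window`
    by RDP logons by U whose source is H and whose destination is another
    host. A single inbound RDP session with no onward hop is not reported.
    """
    logons = sorted(rdp_logons(events), key=lambda e: e["time"])
    findings = []
    for entry in logons:
        onward = [
            hop["dest_host"]
            for hop in logons
            if hop["user"] == entry["user"]
            and hop["source_host"] == entry["dest_host"]
            and entry["time"] < hop["time"] <= entry["time"] + window
            and hop["dest_host"] != entry["dest_host"]
        ]
        if onward:
            findings.append({
                "category": "Lateral movement",
                "user": entry["user"],
                "entry_from": entry["source_host"],
                "pivot_host": entry["dest_host"],
                "targets": sorted(set(onward)),
            })
    return findings


if __name__ == "__main__":
    for f in detect_lateral_movement(EVENTS):
        print(f"{f['category']}: {f['user']} entered {f['pivot_host']} from "
              f"{f['entry_from']} and moved on to {', '.join(f['targets'])}")
```

On the sample data only alice's chain is reported: WS01 received an RDP logon and within the hour originated RDP logons to SRV02 and SRV03. Carol's single jump-host logon and Bob's console logon produce nothing, which is the point of requiring an onward hop rather than alerting on every RDP session.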

8
Q

When creating a suppression rule in Defender for Endpoint, which alerts is the rule applied to?

A

It will ONLY be applied to alerts that satisfy the conditions set AFTER the rule is created.

9
Q

What are the automation levels in the Defender for Endpoint platform?

A
  • Not protected (no automated response)
  • Semi - require approval for any remediation
  • Semi - require approval for non-temp folders remediation
  • Semi - require approval for core folders remediation
  • Full - remediate threats automatically