SC-200 Exam Questions

SC-200 Exam - Question 270


You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You need to identify all the entities affected by an incident.

Which tab should you use in the Microsoft Defender portal?

Correct Answer: C

To identify all the entities affected by an incident in the Microsoft Defender portal, you should use the 'Evidence and Response' tab. This tab provides a detailed view of all the evidence collected during the investigation, including affected entities such as files, processes, users, and devices. It also shows the response actions taken for the incident, making it the most comprehensive option for identifying all affected entities.

Discussion

3 comments
Hawklx Option: D
Jul 5, 2024

Alert is better for identifying all the entities affected by an incident

90158a0 Option: C
Jul 9, 2024

Evidence and Response: This tab provides a detailed view of all the evidence collected during the investigation, including affected entities such as files, processes, users, and devices. It also shows the response actions taken for the incident.

scfitzp Option: D
Jul 11, 2024

I vote D, the key here being "identify ALL the entities". https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents

Alerts

On the Alerts tab, you can view the alert queue for alerts related to the incident and other information about them such as:
- Severity.
- The entities that were involved in the alert.
- The source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Defender for Cloud Apps, and the app governance add-on).
- The reason they were linked together.