Q: 10
You receive a security bulletin about a potential attack that uses an image file.
You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent
the attack.
Which indicator type should you use?
Options
Discussion
Yeah, option C fits since you're targeting a known image file. File hash is the right indicator for something specific like that, and setting it to alert and block means Defender stops it outright. Pretty sure that's how MS expects you to handle these but open if someone spots a catch.
If the attack came from a custom file and not, say, a signed cert, I'd pick C.
Where in the official guide does it say C is better than B for this? Practice test put B too.
Maybe B for this one since blocking the domain could cut off downloads of any image file hosting the attack. Not totally sure though, as it doesn't target a specific file hash. Open to other thoughts.
For a specific image file, C makes the most sense since Defender for Endpoint can use file hashes to directly block it. I saw something similar in practice exams and the docs always mention hash-based indicators for targeting individual files. Only reason I'd hesitate is if they mentioned domain-wide threats, but that's not the case here. Anyone disagree?
Probably C here, since Defender uses file hash indicators to recognize and block specific files like a malicious image. If they mentioned something about certs or the whole domain, it'd be different. Anyone see it differently?
Wouldn't using a file hash indicator (C) be the right move here since the threat is tied to a specific image file? I don't see any mention of certificates in the scenario, so D seems off to me. Could someone clarify if I'm missing something?
Its B. If the attack uses a URL or domain to deliver the image, blocking at that level seems right. Maybe it's a trap question and they expect file hash, but I'd pick B here.
It’s C. File hash blocking is most accurate for a known malicious image file. Pretty sure this catches the specific threat, while B could block legit content too. Don't see why you’d use certificate here.
File hash indicator is the way to go here, C. Blocking the specific hash is precise and stops just that malicious image, not everything from a domain. Pretty sure this matches how Defender for Endpoint works with file-based IoCs. Correct me if I'm wrong but C seems spot on.
Be respectful. No spam.
