Q: 5
Which of the following alert sources can provide identity-based alerts?
Options
Discussion
A. Had something like this in a mock; directory services pulls in real user identities, so it fits identity-based alerts best.
C
Option A. Saw a similar question in some exam practice; directory services is the only thing here that gives real user identity info for alerts.
It’s A. I don’t think DNS sinkhole or AV can really tie alerts to specific identities, since they focus on host or traffic data. Directory services integration actually imports user/group info, so that’s how XDR does true identity-based alerting. D is tempting but those logs aren’t consistent for identity. Pretty sure A is right, but open to pushback.
Don’t think it’s C; A is more about real identity context with directory integration. Endpoint AV engines just report threats detected, usually not actual user identities tied to alerts. I think A fits better but not 100% sure, anyone disagree?
A tbh
A for sure
It’s A here. Directory services integration is what lets Cortex XDR actually map and alert on identities, not just devices or IPs. The others don’t really give real user account context. Pretty sure that’s what the question is after but happy to hear if anyone disagrees.
A, not D. Directory services integration is key for true identity-based alerts, broker logs can miss user mapping.
A. Saw something super close on a recent exam, and directory services is what XDR uses for true identity-based alerts.