Q: 7
When reviewing alert evidence, which of the following provides the clearest insight into the root cause of an attack?
Options
Discussion
Option B. The official guide and lab walkthroughs usually say forensic host data is best for root cause in XDR scenarios.
B. ITDR logs are tempting but forensic data gives more direct evidence for root cause imo. If the question focused on credential abuse, maybe A, but here B fits better. Disagree?
C/D? Alert starring (C) lets you quickly focus and prioritize investigation in some platforms, so in edge cases where you need to triage tons of alerts and spot patterns, it could bring clarity fast. Not sure if that's "root cause" in the forensic sense, but it can highlight what needs deeper digging. Maybe still useful depending on workflow.
I think B, since forensic data usually gives more detail than ITDR logs when tracing root cause. Not totally sure though if it's a hybrid attack.
A. ITDR logs could point right to identity attacks, so I might go with A for complex breaches.
A tbh. ITDR logs seem like they'd give the best clue when the attack was tied to stolen credentials or lateral movement. I know B is strong for endpoint stuff, but identity data can be the root in complex attacks. Maybe I'm missing something?
B. The official guide and most exam practice sets say forensic data from affected hosts is what the exam looks for in root cause questions like this. Would use lab environments to get more hands-on with this if unsure.
Looks like B. A is a common trap here since ITDR logs are great for identity stuff but forensic data really nails the root cause.
A, because ITDR logs can actually expose credential misuse or identity pivoting, which sometimes is the real root of an attack. Not 100% sure since forensic data is strong too.
A tbh, since ITDR logs can sometimes reveal identity-based attack paths or compromised credentials, which could expose the initial vector. I know forensic host data (B) is solid for direct evidence, but if user creds are abused via SSO or federation, logs might be clearer on root cause in those edge cases. Disagree?