Q: 4
[Maintenance and Troubleshooting]
An insider compromise investigation has been requested to provide evidence of an unauthorized
removable drive being mounted on a company laptop. Cortex XDR agent is installed with default
prevention agent settings profile and default extension "Device Configuration" profile. Where can an
engineer find the evidence?
Options
Discussion
My pick: A, since default device profiles log mounts in Host Inventory. C is tricky but only if custom or restricted configs are in play, which isn't the case here. Pretty sure about this based on similar exam reports. Disagree?
A. Saw a similar question in recent exam reports, and Host Inventory > Mounts is what gets checked with defaults.
Option A. Official admin guide and lab drills help with these Cortex XDR default profile scenarios.
A
A, not D. The trap here is thinking device_control preset logs mounts by default but only Host Inventory -> Mounts shows mount evidence with default configs.
It's A. Some think D because of the device control preset, but Host Inventory Mounts gives the evidence right away with defaults.
D, Device control preset should log these actions by default, so I'd check there first.
I don't think it's C. A is the best pick here since with default profiles, Host Inventory -> Mounts will show removable device mount events. C is a trap because extra config isn't needed for this data (unless defaults were changed). Disagree?
C not A
If device logging on the "default" profile was actually disabled, then yeah, maybe C would apply. From what I know though, the default Device Configuration profile usually logs mounts, so A is still more likely.