Q: 4
[Maintenance and Troubleshooting]
An insider compromise investigation has been requested to provide evidence of an unauthorized
removable drive being mounted on a company laptop. Cortex XDR agent is installed with default
prevention agent settings profile and default extension "Device Configuration" profile. Where can an
engineer find the evidence?
Options
Discussion
A is correct here, but that's only because the question says all settings are default. If prevention or Device Config profile was tweaked, sometimes mounts don't show up unless you enable extra logging or device control. Seen a similar edge case in practice exams.
It's A. Host Inventory Mounts is where you'd look for drive mount activity if everything's running default. Not B or D.