What occurs when an endpoint fails its Host Integrity check and is unable to remediate?

What occurs when an endpoint fails its Host Integrity check and is unable to remediate?
A . The endpoint automatically switches to using a Compliance location, where a Compliance policy is applied to the computer.
B . The endpoint automatically switches to using a System Lockdown location, where a System Lockdown policy is applied to the computer.
C . The endpoint automatically switches to using a Host Integrity location, where a Host Integrity policy is applied to the computer.
D . The endpoint automatically switches to using a Quarantine location, where a Quarantine policy is applied to the computer.

Answer: D

Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an incident for an After Actions Report?

Why is it important for an Incident Responder to review Related Incidents and Events when analyzing an incident for an After Actions Report?
A . It ensures that the Incident is resolved, and the responder can clean up the infection.
B . It ensures that the Incident is resolved, and the responder can determine the best remediation method.
C . It ensures that the Incident is resolved, and the threat is NOT continuing to spread to other parts of the environment.
D . It ensures that the Incident is resolved, and the responder can close out the incident in the ATP manager.

Answer: C

Which prerequisite is necessary to extend the ATP: Network solution service in order to correlate email detections?

Which prerequisite is necessary to extend the ATP: Network solution service in order to correlate email detections?
A . Email Security.cloud
B . Web security.cloud
C . Skeptic
D . Symantec Messaging Gateway

Answer: A

Explanation:

Reference: https://www.symantec.com/content/dam/symantec/docs/data-sheets/endpoint-detection-and-response-atp-endpoint-en.pdf

How should you configure the query filter?

HOTSPOT

Your network contains an Active Directory domain named contoso.com.

You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA Gateway on a server named Server1. To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events. You need to configure the query filter for event subscriptions on Server1.

How should you configure the query filter? To answer, select the appropriate options in the answer area.

Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection

To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757. These can either be read automatically by the ATA Lightweight Gateway or, if the ATA Lightweight Gateway is not deployed, they can be forwarded to the ATA Gateway in one of two ways: by configuring the ATA Gateway to listen for SIEM events, or by configuring Windows Event Forwarding.

Event ID: 4776 The domain controller attempted to validate the credentials for an account (NTLM authentication against the domain controller)
Event ID: 4732 A member was added to a security-enabled local group
Event ID: 4733 A member was removed from a security-enabled local group
Event ID: 4728 A member was added to a security-enabled global group
Event ID: 4729 A member was removed from a security-enabled global group
Event ID: 4756 A member was added to a security-enabled universal group
Event ID: 4757 A member was removed from a security-enabled universal group
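The query filter the question asks for is the XPath expression inside a Windows Event Forwarding subscription on the collector. The following PowerShell is an added example, not code from this page or from Microsoft's ATA documentation: it builds that filter from the seven event IDs listed above, test-runs it against the local Security log, and registers a source-initiated subscription on the ATA Gateway (assumed to be Server1, acting as the WEF collector) with wecutil. The subscription name, the output file path and the choice of the Domain Controllers group as the allowed source are assumptions for illustration; the GPO that points the domain controllers at the collector is not shown.

```powershell
# Added example (not from the page or Microsoft's docs): register a source-initiated
# Windows Event Forwarding subscription on the ATA Gateway (assumed: Server1, the WEF
# collector) that pulls only the seven Security event IDs ATA needs.
# Assumptions: subscription name, file path and the Domain Controllers group as the
# allowed source are illustrative; adjust for your domain.

$eventIds = 4776, 4732, 4733, 4728, 4729, 4756, 4757

# XPath query filter: a single Select over the Security log, OR-ing the event IDs.
$xpath = '*[System[(' + (($eventIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'

# Sanity-check the filter syntax against the local Security log before using it in a
# subscription (returns the newest matching events, or nothing if none have been logged).
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 -ErrorAction SilentlyContinue

$subscriptionName = 'ATA-DC-Security-Events'          # assumed name
$subscriptionFile = "$env:TEMP\$subscriptionName.xml"  # assumed path

# Source-initiated: the domain controllers (where 4776 and the group-change events are
# logged) push to this collector. AllowedSourceDomainComputers is an SDDL string that
# grants the Domain Controllers group (well-known SID "DC") the right to forward.
@"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/wecutil">
  <SubscriptionId>$subscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events required by the ATA Gateway</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">$xpath</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@ | Set-Content -Path $subscriptionFile -Encoding UTF8

wecutil qc /q                   # enable and start the Windows Event Collector service
wecutil cs $subscriptionFile    # create the subscription from the XML above
wecutil gr $subscriptionName    # runtime status: which domain controllers are forwarding
```

The forwarded events land in the collector's ForwardedEvents log, which is the log the ATA Gateway reads when Windows Event Forwarding is the chosen collection method. Keeping the Select clause narrowed to these seven IDs matters on a busy domain controller: forwarding the whole Security log to the Gateway adds volume without adding detection value for ATA.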

Why is it important for an Incident Responder to analyze an incident during the Recovery phase?

Why is it important for an Incident Responder to analyze an incident during the Recovery phase?
A . To determine the best plan of action for cleaning up the infection
B . To isolate infected computers on the network and remediate the threat
C . To gather threat artifacts and review the malicious code in a sandbox environment
D . To assess the current security plan, adjust where needed, and provide reference materials in the event of a similar incident

Answer: D

What are two reasons the responder should analyze the information using Syslog?

An Incident Responder wants to create a timeline for a recent incident using Syslog in addition to ATP for the After Actions Report.

What are two reasons the responder should analyze the information using Syslog? (Choose two.)
A . To have less raw data to analyze
B . To evaluate the data, including information from other systems
C . To access expanded historical data
D . To determine what policy settings to modify in the Symantec Endpoint Protection Manager (SEPM)
E . To determine the best cleanup method

Answer: BE