SC-200 Certification Practice Question #10

Question

You receive a security bulletin about a potential attack that uses an image file.
You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.
Which indicator type should you use?

Accepted Answer

The attack is delivered via a specific image **file**, so the IoC must match the file artifact — a file hash indicator. MS Learn states file-hash indicators ban/prevent execution of a known malicious file and can be configured to both raise an alert and block. URL/domain indicators (A, B) govern site access, not a file artifact, and a certificate indicator (D) targets files signed by a given certificate, not an arbitrary image. To actually *prevent* the attack (not merely alert), the action must be **Alert and block**, eliminating A. Suggested Answer, a unanimous Most Voted, a heavily upvoted walkthrough comment, and MS Learn all converge on C.

More SC-200 practice questions