Symantec Updated 250-580 Exam Questions and Answers by alannah

To integrateSymantec Endpoint Detection and Response (SEDR)withSymantec Endpoint Protection (SEP)effectively, the recommended configuration order isECC, Synapse, then Insight Proxy.

Order of Configuration:

ECC (Endpoint Communication Channel): This establishes the communication layer for SEDR and SEP integration, which is foundational for data exchange.

Synapse: This integration uses data from ECC to correlate threat intelligence and provide context to detected threats.

Insight Proxy: Configured last, Insight Proxy adds cloud-based file reputation lookups, enhancing detection capabilities with reputation scoring.

Why This Order is Effective:

Each component builds on the previous one, maximizing the value of integration by ensuring that foundational communication (ECC) is established before adding Synapse correlation and Insight Proxy reputation data.

References: Configuring ECC, Synapse, and Insight Proxy in this order is considered best practice for optimizing integration benefits between SEDR and SEP​.

For anAfter Actions Reportin Symantec EDR, an Incident Responder should gather data from both theIncident ManagerandSyslog:

Incident Manager:

This is the primary interface for tracking incidents, where responders can review incident details, timeline, response actions, and associated IoCs. It provides a full view of the case, including actions taken and the threat’s impact on the environment.

Syslog:

Syslog captures logs and alerts from various network devices and security systems, providing valuable information on system events related to the incident. Collectingsyslog data helps in analyzing broader network impacts and documenting incident response activities.

Why Other Options Are Less Suitable:

Policies(Option B) are not directly relevant to specific incident details.

Action Manager(Option D) tracks response actions but lacks the comprehensive case view provided by Incident Manager.

Endpoint Search(Option E) is a tool for querying endpoint data but is not a centralized reporting source.

References: Incident Manager and Syslog are crucial for gathering actionable data and documenting the response for After Actions Reports in EDR​.

In antimalware solutions,Level 5intensity is defined as a setting where the software blocks files that are considered either most certainly malicious or potentially malicious. This level aims to balance security with usability by erring on the side of caution; however, it acknowledges that some level of bothfalsepositives(legitimate files mistakenly flagged as threats) andfalse negatives(malicious files mistakenly deemed safe) may still occur.

This level is typically used in environments where security tolerance is high but with an understanding that some legitimate files might occasionally be flagged. It provides robust protection without the extreme strictness of the highest levels, thus reducing, but not eliminating, the possibility of false alerts while maintaining an aggressive security posture.

TheEndpoint searchfeature in Symantec Endpoint Detection and Response (EDR) is specifically used to search forreal-time indicators of compromise (IoCs)across endpoints. This feature allows administrators and security analysts to query and identify potential compromises on endpoints by looking for specific indicators such as file hashes, IP addresses, or registry keys.

Purpose of Endpoint Search:

Endpoint search enables a quick and focused investigation, helping identify endpoints that exhibit IoCs associated with known or suspected threats.

This real-time search capability is essential for incident response and threat hunting.

Why Other Options Are Incorrect:

Domain search(Option A) is used for domain-level queries and not directly for IoCs.

Cloud Database search(Option C) andDevice Group search(Option D) may support broader searches but do not focus on endpoint-specific, real-time IoC searches.

References: Endpoint search provides a direct and efficient method for identifying real-time IoCs across the network, essential for quick threat response​.