🔥 3-day streak
Microsoft Cybersecurity Architect Expert53 / 158
Question 53 of 158
A financial services company runs Microsoft Defender XDR across endpoints, identities, and email. The SOC is overwhelmed by high-volume, low-complexity alerts (malware quarantines, phishing clicks) that consume analyst time on routine triage. Leadership demands that these repetitive containment actions occur automatically within seconds, but the SOC lead insists that any remediation touching domain controllers or Tier 0 assets must still require explicit analyst approval before execution. As the security architect, which approach to Defender XDR automated investigation and response (AIR) best satisfies both requirements?
Reviewed for accuracy · Report an issueNext question