🔥 3-day streak
Microsoft Security Operations Analyst2 / 190
Question 2 of 190
A SOC analyst is investigating a Defender XDR incident that flags a user account exhibiting anomalous behavior: the user signed in from an unmanaged personal device and is actively downloading large volumes of sensitive files from SharePoint Online. The account is not yet confirmed compromised, and business leadership requires the user to retain read-only access to complete a time-sensitive task. The analyst must stop data exfiltration from the unmanaged device while allowing continued in-browser viewing. Which response action best meets these requirements?
Reviewed for accuracy · Report an issueNext question