🔥 3-day streak
Microsoft Security Operations Analyst36 / 190
Question 36 of 190

During an investigation in Microsoft Defender for Endpoint, you open the device timeline for a workstation and confirm that a malicious PowerShell script executed and created a scheduled task. You need to view the exact sequence of process creations, file writes, and registry modifications that occurred around the time of the alert, and be able to filter this list to only registry-related events so you can pinpoint the persistence mechanism. Which feature of the device page should you use?

Reviewed for accuracy · Report an issueNext question