🔥 3-day streak
Microsoft Security Operations Analyst37 / 190
Question 37 of 190

During an investigation in Microsoft Defender for Endpoint, you review the device timeline of a workstation and discover that a legitimate but vulnerable line-of-business application has been exploited and is now beaconing to a known command-and-control IP. The SOC lead requires that the compromised device stop communicating with the malicious infrastructure, yet the device must remain reachable from the Microsoft Defender portal for continued live investigation and evidence collection, and the analyst must retain the ability to run further live response commands. Which response action best meets all of these requirements?

Reviewed for accuracy · Report an issueNext question