🔥 3-day streak
Microsoft Security Operations Analyst38 / 190
Question 38 of 190

During an incident investigation, you open the device timeline in Microsoft Defender for Endpoint for a compromised workstation. You confirm a malicious executable was written to disk and executed. Endpoint automated investigation is not enabled for this device group, and you must remove the file from the device immediately while preserving the ability to investigate further. Which single action from the device page best achieves immediate removal of the identified file across the organization while allowing you to reverse it later if needed?

Reviewed for accuracy · Report an issueNext question