🔥 3-day streak
Microsoft Security Operations Analyst60 / 190
Question 60 of 190
During an active incident, a Windows workstation in Microsoft Defender XDR shows signs of a suspicious unsigned executable that keeps launching child processes and reaching out to an external IP. You need to immediately stop any further attacker-controlled binaries from executing on the device while still allowing the device to remain reachable for you to run live response commands and gather forensic data. Which single device action best meets this requirement?
Reviewed for accuracy · Report an issueNext question