🔥 3-day streak
Microsoft Security Operations Analyst102 / 190
Question 102 of 190

A SOC analyst receives a Microsoft Defender XDR incident correlating a suspicious PowerShell alert on a domain-joined workstation with an Entra ID sign-in anomaly. The analyst opens the device page in Microsoft Defender for Endpoint and needs to determine exactly which child processes the PowerShell script spawned, in chronological order, before deciding on containment. Which Defender for Endpoint capability should the analyst use first to obtain this sequence of process events?

Reviewed for accuracy · Report an issueNext question