Microsoft Security Operations Analyst — Question 46
You have an on-premises network.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.
From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.
Suspected identity theft (pass-the-ticket) (external ID 2018)
You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.
What should you do?
Answer options
- A. Disable User1 only.
- B. Quarantine Device1 only.
- C. Reset the password for all the accounts that previously signed in to Device1.
- D. Disable User1 and quarantine Device1.
- E. Disable User1, quarantine Device1, and reset the password for all the accounts that previously signed in to Device1.
Correct answer: E
Explanation
The correct answer is E because it combines disabling the compromised user account, quarantining the affected device, and resetting the password for all the accounts that previously signed in to Device1, which are all necessary actions to fully contain the incident and prevent further unauthorized access. The other options (A, B, C, and D) do not provide comprehensive containment and may leave vulnerabilities that could be exploited.