Microsoft Security Operations Analyst — Question 51

You have a Microsoft 365 E5 subscription.

Automated investigation and response (AIR) is enabled in Microsoft Defender for Office 365, and devices use full automation in Microsoft Defender for Endpoint.

You have an incident involving a user who received malware-infected email messages on a managed device.

Which action requires manual remediation of the incident?

Answer options

Correct answer: C

Explanation

The correct answer, C, involves isolating the device, which typically requires manual intervention to ensure that the device is properly examined and secured. In contrast, options A and B (soft and hard deleting the email) can be performed automatically, and option D (containing the device) is often part of automated processes as well.