An EDR alert shows a user workstation launching an unfamiliar executable from the Downloads folder and then making repeated outbound connections to an IP address in another country. What is the best first response by the security team?

Wait for more alerts before taking any action to avoid disrupting the user

Delaying action allows a possible compromise to continue, increasing risk to the endpoint and network.

Immediately reinstall the operating system without collecting evidence

Reimaging too early can destroy useful evidence and makes it harder to understand what happened.

Disable the user's account in the directory service and close the ticket

Account disablement may be useful later, but it does not stop malware already running on the host.

What does this SY0-701 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Isolate the workstation from the network and begin incident triage — The best first response is to isolate the workstation from the network. The alert shows signs of possible compromise: an unknown executable followed by suspicious outbound traffic. Isolation limits further damage, prevents command-and-control communication, and helps contain the event while analysts investigate. It also preserves the endpoint for triage so logs, memory, and file artifacts can still be reviewed before cleanup or reimaging. Why others are wrong: Waiting for more alerts gives the attacker more time. Reinstalling the OS immediately can erase evidence needed for investigation. Disabling the user account may help stop account misuse, but it does not contain malware already active on the machine. In this situation, containment comes first, then identity actions and remediation after evidence is gathered.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.