At 10:15, a file server begins renaming documents and creating payment notes. The SOC confirms the server is also making SMB connections to other internal hosts, but users can still access shared folders. What should the incident handler do FIRST?

Shut down the server immediately to stop all malicious activity

A forced shutdown may stop spread, but it can also destroy volatile evidence that is useful for analysis and recovery.

Restore the server from backup before taking any other action

Restoring too early can overwrite evidence and may reintroduce the problem if the root cause is not contained first.

Wait for users to report more symptoms before responding

Waiting increases damage and gives the attacker or malware more time to spread across the environment.

What does this SY0-701 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Disconnect the server from the network or isolate it through EDR containment while preserving power — The first priority in incident response is containment. Isolating the server from the network, preferably through EDR or a switch port action, stops additional encryption and prevents lateral spread while preserving the machine for investigation. Keeping power on is often helpful because volatile data may be useful later. This is the least disruptive action that still quickly reduces risk and supports the rest of the response lifecycle. Why others are wrong: B can be appropriate in some emergency cases, but it is not the best first step because it sacrifices evidence. C is premature because restoration should happen after containment and eradication. D is unsafe because the malware is already active and spreading. The correct response is to contain quickly, then investigate, eradicate, and recover in order.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.