EDR shows encoded PowerShell launched by a word processor and an outbound connection to a rare domain. What is the best immediate containment action?

Uninstall the word processor from every workstation.

Removing the application from all systems is too broad and does not immediately contain the affected host. The priority is to stop the active suspicious endpoint.

Wait to see whether more alerts appear before responding.

Waiting can allow the attacker more time to move laterally or exfiltrate data. Suspicious PowerShell and rare-domain traffic warrant prompt containment.

Send a notice to all users reminding them not to open attachments.

User awareness is useful, but it does not contain the active endpoint or stop the current malicious activity. Operational containment must happen first.

What does this SY0-701 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Isolate the endpoint from the network using the EDR console. — When EDR identifies suspicious script execution and unusual outbound traffic, the fastest safe action is to isolate the endpoint. That breaks the attacker’s connection while preserving the host for analysis and reduces the chance of lateral movement or data loss. EDR isolation is preferred because it is fast, targeted, and reversible once the incident is understood and handled properly. Why others are wrong: Uninstalling software across the fleet is too disruptive and does not immediately stop the compromised host. Waiting for more alerts gives the attacker time to do more damage. A broad awareness notice may help prevention later, but it does not contain the live incident already in progress.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.