NetFlow shows one user workstation making authenticated SMB and WinRM connections to more than 40 internal hosts within 15 minutes, starting shortly after the user opened a spreadsheet attachment. No approved admin tool was running on the device. What is the best initial response?

Treat the traffic as normal because the workstation used valid credentials

Valid credentials do not make the behavior normal when the access pattern is unusual and highly distributed.

Increase the DHCP lease time to reduce network noise

DHCP settings do not address suspicious authenticated access to many internal systems.

Block all SMB and WinRM traffic across the entire enterprise

A blanket block would cause broad operational impact and is not the best first step for a single-host anomaly.

What does this SY0-701 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Isolate the workstation and begin investigating for credential compromise or lateral movement — The workstation should be isolated and investigated for credential compromise or lateral movement. A single endpoint making authenticated SMB and WinRM connections to dozens of hosts in a short period is not normal user behavior, especially when it begins after an attachment is opened. Isolation reduces the chance of spread while analysts determine whether the user account, the host, or both have been compromised. Why others are wrong: Valid credentials do not rule out compromise, so normalizing the traffic is unsafe. DHCP changes have no relation to the observed authentication behavior. Blocking SMB and WinRM everywhere is overly disruptive and should not be the first response to a single suspected infected host.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.