Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. An alert indicates that an external IP address is downloading large amounts of data from a SharePoint site containing confidential documents. The activity is coming from a valid user account that appears to be compromised. What should you do first to stop the data exfiltration?
Suspending the account stops the download immediately.
Why this answer
Option A is correct because suspending the user account immediately stops the download. Option B is wrong because blocking the IP may not be effective if the attacker uses multiple IPs. Option C is wrong because changing permissions is slower.
Option D is wrong because deleting files destroys evidence.