Exam AB-900 Topic 2 Question 2 Discussion

Actual exam question for Microsoft's AB-900 exam
Question #: 2
Topic #: 2
Your organization has a Microsoft 365 subscription.
You need to investigate security incidents and alerts raised from the Windows 11 devices in your organization. What should you use?

Suggested Answer: C

The correct answer is C. Microsoft Defender for Endpoint. Microsoft documents that Defender for Endpoint is the Microsoft security solution for endpoint devices, including Windows 11, and that it lets security teams investigate incidents, alerts, affected devices, files, processes, and remediation actions in the Microsoft Defender portal. Microsoft's investigation guidance specifically describes using Defender for Endpoint to review alerts and investigate affected devices from the devices list, alerts queue, and incident views.
The other options do not match this requirement. Microsoft Entra ID Protection is for risky users and risky sign-ins, not device incident investigation. Microsoft Purview Insider Risk Management focuses on risky user behavior such as data theft or exfiltration, not endpoint security alerts from Windows devices. Microsoft Defender for Identity monitors on-premises and hybrid identity signals from Active Directory environments, not Windows 11 endpoint incidents. For security incidents and alerts raised from organization-managed Windows 11 devices, Microsoft's documented solution is Microsoft Defender for Endpoint.

by Laura at Jun 29, 2026, 01:03 PM
