ExamQuestions.com

CompTIA Advanced Security Practitioner (CASP+) CAS-004 Exam Questions

Question 38:

A security analyst notices a number of SIEM events that show the following activity: 
[image: SIEM events, not reproduced]
Which of the following response actions should the analyst take FIRST? 

Answer options:

A. Disable powershell.exe on all Microsoft Windows endpoints.
B. Restart Microsoft Windows Defender.
C. Configure the forward proxy to block 40.90.23.154.
D. Disable local administrator privileges on the endpoints.