Respond to Microsoft Defender for Endpoint Alerts
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.
Included in this chapter:
- Reconstruct the attack on the device timeline
- Device response actions: contain, collect, remediate
- Live response: the RBAC-gated remote shell
- Investigate evidence and entities across the incident
- Exam-pattern recognition
Device response actions: when each one fits
| Action | Goal | What it does | Key prerequisite/limit |
|---|---|---|---|
| Isolate device | Contain | Cuts network access but keeps the Defender for Endpoint service connection alive; full or selective | Needs the Active remediation actions role and device-group access; retries up to 3 days if offline |
| Restrict app execution | Contain | Applies a WDAC code-integrity policy so only Microsoft-signed code runs | Windows 10 1709+ with Defender Antivirus; reversible |
| Contain device | Contain | Onboarded devices block all traffic to/from a compromised unmanaged device | Target need not be onboarded; enforced by onboarded Windows devices |
| Collect investigation package | Collect | Downloads a zip of forensic artifacts (autoruns, processes, services, network, more) | Available from the device page; downloaded from Action center |
| Run antivirus scan | Remediate | Triggers a remote quick or full Defender Antivirus scan | CPU capped (default 50%) during the scan |
| Live response | Investigate + remediate | Remote shell to run commands, pull files, run scripts, remediate entities | Enabled in advanced settings; basic vs advanced commands are RBAC-gated |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- https://learn.microsoft.com/en-us/defender-endpoint/investigate-machines
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview
- https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
- https://learn.microsoft.com/en-us/defender-xdr/automatic-attack-disruption
- https://learn.microsoft.com/en-us/defender-endpoint/live-response
- https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents
- https://learn.microsoft.com/en-us/defender-xdr/m365d-autoir
- https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-go-hunt