Domain 3 of 4 · Chapter 2 of 5

Respond to Microsoft Defender for Endpoint Alerts

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • Reconstruct the attack on the device timeline
  • Device response actions: contain, collect, remediate
  • Live response: the RBAC-gated remote shell
  • Investigate evidence and entities across the incident
  • Exam-pattern recognition

Device response actions: when each one fits

ActionGoalWhat it doesKey prerequisite/limit
Isolate deviceContainCuts network access but keeps the Defender for Endpoint service connection alive; full or selectiveNeeds the Active remediation actions role and device-group access; retries up to 3 days if offline
Restrict app executionContainApplies a WDAC code-integrity policy so only Microsoft-signed code runsWindows 10 1709+ with Defender Antivirus; reversible
Contain deviceContainOnboarded devices block all traffic to/from a compromised unmanaged deviceTarget need not be onboarded; enforced by onboarded Windows devices
Collect investigation packageCollectDownloads a zip of forensic artifacts (autoruns, processes, services, network, more)Available from the device page; downloaded from Action center
Run antivirus scanRemediateTriggers a remote quick or full Defender Antivirus scanCPU capped (default 50%) during the scan
Live responseInvestigate + remediateRemote shell to run commands, pull files, run scripts, remediate entitiesEnabled in advanced settings; basic vs advanced commands are RBAC-gated

Decision tree

Device onboarded toDefender for Endpoint?Contain deviceneighbors block its trafficNo (unmanaged)Goal: preserve evidenceor stop the spread?YesCollect packageor live response getfilepreserveCut network entirely,or just block apps?stop spreadIsolate devicefull or selective;sensor stays connectedcut networkRestrict app executionWDAC: Microsoft-signedcode onlyblock appsLive response: run,remediate, undohands-on remediationthen clean upAlways: read the device timeline first,and every action is logged in the Action center

Cheat sheet

  • Read the device timeline before taking any response action
  • Device timeline shows 30 days by default but retains data for 90
  • Hunt for related events pivots a single event into advanced hunting
  • Isolating a device keeps the Defender for Endpoint sensor connected
  • Selective isolation can keep Outlook and Teams reachable
  • Isolation needs the Active remediation actions role and device-group access
  • Restrict app execution applies a WDAC policy for Microsoft-signed code only
  • Contain device is for compromised devices that are not onboarded
  • Collect the investigation package to capture forensics without changing the device
  • Live response is an RBAC-gated remote shell you enable in advanced features
  • Basic vs advanced live response commands are separate RBAC grants
  • Scripts must be in the live response library before run can call them
  • Live response limits: 1 per device, 5 per user, 50 tenant-wide, 30-min idle
  • getfile and putfile have platform-specific size limits
  • Ctrl+C in live response cancels the portal view, not the agent action
  • Evidence and Response marks each entity Malicious, Suspicious, or Clean
  • Go hunt finds an entity everywhere else in the estate
  • Every device response action is recorded in the Action center
  • Investigation-package collection: role, download URI, in-flight limit, and failure causes

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. https://learn.microsoft.com/en-us/defender-endpoint/investigate-machines
  2. https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview
  3. https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts
  4. https://learn.microsoft.com/en-us/defender-xdr/automatic-attack-disruption
  5. https://learn.microsoft.com/en-us/defender-endpoint/live-response
  6. https://learn.microsoft.com/en-us/defender-xdr/investigate-incidents
  7. https://learn.microsoft.com/en-us/defender-xdr/m365d-autoir
  8. https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-go-hunt