Introduction
Microsoft Defender for Endpoint provides detailed device information, including forensics information.
You're a Security Operations Analyst working at a company that has implemented Microsoft Defender for Endpoint, and your primary job is to remediate incidents. You're assigned an incident with alerts related to a suspicious PowerShell command line. You start by reviewing the incident and understanding all the related alerts, devices, and evidence. You open the alert page to review the Alert Story and decide to perform further analysis on the device.
You open the Devices page to get more context for the incident. The Overview tab on the Device page immediately surfaces concerning information such as the Risk level and Exposure level. You select the Incidents and alerts tab to see a history of alerts for the device. Next, you choose the Timeline tab to see a list of events from the device. You see many suspicious events.
After completing this module, you'll be able to:
- Use the device page in Microsoft Defender for Endpoint
- Describe device forensics information collected by Microsoft Defender for Endpoint
- Describe behavioral blocking by Microsoft Defender for Endpoint
Prerequisites
- Intermediate understanding of Windows 10 and 11
- Basic understanding of PowerShell
- Basic understanding of security operations