Performing Actions on a Device

Containment

• Isolate Device: Disconnect the device from the n/w, Defender for endpoint will keep on monitoring. User will be notified.
• Restrict App Execution: Stops execution of the malicious apps. User will be notified & works only on and above Windows 10 1709 version.
• Run Antivirus Scan: Quick Scan | Full Scan”

Investigation

• Initiate Automated Investigation: Will initiate automated investigation, we will see the result in ”Action Center" after some time.

• Collecting Investigation Package: To download a zip file of all the events running on that device.”

• Investigate Live Response Session: Like a remote shell to the device.

  Note: We can do this action if the automated investigation is already running

  We must have enabled Live Response Unsigned Script Execution on the particular device. "