Remediation actions
When an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be Malicious, Suspicious, or No threats found. Depending on the type of threat, the resulting verdict, and how your organization’s device groups are configured, remediation actions can occur automatically or only upon approval by your organization’s security operations team. Here are a few […]
Articles Tagged: Microsoft for Endpoint
Take response actions on a device (Microsoft)
Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center. Response actions run along the top of a specific device page and include: Manage tags, Initiate Automated Investigation, Initiate Live Response Session, Collect investigation package, Run antivirus scan […]
Create and manage device tags (Microsoft)
Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in Devices list view, or to group devices. For more information on […]
Microsoft Defender for Endpoint device timeline event flags
Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you’re investigating potential attacks. The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on […]
View and organize the Microsoft Defender for Endpoint Devices list
The Devices list shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance you’ll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk. There are several options you […]
Investigate a user account in Microsoft Defender for Endpoint
Investigate user account entities
Identify user accounts with the most active alerts (displayed on the dashboard as “Users at risk”) and investigate cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between devices using that user account. You can find user account […]
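The pivot described above, as an added example that is not Microsoft's code or part of the original article: given logon events from several devices, group them by account and flag accounts that reached several distinct devices over remote logon types within a short window, then list that account's hops in order. The event lines are constructed, and their field layout (timestamp, account, device, remote source, logon type) is an assumption chosen to resemble what an endpoint sensor reports.

```python
"""Pivoting on a user account to surface possible lateral movement.

Added example, not Microsoft code.  LOGON_EVENTS is a constructed sample; the
field layout is an assumption for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp account device remote_ip logon_type"
# ("-" means a local console logon with no remote source).
LOGON_EVENTS = """
2024-03-01T09:00:00Z CORP\\alice WS-ALICE - Interactive
2024-03-01T09:20:00Z CORP\\svc_backup SRV-FILE01 10.0.1.20 Network
2024-03-01T09:21:00Z CORP\\svc_backup SRV-FILE02 10.0.1.20 Network
2024-03-01T09:23:00Z CORP\\svc_backup SRV-SQL01 10.0.1.20 RemoteInteractive
2024-03-01T09:40:00Z CORP\\bob WS-BOB - Interactive
2024-03-01T14:00:00Z CORP\\bob SRV-FILE01 10.0.1.31 Network
""".strip().splitlines()

REMOTE_LOGON_TYPES = {"Network", "RemoteInteractive"}


def parse(lines):
    """Turn the whitespace-separated sample lines into event dicts."""
    out = []
    for line in lines:
        ts, account, device, remote, logon_type = line.split()
        out.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "device": device,
            "remote": None if remote == "-" else remote,
            "logon_type": logon_type,
        })
    return out


def fan_out(events, window=timedelta(minutes=30), min_devices=3):
    """Accounts that logged on to >= min_devices distinct devices within
    `window` using remote logon types.  Interactive console logons are
    excluded: a user sitting at their own workstation is not moving laterally."""
    by_acct = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] in REMOTE_LOGON_TYPES:
            by_acct[e["account"]].append(e)

    flagged = {}
    for acct, evs in by_acct.items():          # evs is already time-ordered
        for i, start in enumerate(evs):
            devs = {x["device"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(devs) >= min_devices:
                flagged[acct] = sorted(devs)
                break
    return flagged


def pivot(events, account):
    """Chronological hops for one account: (time, source, destination device)."""
    return [
        (e["ts"].isoformat(), e["remote"] or "console", e["device"])
        for e in sorted(events, key=lambda e: e["ts"])
        if e["account"] == account
    ]


if __name__ == "__main__":
    evs = parse(LOGON_EVENTS)
    print(fan_out(evs))
    for acct in fan_out(evs):
        print(acct, pivot(evs, acct))
```

On the constructed sample the service account is flagged (three servers in three minutes from one source host), while the two interactive users are not; the `pivot` output is the hop list you would then walk device by device.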
Investigate connection events that occur behind forward proxies (Microsoft)
Defender for Endpoint supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet. The proxy acts as if it were the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy […]
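To make the problem concrete, here is an added example (not Microsoft's code and not from the original article) contrasting what a flow-level connection monitor records behind a forward proxy with what the proxy's own access log carries. The flow records and proxy log lines are constructed; their formats (a netflow-style key=value line and a Squid-style access line) and the proxy address 10.0.0.5:3128 are assumptions for the illustration.

```python
"""Why connection monitoring behind a forward proxy loses the real destination.

Added example, not Microsoft code.  FLOW_RECORDS and PROXY_LOG are constructed
samples whose field layouts are assumptions for this illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

PROXY_IP, PROXY_PORT = "10.0.0.5", 3128   # assumed forward proxy

# Constructed: what a host- or flow-level connection monitor sees.  Every
# outbound connection terminates at the proxy, so dst is always the proxy.
FLOW_RECORDS = [
    "2024-03-01T10:00:01Z src=10.0.1.20 dst=10.0.0.5 dport=3128 proto=tcp",
    "2024-03-01T10:00:02Z src=10.0.1.21 dst=10.0.0.5 dport=3128 proto=tcp",
    "2024-03-01T10:00:03Z src=10.0.1.20 dst=10.0.0.5 dport=3128 proto=tcp",
]

# Constructed: the proxy's own access log, which does carry the requested target
# (a CONNECT authority for TLS tunnels, an absolute URL for plain HTTP).
PROXY_LOG = [
    "2024-03-01T10:00:01Z 10.0.1.20 TCP_TUNNEL/200 CONNECT login.example.com:443 -",
    "2024-03-01T10:00:02Z 10.0.1.21 TCP_MISS/200 GET http://updates.example.net/manifest.json -",
    "2024-03-01T10:00:03Z 10.0.1.20 TCP_TUNNEL/200 CONNECT c2.badhost.invalid:443 -",
]

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) \S+ (?P<method>[A-Z]+) (?P<target>\S+)")


def destinations_from_flows(records):
    """Remote endpoints as a flow-level monitor records them: only the proxy."""
    out = Counter()
    for line in records:
        m = FLOW_RE.search(line)
        if m:
            out[(m["dst"], int(m["dport"]))] += 1
    return dict(out)


def real_destination(method, target):
    """Recover (host, port) from a CONNECT authority or an absolute-form URL."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        return (host, int(port)) if sep else (target, 443)
    u = urlsplit(target)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def destinations_from_proxy_log(lines):
    """Map each internal client to the external hosts it actually reached."""
    by_client = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            by_client.setdefault(m["client"], set()).add(
                real_destination(m["method"], m["target"]))
    return by_client


def clients_that_reached(lines, host):
    """Pivot: which internal devices talked to a given external host via the proxy?"""
    return sorted(client for client, hosts in destinations_from_proxy_log(lines).items()
                  if any(h == host for h, _ in hosts))


if __name__ == "__main__":
    print(destinations_from_flows(FLOW_RECORDS))      # only the proxy shows up
    print(destinations_from_proxy_log(PROXY_LOG))     # real targets per client
    print(clients_that_reached(PROXY_LOG, "c2.badhost.invalid"))
```

The flow view collapses three very different connections into "three connections to 10.0.0.5:3128"; only by joining against a source that saw the CONNECT target or request URL can you attribute the suspicious host to the device that actually reached it.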
Investigate a domain associated with a Microsoft Defender for Endpoint alert
Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain. You can investigate a domain by using the search feature or by clicking on a domain link from the Device timeline. You can see information from the following sections in the URL view: URL details, […]
Investigate an IP address associated with a Microsoft Defender for Endpoint alert
Examine possible communication between your devices and external internet protocol (IP) addresses. Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected devices. You can find information from the following sections […]
Investigate devices in the Microsoft Defender for Endpoint Devices list
Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach. Note: As part of the investigation or response process, you can collect an investigation package from a device. Here’s how: Collect investigation package from devices. […]