DRAG DROP - You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint and contains a Windows 10 device named Device1. You have a PowerShell script named script1 that collects forensic data and saves the results as a file on the device from which the script is run. You receive a Microsoft Defender for Endpoint alert for suspicious activities on Device1. You need to run script1 on Device1 and retrieve the output file of the script. Which four actions should you perform in sequence in the Microsoft 365 Defender portal? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Suggested Answer:
Step 1: Select Initiate Live Response Session.
Step 2: Run the putfile command.
Step 3: Run the run command.
Step 4: Run the getfile command.

Explanation:

Step 1: Initiate a live response session on the device.
1. Sign in to the Microsoft 365 Defender portal.
2. Navigate to Endpoints > Device inventory and select the device to investigate (Device1). The device page opens.
3. Launch the session by selecting Initiate live response session. A command console is displayed; wait while the session connects to the device.
4. Use the built-in commands to do the investigative work.
5. After completing the investigation, select Disconnect session, then select Confirm.

Note: Live response gives you instantaneous access to a device through a remote shell connection, so you can do in-depth investigative work and take immediate response actions to contain identified threats in real time. It is designed to enhance investigations by letting you collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

Step 2: Run the putfile command. putfile copies a file from the live response library to the device. Files are saved in a working folder on the device and, by default, are deleted when the device restarts.

Step 3: Run the run command. run executes a PowerShell script from the live response library on the device. This is what executes script1 and produces its output file.

Step 4: Run the getfile command. getfile downloads a file from the device you are investigating, so you can save script1's output file locally for further analysis.

Practical caveats: script1 must be uploaded to the live response library (Upload file to library) before the session, because both putfile and run read from the library; if script1 is not signed, the unsigned script execution advanced feature must be enabled for the tenant; and because run takes its script directly from the library, putfile is not strictly required to execute it, although it is the step the question expects between initiating the session and running the script.

Incorrect:
* Select Collect investigation package. As part of the investigation or response process you can collect an investigation package from a device to identify its current state and understand the tools and techniques used by the attacker, but this does not run script1 or retrieve its output.
* Run the analyze command. analyze submits the entity to various incrimination engines to reach a verdict; it does not run a script or download a file.

Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts

This question is from the MS-500 Microsoft 365 Security Administration exam (Microsoft 365 Certified: Security Administrator Associate).
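The same four steps can be scripted against the Defender for Endpoint live response API instead of being clicked through in the portal console, which is useful when the same collection must be repeated across many alerts. The following PowerShell is an added example written for this page, not code from the question, the exam, or Microsoft's documentation. It assumes an OAuth bearer token for https://api.securitycenter.microsoft.com granted the Machine.LiveResponse permission, Device1's device ID, that script1.ps1 has already been uploaded to the live response library, and an output path that script1 writes to (all hypothetical values). The PutFile command is included only to mirror the question's answer; RunScript executes the library copy on its own.

```powershell
# Added example (not from the original page): run script1 on a device and retrieve its
# output through the Defender for Endpoint live response API.
# Assumptions (hypothetical): $Token has the Machine.LiveResponse permission, $MachineId
# is Device1's device ID, script1.ps1 is already in the live response library, and
# $OutputPath is where script1 saves its results on the device.
param(
    [Parameter(Mandatory)] [string] $Token,
    [Parameter(Mandatory)] [string] $MachineId,
    [string] $ScriptName  = 'script1.ps1',
    [string] $OutputPath  = 'C:\ProgramData\forensics\script1-output.zip',  # assumed
    [string] $Destination = "$env:TEMP\Device1-script1-output.bin"
)

$base    = 'https://api.securitycenter.microsoft.com/api'
$headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

# Steps 2-4 of the portal answer (putfile, run, getfile) as one live response action.
# Step 1 (initiating the session) is implicit: the API opens the session for you.
$body = @{
    Commands = @(
        @{ type = 'PutFile';   params = @(@{ key = 'FileName';   value = $ScriptName }) }
        @{ type = 'RunScript'; params = @(@{ key = 'ScriptName'; value = $ScriptName }) }
        @{ type = 'GetFile';   params = @(@{ key = 'Path';       value = $OutputPath }) }
    )
    Comment = 'Collect forensic data for the Device1 alert investigation'
} | ConvertTo-Json -Depth 6

$action = Invoke-RestMethod -Method Post -Uri "$base/machines/$MachineId/runliveresponse" `
                            -Headers $headers -Body $body

# Live response actions run asynchronously; poll the machine action until it settles.
do {
    Start-Sleep -Seconds 15
    $action = Invoke-RestMethod -Method Get -Uri "$base/machineactions/$($action.id)" -Headers $headers
    Write-Host "Action $($action.id): $($action.status)"
} while ($action.status -in @('Pending', 'InProgress'))

if ($action.status -ne 'Succeeded') {
    # Per-command status shows which step failed (for example GetFile on a missing path).
    $action.commands | ForEach-Object { Write-Warning "$($_.command.type): $($_.commandStatus)" }
    throw "Live response action ended with status $($action.status)"
}

# GetFile was the third command (index 2): obtain its download link and fetch the file.
$link = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$base/machineactions/$($action.id)/GetLiveResponseResultDownloadLink(index=2)"
Invoke-WebRequest -Uri $link.value -OutFile $Destination

# Record a hash of the retrieved evidence so its integrity can be verified later.
Get-FileHash -Algorithm SHA256 -Path $Destination
```

Run it as `.\Get-Script1Output.ps1 -Token $token -MachineId $deviceId` from a workstation that already holds a valid token. The poll loop matters because the portal hides the asynchronous nature of live response: the API returns a machine action immediately, and the file is only downloadable once the action, and specifically the GetFile command, reports success.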