DRAG DROP – You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint and contains a Windows 10 device named Device1. You have a PowerShell script named script1 that collects forensic data and saves the results as a file on the device from which the script is run. You receive a Microsoft Defender for Endpoint alert for suspicious activities on Device1. You need to run script1 on…

Admin Staff asked 4 months ago
DRAG DROP -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint and contains a Windows 10 device named Device1.
You have a PowerShell script named script1 that collects forensic data and saves the results as a file on the device from which the script is run.
You receive a Microsoft Defender for Endpoint alert for suspicious activities on Device1.
You need to run script1 on Device1 and retrieve the output file of the script.
Which four actions should you perform in sequence in Microsoft 365 Defender portal? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggested Answer:

Step 1: Select Initiate Live Response Session.
Initiate a live response session on a device
1. Sign in to Microsoft 365 Defender portal.
2. Navigate to Endpoints > Device inventory and select a device to investigate. The devices page opens.
3. Launch the live response session by selecting Initiate live response session. A command console is displayed. Wait while the session connects to the device.
4. Use the built-in commands to do investigative work.
5. After completing your investigation, select Disconnect session, then select Confirm.
Note: Initiate live response session
Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
Step 2: Run the putfile command.
putfile - Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.
Step 3: Run the run command.
run - Runs a PowerShell script from the library on the device.
Step 4: Run the getfile command.
getfile - Downloads a file.
For scenarios when you'd like to get a file from a device you're investigating, you can use the getfile command. This allows you to save the file from the device for further investigation.
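As an added illustration (not the page's own script1), a minimal forensic-collection script of the kind the question describes, followed by the live response console sequence that matches the four steps above. The output path and file names are assumptions; only the command names putfile, run and getfile come from the page.

```powershell
# script1.ps1 (added example, not the page's own script): collect a small
# forensic snapshot and save it as a JSON file on the device.
# The output path is an assumption; pick whatever location your live
# response workflow expects and pass the same path to getfile afterwards.
param(
    [string]$OutputPath = (Join-Path $env:ProgramData 'script1-output.json')
)

$snapshot = [ordered]@{
    Collected   = (Get-Date).ToUniversalTime().ToString('o')
    Host        = $env:COMPUTERNAME
    Processes   = Get-CimInstance Win32_Process |
                  Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath
    Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
                  Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
    Services    = Get-Service | Where-Object Status -eq 'Running' |
                  Select-Object Name, DisplayName
    RunKeys     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                  -ErrorAction SilentlyContinue
}

$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $OutputPath -Encoding UTF8

# Record the SHA-256 of the output so the copy retrieved with getfile
# can be checked against what was written on the device.
$hash = (Get-FileHash -Path $OutputPath -Algorithm SHA256).Hash
Write-Output "Wrote $OutputPath (SHA256 $hash)"

# Live response console sequence matching the four steps above
# (after Initiate live response session; file names are assumptions):
#   putfile script1.ps1
#   run script1.ps1
#   getfile C:\ProgramData\script1-output.json
```

Compare the hash printed in the console with Get-FileHash on the downloaded copy to confirm the retrieved file is intact.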
Incorrect:
* Select Collect Investigation package.
Collect investigation package from devices
As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
* Run the analyze command
Analyze - Analyses the entity with various incrimination engines to reach a verdict.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts

This question is in MS-500 Microsoft 365 Security Administration Exam
For getting Microsoft Certified: Security, Compliance, and Identity Fundamentals Certificate