
SC-200 Exam - Question 335


You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.

You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:

• Identify all the active network connections on Device1.

• Identify all the running processes on Device1.

• Retrieve the login history of Device1.

• Minimize administrative effort.

What should you do first from the Microsoft Defender portal?

Correct Answer: C

To investigate a Defender for Endpoint agent alert on Device1 with minimal administrative effort, you should initiate a live response session on Device1. This allows you to interact directly with the device in real-time, enabling you to identify all active network connections, running processes, and retrieve the login history efficiently. Live response provides the most immediate and direct access to the necessary information without additional configurations or steps, meeting all the investigation requirements effectively.

Discussion

11 comments
wheeldj (Option: A)
Apr 30, 2024

Answer A: The investigation package collected by Defender includes all the required information and is considerably less admin effort than running a live response session and collecting this information interactively. https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices

DChilds (Option: A)
Apr 25, 2024

A is correct. https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices

pk69 (Option: C)
Apr 25, 2024

live response session

ServerBrain (Option: C)
Apr 26, 2024

By initiating a live response session, you can achieve your investigation goals while minimizing administrative effort. Remember that live response provides real-time access to the device, allowing you to perform tasks directly on Device

laddu001
May 18, 2024

Minimize Administrative Effort: Live response sessions allow you to interact directly with the device, minimizing administrative overhead.

talosDevbot
Oct 11, 2024

I would argue that collecting the Investigation package requires less effort because all you have to do is download the package, and look for the info you need in the Network Connections folder, Processes folder, and Users and groups folder. Whereas for a live session, you will have to establish a session and execute several commands to retrieve the information you need

Avaris (Option: C)
Jun 16, 2024

Checked ChatGPT and the answer is C. Here's why: Initiating a live response session allows you to interact with Device1 in real-time. You can run commands to check active network connections, running processes, and retrieve the login history. Minimize administrative effort: Live response sessions provide direct access and control, which minimizes the need for additional configurations or complex procedures. The other options either involve additional steps that are not immediately necessary (like collecting an investigation package, which can be more comprehensive but less direct for immediate queries) or configurations that don't directly address the investigative tasks at hand. By starting a live response session, you can quickly gather the necessary information directly from Device1, fulfilling the investigation requirements effectively.

smanzana
Jul 26, 2024

A https://learn.microsoft.com/en-us/defender-endpoint/respond-machine-alerts?view=o365-worldwide#collect-investigation-package-from-devices

sapphire (Option: A)
Nov 11, 2024

• Minimize administrative effort. A is correct.

CDR (Option: C)
Dec 14, 2024

The correct answer is C. From Devices, initiate a live response session on Devic

rebecchu0731
Oct 31, 2024

Asked copilot and answer is live session. While collecting an investigation package can provide a snapshot of the device’s current state, it may not offer the same level of detailed, real-time information and control as a live response session.

Optimizor_IT (Option: A)
Apr 16, 2025

A. From Devices, click Collect investigation package for Device1. This action is the most efficient first step, as it collects a comprehensive forensic package from Device1 that includes active network connections, running processes, and login history, meeting all requirements with minimal administrative effort.