Introduction
Microsoft Defender for Endpoint provides information about forensic artifacts found in the environment. There are specific observable pages for Files, User Accounts, IP Addresses, and Domains.
You're a Security Operations Analyst working at a company that implemented Microsoft Defender for Endpoint, and your primary job is to remediate incidents. You're assigned to an incident with alerts related to a suspicious PowerShell command line.
You start by reviewing the incident to understand all the related alerts, devices, and evidence. The evidence tab shows three files, six processes, and one persistence method. One of the files has a name you're unfamiliar with. You open the file page to review everything known about the file.
The file was unknown in the organization before this incident. If the file is malware, it's useful to know whether it affected only this device. You decide to submit the file for deep analysis to see whether it performs any suspicious activities. The results show suspicious activity; you then select Add Indicator from the file page to ensure Defender for Endpoint uses the indicator for detections.
After completing this module, you'll be able to:
- Investigate files in Microsoft Defender for Endpoint
- Investigate domains and IP addresses in Microsoft Defender for Endpoint
- Investigate user accounts in Microsoft Defender for Endpoint
Prerequisites
Intermediate understanding of Windows 10 or later.