7.6 Device Isolation and Response Actions

75 minutes · Module 7

By the end of this subsection, you will know the device response actions covered in this module, when to use each, and the correct sequence for containment during an active incident.

Response actions available

Run antivirus scan
  What it does: runs a full or quick Microsoft Defender Antivirus scan on the device.
  Severity: Low. Reversible: not applicable.
  When to use: initial triage, to confirm or dismiss the alert.

Collect investigation package
  What it does: gathers running processes, network connections, scheduled tasks, autorun entries and related system state into a zip that you download from the Action center.
  Severity: Low. Reversible: not applicable.
  When to use: before isolation, because it captures the live state.

Restrict app execution
  What it does: applies a code integrity policy so that only Microsoft-signed executables can run.
  Severity: Medium. Reversible: yes (remove app restriction).
  When to use: active malware, to stop attacker tools from executing.

Initiate automated investigation
  What it does: triggers automated investigation and response (AIR) on the device.
  Severity: Low. Reversible: not applicable.
  When to use: when you want Defender to scope the incident automatically.

Isolate device
  What it does: cuts all network access except the Defender for Endpoint management channel (full isolation; selective isolation additionally leaves Outlook, Teams and Skype for Business reachable).
  Severity: High. Reversible: yes (release from isolation).
  When to use: confirmed compromise, to prevent lateral movement and C2.

Contain device
  What it does: instructs the onboarded devices around it to block traffic to and from this device. Because enforcement happens on the neighbours, it also works for a device that is not onboarded and therefore cannot be isolated.
  Severity: High. Reversible: yes (release from containment).
  When to use: when you suspect the device is being used as a pivot point.

Live response
  What it does: opens a remote command shell on the device.
  Severity: Medium. Reversible: not applicable.
  When to use: evidence collection, forensic analysis, targeted remediation.

The containment sequence

When you confirm a device is compromised, the response actions follow a specific order. Each step has a reason for its position.

Step 1: Collect investigation package — before any other action. Isolation changes the device state (active connections are dropped). The investigation package captures the live state: running processes, open network connections, scheduled tasks, and autorun entries. Once you isolate, some of this data is no longer available.

Step 2: Isolate the device — cuts network access immediately. The attacker loses C2 communication and cannot move laterally. The Defender management channel remains active, so you can still run live response commands and collect files.

Step 3: Restrict app execution (if active malware is running) — limits execution to Microsoft-signed binaries. Attacker tools, scripts, and dropped payloads cannot run even if they are still on the device.

Step 4: Run antivirus scan — identifies and quarantines known malicious files on the isolated device.

Step 5: Live response — connect to the isolated device for detailed forensic analysis. Collect memory dumps, specific log files, registry exports.
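Steps 1 to 4 are routinely scripted so that the order cannot be got wrong under pressure. The runner below is an added example, not code from the course: it issues the actions through the Defender for Endpoint machine-actions API (POST /api/machines/{id}/collectInvestigationPackage, isolate, restrictCodeExecution and runAntiVirusScan, polling GET /api/machineactions/{id}) in the documented order, waits a bounded time for the investigation package before isolating, and keeps a who-did-what record for the incident report. The bearer token, device ID, comment text and the 120-second evidence budget are assumptions; the transport is injected so the module also runs offline against the constructed fake.

```python
"""Containment runner for Steps 1-4 above (added example, not course code).

Assumptions, not from the page: the Defender for Endpoint machine-actions API
(POST /api/machines/{id}/<action>, GET /api/machineactions/{id}), a bearer
token for it, and a device ID taken from the device page. The transport is
injected so the module also runs offline against the constructed fake below.
"""
import json
import time
from typing import Callable, Dict, List, Optional
from urllib import request

API = "https://api.securitycenter.microsoft.com/api"
TERMINAL = {"Succeeded", "Failed", "TimeOut", "Cancelled"}
Transport = Callable[[str, str, Optional[dict]], dict]


def http_transport(token: str) -> Transport:
    """Live transport: JSON over HTTPS with the assumed bearer token."""
    def send(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(API + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())
    return send


def fake_transport(polls_until_done: int = 2) -> Transport:
    """Constructed stand-in for the API: each action succeeds after N polls."""
    actions: Dict[str, Dict] = {}
    polls: Dict[str, int] = {}

    def send(method: str, path: str, body: Optional[dict]) -> dict:
        tail = path.rsplit("/", 1)[1]          # action name (POST) or action id (GET)
        if method == "POST":
            aid = f"act-{len(actions) + 1}"
            actions[aid] = {"id": aid, "type": tail, "status": "Pending", "requestBody": body}
            return actions[aid]
        polls[tail] = polls.get(tail, 0) + 1
        if polls[tail] >= polls_until_done:
            actions[tail]["status"] = "Succeeded"
        return actions[tail]
    return send


class ContainmentRunner:
    """Issues the response actions in the documented order and logs each one."""

    def __init__(self, send: Transport, machine_id: str, comment: str,
                 evidence_wait_s: float = 120.0, poll_s: float = 5.0,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.send, self.machine_id, self.comment = send, machine_id, comment
        self.evidence_wait_s, self.poll_s = evidence_wait_s, poll_s
        self.sleep, self.clock = sleep, clock
        self.log: List[Dict] = []  # who-did-what-when record for the report

    def _action(self, name: str, body: dict) -> dict:
        act = self.send("POST", f"/machines/{self.machine_id}/{name}",
                        {"Comment": self.comment, **body})
        self.log.append({"action": name, "id": act["id"], "status": act["status"]})
        return act

    def _wait(self, action_id: str, budget_s: float) -> str:
        """Poll one machine action until it is terminal or the budget is spent."""
        deadline = self.clock() + budget_s
        while True:
            status = self.send("GET", f"/machineactions/{action_id}", None)["status"]
            if status in TERMINAL or self.clock() >= deadline:
                return status
            self.sleep(self.poll_s)

    def contain(self, active_malware: bool) -> List[Dict]:
        # Step 1: evidence first. Wait, within the budget, for the package so
        # the live connections are captured before isolation drops them.
        pkg = self._action("collectInvestigationPackage", {})
        self.log[-1]["status"] = self._wait(pkg["id"], self.evidence_wait_s)
        # Step 2: isolate even if the package is still Pending; once the budget
        # is spent, containment outweighs the remaining evidence.
        self._action("isolate", {"IsolationType": "Full"})
        # Step 3: only when something is actively executing on the device.
        if active_malware:
            self._action("restrictCodeExecution", {})
        # Step 4: scan the now-isolated device.
        self._action("runAntiVirusScan", {"ScanType": "Full"})
        return self.log


def action_order(log: List[Dict]) -> List[str]:
    """The sequence actually issued, for checking and for the report."""
    return [entry["action"] for entry in log]


if __name__ == "__main__":
    # Offline demo against the fake; swap in http_transport(token) for a tenant.
    runner = ContainmentRunner(fake_transport(), "assumed-device-id", "IR-0042",
                               sleep=lambda _s: None)
    for entry in runner.contain(active_malware=True):
        print(entry)
```

The bounded wait is the design decision worth arguing about in your own playbook: the runner waits for the package because that is what preserves the connection list, but it never lets evidence collection hold up isolation for longer than the budget, and the log records which status the collection had reached when isolation was issued.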

Collect BEFORE you isolate

This is the most common mistake in endpoint response. An analyst sees a confirmed compromise, immediately isolates the device, then tries to collect the investigation package. But isolation drops all active network connections — the package no longer shows where the malware was connecting to. Collect first, then isolate. The 30 seconds it takes to initiate the collection does not meaningfully increase risk.

Isolation behavior

A fully isolated device cannot communicate with any other device on the network. It cannot reach the internet, internal servers, file shares, or other workstations. The ONLY communication channel that remains open is the connection to the Defender for Endpoint cloud service. (Selective isolation is the exception: it additionally leaves Outlook, Teams and Skype for Business reachable so the user can still be contacted. Use full isolation for a confirmed compromise.)

This means:

  • The attacker’s C2 connection is severed — they lose control of the device
  • Lateral movement from this device is blocked — the attacker cannot pivot
  • Data exfiltration from this device stops — no outbound connections
  • You can still run live response commands, collect files, and manage the device through Defender
  • The user on the device sees “network disconnected” — they cannot work until isolation is released
// Verify isolation is active. Column names below are the Microsoft Sentinel
// ones; in Advanced hunting in the Defender portal the time column is
// Timestamp rather than TimeGenerated.
DeviceEvents
| where TimeGenerated > ago(1h)
// DeviceName is often stored as the FQDN, so match on the host-name prefix
| where DeviceName startswith "DESKTOP-NGE042"
| where ActionType == "DeviceIsolated"
| project TimeGenerated, DeviceName, ActionType, InitiatingProcessAccountName

Expected output

TimeGenerated  DeviceName      ActionType      InitiatingProcessAccountName
14:32          DESKTOP-NGE042  DeviceIsolated  soc-analyst@northgateeng.com
What to look for: The isolation event with the analyst who initiated it. This is evidence for the incident report — who took the containment action, when, and on which device. If you do not see this event, isolation may not have propagated. Check the device page in the Defender portal for current isolation status.

Response decision: which action first?

An alert fires on DESKTOP-NGE042 showing PowerShell connecting to a known C2 domain. The alert severity is High. The device belongs to a finance team member.
What is your first action?

Check your understanding

1. Why collect the investigation package BEFORE isolating the device?

  • Correct: The investigation package captures live network connections, running processes, and active sessions. Isolation drops all connections, so the C2 IP, the active data exfiltration channel, and the lateral movement session are no longer visible. The package preserves this evidence for the investigation.
  • Incorrect: The package cannot be collected after isolation (it can, because the Defender channel stays open; what is lost is the live connection state)
  • Incorrect: Isolation takes longer than collection

2. An isolated device: can you still run live response commands on it?

  • Correct: Yes. Isolation blocks all network traffic EXCEPT the Defender management channel. You can still run live response commands, collect files, execute scripts, and manage the device. This is the key advantage of Defender isolation over network-level blocking, which would cut all communication including management.
  • Incorrect: No, all connections are cut
  • Incorrect: Only if you enabled it before isolation