You are a SOC Analyst at a company, XYZ, that has implemented Microsoft Defender for Endpoint.
You are allocated an incident with alerts related to a suspicious PowerShell command line.
You start by going through the incident and understanding all the related alerts, devices, and evidence.
You open the alert page to evaluate the alert and decide to perform further analysis on the device.
You open the device page and decide that you require remote access to the device to collect more forensic information using a custom .ps1 script.
One of the options below is a device action that lets you do this.
Which one?
A.
B.
C.
D.
Correct Answer: A
Network transactions, process and command history are not collected.
Only Prefetch files are collected.
An investigation package collected from a device as part of the investigation process contains the following folders.
They help identify the current state of the device and the methods used by the attacker:
Autoruns
Installed programs
Network connections
Prefetch files
Prefetch folder
Processes
Scheduled tasks
Security event log
Services
Windows Server Message Block (SMB) sessions
System information
Temp directories
Users and groups
WdSupportLogs
CollectionSummaryReport.xls
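The "custom .ps1 script" in the scenario is the kind of script an analyst uploads to the Defender for Endpoint Live Response library and executes on the device with the run command, pulling the result back with getfile. The script below is an added example, not code from the original page or from Microsoft: it collects a subset of the same artifact families as the investigation package (processes with command lines, network connections, autoruns, scheduled tasks, services, prefetch, local users and groups, the Security log, PowerShell script block events and system information), writes one CSV per family, zips the folder and records its SHA-256 so the retrieved copy can be verified. The output root, event caps and file names are assumptions chosen for the example. One caveat worth knowing before isolating first: device isolation in Defender for Endpoint keeps the device's connection to the Defender for Endpoint service, so a Live Response session still works on an isolated device.

```powershell
# Added example (not from the original page or from Microsoft): a minimal
# triage collector of the kind the scenario's "custom .ps1 script" would be.
# Assumptions: runs elevated from a Live Response session; the output root
# and event caps are arbitrary choices for the example.
[CmdletBinding()]
param(
    [string]$OutputRoot     = "$env:SystemDrive\Triage",
    [int]$SecurityEvents    = 2000,
    [int]$ScriptBlockEvents = 500
)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir  = Join-Path $OutputRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$summary = [System.Collections.Generic.List[object]]::new()

# One failing collector (missing module, access denied) must not abort the
# run: the failure is recorded in the summary and collection continues.
function Save-Artifact([string]$Name, [scriptblock]$Collector) {
    try {
        $data = @(& $Collector)
        if ($data.Count -gt 0) {
            $data | Export-Csv -Path (Join-Path $outDir "$Name.csv") -NoTypeInformation -Encoding UTF8
        }
        $summary.Add([pscustomobject]@{ Artifact = $Name; Items = $data.Count; Status = 'OK' })
    } catch {
        $summary.Add([pscustomobject]@{ Artifact = $Name; Items = 0; Status = "FAILED: $($_.Exception.Message)" })
    }
}

# Processes with command line and parent, so the suspicious PowerShell
# invocation and whatever spawned it can be tied together.
Save-Artifact 'Processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate, ExecutablePath
}

# Live TCP connections joined to the owning process name.
Save-Artifact 'NetworkConnections' {
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    Get-NetTCPConnection |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
            @{ n = 'ProcessName'; e = { $names[[int]$_.OwningProcess] } }
}

# Autoruns: Run/RunOnce keys for the machine and for every loaded user hive.
Save-Artifact 'Autoruns' {
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    $keys += Get-ChildItem 'Registry::HKEY_USERS' |
        ForEach-Object { "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($k in ($keys | Where-Object { Test-Path $_ })) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |   # drop provider metadata (PSPath etc.)
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# Scheduled tasks flattened to one row per action.
Save-Artifact 'ScheduledTasks' {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            [pscustomobject]@{ Path = $t.TaskPath; Name = $t.TaskName; State = $t.State
                               Author = $t.Author; Execute = $a.Execute; Arguments = $a.Arguments }
        }
    }
}

Save-Artifact 'Services' {
    Get-CimInstance Win32_Service | Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

# Prefetch: LastWriteTime approximates the binary's most recent execution.
Save-Artifact 'PrefetchFiles' {
    Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf | Select-Object Name, Length, CreationTime, LastWriteTime
}

Save-Artifact 'UsersAndGroups' {
    Get-LocalUser  | Select-Object @{ n = 'Kind'; e = { 'User' } }, Name, Enabled, LastLogon, SID
    Get-LocalGroup | Select-Object @{ n = 'Kind'; e = { 'Group' } }, Name,
        @{ n = 'Enabled'; e = { $null } }, @{ n = 'LastLogon'; e = { $null } }, SID
}

# Security log, newest first; whitespace collapsed so each event is one CSV row.
Save-Artifact 'SecurityEventLog' {
    Get-WinEvent -LogName Security -MaxEvents $SecurityEvents |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

# Script block logging (event 4104) records the PowerShell that actually ran,
# which an obfuscated command line alone does not show.
Save-Artifact 'PowerShellScriptBlocks' {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents $ScriptBlockEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

Save-Artifact 'SystemInformation' {
    Get-CimInstance Win32_OperatingSystem | Select-Object CSName, Caption, Version, LastBootUpTime, InstallDate
}

$summary | Export-Csv -Path (Join-Path $outDir 'CollectionSummary.csv') -NoTypeInformation
$zip = "$outDir.zip"
Compress-Archive -Path (Join-Path $outDir '*') -DestinationPath $zip -Force
# Hash the archive so the copy pulled back with getfile can be verified.
(Get-FileHash -Path $zip -Algorithm SHA256).Hash | Set-Content -Path "$zip.sha256"
Write-Output $zip
```

The script prints the path of the zip it produced; from the Live Response console that path is what you pass to getfile, and the .sha256 file beside it is compared against the hash of the downloaded copy before the archive is treated as evidence. Each collector is isolated in Save-Artifact so a missing cmdlet or an access-denied error on one artifact family shows up as a FAILED row in CollectionSummary.csv rather than stopping the whole collection.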
The device action that can be used in this scenario is "Isolate device" (Option B).
As a SOC Analyst, the first step is to investigate the alerts related to the doubtful PowerShell command line. Once the related alerts, devices, and evidence have been gathered, further analysis on the device is needed.
To collect more forensic information, the SOC Analyst requires remote access to the device. However, before granting remote access, it's important to take necessary precautions to prevent potential threats.
In this case, "Isolate device" is the most appropriate action to take. Isolating the device will ensure that it is disconnected from the network and all other devices to prevent any potential spread of malware or other malicious activity. This way, the SOC Analyst can safely connect to the device and collect more forensic information using a custom .ps1 script without any potential risks.
The other device actions listed - "Reformat device," "Reinstall," and "Reboot" - are not appropriate in this scenario. Reformatting or reinstalling the device would erase all the data and forensic evidence, which is not desirable in an incident investigation. A reboot can be useful in certain scenarios, but it does not offer the same level of protection as isolating the device from the network.