Perform live response and collect investigation packages
Live response is a powerful feature in Microsoft Defender for Endpoint that provides security analysts with instantaneous access to devices using a remote shell connection. This capability enables real-time investigative work during incident response scenarios. When performing live response, analysts can execute commands on potentially compromised endpoints to gather forensic evidence, remediate threats, and collect investigation packages.

To initiate live response, navigate to the device page in the Microsoft 365 Defender portal and select 'Initiate Live Response Session'. Once connected, you gain access to a command-line interface where you can run various commands. Basic commands include 'dir' for directory listings, 'cd' for navigation, and 'findfile' to locate specific files. Advanced commands allow file uploads, script execution, and running forensic tools.

Investigation packages are comprehensive collections of forensic data from endpoints. To collect an investigation package, use the 'collect investigation package' action from the device page or execute the 'CollectInvestigationPackage' command during a live response session. The package typically contains autoruns data, installed programs, network configurations, prefetch files, scheduled tasks, security event logs, services information, SMB sessions, system information, temp directories, users and groups, and Windows firewall data.

Once collected, the investigation package becomes available for download from the Action Center. Analysts can then analyze this data offline using forensic tools to identify indicators of compromise, understand attack patterns, and determine the scope of an incident.
Best practices include documenting all actions taken during live response sessions, following your organization's chain of custody procedures, and ensuring proper authorization before accessing endpoints. Live response sessions are logged for audit purposes, maintaining accountability throughout the investigation process. This capability significantly reduces response time by eliminating the need for physical access to affected devices.
Perform Live Response and Collect Investigation Packages
Why This Topic Is Important
Live response capabilities are critical for security operations analysts because they enable real-time investigation of potentially compromised devices. When a security incident occurs, analysts need to act quickly to gather evidence, assess the scope of compromise, and contain threats before they spread. Understanding how to perform live response and collect investigation packages is essential for the SC-200 exam and real-world incident response scenarios.
What Is Live Response?
Live response is a feature in Microsoft Defender for Endpoint that provides security teams with instantaneous access to devices using a remote shell connection. This allows analysts to:
• Execute investigative commands on endpoints
• Collect forensic data from suspicious devices
• Run remediation actions in real time
• Upload files for analysis
• Download files from devices for examination
What Are Investigation Packages?
Investigation packages are comprehensive collections of forensic data gathered from an endpoint. These packages contain:
• Autoruns data
• Installed programs
• Network configuration
• Prefetch files
• Scheduled tasks
• Security event logs
• Services information
• SMB sessions
• System information
• Temp directories
• Users and groups
• Windows firewall data
Prerequisites:
• The device must be onboarded to Microsoft Defender for Endpoint
• Appropriate role-based access control (RBAC) permissions are required
• Live response must be enabled in advanced settings
Starting a Live Response Session:
1. Navigate to the device page in the Microsoft 365 Defender portal
2. Select Initiate Live Response Session from the response actions
3. A command console opens with a connection to the device
4. Execute commands to investigate or remediate
Common Live Response Commands:
• dir - List directory contents
• cd - Change directory
• getfile - Download a file from the device
• putfile - Upload a file to the device
• run - Execute a script from the library
• processes - Show running processes
• scheduledtasks - Display scheduled tasks
Collecting Investigation Packages
To collect an investigation package:
1. Go to the device page in the portal
2. Click on Collect investigation package in the response actions
3. The package is generated and becomes available for download
4. Download and analyze the ZIP file containing forensic artifacts
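As an added example (not Microsoft's code and not part of the original page), the script below shows one way to handle step 4 above, and the offline-analysis step described in the opening summary, once the ZIP is downloaded: it hashes every artifact in the package without extracting it, summarizes the artifacts by category, flags expected categories that are absent, and lets you re-verify the package later against the recorded manifest, which supports the chain-of-custody documentation the page recommends. The folder names, the use of the page's artifact categories as top-level folder names (EXPECTED_CATEGORIES), and the sample file contents are assumptions constructed for illustration; the sample package is built in memory so the script runs offline.

```python
"""Inventory a downloaded investigation package (ZIP) and produce a hash
manifest for chain-of-custody records. Added example, not product code."""
import hashlib
import io
import zipfile
from collections import defaultdict

# Constructed sample standing in for a downloaded package. The folder names
# are hypothetical: they mirror the artifact categories the page lists, not a
# documented on-disk layout.
SAMPLE_PACKAGE_FILES = {
    "Autoruns/autoruns.csv": b"Entry,Image Path\r\nHKLM\\...\\Run,C:\\Tools\\updater.exe\r\n",
    "Scheduled tasks/tasks.txt": b"TaskName: \\Maintenance\\Cleanup\r\nState: Ready\r\n",
    "Security event log/Security.evtx": b"ElfFile\x00" + b"\x00" * 32,  # fake header only
    "System Information/systeminfo.txt": b"Host Name: WS-01\r\nOS Name: Windows 11\r\n",
    "Users and Groups/users.txt": b"Administrator\r\nGuest\r\nanalyst\r\n",
}

# Artifact categories named on the page, used to flag an incomplete package.
# Treating them as top-level folder names is an assumption of this example.
EXPECTED_CATEGORIES = (
    "Autoruns", "Installed programs", "Network configuration", "Prefetch files",
    "Scheduled tasks", "Security event log", "Services", "SMB sessions",
    "System Information", "Temp directories", "Users and Groups", "Windows firewall",
)


def build_sample_package(files=None) -> bytes:
    """Create an in-memory ZIP from a {path: bytes} mapping (defaults to the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in (files or SAMPLE_PACKAGE_FILES).items():
            zf.writestr(name, data)
    return buf.getvalue()


def inventory_package(zip_bytes: bytes) -> dict:
    """Hash every member without extracting it and summarize by category.

    Members are read in memory (zf.read) rather than extracted, so archive
    paths are never written to disk and cannot escape a working directory.
    """
    manifest = {
        "package_sha256": hashlib.sha256(zip_bytes).hexdigest(),
        "files": [],
        "categories": {},
    }
    per_category = defaultdict(lambda: {"file_count": 0, "total_bytes": 0})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            category = info.filename.split("/", 1)[0]  # top-level folder = category
            manifest["files"].append({
                "path": info.filename,
                "category": category,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            per_category[category]["file_count"] += 1
            per_category[category]["total_bytes"] += len(data)
    manifest["categories"] = dict(per_category)
    return manifest


def missing_categories(manifest: dict) -> list:
    """Expected categories with no files in the package, for the analyst's notes."""
    present = set(manifest["categories"])
    return sorted(c for c in EXPECTED_CATEGORIES if c not in present)


def verify_manifest(zip_bytes: bytes, manifest: dict) -> bool:
    """Re-hash a package and confirm it still matches the recorded manifest."""
    if hashlib.sha256(zip_bytes).hexdigest() != manifest["package_sha256"]:
        return False
    current = {f["path"]: f["sha256"] for f in inventory_package(zip_bytes)["files"]}
    recorded = {f["path"]: f["sha256"] for f in manifest["files"]}
    return current == recorded


if __name__ == "__main__":
    package = build_sample_package()
    manifest = inventory_package(package)
    print("package sha256:", manifest["package_sha256"])
    for entry in manifest["files"]:
        print(f"{entry['sha256'][:16]}  {entry['size']:>6}  {entry['path']}")
    print("missing categories:", missing_categories(manifest))
    print("manifest verifies:", verify_manifest(package, manifest))
```

Record the printed package hash and per-file hashes in the case notes at download time; re-running verify_manifest against the stored manifest before each later analysis step shows whether the evidence copy is still the one that was collected.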
Key Concepts for the Exam
• Live response requires Advanced live response to be enabled for uploading files and running scripts
• Basic live response allows only investigative commands
• Investigation packages take time to generate and are available in the Action Center
• Sessions automatically disconnect after a period of inactivity
• Multiple analysts can connect to the same device, but only one session is active at a time
Exam Tips: Answering Questions on Perform Live Response and Collect Investigation Packages
1. Know the permission requirements: Questions often test understanding of which RBAC roles are needed. Security operators need specific permissions for live response capabilities.
2. Understand basic vs advanced live response: Basic live response allows investigative commands while advanced live response enables file uploads and script execution.
3. Remember the location: Live response sessions are initiated from the device page in the Microsoft 365 Defender portal, not from incident pages.
4. Focus on command syntax: Know commands like getfile, putfile, and run. The exam may present scenarios requiring you to choose the correct command.
5. Investigation package contents: Be familiar with what data is included in investigation packages when answering questions about forensic collection.
6. Scenario-based questions: When presented with an incident scenario, identify whether the question requires live response for real-time investigation or an investigation package for offline analysis.
7. Prerequisites matter: If a question mentions live response not working, check for onboarding status, network connectivity, and whether the feature is enabled in settings.
8. Time considerations: Investigation packages require generation time while live response provides real-time access. Choose based on urgency described in the scenario.