Endpoint Investigation, Invasive or Invaluable?


Give analysts agency wihout losing availability.

Microsoft Defender for Endpoint (MDE) has live response options that allow security analysts using the EDR system to take actions on a connected system. This is exciting for security departments that are using the tool, but this may raise concerns for the rest of the IT departments.

MDE offers cybersecurity analysts the option of running live commands on a connected system, and there is a noticeable chance that running one of the live response options may cause unintended consequences. If security administrators are going to implement live response in their environment, they will need to understand what the tools do and how it may affect the endpoints it is responding to.

In this blog, we go over each of the live response tools and discuss how they are used to respond to an incident. Then we will discuss considerations for other IT departments regarding how invasive it may be and potential issues that could be caused by using these tools.

Isolate Device

This response action isolates the device from all registered organization cloud resources aside from the Outlook and Teams apps in Office 365. This is an invasive action that an analyst should only take in a situation where it is necessary. Review the documentation and discuss the implications with relevant stakeholders before implementing isolating a device in a production environment.

Restrict App Execution

This response action changes the configuration on the endpoint’s Defender Antimalware to only allow applications with Microsoft signed certificates to run. You would need to understand the business context and use cases before initiating this.

Run Antivirus Scan

This response action will run the “Microsoft Defender Antivirus” scan, which is the solution that MDE enables on all connected devices unless instructed otherwise. This action is not as invasive as other options, so analysts can normally run this action unless there are any custom apps or processes that might need special consideration beforehand.

This action should be performed after the analyst is done collecting artifacts from the device. An analyst will be given the option to choose between “quick” and “full” scans, quick scans only likely areas and full scans almost everything. It is up to the organization to decide if full scans are appropriate on some production devices that may not be able to handle the extra processing work load.

Collect Investigation Package

The investigation package is a zip file that contains a sizable amount of forensic information. For a full list of information that is collected in the investigation package, see the Investigation Package Docs article.

This action is not as invasive as other options, so analysts can normally take this action without consulting documentation or other teams. This action should either be taken during an investigation to get more information or when gathering artifacts after the investigation.

Initiate Live Response

Live response allows an analyst to make an RDP connection to a connected device so that they can take actions on the device through the command line. This is an invasive action that analysts should only take in an environment that specifically allows this type of action.

Analysts should always review documentation about the environment before taking this live response action. The option to use an RDP connection to address a security concern should be approved by the admin responsible for the device to ensure that no unintended damage is not caused to the endpoint.

Initiate Automated Investigation

The automated investigation allows an analyst to run the Automated Investigation and Response (AIR) service on a device to look for potential malicious activity. This action is not as invasive as other options, so analysts can normally run automated investigations without extensive verification.

AIR provides investigation and response capabilities, so it should be used during the investigation to check for details that the MDE alert system may have missed. Depending on the level of automation set up in the settings menu, AIR may remove artifacts, so precautions may need to be taken to preserve artifacts if the automation is allowed to remove files.

We will continue to share best practices and lessons learned in future posts on using MDE live response tools in customer environments. We are committed to making sure our customers know that we are using our EDR tools in a way that allows us to be effective and allows them to operate effectively.

In closing, consider these three questions when using MDE live response tools in your organization:

  1. Does our incident management lifecycle address how we need to perform response actions like live response?
  2. Do we have a trusted relationship with other IT departments and stakeholders that would allow us to begin using some of the live response tools?
  3. Should we cross-train our analysts so that they will understand more about the endpoints that they are doing live responses on?

How Can We Help?

Main Contact Form