Perform Actions On A Device

 



Device Actions

While investigating a device you can perform actions, collect data or remotely access the machine including the following containment actions:

  • Isolate device
  • Restrict app execution
  • Run antivirus scan 

You can perform the following investigation actions:

  • Initiate Automated Investigation
  • Collect investigation package
  • Initiate Live Response Session

The action center provides information on the actions that were taken on a device or file.

Isolate devices from networks

This action can help you to prevent the attacker from controlling the compromised device as well as performing the further activities such as data exfiltration and lateral movement and its isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

Once you have selected the isolate device on the device page, type a comment and select confirm after which the Action Center will show you the scan information and the device timeline will include a new event. When a device is being isolated, a notification is displayed to inform the user that the device is being isolated from the network.

Restrict app execution

This action is available for devices on Windows 10, version 1709, or later and also if your organization uses Microsoft Antivirus Defender Antivirus and to restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate which can help you to prevent an attacker from controlling compromised devices as well as performing further malicious activities.

You will be capable to reverse the restriction from applications running at any time and the button on the device page will change to say Remove app restriction, after which you have to take the same steps as restricting app execution. When an app is restricted, a notification is displayed to inform the user that an app is being restricted from running. 

Collect investigation package from devices

As a part of the investigation or response process, you can easily collect an investigation package from a device and can identify the current state of the device as well as further understand the tools and techniques used by the attacker. To download the package (zip file) and investigate the events that occurred on a device:

  • Select Collect investigation package from the row of response actions at the top of the device page.
  • Specify in the text box why you want to do this action. Select Confirm.
  • The zip file will download.   

Alternate way:

  • Select Action center from the response actions section of the device page.
  • In the Action center fly-out, select Package collection package available to download the zip file. 

Initiate live response session

Live response gives security operations teams instantaneous access to a device (also referred to as a machine) by using a remote shell connection which gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance the investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for the emerging threats.

With live response, analysts can do all of the following tasks:

  • Run basic and advanced commands to do the investigative work on a device. 
  • Download files such as malware samples and outcomes of the PowerShell scripts. 
  • Download files in the background (new).
  • Upload a PowerShell script or executable to the library or run it on a device from a tenant level.
  • Take or undo remediation actions. 

 Prerequisites

Before you can initiate a session on a device, make sure you fulfill the following the requirements:

Verify that you are running a supported version on Windows 10- You will also need to enable the live response capability in the Advanced features settings page. 

Only users with manage security or global admin roles can edit these settings. 

Ensure that the device has an Automation Remediation level assigned to it- You'll need to enable, at least, the minimum Remediation level for a give Device Group, otherwise you won't be able to establish a Live Response session to a member of that group. 

Enable live response unsigned script execution (optional) - Allowing the use of unsigned scripts may increase your exposure to threats and running them is not recommended. But if you must use them, then you will need to enable the setting in the Advanced features settings page. 

Ensure that you have the appropriate permissions- Only the users who have been provisioned with the appropriate RBAC permissions can initiate the session. Depending on the role that's being granted to you, you can easily run basic and advanced live response commands. Users' permissions are controlled by the RBAC custom role. 

Limitations:

Live response has the following limitations:
  • Live response sessions are limited to 10 live response sessions at a time.
  • Large-scale command execution is not supported.
  • Live response session inactive timeout value is 5 minutes.
  • A user can only initiate one session at a time.
  • A device can only be in one session at a time. 

  The following file size limits apply:

  • getfile limit- 3 GB
  • fileinfo limit- 10 GB
  • library limit- 250 MB







Comments

Popular posts from this blog

Deployment (Part 3)

Project Resourcing (Part 2)

Design Planning (Part 3)