4.1 Respond with Defender for Endpoint
Key Takeaways
- Device isolation cuts a compromised endpoint off from the network while keeping the Microsoft Defender for Endpoint connection alive so analysts can still investigate and run Live Response
- Automated investigation and remediation (AIR) verdicts are Malicious, Suspicious, or No threats found, and the automation level (Full vs Semi) decides whether remediation runs automatically or waits for approval
- Live Response opens a remote shell to a device for collecting forensic artifacts and running commands without re-imaging the machine
- App restriction (restrict app execution) limits a device to Microsoft-signed binaries via Windows Defender Application Control, a lighter containment step than full isolation
- The unified incident queue at security.microsoft.com correlates Defender for Endpoint alerts with other Defender XDR workloads into a single incident with a combined attack story
Why Endpoint Response Matters on SC-200
The Respond to security incidents domain is 35-40% of the SC-200 exam, and Microsoft Defender for Endpoint (MDE) is where most hands-on response actions live. Expect scenario questions that hand you an incident and ask which single action contains the threat with the least disruption. Knowing exactly what isolate, restrict, collect, and Live Response each do — and what they do not do — is the difference between two plausible-looking answers.
All response work happens in the unified Microsoft Defender portal at security.microsoft.com. Microsoft Defender XDR (Extended Detection and Response) correlates signals from endpoint, identity, email, and cloud apps into one incident.
The Incident and Alert Queue
Alerts are individual detections. An incident is a container that groups related alerts, devices, users, and mailboxes into one attack story. Defender XDR correlates automatically, so a single phishing-to-ransomware chain becomes one incident, not twenty alerts.
| Concept | What it is | Where you triage it |
|---|---|---|
| Alert | One detection (e.g., suspicious PowerShell) | Alerts queue |
| Incident | Correlated group of alerts + assets | Incidents queue |
| Severity | Informational → Low → Medium → High | Used to prioritize |
| Classification | True positive / Informational, expected activity / False positive | Set when resolving |
| Determination | Specific cause (e.g., Malware, Phishing) | Feeds tuning + AIR |
When you resolve an incident, set classification and determination. These feed automation tuning and improve future AIR decisions, so a question about "how do you reduce repeat false positives" often points here.
Investigating a Device
Open the device page to reach the device timeline — a chronological event stream of processes, files, network connections, registry changes, and logon events. This is the primary forensic surface for endpoint investigation.
- Timeline — raw events, filterable by event type and date
- Security recommendations / discovered vulnerabilities — surfaced by Defender Vulnerability Management (covered in 4.3)
- Software inventory — installed apps and versions
- Alerts — detections involving this device
From the device page you launch the response actions below.
Device Response Actions
These are the high-frequency exam facts. Memorize what each action contains and what it preserves.
| Action | Effect | Key nuance |
|---|---|---|
| Isolate device | Cuts network access for the device | Defender for Endpoint connection stays up so you can still investigate; Selective isolation keeps Outlook/Teams/Skype allowed |
| Restrict app execution | Only Microsoft-signed binaries may run | Uses Windows Defender Application Control; lighter than full isolation because the device stays online |
| Run antivirus scan | Triggers a Microsoft Defender Antivirus scan | Quick or Full; remote-initiated |
| Collect investigation package | Gathers forensic artifacts into a downloadable ZIP | Autoruns, installed programs, network connections, prefetch, etc. |
| Initiate automated investigation | Manually starts an AIR playbook on the device | Useful when auto-trigger did not fire |
| Initiate Live Response | Opens a remote command shell to the device | Forensics + remediation without re-imaging |
| Stop and quarantine file | Stops the running file and quarantines it across the org | Acts on the file's hash org-wide |
| Add indicator | Blocks a file/IP/URL/cert org-wide | Custom indicator, allow or block |
Isolation vs Restriction (a classic distractor pair)
- Isolate = network containment. The host cannot talk to other systems; the attacker loses lateral movement and C2. Best for active compromise.
- Restrict app execution = execution containment. The host stays on the network but can only run trusted Microsoft-signed code. Best when you must keep the device reachable but stop unknown payloads.
If a question wants "contain lateral movement now," the answer is isolate. If it wants "keep the machine usable but block the malware from re-launching," the answer is restrict app execution.
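The same device actions are exposed by the Defender for Endpoint Machine Actions REST API, which is how they get automated from a SOAR playbook. This is an added example, not Microsoft's code or the page's own material: it builds each request, enforces the nuances from the table above (Full vs Selective isolation, Quick vs Full scan, a mandatory audit comment), and only sends when a real bearer token is supplied. MACHINE_ID_PLACEHOLDER and the token are placeholders.

```python
"""Build Defender for Endpoint machine-action requests for the response actions above."""
import json
import re
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api/machines"

# action alias -> (API path segment, required body key, allowed values for that key)
ACTIONS = {
    "isolate": ("isolate", "IsolationType", {"Full", "Selective"}),
    "unisolate": ("unisolate", None, None),
    "restrict": ("restrictCodeExecution", None, None),
    "unrestrict": ("unrestrictCodeExecution", None, None),
    "scan": ("runAntiVirusScan", "ScanType", {"Quick", "Full"}),
    "collect": ("collectInvestigationPackage", None, None),
    "investigate": ("startInvestigation", None, None),
    "quarantine": ("StopAndQuarantineFile", "Sha1", None),  # Sha1 validated below
}


def build_request(action, machine_id, comment, **opts):
    """Return (url, body) for one machine action. Every action carries a Comment
    because the Action center records it for audit."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not comment:
        raise ValueError("comment is mandatory for audited machine actions")
    path, key, allowed = ACTIONS[action]
    body = {"Comment": comment}
    if key:
        if key not in opts:
            raise ValueError(f"{action} requires {key}")
        if allowed and opts[key] not in allowed:
            raise ValueError(f"{key} must be one of {sorted(allowed)}")
        if key == "Sha1" and not re.fullmatch(r"[0-9a-fA-F]{40}", opts[key]):
            raise ValueError("Sha1 must be a 40-hex-character SHA-1")
        body[key] = opts[key]
    return f"{API_BASE}/{machine_id}/{path}", body


def send(url, body, token):
    """POST the action; the response is the machineAction record (id, status, type)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Contain lateral movement while keeping the MDE channel up for Live Response
    url, body = build_request("isolate", "MACHINE_ID_PLACEHOLDER",
                              "Active lateral movement, isolating", IsolationType="Full")
    print(url, body)  # call send(url, body, token) once a token is available
```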
Live Response
Live Response gives an analyst a remote shell on the device. It is gated by role-based access control (RBAC) and must be turned on in advanced features.
```
# Common Live Response commands
getfile C:\Users\bob\Downloads\invoice.exe   # pull a file for analysis
fileinfo invoice.exe                         # hash + signer metadata
processes                                    # list running processes
remediate file invoice.exe                   # remove the file
putfile triage.ps1                           # push a script from the library
run triage.ps1                               # execute a library script
connections                                  # active network connections
```
Live Response collects evidence and remediates without re-imaging, which makes it the answer to "investigate and clean a single host while preserving evidence."
Automated Investigation and Remediation (AIR)
AIR runs an automated playbook when a supported alert fires. It expands the investigation across related entities and assigns a verdict.
- Verdicts: Malicious, Suspicious, or No threats found
- Automation level (device groups):
- Full — remediate automatically, no analyst approval
- Semi — require approval before remediating (variants: core folders, non-temp folders, all folders)
- No automated response — AIR investigates but takes no action
The Action center is where pending AIR actions wait for approval and where completed actions are audited. A question about "why didn't the malware get auto-removed" usually traces to the device group's automation level being Semi or No automated response.
Advanced Features That Change Behavior
Under Settings → Endpoints → Advanced features, several toggles affect response:
- Automated investigation — enables AIR at all
- Live Response / Live Response for servers / Live Response unsigned script execution
- Allow or block file — required before custom file indicators work
- Tamper protection — stops attackers (and misconfig) from disabling MDE
- EDR in block mode — lets Defender for Endpoint block post-breach artifacts even when a non-Microsoft AV is primary
- Web content filtering and Device discovery
If a custom file-block indicator "isn't working," check that Allow or block file is enabled and that the cloud-delivered protection prerequisite is met.
An analyst confirms active lateral movement from a workstation but must keep investigating the host with Live Response. Which single action best contains the threat while preserving investigation access?
A device group is set to the "Semi - require approval for all folders" automation level. AIR classifies a file as Malicious but it is not removed. Where does the analyst go to complete the remediation?
Which Defender for Endpoint response action limits a device to running only Microsoft-signed binaries while keeping it on the network?