This is Defender's version of a query language, used in investigations to find specific information.
What is KQL?
Bonus point if you know what KQL stands for
Your alert indicates that an Adware file was detected on a workstation, but that the file was not mitigated by Defender. What should you do?
What is request a stop and quarantine?
This is the Microsoft equivalent of a block/allow list addition.
What is an indicator?
Customers and analysts alike are able to cause alerts to generate whenever activity from a specific IP, domain, certificate, or hash is detected. What are these alerts called?
What are custom TI?
What is run full AV scan?
A customer comments on your alert while you are working it and asks for Critical Start to "allow the alerted file". What should you do?
What is create an admin action request to have a superuser add an allow indicator?
This page details pending or completed actions on a given device.
What is the action center?
True or false: we can create indicators for customers who have Microsoft Sentinel or Microsoft 365, but not Microsoft Defender for Endpoint.
This is where you would go to run KQL queries in MDE.
What is Advanced Hunting?
Your alert states that an autorun worm was detected on a workstation by AV. You have already confirmed the file as malware by checking VT. What should you check in the console before proceeding further?
What is remediation status?
This is to Defender as Alert is to CORR.
What is an incident?
True or false: Regarding device network events, "ConnectionSuccess" indicates that the connection was successful, even if a block indicator exists for the IP/domain the host connected to.
Explanation: due to the three-way handshake, connections proxied by block indicators may still show "ConnectionSuccess", because this event is registered before the block indicator actually prevents the connection.
Most customer consoles allow access using your personal credentials. However, a select few do not. This is what you should use when you work an alert for one of these customers.
What are the L1 shared credentials?
You are working an alert titled "Suspicious URL Clicked". What kind of query table would be especially useful in investigating this activity?
What is DeviceNetworkEvents, DeviceFileEvents, URLClickEvents, EmailEvents?
(Any of these is acceptable)
This special option in the host isolation window, when ticked, allows specific communication channels to remain open when a security administrator isolates a host.
What is enable Outlook, Microsoft Teams, and Skype for Business connectivity?
Also acceptable: What is selective isolation?
True or false: closing an alert in CORR with a true/false positive verdict will apply that verdict on the incident within the Defender console.
* This is important because filters/closing alerts in CORR can inadvertently alter the verdict within Defender, which can be misleading if not done properly.
What is the device timeline?
You are investigating an event and you decide you want to look in the device timeline for more context. Clicking on this CORR KVP allows you to pivot directly to the device's timeline around the time the alert generated. (3 possible answers)
What is Device ID?
What is Creation Time?
What is Event Timestamp?
For many alerts, Defender breaks down contextual evidence (host, user, etc.) from incidents/alerts into these types.
What are entities?
This portal/button in the MDE user page for a given user allows you to view and investigate the user's sign-in and audit logs, when available.
What is Entra ID?