Q: 14
You have a Microsoft 365 tenant that contains a Windows 10 device. The device is onboarded to Microsoft Defender for Endpoint.
From Microsoft Defender Security Center, you perform a security investigation.
You need to run a PowerShell script on the device to collect forensic information.
Which action should you select on the device page?
Options
Discussion
Probably A for this one. Live Response is the only option that actually lets you open an interactive shell and run PowerShell scripts on the endpoint. The others either just gather static data or search logs, so I think this is the catch in the options.
It's C
It's C for me. Collect investigation package should pull forensic info, so I assumed that's the right move here. Not totally sure if it allows custom scripts or just collects default logs, but feels close enough for most scenarios.
Yeah, for running a PowerShell script remotely on the device, it’s definitely A. Live Response is the only one that gives you an interactive shell. Pretty sure C just downloads files, not actual execution. Open to hearing if I missed something.
I don’t think it's A. C.
A imo. Bit of a trap with D, since Go hunt is more for searching data not running scripts directly.
D
A nice and clear scenario. Live Response is exactly for running scripts like that in Defender.
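As an added example (not part of the question or any of the posts above), this is the kind of triage collection script a responder would upload to the Live Response library and execute from the device's Live Response session; the `C:\Triage` output path and the script file name are assumptions:

```powershell
# Forensic triage collector for a Microsoft Defender for Endpoint Live Response session.
# Upload with:   library put Collect-Triage.ps1
# Execute with:  run Collect-Triage.ps1
# Retrieve with: getfile C:\Triage\<computername>-<timestamp>.zip
# The C:\Triage location and the file names below are assumptions for this example.
$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path 'C:\Triage' "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Volatile state first: processes and network connections change quickly.
Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate |
    Export-Csv (Join-Path $outDir 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $outDir 'tcp.csv') -NoTypeInformation

# Persistence points: services, scheduled tasks and Run keys.
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Export-Csv (Join-Path $outDir 'services.csv') -NoTypeInformation
Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{ TaskName = $_.TaskName; Path = $_.TaskPath; State = $_.State;
        Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }
} | Export-Csv (Join-Path $outDir 'tasks.csv') -NoTypeInformation
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider's PSPath/PSChildName noise
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
} | Export-Csv (Join-Path $outDir 'runkeys.csv') -NoTypeInformation

# Security and PowerShell operational events from the last 24 hours.
$since = (Get-Date).AddDays(-1)
foreach ($log in 'Security', 'Microsoft-Windows-PowerShell/Operational') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message |
        Export-Csv (Join-Path $outDir ("$($log -replace '[\\/]', '_').csv")) -NoTypeInformation
}

# Package everything so a single getfile retrieves the whole collection.
$zip = "$outDir.zip"
Compress-Archive -Path (Join-Path $outDir '*') -DestinationPath $zip -Force
Write-Output $zip   # the path to pass to getfile in the Live Response session
```

Running an unsigned script from the library requires the Live Response "unsigned script execution" advanced feature to be enabled in the tenant; otherwise the script must be signed.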