In Microsoft Defender for Endpoint, Live Response provides an interactive remote shell for investigating a device directly from the Microsoft Defender portal. It allows security analysts to run commands, collect data, inspect processes, and perform incident response tasks without manually logging into the endpoint.
For this scenario, you must review Device1's running processes, active network connections, and login history with the least administrative effort.
All of these can be gathered in a single Live Response session. Once connected, you can use built-in commands such as:
connections to view active network connections (the Live Response equivalent of netstat),
processes to list running processes (the equivalent of ps),
getfile to retrieve log files containing login history, for example the Windows Security event log, which records logon events (event ID 4624). There is no built-in cat or less in the Live Response shell: a file is either downloaded with getfile and reviewed locally, or examined with a script placed in the library and executed with run.
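For the login-history part, the built-in commands cover processes and connections directly, but the logon events still have to be read out of the Security log. The following is an added example, not code from the original page or from Microsoft: a PowerShell collection script an analyst could upload to the Live Response library and start with run. The script name (Get-TriageSnapshot.ps1), the -Hours default, the logon-type filter and the run invocation shown in the usage note are assumptions made for this illustration.

```powershell
# Added example (not from the original page or from Microsoft): a collection script
# that an analyst could upload to the Live Response library and invoke with `run`.
# The script name (Get-TriageSnapshot.ps1), the -Hours default and the logon-type
# filter are assumptions made for this illustration.
param(
    [int]$Hours = 24     # look-back window for logon events (assumption)
)

$ErrorActionPreference = 'Stop'

# Pull a named field out of a Security event's EventData block by parsing the
# event XML, which is more robust than relying on positional Properties[] indexes.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Running processes: the same view the built-in `processes` command gives,
#    plus the command line and parent PID, which help spot odd parent/child pairs.
function Get-ProcessSnapshot {
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

# 2. Active network connections: the equivalent of the built-in `connections`
#    command. Established TCP only; add listeners if the case calls for it.
function Get-ConnectionSnapshot {
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
}

# 3. Login history: successful logons (Security event 4624) in the look-back window.
#    Logon types 0 (system) and 5 (service) are dropped as noise; 2 (interactive),
#    3 (network), 7 (unlock) and 10 (RDP) are the ones an analyst usually wants.
function Get-LogonHistory {
    param([int]$LookbackHours)
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    # Reading the Security log needs elevated rights; a Live Response session already
    # runs with them, so no extra privilege is requested here. SilentlyContinue keeps
    # an empty result (no matching events) from terminating the script.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $type = [int](Get-EventField -Event $_ -Name 'LogonType')
        if ($type -in 0, 5) { return }   # skip this event, continue with the next
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = '{0}\{1}' -f (Get-EventField $_ 'TargetDomainName'), (Get-EventField $_ 'TargetUserName')
            LogonType = $type
            SourceIp  = Get-EventField $_ 'IpAddress'
            Process   = Get-EventField $_ 'ProcessName'
        }
    }
}

# `run` shows the script's standard output in the Live Response console, so the
# results are printed as tables; write them to a file instead if you intend to
# pull them back with `getfile`.
'=== Processes ==='
Get-ProcessSnapshot | Format-Table -AutoSize | Out-String -Width 200
'=== Established TCP connections ==='
Get-ConnectionSnapshot | Format-Table -AutoSize | Out-String -Width 200
"=== Successful logons, last $Hours hours ==="
Get-LogonHistory -LookbackHours $Hours | Sort-Object Time -Descending |
    Format-Table -AutoSize | Out-String -Width 200
```

Once the script has been uploaded to the library from the Live Response console, it is started from the session with a command of the form run Get-TriageSnapshot.ps1 -parameters "-Hours 48" (the exact argument syntax is an assumption here; check the command reference for your tenant). Two caveats a practitioner should keep in mind: a script that is not signed will only execute if the unsigned script execution advanced feature is turned on, which is the setting the page discusses under Option B, and the look-back window should be kept short on busy servers, because 4624 is one of the noisiest events in the Security log.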
According to Microsoft Defender for Endpoint documentation, “Live response enables analysts to perform in-depth investigation on a device remotely to collect forensic data, run scripts, and remediate threats.” It requires the least administrative effort compared with collecting an investigation package, which takes longer to produce and is intended primarily for offline forensic review.
Option B (enable unsigned script execution) is an advanced-features setting that is needed only to run unsigned custom scripts through the run command; it does nothing for the built-in commands, and because it broadens what can be executed on onboarded devices it should not be switched on as a routine first step.
Option C (collect investigation package) gathers a fixed set of artifacts for offline review, takes time to complete, and offers no interactive analysis.
Option D (initiate live response) gives immediate, interactive insight into processes, connections, and logs, satisfying all requirements with minimal effort.
✅ Therefore, the correct first step is to initiate a live response session on Device1.