
If a computer is badly infected with a secret type of virus, what special tools in Microsoft Defender for Endpoint can a security expert use to grab all the clues from that computer and stop the virus from spreading, without losing any important information for figuring out what happened?



To investigate a badly infected computer running a stealthy virus with Microsoft Defender for Endpoint, while preventing further spread and preserving forensic information, a security expert relies on several specialized tools in sequence.

The first and most critical step is to contain the threat and stop lateral movement. This is done with the Isolate Device action on the device's page in the Microsoft Defender portal. Isolating the device disconnects it from the organization's network, so the virus can no longer reach other systems or its command-and-control servers, while the device keeps its connection to Defender for Endpoint for continued management and investigation. Containment therefore happens without altering the device's internal state, which matters for the forensic work that follows.

Once the device is isolated, the expert opens a Live Response session. Live Response provides a direct, real-time command-line connection to the infected device for interactive investigation and remediation. It is the main tool for gathering clues without losing information, because the expert can run forensic commands that collect specific artifacts. For instance, `file-get` safely retrieves samples of the virus binary, suspicious scripts, or critical log files; `get-process` lists running processes and their parent-child relationships, which can reveal the malware's execution chain; and `registry-query` inspects registry keys for persistence mechanisms or configuration data used by the virus. This targeted collection preserves the state of the rest of the system. Files and logs collected through Live Response are transferred securely to the cloud, which keeps them intact and available for later review.

To reconstruct the attack timeline and understand what the virus did, the expert consults the Device Timeline. This view in the Microsoft Defender portal is a chronological record of every event the Defender for Endpoint sensor observed on the device: process creation, network connections, file modifications, registry changes, and user actions. By filtering and reviewing these events, the expert can pinpoint the initial compromise vector, track lateral movement attempts, identify the files the virus dropped or modified, and understand its behavior without touching the live system, so the original evidence is preserved.

For assessing the wider impact and hunting proactively across the organization, Advanced Hunting is indispensable. This Kusto Query Language (KQL) tool queries the raw telemetry collected from every device onboarded to Defender for Endpoint. Using the indicators found during Live Response and Device Timeline analysis (unique file hashes of the virus, specific process names, network connection patterns, IP addresses, or domain names of command-and-control servers), the expert searches for the same activity on other devices. This establishes the full scope of the breach and identifies other potentially infected machines without disturbing them. For example, a query might return every device that executed a specific file hash or connected to a known malicious IP address.

The Evidence and Response tab in the Microsoft Defender portal is the central repository for all collected artifacts and automated investigation details. Any files, registry entries, network connections, or processes flagged as suspicious during automated investigations, or collected manually through Live Response, are stored here. Every piece of evidence is thus preserved and linked to the incident for post-incident analysis and reporting, so no information is lost. Finally, to prevent further spread and re-infection, the expert creates Indicators (IoCs) from the unique artifacts discovered. These custom indicators, such as specific file hashes, C2 server IP addresses, or domain names, are deployed across the whole environment through Defender for Endpoint to automatically block or alert on any further attempt by the virus to execute or communicate, stopping its spread on the basis of the forensic evidence gathered.
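The Advanced Hunting query sketched above, written out in KQL as an added example (it is not part of the answer and not a Microsoft-supplied query). It assumes the standard `DeviceProcessEvents`, `DeviceFileEvents` and `DeviceNetworkEvents` tables of the Defender portal's Advanced Hunting schema; the SHA-256 hash and the IP address are placeholders to be replaced with the values actually collected from the isolated device.

```kql
// Added example, not from the original answer.
// Hunt across all onboarded devices for two artifacts recovered from the
// isolated host: the SHA-256 of the collected binary and the C2 address it
// talked to. Both values below are placeholders.
let suspiciousHash = "<SHA256_OF_COLLECTED_BINARY>";   // placeholder
let c2Address      = "<C2_IP_ADDRESS>";                // placeholder
let lookback       = 30d;                              // Advanced Hunting retains 30 days
// Leg 1: the binary was executed.
let executed = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where SHA256 == suspiciousHash
    | project Timestamp, DeviceId, DeviceName,
              Evidence = "executed",
              Artifact = strcat(FolderPath, " <- ", InitiatingProcessFileName);
// Leg 2: a copy of the binary was written to disk (dropped on another host).
let dropped = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where SHA256 == suspiciousHash
    | where ActionType in ("FileCreated", "FileModified")
    | project Timestamp, DeviceId, DeviceName,
              Evidence = "dropped",
              Artifact = strcat(FolderPath, " by ", InitiatingProcessFileName);
// Leg 3: any process connected to the C2 address.
let beaconed = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIP == c2Address
    | project Timestamp, DeviceId, DeviceName,
              Evidence = "beaconed",
              Artifact = strcat(InitiatingProcessFolderPath, " -> ",
                                RemoteIP, ":", tostring(RemotePort));
// One row per device, showing which kinds of evidence were seen and when.
union executed, dropped, beaconed
| summarize FirstSeen     = min(Timestamp),
            LastSeen      = max(Timestamp),
            Hits          = count(),
            EvidenceTypes = make_set(Evidence),
            SampleArtifacts = make_set(Artifact, 5)
  by DeviceId, DeviceName
| order by FirstSeen asc
```

Run it from Hunting > Advanced hunting in the Microsoft Defender portal. Devices that appear with `EvidenceTypes` containing `executed` or `beaconed` are candidates for the same Isolate Device action, while `dropped` alone may indicate a staged but not yet executed copy. The same hash and address, once confirmed, are the values to register as custom Indicators so that further executions and connections are blocked or alerted on automatically.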


