Investigate the exported logs

Question

Hi,I have exported timeline logs of the offboarded machine to investigate the unusual activity and it was almost 2 months ago. So now I need to investigate the logs of the machine and it is a little hectic to work on Excel to identify the malicious activity. Is there any option available to upload the logs to Defender to investigate? Or any other tool will be helpful.

rahuljindal · Answer

Depending on the nature of your investigation, you can try advanced hunting queries.

kapildev_c · Answer

It's been more than 30 days so unable to fetch logs of the machine. Is there any other option to investigate?

rahuljindal · Answer

Is the device still connected to the internet? Also, if it is offboarded then options become limited. Can you perhaps elaborate on the unusual activity and the current status of device in question?

kapildev_c · Answer

No the device is removed from the domain and it's not connected to the Internet. I want to investigate the malware activity and lateral movements.

rahuljindal · Answer

Defender does offer troubleshooting mode which can also be used in tandem with network isolation. Will be easier to onboard the device and then run forensics. The device doesn’t necessarily need to be joined to the domain. Otherwise you are looking at running forensics locally on the device.

Forum Discussion

Investigate the exported logs

6 Replies