Forum Discussion
Investigate the exported logs
Hi, I have exported timeline logs of the offboarded machine to investigate the unusual activity and it was almost 2 months ago. So now I need to investigate the logs of the machine and it is a littl...
Depending on the nature of your investigation, you can try advanced hunting queries.
It's been more than 30 days so unable to fetch logs of the machine. Is there any other option to investigate?
Is the device still connected to the internet? Also, if it is offboarded then options become limited. Can you perhaps elaborate on the unusual activity and the current status of device in question?
- No the device is removed from the domain and it's not connected to the Internet. I want to investigate the malware activity and lateral movements.
Defender does offer troubleshooting mode which can also be used in tandem with network isolation. Will be easier to onboard the device and then run forensics. The device doesn’t necessarily need to be joined to the domain. Otherwise you are looking at running forensics locally on the device.