Forum Discussion
Kapildev_C
Dec 25, 2023, Copper Contributor
Investigate the exported logs
Hi, I have exported timeline logs of the offboarded machine to investigate the unusual activity and it was almost 2 months ago. So now I need to investigate the logs of the machine and it is a littl...
rahuljindal
Dec 25, 2023, Bronze Contributor
Depending on the nature of your investigation, you can try advanced hunting queries.
Kapildev_C
Dec 25, 2023, Copper Contributor
It's been more than 30 days so unable to fetch logs of the machine. Is there any other option to investigate?
- rahuljindal, Dec 25, 2023, Bronze Contributor
Is the device still connected to the internet? Also, if it is offboarded then options become limited. Can you perhaps elaborate on the unusual activity and the current status of the device in question?
- Kapildev_C, Dec 25, 2023, Copper Contributor
No, the device is removed from the domain and it's not connected to the Internet. I want to investigate the malware activity and lateral movements.
- rahuljindal, Dec 25, 2023, Bronze Contributor
Defender does offer troubleshooting mode, which can also be used in tandem with network isolation. It will be easier to onboard the device and then run forensics. The device doesn't necessarily need to be joined to the domain. Otherwise you are looking at running forensics locally on the device.