Forum Discussion

Kapildev_C's avatar
Kapildev_C
Copper Contributor
Dec 25, 2023

Investigate the exported logs

Hi, I have exported timeline logs of the offboarded machine to investigate the unusual activity and it was almost 2 months ago. So now I need to investigate the logs of the machine and it is a littl...
rahuljindal's avatar
rahuljindal
Bronze Contributor
Dec 25, 2023

Is the device still connected to the internet? Also, if it is offboarded then options become limited. Can you perhaps elaborate on the unusual activity and the current status of device in question?

Kapildev_C's avatar
Kapildev_C
Copper Contributor
Dec 25, 2023
No the device is removed from the domain and it's not connected to the Internet. I want to investigate the malware activity and lateral movements.
  • rahuljindal's avatar
    rahuljindal
    Bronze Contributor
    Dec 25, 2023

    Defender does offer troubleshooting mode which can also be used in tandem with network isolation. Will be easier to onboard the device and then run forensics. The device doesn’t necessarily need to be joined to the domain. Otherwise you are looking at running forensics locally on the device.

    • Kapildev_C's avatar
      Kapildev_C
      Copper Contributor
      Dec 25, 2023
      Thanks much.