Endpoint: Timeline & Live Response
When an endpoint is compromised, the device timeline tells the story. Learn how to investigate device timelines, use live response for real-time forensics, and collect investigation packages.
The device timeline: the crime scene recording
The device timeline is a recording of everything that happened on a machine. Every process launched, every file created, every network connection, every registry change β all in chronological order.
When you investigate a compromised device, the timeline is where you reconstruct what the attacker did: what malware ran, when it ran, what it connected to, and what it changed. It is the forensic evidence that tells the story of the attack.
Live response goes further β it gives you a remote shell on the device so you can investigate in real-time: check running processes, download files, run scripts, and collect evidence while the device is still live.
Investigating the device timeline
What the timeline shows
| Event Type | What It Captures | Example |
|---|---|---|
| Process creation | New processes launched with command lines | powershell.exe -enc aQBlAHg... |
| File operations | Files created, modified, deleted, or renamed | C:\Temp\payload.exe created |
| Network connections | Outbound/inbound connections with IPs and ports | Connection to 198.51.100.42:443 |
| Registry changes | Keys created, modified, or deleted | Run key added for persistence |
| Logon events | User logons, logoffs, RDP sessions | Interactive logon from 10.0.0.50 |
| Alert events | Alerts generated by MDE on this device | βSuspicious PowerShell activityβ |
How to use the timeline
- Start at the alert timestamp β what was happening when the alert fired?
- Work backwards β what caused the malicious process to launch? What was the parent process?
- Work forwards β what happened after the malicious activity? Did the attacker establish persistence?
- Check network connections β did the malware phone home? What C2 server did it contact?
- Check file operations β what files were created, downloaded, or exfiltrated?
Filtering the timeline
The timeline can be overwhelming on busy servers. Use filters:
- Event type β show only process creation, or only network events
- Time range β narrow to the investigation window
- Flag β show only flagged (suspicious) events
- Search β find specific file names, process names, or IP addresses
Scenario: Elena traces malware on a payment server
Elena at Atlas Bank investigates a compromised payment server. The alert says: βSuspicious outbound connection from w3wp.exe.β
Timeline investigation:
- 14:23:
w3wp.exe(IIS worker process) spawnscmd.exe - 14:23:
cmd.exespawnspowershell.exewith a Base64-encoded command - 14:24:
powershell.execreatesC:\Windows\Temp\update.exe - 14:24:
update.execonnects to198.51.100.42:443(C2 server) - 14:25:
update.execreates a scheduled task for persistence - 14:30:
update.exebegins scanning internal network on port 445 (SMB)
Elenaβs conclusion: Web shell uploaded to IIS β command execution β malware download β C2 connection β persistence β lateral movement attempt.
Live response
Live response opens a remote shell on the device β without needing RDP or physical access.
What you can do in live response
| Command | What It Does |
|---|---|
dir / cd | Navigate the file system |
processes | List running processes with PIDs |
getfile | Download a file from the device for analysis |
putfile | Upload a file to the device (e.g., remediation script) |
run | Execute a script on the device |
remediate | Remove a file or kill a process |
trace | Collect diagnostic trace data |
connections | Show active network connections |
When to use live response
- Collect a specific file for malware analysis (the malware binary, a suspicious script)
- Check running processes that might not appear in the timeline yet
- Run remediation scripts to clean up persistence mechanisms
- Collect memory dumps for advanced forensic analysis
Exam tip: live response prerequisites
Live response requires:
- Advanced feature enabled in MDE settings (Module 4)
- Unsigned script execution enabled if running custom scripts
- Appropriate RBAC permissions (Security Administrator or custom role)
- Device must be online and communicating with MDE
If an exam question says βan analyst cannot start a live response session,β check these prerequisites.
Investigation packages
An investigation package is an automated forensic data collection. When you trigger it, MDE gathers:
| Data | What It Contains |
|---|---|
| Autoruns | Programs that start automatically (startup, services, scheduled tasks) |
| Installed programs | Software installed on the device |
| Network connections | Active and recent connections with associated processes |
| Event logs | Security, System, and Application event logs |
| Prefetch files | Evidence of program execution history |
| Scheduled tasks | All configured scheduled tasks |
| Security product status | Defender AV status, last scan time, definitions version |
The package is uploaded to the Defender portal for download and offline analysis.
| Feature | Device Timeline | Live Response | Investigation Package |
|---|---|---|---|
| When to use | Reconstruct past events | Investigate in real-time | Collect forensic evidence for offline analysis |
| Requires device online? | No β historical data stored in cloud | Yes β active connection needed | Yes β collection runs on device |
| Type of analysis | Chronological event review | Interactive investigation and remediation | Comprehensive forensic snapshot |
| Speed | Instant β data already in cloud | Real-time β you interact directly | Minutes β collection, then download |
| Best for | Understanding what happened | Investigating what is happening now | Preserving evidence for legal/compliance |
Elena needs to download a suspicious file from a compromised server for malware analysis. The server is still online but she cannot RDP into it. What should she use?
Tyler wants to understand the exact sequence of events on a compromised developer workstation β what processes ran, what files were created, and what network connections were made. The workstation was isolated 2 hours ago. What tool should he use?
Elena is investigating a compromised payment server at Atlas Bank. The device timeline shows the attack started 3 days ago, but the server was isolated 2 hours ago. She needs to collect a malware binary from C:\\Windows\\Temp\\update.exe for forensic analysis. Which tool should she use and why?
Next up: Device-level investigation is covered. Now letβs examine evidence and entities more deeply β tracing relationships between files, processes, and users across the investigation.