
Task 03: Endpoint isolate and collect triage bundle


Security Architecture Team

  1. Approve device isolation on the Windows VM.

    Used when lateral movement or credential theft is suspected.

  2. For lab purposes, the Engineer should limit isolation approval to the Windows VM only.

    In real-world scenarios, document the approved list of VMs to be isolated before any isolation action is taken.


Security Engineering and Administration

  1. Open Edge to your security.microsoft.com tab.

  2. In the leftmost pane, go to Assets > Devices.

  3. Select the text for winvm-mde to open the device page.

  4. In the upper-right corner of the page, select the ellipsis, then select Isolate Device.


  5. In the dialog, select the checkbox for Allow Outlook, Teams and Skype….

  6. Under Comment, enter Isolate Device, then select Confirm.

    If you shut down winvm-mde, it will need to be started for this to complete.

  7. Close the flyout pane.


SOC Analyst

  1. In your regular Microsoft Edge window, go back to the Defender XDR portal tab.

  2. In the leftmost pane, go to Investigation & response > Actions & submissions > Action center.

  3. Select the History tab to see the Isolate device action type.
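The same two steps, the Engineer's isolation (steps 4 to 6 above) and the Analyst's Action center history check, can be driven through the Microsoft Defender for Endpoint REST API instead of the portal. The following is an added example and not part of the lab: it builds the `POST /machines/{id}/isolate` request (where "Selective" isolation corresponds to the Allow Outlook, Teams and Skype checkbox and "Full" to leaving it clear), refuses any device outside the approved list from the Security Architecture section, and then reads the resulting `Isolate` actions back from `GET /machineactions`. The bearer token, the device id `machine-id-winvm-mde`, and the `fake_send` transport are constructed placeholders so the block runs offline; against a real tenant you would replace `fake_send` with an HTTP client holding a token that carries the Machine.Isolate and Machine.Read.All permissions.

```python
"""Isolate a device and read the action history through the Defender for
Endpoint API. Added example (not the lab's own material); token, device id
and transport are constructed placeholders so it runs offline."""
import json
from typing import Callable, Dict, List, Set, Tuple

API_BASE = "https://api.securitycenter.microsoft.com/api"

# send(method, url, headers, body) -> (http_status, parsed_json_body)
Send = Callable[[str, str, Dict[str, str], Dict], Tuple[int, Dict]]


def _headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def build_isolate_request(machine_id: str, comment: str, allow_collab_apps: bool) -> Dict:
    """URL and JSON body for POST /machines/{id}/isolate.

    "Selective" keeps Outlook, Teams and Skype reachable (the step 5 checkbox);
    "Full" blocks everything except the Defender service channel.
    """
    if not comment.strip():
        raise ValueError("a comment is required; the Action center records it as the justification")
    return {
        "url": f"{API_BASE}/machines/{machine_id}/isolate",
        "body": {"Comment": comment,
                 "IsolationType": "Selective" if allow_collab_apps else "Full"},
    }


def isolate_device(send: Send, token: str, machine_id: str, comment: str,
                   approved_ids: Set[str], allow_collab_apps: bool = True) -> Dict:
    """Isolate one device, refusing anything outside the documented approval scope."""
    if machine_id not in approved_ids:
        raise PermissionError(f"{machine_id} is not on the approved isolation list")
    req = build_isolate_request(machine_id, comment, allow_collab_apps)
    status, action = send("POST", req["url"], _headers(token), req["body"])
    if status not in (200, 201):
        raise RuntimeError(f"isolate failed with HTTP {status}: {action}")
    return action  # a MachineAction resource (type, status, machineId, ...)


def isolation_history(send: Send, token: str) -> List[Dict]:
    """API equivalent of the Action center History tab filtered to Isolate actions."""
    url = f"{API_BASE}/machineactions?$filter=type eq 'Isolate'"
    status, page = send("GET", url, _headers(token), {})
    if status != 200:
        raise RuntimeError(f"history query failed with HTTP {status}")
    return [a for a in page.get("value", []) if a.get("type") == "Isolate"]


# --- constructed offline transport standing in for the real API -------------
_ACTIONS: List[Dict] = []


def fake_send(method: str, url: str, headers: Dict[str, str], body: Dict) -> Tuple[int, Dict]:
    """Records isolate requests and answers history queries from that record."""
    assert headers["Authorization"].startswith("Bearer ")
    if method == "POST" and url.endswith("/isolate"):
        machine_id = url.rsplit("/", 2)[-2]
        action = {  # shape of a MachineAction resource; values are constructed
            "id": f"action-{len(_ACTIONS) + 1}",
            "type": "Isolate",
            "status": "Pending",
            "machineId": machine_id,
            "computerDnsName": "winvm-mde",
            "requestorComment": body["Comment"],
        }
        _ACTIONS.append(action)
        return 201, action
    if method == "GET" and "/machineactions" in url:
        return 200, {"value": list(_ACTIONS)}
    return 404, {"error": "unexpected request"}


def demo() -> List[Dict]:
    """Run the lab flow offline: isolate the one approved VM, then read history."""
    approved = {"machine-id-winvm-mde"}  # placeholder id, not taken from the page
    action = isolate_device(fake_send, "dummy-token", "machine-id-winvm-mde",
                            "Isolate Device", approved)
    assert action["requestorComment"] == "Isolate Device"
    return isolation_history(fake_send, "dummy-token")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The approved-list check in `isolate_device` is the programmatic form of the Architecture team's instruction to restrict isolation to the Windows VM: an automation that calls the isolate endpoint should carry that scope as data, not rely on the operator remembering it.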