In Microsoft Defender for Endpoint (MDE), "Collect investigation package" is a high-impact response action that allows security analysts to remotely gather forensic data from a compromised or suspicious device. This package provides a point-in-time snapshot of the system's state, helping you identify the tools and techniques used by an attacker without needing direct physical or RDP access to the machine.

How to Download an MDE Investigation Package

You can initiate and download the package directly from the Microsoft Defender Portal:

Enter a reason for the collection in the text box and select Confirm.

Once the agent finishes gathering data, the zipped package will be available in the Action center for download.

Note: The download may fail if the device is on a metered connection or has a low battery.

What's Inside the Package?

Forensics collection summary showing the commands run to collect the data.

Firewall status and EFI integrity (macOS specific).

Comparison: Investigation Package vs. Client Analyzer