Question 4:
You are a SOC Analyst at a company, XYZ, that has implemented Microsoft Defender for Endpoint. You are assigned an incident with alerts related to a suspicious PowerShell command line. You start by going through the incident and reviewing all the related alerts, devices, and evidence. You open the alert page to evaluate the alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensic information using a custom .ps1 script. Which type of information is gathered in an Investigation package?
Answer options:
A. Prefetch Files
B. Network transactions
C. Command History
D. Process History