PJR_CDF
Iron Contributor
Mar 07, 2023

Audit/Alerting on the use of Live Response

Wondering if/how people are auditing/monitoring the use of Live Response in their environments?

From what I've seen so far, all actions are logged in the Action Center which is great but ideally I would like to access the detail the Action Center contains via an API/Alerting mechanism to generate alerts/email notifications when a user triggers a Live Response session and raise information events in Sentinel to allow realtime (or near realtime) alerting.

I've had a cursory look this morning and can see some LiveResponse info is written to the MachineActions area of the Endpoint API - is this the only option?

I can also see that Live Response actions can be searched for in the Audit Log in the Security portal, but based on my brief tests this morning in my demo tenant, they don't appear to return my test Live Response sessions in the results?

The Action Center contains the info I need, so it is clearly logged somewhere, but how best to access it?

Anyone else addressed this challenge?

Thanks

Paul

  • jbmartin6
    Iron Contributor

    Check in the DeviceEvents table, I know there are events in there for entering/leaving troubleshooting mode, there might be same kind of events for live response actions. 

    • PJR_CDF
      Iron Contributor
      Thanks for your reply.

      I've pulled the content of the DeviceEvents table for a machine I ran Live Response on and can see entries for the script I ran via Live Response. Looking at the events either side of these shows some interesting RemoteWMI events which contain the word "connection" in the additional fields but nothing unique to Live Response, i.e. I queried across my tenant for those same events and got thousands of results from thousands of machines which didn't have Live Response sessions on.

      The search continues...
      • jbmartin6
        Iron Contributor
        This query returns hundreds of results even over the last hour. Maybe related to automated investigations?
  • jbmartin6
    Iron Contributor
    Maybe the local Windows log Applications/Microsoft/Windows/SenseIR can help. It logs when SenseIR is executed, as well as the PowerShell script runner. Not much detail beyond that but at least you can see when IR actions are run.
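As an added example that is not from any poster in this thread: a small Python poller that turns the MachineActions API output mentioned in the original post into per-session alerts (the kind of feed one could forward to email or Sentinel). The endpoint URL, the action type value "LiveResponse" and the field names are assumptions, and the sample response is constructed; only the filtering and de-duplication logic is shown, the HTTP call with a bearer token is left to the reader.

```python
"""Turn Defender for Endpoint MachineActions output into Live Response alerts."""
import json
from datetime import datetime, timezone

# Assumptions (not confirmed by the thread): endpoint path, the type value
# "LiveResponse", and the field names used below.
MACHINE_ACTIONS_URL = "https://api.securitycenter.microsoft.com/api/machineactions"
LIVE_RESPONSE_TYPE = "LiveResponse"

# Constructed sample response, shaped like an OData "value" array.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "act-001", "type": "LiveResponse", "requestor": "analyst@example.com",
     "computerDnsName": "ws-01.example.com", "status": "Succeeded",
     "creationDateTimeUtc": "2023-03-07T09:15:00.1234567Z"},
    {"id": "act-002", "type": "RunAntiVirusScan", "requestor": "auto@example.com",
     "computerDnsName": "ws-02.example.com", "status": "Succeeded",
     "creationDateTimeUtc": "2023-03-07T09:20:00Z"},
    {"id": "act-003", "type": "LiveResponse", "requestor": "analyst@example.com",
     "computerDnsName": "ws-03.example.com", "status": "Succeeded",
     "creationDateTimeUtc": "2023-03-06T22:00:00Z"},
]})

def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp, tolerating 7-digit fractional seconds."""
    ts = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def new_live_response_sessions(raw_json: str, seen_ids: set, since: datetime) -> list:
    """Return alert dicts for Live Response actions created after `since` that are
    not yet in `seen_ids`; adds them to `seen_ids` so a repeat poll is idempotent."""
    alerts = []
    for action in json.loads(raw_json).get("value", []):
        if action.get("type") != LIVE_RESPONSE_TYPE or action["id"] in seen_ids:
            continue
        created = parse_utc(action["creationDateTimeUtc"])
        if created <= since:
            continue
        seen_ids.add(action["id"])
        alerts.append({"id": action["id"], "user": action.get("requestor"),
                       "device": action.get("computerDnsName"),
                       "created": created.isoformat(), "status": action.get("status")})
    return alerts

def format_alert(alert: dict) -> str:
    """One-line message suitable for an email body or a Sentinel custom log row."""
    return (f"LiveResponse session {alert['id']} by {alert['user']} "
            f"on {alert['device']} at {alert['created']} ({alert['status']})")

if __name__ == "__main__":
    # A real poller would GET MACHINE_ACTIONS_URL with a bearer token (and could
    # pre-filter with "$filter=type eq 'LiveResponse'"), then call the same function.
    seen: set = set()
    for a in new_live_response_sessions(SAMPLE_RESPONSE, seen, parse_utc("2023-03-07T00:00:00Z")):
        print(format_alert(a))
```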
