Forum Discussion
Audit/Alerting on the use of Live Response
Wondering if/how people are auditing/monitoring the use of Live Response in their environments?
From what I've seen so far, all actions are logged in the Action Center which is great but ideally I would like to access the detail the Action Center contains via an API/Alerting mechanism to generate alerts/email notifications when a user triggers a Live Response session and raise information events in Sentinel to allow realtime (or near realtime) alerting.
I've had a cursory look this morning and can see some LiveResponse info is written to the MachineActions area of the Endpoint API - is this the only option?
I can also see that Live Response actions can be searched for in the Audit Log in the Security portal, but based on my brief tests this morning in my demo tenant, dont appear to return my test Live Response sessions in the results?
The Action Center contains the info I need, so is clearly logged somewhere, but how best to access it??
Anyone else addressed this challenge?
Thanks
Paul
- jbmartin6Iron Contributor
Check in the DeviceEvents table, I know there are events in there for entering/leaving troubleshooting mode, there might be same kind of events for live response actions.
- PJR_CDFIron ContributorThanks for your reply.
I've pulled the content of the DeviceEvents table for a machine I ran Live Response on and can see entries for the script I ran via Live Response. Looking at the events either side of these shows some interesting RemoteWMI events which contain the word "connection" in the additional fields but nothing unique to Live Response - ie I queried across my tenant for those same events and got thousands of results from thousands of machines which didnt have Live Response sessions on.
The search continues........ - AndrePKIIron Contributor
jbmartin6 Most notably
| where InitiatingProcessFileName == "SenseIR.exe"
But better look in Defender XDR Action Center, History tab
I did not find a way to automate this yet, perhaps need to query the defender API.
- jbmartin6Iron ContributorThis query returns hundreds of results even over the last hour. Maybe related to automated investigations?
- jbmartin6Iron ContributorMaybe the local Windows log Applications/Microsoft/Windows/SenseIR can help. It logs when SenseIR is executed, as well as the powershell script runner. Not much detail beyond that but at least you can see when IR actions are run.