Forum Discussion
PJR_CDF
Mar 07, 2023 Iron Contributor
Audit/Alerting on the use of Live Response
Wondering if/how people are auditing/monitoring the use of Live Response in their environments? From what I've seen so far, all actions are logged in the Action Center which is great but ideally ...
jbmartin6
Mar 08, 2023 Iron Contributor
Check in the DeviceEvents table. I know there are events in there for entering/leaving troubleshooting mode; there might be the same kind of events for Live Response actions.
PJR_CDF
Mar 09, 2023 Iron Contributor
Thanks for your reply.
I've pulled the content of the DeviceEvents table for a machine I ran Live Response on and can see entries for the script I ran via Live Response. Looking at the events either side of these shows some interesting RemoteWMI events which contain the word "connection" in the additional fields, but nothing unique to Live Response - i.e. I queried across my tenant for those same events and got thousands of results from thousands of machines which didn't have Live Response sessions on.
The search continues...
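The two-step hunt described above (locate the Live Response script run on one device, then test whether the neighbouring RemoteWMI "connection" events are actually unique to Live Response) as added advanced-hunting KQL, not code from the original post. The device name and time window are placeholders; the column names are the standard DeviceEvents schema.

```kql
// Added example, not from the original thread. Run each query separately.
// Placeholders (assumptions): replace TargetDevice and the window with the
// device and period of your own Live Response session.
let TargetDevice = "<device-name>";
let WindowStart  = datetime(2023-03-08 00:00:00);
let WindowEnd    = datetime(2023-03-09 00:00:00);
// 1. Everything DeviceEvents recorded for that device in the window, ordered
//    in time, so the Live Response script execution can be found and the
//    events either side of it inspected (ActionType and AdditionalFields).
DeviceEvents
| where Timestamp between (WindowStart .. WindowEnd)
| where DeviceName =~ TargetDevice
| project Timestamp, ActionType, FileName, InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp asc

// 2. Uniqueness check for a candidate signal: count tenant-wide how many
//    devices emit RemoteWMI events whose AdditionalFields mention "connection".
//    If thousands of devices with no Live Response session appear, the event
//    is background noise and not a usable Live Response indicator.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType contains "RemoteWmi"
| where AdditionalFields has "connection"
| summarize Events = count(), Devices = dcount(DeviceId) by ActionType
| order by Devices desc
```

The second query is the one that turns a suspicious-looking event into a yes/no answer: a candidate is only worth alerting on if its device count roughly matches the devices you actually ran Live Response against.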
PJR_CDF
Jun 18, 2023 Iron Contributor
I'm afraid not - the auditing of Live Response use remains a gap for now
Kaaamil
Jun 27, 2023 Copper Contributor
That's a shame from Microsoft.
Live Response sessions can be used to abuse the network as well (domain admin creation on a DC).
In the article below it's explained that Live Response API sessions can be audited, but not sessions from the Defender UI!
https://www.cloud-architekt.net/abuse-detection-live-response-tier0/