PJR_CDF
Mar 07, 2023, Iron Contributor
Audit/Alerting on the use of Live Response
Wondering if/how people are auditing/monitoring the use of Live Response in their environments? From what I've seen so far, all actions are logged in the Action Center which is great but ideally ...
AndrePKI
Jun 26, 2024, Iron Contributor
jbmartin6 Most notably:
| where InitiatingProcessFileName == "SenseIR.exe"
But it is better to look in the Defender XDR Action Center, History tab.
I did not find a way to automate this yet; perhaps I need to query the Defender API.
jbmartin6
Jun 26, 2024, Iron Contributor
This query returns hundreds of results even over the last hour. Maybe related to automated investigations?