Forum Discussion
Is it possible to alert on live response session use in Defender for Endpoint?
Live response sessions are logged under the Action Center, but I don't see a way to send alerts when a live response session is initiated.
I looked at events in some of the Device-related tables under Advanced Hunting but I could not identify any events that appeared to match the live response session (or at least not obviously so).
Live response sessions are powerful tools and I want my security team to have access to them, but I also want to make sure multiple people are notified whenever a live response session is used. Burying this data under History in the Action Center is insufficient.
- Rod_Trent (Microsoft)
Once the data is in the Log Analytics workspace for Microsoft Sentinel, this is what I use: https://github.com/rod-trent/SentinelKQL/blob/master/DefenderLiveResponse.txt
This should be a start.
- c4s_h3 (Copper Contributor)
Rod_Trent, I assume the way to get the data into a Log Analytics workspace is via the Streaming API settings under Settings -- Microsoft 365 Defender?
I can run similar queries within the Advanced Hunting section of MDE, but I haven't been able to match Live Response Session activity.