Forum Discussion

Copper Contributor

Aug 18, 2022

Is it possible to alert on live response session use in Defender for Endpoint?

Live response sessions are logged under the Action Center, but I don't see a way to send alerts when a live response session is initiated. I looked at events in some of the Device-related tables ...

Rod_Trent

Microsoft

Aug 18, 2022

Once the data is in the Log Analytics workspace for Microsoft Sentinel, this is what I use: https://github.com/rod-trent/SentinelKQL/blob/master/DefenderLiveResponse.txt

This should be a start.

c4s_h3
Copper Contributor
Aug 19, 2022
Rod_TrentI assume the way to get the data into a Log Analytics workspace is via the Streaming API settings under Settings -- Microsoft 365 Defender?

I can run similar queries within the Advanced Hunting section of MDE, but I haven't been able to match Live Response Session activity.