Forum Discussion

PJR_CDF's avatar
PJR_CDF
Iron Contributor
Mar 07, 2023

Audit/Alerting on the use of Live Response

Wondering if/how people are auditing/monitoring the use of Live Response in their environments?   From what I've seen so far, all actions are logged in the Action Center which is great but ideally ...
scsteady's avatar
scsteady
Copper Contributor
Jun 16, 2023

PJR_CDF did you find anything on this  

PJR_CDF's avatar
PJR_CDF
Iron Contributor
Jun 18, 2023
I'm afraid not - the auditing of Live Response use remains a gap for now
  • Kaaamil's avatar
    Kaaamil
    Copper Contributor
    Jun 27, 2023
    That's a shame from microsoft.

    Live response session can be used to abuse network as well ( domain admin creation on DC)
    In article below its explained that Live Reponse API sessions can be audited but not sessions from Defender UI!

    https://www.cloud-architekt.net/abuse-detection-live-response-tier0/

Resources