Event details
During Microsoft Secure you learned about the latest innovations around Microsoft's SIEM and XDR solution. Join this Ask Microsoft Anything (AMA) session to get your questions about Microsoft Sentine...
Trevor_Rusher
Updated Dec 27, 2024
TobyMcG
Mar 31, 2023 (Copper Contributor)
Apologies for the lack of formatting. I promise I used spaces and paragraphs, but the text boxes here didn't appreciate that effort.
Thanks for taking the time to read through my submissions below.
One final point would be possible feature requests:
Better logging of Live Response activations and channel destruction in M365 Defender. I see there is "connect" logging now but no destruction logging yet.
On the Windows Event Logging on the host, both AIR and Live Response use the same commands when launching SenseIR.exe with the argument "OnlineSenseIR" (as opposed to Threat Hunting, which uses "OfflineSenseIR"). Could AIR and LR be split out so that we can alert on the process argument to detect each individually? This includes SenseIR.exe "OnlineSenseIR" being abused by Device Discovery.
Thanks again everyone!
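As an added illustration (not part of TobyMcG's post, and not Microsoft tooling or any of its schemas), the following Python shows the only split the post says is available today on host process-creation telemetry: SenseIR.exe launched with "OfflineSenseIR" (Threat Hunting) versus "OnlineSenseIR", which the post states is shared by AIR and Live Response and therefore can only be labelled as one combined bucket. The flattened key=value record format, the field names (Host, Image, CommandLine) and the host names are assumptions; the sample lines are constructed, not real events.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real telemetry): process-creation events
# flattened by a hypothetical collector into key=value pairs, with the
# CommandLine field quoted. Field names are an assumption of this example.
SAMPLE_EVENTS = [
    'EventID=4688 Host=WS01 Image=SenseIR.exe CommandLine="SenseIR.exe OnlineSenseIR"',
    'EventID=4688 Host=WS02 Image=SenseIR.exe CommandLine="SenseIR.exe OfflineSenseIR"',
    'EventID=4688 Host=WS03 Image=notepad.exe CommandLine="notepad.exe C:\\notes.txt"',
    'EventID=4688 Host=WS04 Image=senseir.exe CommandLine="senseir.exe --help"',
]

# key=value or key="quoted value with spaces"
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Mode argument -> label. "OnlineSenseIR" is deliberately one bucket, because
# the post says AIR and Live Response both launch SenseIR.exe with it.
MODE_LABELS = {
    "onlinesenseir": "AIR-or-LiveResponse",
    "offlinesenseir": "ThreatHunting",
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def classify_senseir(fields: Dict[str, str]) -> Optional[str]:
    """Return a label for SenseIR.exe launches, or None for other processes."""
    image = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image != "senseir.exe":
        return None
    # Arguments after the executable token, compared case-insensitively.
    args = {a.lower() for a in fields.get("CommandLine", "").split()[1:]}
    for mode, label in MODE_LABELS.items():
        if mode in args:
            return label
    # SenseIR.exe started without a recognised mode argument is worth a look.
    return "SenseIR-unknown-mode"


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, label) for every SenseIR.exe launch in the input."""
    results: List[Tuple[str, str]] = []
    for line in lines:
        fields = parse_event(line)
        label = classify_senseir(fields)
        if label is not None:
            results.append((fields.get("Host", "?"), label))
    return results


if __name__ == "__main__":
    for host, label in triage(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Because the Online bucket cannot be split on the argument alone, an alert built this way would need to be correlated with the Live Response "connect" logging the post mentions to separate an analyst session from an AIR run.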
Ed Fisher
Microsoft
Apr 13, 2023
That's really a limit of this Q&A format. My apologies for not being able to fully address many of your questions below. Your account team and CSAM can help you to get more detailed answers to your questions (the answers to many of which will likely generate more questions....) so please do reach out to them for this. They can reach out to the PG for more detail if needed.