As part of our ongoing effort to deliver industry-leading EDR capabilities across platforms, we are pleased to announce that new live response capabilities for macOS and Linux are now available to public preview customers.
With live response, you can do in-depth investigative work on a device and take immediate response actions to contain identified threats, all in real time.
Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
With live response for macOS and Linux, analysts can do the following tasks:
Along with the new capabilities for macOS and Linux, we are introducing commands unique to these platforms that let you trigger response actions from the live response interface while investigating a device.
Enforce network isolation – Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. This feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.
Collect an investigation package – As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
Run an antivirus scan - As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender Antivirus alerts will reflect any detections that surfaced during the scan.
Check out the following guide to get started with live response on macOS and Linux:
Before you can initiate a session on a machine, make sure you fulfil the following requirements:
Note: Only users with manage security or global admin roles can edit these settings.
Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled through a custom RBAC role.
#!/bin/bash
# Basic connectivity check: send five ICMP echo requests to bing.com.
# The -c option is placed before the host so the command works on both
# Linux (iputils ping) and macOS (BSD ping), which does not accept
# options after the host name.
function test_connection()
{
    ping -c 5 bing.com
}
test_connection
exit 0
#!/bin/bash
# List all sockets on the device, dispatching on the operating system:
# ss is the native socket tool on Linux, netstat on macOS.
function connections()
{
    case $(uname | tr '[:upper:]' '[:lower:]') in
        linux*)
            ss -a
            ;;
        darwin*)
            netstat -an
            ;;
        *)
            echo "unsupported"
            ;;
    esac
}
connections
exit 0
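The same uname dispatch scales to a fuller triage collector. The script below is an added example, not code from the original post or from Microsoft: it gathers the artifacts an analyst typically wants first (processes, listening sockets, logged-in users, and the persistence locations for each platform) into a timestamped directory, hashes every file so the copy pulled off the device can be verified, and never aborts the whole collection because one tool is missing or needs privileges. The output path under /tmp and the artifact list are assumptions; the script can be uploaded to the live response library, started with the `run` command, and the resulting directory retrieved with `getfile`.

```shell
#!/bin/bash
# Added example (not from the original post): cross-platform triage collector
# for a live response session on Linux or macOS. Output path and artifact
# set are assumptions; adjust to what your SOC expects.
set -u

# Normalise uname so one dispatch works on both supported platforms.
platform() {
    case $(uname | tr '[:upper:]' '[:lower:]') in
        linux*)  echo linux ;;
        darwin*) echo darwin ;;
        *)       echo unsupported ;;
    esac
}

# collect <name> <command...>: write stdout+stderr of the command to
# $outdir/<name>.txt. A missing tool or a permission error is recorded in
# the file instead of stopping the collection.
collect() {
    local name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1 || true
    else
        echo "$1: not installed" > "$outdir/$name.txt"
    fi
}

# triage [outdir]: collect the artifacts and print the output directory.
triage() {
    outdir=${1:-/tmp/triage-$(date +%Y%m%d-%H%M%S)}
    mkdir -p "$outdir"
    collect system_info uname -a
    collect processes   ps aux
    collect logged_in   who
    case $(platform) in
        linux)
            collect listening_sockets ss -tulpn
            collect cron_root         cat /etc/crontab
            collect cron_d            ls -la /etc/cron.d
            collect systemd_enabled   systemctl list-unit-files --type=service --state=enabled
            ;;
        darwin)
            collect listening_sockets lsof -nP -iTCP -sTCP:LISTEN
            collect launch_daemons    ls -la /Library/LaunchDaemons /Library/LaunchAgents
            collect user_agents       ls -la "$HOME/Library/LaunchAgents"
            collect launchd_jobs      launchctl list
            ;;
        *)
            echo "unsupported platform" > "$outdir/error.txt"
            return 1
            ;;
    esac
    # Hash every artifact so integrity can be checked after retrieval
    # (sha256sum on Linux, shasum on macOS).
    ( cd "$outdir" && if command -v sha256sum >/dev/null 2>&1; then
          sha256sum ./*.txt; else shasum -a 256 ./*.txt; fi ) \
        > "$outdir/SHA256SUMS" 2>/dev/null || true
    echo "$outdir"
}

triage "$@"
```

Each artifact lands in its own file, so a reviewer can diff `listening_sockets.txt` against a known-good baseline, and `SHA256SUMS` lets the analyst prove the copy examined off-device matches what was collected during the session.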
Note – Currently, the following steps are only applicable to macOS devices.
Important – When isolating a device, only certain processes and destinations are allowed. Therefore, devices that are behind a full VPN tunnel won't be able to reach the Microsoft Defender for Endpoint cloud service after the device is isolated.
We recommend using a split-tunneling VPN for Microsoft Defender for Endpoint and Microsoft Defender Antivirus cloud-based protection-related traffic.
Congrats – you've initiated a live response session and performed basic remediation!
We’ve demonstrated how you can initiate a live response session and perform basic remediation, query device assets using a Bash script, and take response actions to contain identified threats.
This tutorial emphasizes the typical scenarios and commands that would be useful when an in-depth investigation and remediation is needed on a compromised device.
We hope you enjoyed this tutorial and are now encouraged to explore live response as well as other features and capabilities. For more information, read the product guide at docs.microsoft.com.
We welcome your feedback and look forward to hearing from you! You can submit feedback through the Microsoft Defender Security Center or through the Microsoft 365 security center. Let us know how you feel about this tutorial or any other aspects of the product. We would love to hear your ideas about additional simulations and tutorials. Thank you!
Keep an eye on our blog and Twitter channel to stay up to date on additional Microsoft Defender for Endpoint advancements.
Microsoft Defender for Endpoint is an industry leading, cloud ML powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.