Audit/Alerting on the use of Live Response

Iron Contributor

Wondering if/how people are auditing/monitoring the use of Live Response in their environments?

 

From what I've seen so far, all actions are logged in the Action Center which is great but ideally I would like to access the detail the Action Center contains via an API/Alerting mechanism to generate alerts/email notifications when a user triggers a Live Response session and raise information events in Sentinel to allow realtime (or near realtime) alerting.

 

I've had a cursory look this morning and can see some LiveResponse info is written to the MachineActions area of the Endpoint API - is this the only option?

 

I can also see that Live Response actions can be searched for in the Audit Log in the Security portal, but based on my brief tests this morning in my demo tenant, dont appear to return my test Live Response sessions in the results?

 

The Action Center contains the info I need, so is clearly logged somewhere, but how best to access it??

 

Anyone else addressed this challenge?

 

Thanks

Paul

9 Replies

Check in the DeviceEvents table, I know there are events in there for entering/leaving troubleshooting mode, there might be same kind of events for live response actions. 

Thanks for your reply.

I've pulled the content of the DeviceEvents table for a machine I ran Live Response on and can see entries for the script I ran via Live Response. Looking at the events either side of these shows some interesting RemoteWMI events which contain the word "connection" in the additional fields but nothing unique to Live Response - ie I queried across my tenant for those same events and got thousands of results from thousands of machines which didnt have Live Response sessions on.

The search continues........

@PJR_CDF did you find anything on this  

I'm afraid not - the auditing of Live Response use remains a gap for now
That's a shame from microsoft.

Live response session can be used to abuse network as well ( domain admin creation on DC)
In article below its explained that Live Reponse API sessions can be audited but not sessions from Defender UI!

https://www.cloud-architekt.net/abuse-detection-live-response-tier0/

Maybe the local Windows log Applications/Microsoft/Windows/SenseIR can help. It logs when SenseIR is executed, as well as the powershell script runner. Not much detail beyond that but at least you can see when IR actions are run.

@jbmartin6 Most notably

 | where InitiatingProcessFileName == "SenseIR.exe"

But better look in  Defender XDR Action Center, History tab

I did not find a way to automate this yet, perhaps need to query the defender API.

This query returns hundreds of results even over the last hour. Maybe related to automated investigations?

Nope, cannot be queried from Defender API.
We would like to be able to stream this data to Sentinel/Defender XDR, so we can alert on it.
I will put in a feature request for that.