Mar 07 2023 05:52 AM
Wondering if/how people are auditing/monitoring the use of Live Response in their environments?
From what I've seen so far, all actions are logged in the Action Center which is great but ideally I would like to access the detail the Action Center contains via an API/Alerting mechanism to generate alerts/email notifications when a user triggers a Live Response session and raise information events in Sentinel to allow realtime (or near realtime) alerting.
I've had a cursory look this morning and can see some LiveResponse info is written to the MachineActions area of the Endpoint API - is this the only option?
I can also see that Live Response actions can be searched for in the Audit Log in the Security portal, but based on my brief tests this morning in my demo tenant, they don't appear to return my test Live Response sessions in the results?
The Action Center contains the info I need, so it is clearly logged somewhere, but how best to access it?
Anyone else addressed this challenge?
Thanks
Paul
Mar 08 2023 06:41 AM
Check in the DeviceEvents table. I know there are events in there for entering/leaving troubleshooting mode; there might be the same kind of events for Live Response actions.
Jun 16 2023 10:15 AM
@PJR_CDF did you find anything on this
Jun 26 2024 01:48 AM
@jbmartin6 Most notably
| where InitiatingProcessFileName == "SenseIR.exe"
But better to look in the Defender XDR Action Center, History tab.
I did not find a way to automate this yet, perhaps need to query the defender API.
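As an added example that is not part of this thread, here is an Advanced Hunting / Sentinel query built around the SenseIR.exe filter above, suitable as the basis of a scheduled analytics rule. It assumes the standard DeviceEvents and DeviceProcessEvents schemas from the Defender for Endpoint connector and that Live Response activity runs under SenseIR.exe, as the post states.

```kql
// Added example (not from the thread): surface Live Response activity for alerting.
// Assumption: the Live Response agent is SenseIR.exe and spawns/initiates the
// telemetry for the commands an analyst runs in the session.
let lookback = 1h;
// Processes started by the Live Response agent (e.g. the "run" command)
let lrProcesses = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "SenseIR.exe"
    | project Timestamp, DeviceId, DeviceName, ActionType, FileName,
              ProcessCommandLine, InitiatingProcessAccountName, ReportId;
// Other telemetry attributed to the agent (file access for getfile/putfile, etc.)
let lrEvents = DeviceEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "SenseIR.exe"
    | project Timestamp, DeviceId, DeviceName, ActionType, FileName,
              ProcessCommandLine = InitiatingProcessCommandLine,
              InitiatingProcessAccountName, ReportId;
union lrProcesses, lrEvents
// Collapse to one row per device and hourly window so one alert covers a session
| summarize SessionStart = min(Timestamp),
            SessionEnd   = max(Timestamp),
            Actions      = make_set(ActionType, 20),
            Files        = make_set(FileName, 20),
            CommandLines = make_set(ProcessCommandLine, 20),
            EventCount   = count()
          by DeviceId, DeviceName, InitiatingProcessAccountName, bin(Timestamp, lookback)
| order by SessionStart desc
```

Mapping DeviceName to the Host entity and InitiatingProcessAccountName to the Account entity in the analytics rule gives Sentinel incidents that name the device and the operator of the session.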
Jul 29 2024 06:19 AM
Nope, cannot be queried from Defender API.
We would like to be able to stream this data to Sentinel/Defender XDR, so we can alert on it.
I will put in a feature request for that.