Conducting a thorough forensic investigation of compromised machines is integral to incident response. However, it can be a challenging task because it requires the device to be in the corporate network and for additional software to be deployed, or for SecOps to have physical access to the device.
In the modern workplace, employees often work beyond the corporate network boundary, at their homes or while traveling, where the risk for compromise is potentially higher. If, for example, an executive connects her laptop to a hotel wi-fi and is compromised, SecOps may be forced to wait until the executive is back in the office, leaving her high-value laptop exposed.
That changes today, with the public preview of live response capabilities in Microsoft Defender ATP. Live response gives SecOps instantaneous access to a compromised machine regardless of location using a remote shell and gather any required forensic information.
This powerful feature allows you to:
A few examples:
We know you’ll ask: This feature is very powerful; can I grant the access for senior SOC members?
Of course. There are two roles that can be granted access to live response using RBAC, allowing users to run basic commands, or advanced commands like PowerShell scripts or binary tools, download files, etc.
Furthermore, all live response commands are audited and recorded into the Action center, where remediation actions can be undone, if applicable (for example, remove a file from quarantine).
Microsoft Defender ATP team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.