Conducting a thorough forensic investigation of compromised machines is integral to incident response. However, it can be a challenging task because it requires the device to be in the corporate network and for additional software to be deployed, or for SecOps to have physical access to the device.
In the modern workplace, employees often work beyond the corporate network boundary, at their homes or while traveling, where the risk for compromise is potentially higher. If, for example, an executive connects her laptop to a hotel wi-fi and is compromised, SecOps may be forced to wait until the executive is back in the office, leaving her high-value laptop exposed.
That changes today, with the public preview of live response capabilities in Microsoft Defender ATP. Live response gives SecOps instantaneous access to a compromised machine, regardless of its location, through a remote shell, and lets them gather any required forensic information from it.
This powerful feature allows you to do the following, among other things:
Run basic commands
Run PowerShell scripts
Run remediation commands
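To make the "run PowerShell scripts" and "gather forensic information" points concrete, here is an added example of a volatile-evidence triage script of the kind SecOps could push to an endpoint through live response. It is not code from the Defender ATP team; the output folder, the fields collected and the "non-Microsoft task" filter are this example's own assumptions.

```powershell
# Added example (not from the Defender ATP team): collect volatile evidence into a
# JSON bundle that can then be retrieved from the machine. Paths and field choices
# are assumptions made for this example.
param(
    [string]$OutDir = "$env:ProgramData\triage"   # assumed collection folder
)
$ErrorActionPreference = 'SilentlyContinue'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Running processes with the SHA-256 of their image, so suspicious binaries
# can be matched against threat intelligence back in the SOC.
$procs = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    [pscustomobject]@{
        Pid    = $_.Id
        Name   = $_.ProcessName
        Path   = $_.Path
        Sha256 = (Get-FileHash -Algorithm SHA256 -Path $_.Path).Hash
        Start  = $_.StartTime
    }
}

# Established TCP connections mapped to the owning process id.
$conns = Get-NetTCPConnection -State Established | ForEach-Object {
    [pscustomobject]@{
        Pid        = $_.OwningProcess
        LocalPort  = $_.LocalPort
        RemoteAddr = $_.RemoteAddress
        RemotePort = $_.RemotePort
    }
}

# Common persistence locations: Run keys and scheduled tasks not authored by Microsoft.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    ForEach-Object { Get-ItemProperty -Path $_ }
$tasks = Get-ScheduledTask | Where-Object { $_.Author -notlike 'Microsoft*' } |
    Select-Object TaskName, TaskPath, Author, State

$bundle = [ordered]@{
    Host        = $env:COMPUTERNAME
    Collected   = (Get-Date).ToUniversalTime().ToString('o')
    Processes   = $procs
    Connections = $conns
    RunKeys     = $runKeys
    Tasks       = $tasks
}
$out = Join-Path $OutDir "triage-$stamp.json"
$bundle | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8
Write-Output "Triage bundle written to $out"
```

The script only reads state and writes one file, so it can be run before any remediation without disturbing the evidence it collects.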
We know you’ll ask: This feature is very powerful; can I restrict access to senior SOC members only?
Of course. There are two roles that can be granted access to live response using RBAC, allowing users to run basic commands, or advanced commands like PowerShell scripts or binary tools, download files, etc.
Furthermore, all live response commands are audited and recorded in the Action center, where remediation actions can be undone where applicable (for example, releasing a file from quarantine).
To learn more, try the live response DIY or read the documentation.
Microsoft Defender ATP team