Microsoft Defender for Endpoints Live Response

Microsoft Defender for Endpoints provides many tasks that you can perform on a machine to investigate and remediate risks. Of those tasks, Live Response can be one of the most powerful tools. Live Response is a MDE EDR capability that provides a security team immediate remote console access to a device. This provides the ability to perform in-depth investigative analysis on a potentially infected device. With Live response, you can hunt for malicious activities and files, collect those files for analysis, run scripts, and remediate threats all remotely. Live response can also be combined with device isolation to truly cut off the potential attack. Let us look at the requirements and tasks that you can perform with Live Response. 

Requirements

  • Devices must be running Windows 10 1709 or later
  • Make sure to install appropriate security updates.
  • Enable Live Response in Settings > Advanced Features page
  • Devices require an Automation Remediation level (Semi or Full)
  • Sufficient permissions to run Live Response Console
    • Global or Security Administrator
    • Custom RBAC group with Live response capabilities (Basic or Advanced) 

Live Response Commands

There are two levels of capabilities, Basic and Advanced.

  • Basic commands allow you to do the following tasks:
    • Start a live response session
    • Perform read only live response commands

 

  • Advanced commands allow you to do the following tasks. Users must still be assigned Basic rights to perform Basic commands:
    • Upload\Download a file
    • View\Execute a script from the files library
    • Remediate commands
Basic Commands

Basic rights allow for admins to run the following commands:

Live Response Capabilities

Creating a Live Response Session

When you want to start a Live Response Session, head over to the Machine details page. Look in the top menu bar for the list of actions or select the ellipsis (…) menu for more options. Select Initiate Live Response Session. This will open a console window within your web browser and make a remote console connection to the machine.

Once you have a session created, you can begin running any commands based on level of permissions.

Live Response Library

If you need to upload a script file to perform actions, select Upload file to library and select your file and any parameters required. This option is greyed out if you do not have enough permissions.

Live Response File Download

You can download any file from the remote machine to your machine. You can also pipe (>) output to any file that will allow download the output.

Live Response Analyze & Remediate

You can also analyze and remediate files directly on the remote machine. In this example, I analyzed a specific file for threats and then ran a remediate command, which deleted it from the local machine. Both commands provides output details related to the file and action taken.

Live Response Logs

All actions are logged in the Command Log as well as the Action Center History.

In the Action Center, you can go back to a read-only console to review commands run and output.

Limitations

Per Microsoft, these are currently the limitations with Live Response:

  • Live response sessions are limited to 10 live response sessions at a time.
  • Large-scale command execution is not supported.
  • A user can only initiate one session at a time.
  • A device can only be in one session at a time.
  • The following file size limits apply:
    • getfile limit: 3 GB
    • fileinfo limit: 10 GB
    • library limit: 250 MB

eGroup | Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. Contact our team of experts today for assistance!

Last updated on July 28th, 2023 at 04:27 pm