Microsoft Defender for Endpoints provides many tasks that you can perform on a machine to investigate and remediate risks. Of those tasks, Live Response can be one of the most powerful tools. Live Response is a MDE EDR capability that provides a security team immediate remote console access to a device. This provides the ability to perform in-depth investigative analysis on a potentially infected device. With Live response, you can hunt for malicious activities and files, collect those files for analysis, run scripts, and remediate threats all remotely. Live response can also be combined with device isolation to truly cut off the potential attack. Let us look at the requirements and tasks that you can perform with Live Response.
- Devices must be running Windows 10 1709 or later
- Make sure to install appropriate security updates.
- 1903: KB4515384
- Enable Live Response in Settings > Advanced Features page
- Devices require an Automation Remediation level (Semi or Full)
- Sufficient permissions to run Live Response Console
- Global or Security Administrator
- Custom RBAC group with Live response capabilities (Basic or Advanced)
Live response Commands
There are two levels of capabilities, Basic and Advanced.
- Basiccommands allow you to do the following tasks:
- Start a live response session
- Perform read only live response commands
- Advancedcommands allow you to do the following tasks. Users must still be assigned Basic rights to perform Basic commands:
- Upload\Download a file
- View\Execute a script from the files library
- Remediate commands
Basic rights allow for admins to run the following commands:
Live response Capabilities
Creating a Live Response Session
When you want to start a Live Response Session, head over to the Machine details page. Look in the top menu bar for the list of actions or select the ellipsis (…) menu for more options. Select Initiate Live Response Session. This will open a console window within your web browser and make a remote console connection to the machine.
Once you have a session created, you can begin running any commands based on level of permissions.
Live Response Library
If you need to upload a script file to perform actions, select Upload file to library and select your file and any parameters required. This option is greyed out if you do not have enough permissions.
Live Response File Download
You can download any file from the remote machine to your machine. You can also pipe (>) output to any file that will allow download the output
Live Response Analyze and Remediate
You can also analyze and remediate files directly on the remote machine. In this example, I analyzed a specific file for threats and then ran a remediate command, which deleted it from the local machine. Both commands provides output details related to the file and action taken.
Live Response Logs
All actions are logged in the Command Log as well as the Action Center History.
In the Action Center, you can go back to a read-only console to review commands run and output.
Per Microsoft, these are currently the limitations with Live Response
- Live response sessions are limited to 10 live response sessions at a time.
- Large-scale command execution is not supported.
- A user can only initiate one session at a time.
- A device can only be in one session at a time.
- The following file size limits apply:
- getfile limit: 3 GB
- fileinfo limit: 10 GB
- library limit: 250 MB
Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.