Microsoft Defender Advanced Threat Protection – Respond Actions Events

Hey there, to be honest I had some difficulties finding the right title for today's blog post, so if you are still wondering, here's what this is all about. A customer asked me: "How can we see what MDATP response actions were taken on a particular machine, both from a console and from a client perspective?" At the time of writing this blog post, the following machine response actions, each of which triggers a remote action, are available for MDATP-managed devices:

  • Initiate Automated Investigation
  • Initiate Live Response Session
  • Collect investigation package
  • Run antivirus scan
  • Restrict app execution
  • Isolate machine

Console View

To see the response actions that were taken on a machine, go to the machine detail page, select the Timeline option, set the time range and then set the filter to Response Action Event. You will then see all the response action events for that machine.

Client View

Okay, now let's have a look at the client itself. Here we look at the Windows event log provider for Microsoft Defender Advanced Threat Protection, which is Microsoft-Windows-SENSE. The relevant events are:

  Event ID   Description
  59         Starting command:
  60         Failed to run command:
  71         Succeeded to run command:

So if we now pull just these events from the MDATP event log, we see all the individual actions.

The mapping of the response actions to the event message is as follows:

  Console Response Action           Event Message
  Initiate automated investigation  remediationcommand
  Initiate live response session    incidentresponsecommand
  Collect investigation package     forensicscollectioncommand
  Run antivirus scan                scancommand
  Restrict app execution            Restrictexecutioncommand / unrestrictexecutioncommand
  Isolate machine                   Isolationcommand / unisolationcommand
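To turn the two tables above into something you can actually run on a client, here is an added PowerShell example (my own, not part of the original post or of the product). It pulls event IDs 59, 60 and 71 from the SENSE event log and maps the command name found in each message to the console response action listed above. It assumes the log name Microsoft-Windows-SENSE/Operational (the post only names the provider) and that the command names appear verbatim in the event message text.

```powershell
# Added example, not from the original post: list MDATP response-action events on
# the local machine and map each command to the console action that triggered it.
# Assumptions: the SENSE provider writes to 'Microsoft-Windows-SENSE/Operational',
# and the command names from the post appear in the event message text.

# Command name (as seen in the event message) -> console response action.
# The "un" variants are the reverse operation of the same console action.
$actionMap = @{
    'remediationcommand'         = 'Initiate automated investigation'
    'incidentresponsecommand'    = 'Initiate live response session'
    'forensicscollectioncommand' = 'Collect investigation package'
    'scancommand'                = 'Run antivirus scan'
    'restrictexecutioncommand'   = 'Restrict app execution'
    'unrestrictexecutioncommand' = 'Restrict app execution (remove restriction)'
    'isolationcommand'           = 'Isolate machine'
    'unisolationcommand'         = 'Isolate machine (release from isolation)'
}

# Event IDs from the post: 59 = Starting command, 60 = Failed, 71 = Succeeded.
$outcome = @{ 59 = 'Started'; 60 = 'Failed'; 71 = 'Succeeded' }

# Longest names first, so 'isolationcommand' does not match inside 'unisolationcommand'.
$knownCommands = $actionMap.Keys | Sort-Object Length -Descending

$filter = @{
    LogName   = 'Microsoft-Windows-SENSE/Operational'   # assumed log name
    Id        = 59, 60, 71
    StartTime = (Get-Date).AddDays(-7)                  # adjust the time range as needed
}

# Get-WinEvent throws when no matching events exist; SilentlyContinue yields an empty list instead.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $msg = $_.Message
        # First known command name that occurs in the message text (case-insensitive).
        $cmd = $knownCommands | Where-Object { $msg -imatch $_ } | Select-Object -First 1
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = $outcome[[int]$_.Id]
            Command = $cmd
            Action  = if ($cmd) { $actionMap[$cmd] } else { 'Other / unknown command' }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the onboarded machine; reading the SENSE operational log requires administrative rights. Pairing a 59 event with the following 71 or 60 event for the same command gives you start, outcome and duration of each response action, which is exactly what the console timeline shows from the other side.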

That's it for today, I hope you enjoyed reading.

Alex

6 Replies to “Microsoft Defender Advanced Threat Protection – Respond Actions Events”

  1. thanks! Nice writeup.
    As “live response” actions have the highest risk for abuse we’d like deep auditing of those actions. However, I can’t seem to find the specific commands that were executed during a live response session. I only find that a “LiveResponseCommand” command was executed but no specifics.
    e.g. I’d like to know when an administrator executed a getfile command.
    Would those actions be logged somewhere?

  2. In the MSDATP console, you can find a detailed list of all Live Response actions under “action center” as well.
