Live Response is a powerful capability that provides remote access to endpoints. All Live Response sessions and commands should be closely monitored.

Pay special attention to the create process, kill, and put file commands. Some SOCs fire an alert whenever a Live Response session is initiated.

The following search lists each endpoint and user combination together with the actions, commands, and details of each session.

eventtype="vmware_cbc_auditlogs" description="*liveresponse*"
| eval description = replace(description, "[\r\n]","")
| rex field=description "LiveResponse\s+(?<device_name>[^\|]+)\|Action\s+(?<action>[^\|]+)\|URL\s+/live\-response\?deviceID=(?<device_id>\d+)\|(Details\s+(?<details>.*))?"
| rex field=details "\"name\": \"(?<command>[^\"]+)\""
| iplocation src
| eval location = case(Region = "", Country, City = "", Region + ", " + Country, 1=1, City + ", " + Region + ", " + Country)
| stats
  values(action) as actions,
  values(command) as commands,
  values(details) as details,
  values(location) as locations
  by device_id, device_name, src, location, user

Query results to monitor Live Response sessions
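As an added example (not code from the original page, nor from VMware or Splunk), the Python below reproduces what the search does outside Splunk: it applies the same description-field pattern, pulls the command name out of the Details JSON (falling back to the rex-style match when the JSON is truncated), groups events per device/user session the way the stats clause does, and adds the two checks the text recommends: an alert for the create process, kill and put file commands, and a lower-severity note for every session start. The audit events, device names, addresses, user names and action wording are constructed assumptions, and the iplocation step is omitted because it needs a GeoIP database.

```python
import json
import re
from collections import defaultdict
from typing import Optional

# Mirrors the rex in the Splunk search. Python uses (?P<name>...) for named groups, and the
# "|Details ..." tail is optional as a whole so a session-start line without details still parses.
DESCRIPTION_RE = re.compile(
    r"LiveResponse\s+(?P<device_name>[^|]+)\|Action\s+(?P<action>[^|]+)"
    r"\|URL\s+/live-response\?deviceID=(?P<device_id>\d+)"
    r"(?:\|Details\s+(?P<details>.*))?$"
)
# Same extraction as the second rex: the "name" key inside Details.
COMMAND_NAME_RE = re.compile(r'"name":\s*"(?P<command>[^"]+)"')

# Commands the text singles out for special attention.
HIGH_RISK_COMMANDS = {"create process", "kill", "put file"}


def parse_description(description: str) -> Optional[dict]:
    """Return device_name, action, device_id, details and command for one audit-log
    description, or None if the line is not a Live Response entry in the expected layout."""
    flat = re.sub(r"[\r\n]", "", description)  # same as the eval/replace step in the search
    m = DESCRIPTION_RE.match(flat)
    if not m:
        return None
    rec = m.groupdict()
    rec["device_name"] = rec["device_name"].strip()
    rec["action"] = rec["action"].strip()
    rec["command"] = None
    if rec["details"]:
        try:
            obj = json.loads(rec["details"])
            rec["command"] = obj.get("name") if isinstance(obj, dict) else None
        except ValueError:
            # Details may be truncated or not strict JSON: fall back to the regex the search uses.
            cm = COMMAND_NAME_RE.search(rec["details"])
            rec["command"] = cm.group("command") if cm else None
    return rec


def classify(rec: dict) -> Optional[str]:
    """'high' for the risky commands, 'info' for a new session (the alert some SOCs fire),
    None for anything else. The 'start' wording of the action is an assumption."""
    if rec["command"] and rec["command"].lower() in HIGH_RISK_COMMANDS:
        return "high"
    if "start" in rec["action"].lower():
        return "info"
    return None


def alerts(events: list) -> list:
    """(severity, device_name, user, command-or-action) for every event worth an alert."""
    out = []
    for ev in events:
        rec = parse_description(ev["description"])
        if rec is None:
            continue
        sev = classify(rec)
        if sev:
            out.append((sev, rec["device_name"], ev["user"], rec["command"] or rec["action"]))
    return out


def summarize(events: list) -> dict:
    """Equivalent of the stats clause: one row per (device_id, device_name, src, user)
    holding the set of actions, commands and details seen for that session."""
    rows = defaultdict(lambda: {"actions": set(), "commands": set(), "details": set()})
    for ev in events:
        rec = parse_description(ev["description"])
        if rec is None:
            continue
        row = rows[(rec["device_id"], rec["device_name"], ev["src"], ev["user"])]
        row["actions"].add(rec["action"])
        if rec["command"]:
            row["commands"].add(rec["command"])
        if rec["details"]:
            row["details"].add(rec["details"])
    return dict(rows)


# Constructed sample events in the shape the search consumes (description, src, user).
SAMPLE_EVENTS = [
    {"description": "LiveResponse WS-FIN-0042|Action Session started|URL /live-response?deviceID=1234567",
     "src": "203.0.113.10", "user": "analyst@example.com"},
    {"description": 'LiveResponse WS-FIN-0042|Action Command issued|URL /live-response?deviceID=1234567|Details {"name": "dir", "object": "C:\\\\Users"}',
     "src": "203.0.113.10", "user": "analyst@example.com"},
    {"description": 'LiveResponse WS-FIN-0042|Action Command issued|URL /live-response?deviceID=1234567|Details {"name": "put file", "object": "C:\\\\Temp\\\\tool.exe"}',
     "src": "203.0.113.10", "user": "analyst@example.com"},
    {"description": "LiveResponse SRV-DB-01|Action Session started|URL /live-response?deviceID=7654321",
     "src": "198.51.100.7", "user": "oncall@example.com"},
    {"description": "Some unrelated audit event", "src": "198.51.100.7", "user": "oncall@example.com"},
]

if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
    for key, row in summarize(SAMPLE_EVENTS).items():
        print(key, sorted(row["actions"]), sorted(row["commands"]))
```

Feeding real events into `alerts()` gives the per-command severity the text asks for, while `summarize()` produces the same per-session rows as the search, which is useful for a quick offline check that the regex matches your tenant's actual description wording before relying on the saved search.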