This chapter covers Live Response and Remote Forensics within Microsoft Defender for Endpoint, a critical skill for the SC-200 exam. You will learn how to perform real-time investigations on compromised endpoints, collect volatile evidence, and execute remediation actions remotely. This topic area constitutes approximately 10-15% of the exam questions, focusing on the mechanics of Live Response sessions, available commands, and integration with Microsoft Sentinel and other tools. Mastery of these concepts is essential for any security operations analyst responding to incidents.
Live Response and Remote Forensics are like a police CSI team arriving at a crime scene while the crime is still in progress. The team must carefully collect volatile evidence before it disappears, such as conversations (running processes), footprints (network connections), and smells (memory artifacts), without disturbing the scene. They use specialized tools to capture this evidence remotely, like a robot that can take samples and photos from a distance, because entering the scene might alter it. Once the volatile evidence is secured, they can then perform a deeper analysis, like dusting for fingerprints (disk forensics) and reviewing security footage (logs). The key is speed and precision—any delay or mistake can cause evidence to be lost or contaminated. Similarly, in cybersecurity, when a threat is detected, analysts must quickly collect live data from endpoints before the attacker covers their tracks or the system state changes. Remote forensics allows this to happen without physically accessing the machine, using tools like Microsoft Defender for Endpoint's Live Response capability.
What is Live Response and Remote Forensics?
Live Response is a feature in Microsoft Defender for Endpoint that lets a security analyst open a remote shell to an onboarded endpoint and run investigative and remediation actions in real time. It is a command-line console in the portal; every command runs on the endpoint through the Defender for Endpoint sensor that is already installed, so no extra agent, VPN or physical access is needed. Remote forensics extends this: the analyst can retrieve individual files from the endpoint (event logs, registry hives, prefetch files, or a memory dump produced by a script) for offline analysis. Live Response retrieves files; it does not image disks.
The primary purpose of Live Response is to reduce incident response time by enabling immediate action on compromised endpoints. It avoids traditional remote desktop tools and on-premises forensic kits, which are slow to arrange, leave a visible interactive logon and can tip off an adversary. Live Response is started from the Microsoft 365 Defender portal (now the Microsoft Defender portal) and rides on the sensor's authenticated, encrypted channel to the cloud service.
How Live Response Works Internally
Live Response reuses the sensor's existing outbound, TLS-protected channel to the Defender for Endpoint cloud service: the endpoint connects out on TCP 443 and nothing is opened inbound on it. Here is the step-by-step mechanism:
Initiation: An analyst whose role includes the Live Response capabilities permission (a Security Administrator, or a custom Defender for Endpoint role granted that permission) initiates a session from the device page in the portal. The request goes to the Defender for Endpoint cloud service, never directly to the endpoint.
Session Creation: The cloud service identifies the target endpoint by its device ID and verifies that it is online, runs a supported sensor, and is not already in a session (a device can be in only one Live Response session at a time). It then creates a session and queues the start command for the endpoint.
Communication Channel: The sensor on the endpoint picks up the command and starts the session on the device. All subsequent commands and output travel over the sensor's outbound, encrypted connection to the cloud service; the analyst's browser talks only to the portal.
Command Execution: The analyst types commands in the portal's Live Response console. Each command is sent to the cloud service, relayed to the endpoint, executed there, and its output is returned to the service and displayed in the console. Long-running commands (getfile, findfile, run) can be sent to the background with & so the console stays usable.
Session Termination: The analyst can disconnect the session at any time, or it times out after 30 minutes of inactivity. Individual commands also have time limits: 10 minutes for most commands, 30 minutes for getfile, findfile and run. When the session ends, the endpoint tears it down; no listener or process is left behind.
Key Components, Values, Defaults, and Timers
Permissions: Your role must include the "Live Response capabilities" permission. The Basic level allows read-only commands (processes, connections, fileinfo, and so on); the Advanced level is also required for running scripts (run), moving files (getfile, putfile) and remediation (remediate, undo). Remediation commands additionally need the "Active remediation actions" permission. The built-in Security Administrator role has all of these; custom roles must be granted them explicitly.
Supported Operating Systems: Windows 10 (1709 and later) and Windows 11; Windows Server 2012 R2 and later (2012 R2 and 2016 via the modern unified sensor); macOS; and the Linux distributions supported by the sensor (Ubuntu, RHEL, CentOS and others; see the current Microsoft documentation for the exact version list).
Session Timeout: 30 minutes of inactivity, after which the session is terminated automatically.
Command Time Limits: 10 minutes per command, except getfile, findfile and run, which are allowed up to 30 minutes. There is no separately documented maximum session length; a session lives until it is disconnected or goes idle.
Concurrent Sessions: A device can be in only one Live Response session at a time. A single user can initiate up to 10 concurrent sessions, and a tenant is limited to 25 sessions at a time.
File Size Limits: getfile retrieves files up to 3 GB; fileinfo reports on files up to 30 GB; files uploaded to the library are limited to 250 MB. Anything larger must be split or compressed by a script first, then retrieved in pieces.
Configuration and Verification Commands
Live Response is not a separate installation, but it is not on by default: an administrator must turn on "Live Response" under Settings > Endpoints > Advanced features, plus "Live Response for servers" to use it on server operating systems, and "Live Response unsigned script execution" if scripts that are not signed will be run from the library. To verify that a device is eligible, open its device page: if it is online with a supported sensor and the feature is on, the "Initiate live response session" action is available. The following are the commands most used in a session (type help in the console for the full list on that platform; some commands are Windows-only):
help - Lists the available commands, or help <command> for one command's syntax.
dir, cd - Lists and changes directories on the endpoint.
processes - Lists running processes; processes <pid> shows one process in detail.
connections - Lists active network connections with the owning process.
drivers - Lists loaded kernel drivers (Windows).
scheduledtasks - Lists scheduled tasks (Windows).
registry <key> - Lists registry keys and values (Windows).
fileinfo <file_path> - Shows metadata for a file, including hashes and signature details.
findfile <file_name> - Searches the device for a file by name.
getfile <file_path> - Downloads a file from the endpoint to the cloud for retrieval from the console (3 GB limit); append & to run it in the background.
putfile <file_name> - Copies a file from the library onto the endpoint.
library - Lists the files in the tenant's Live Response library; library delete <file_name> removes one.
run <script_name> - Runs a library script on the endpoint (PowerShell on Windows, shell scripts on Linux and macOS); -parameters passes arguments.
analyze <file_path> - Submits a file to Microsoft's analysis engines and returns a verdict.
remediate process|file|service|scheduledtask|registry <target> - Terminates a process, quarantines a file, or removes a service, scheduled task or registry value.
undo <target> - Reverts a remediate action where possible (for example restores a quarantined file).
jobs, fg <job_id> - Lists background jobs and brings one to the foreground.
Interaction with Related Technologies
Live Response is exposed through the Defender for Endpoint API as the RunLiveResponse action on a machine, which queues a sequence of library script runs (RunScript), file uploads (PutFile) and file retrievals (GetFile) as a machine action. Microsoft Sentinel playbooks (Logic Apps) can call that API to collect artifacts or run a response script when an incident is created; the interactive console itself remains in the Defender portal, and there is no "open a console" action inside Sentinel. Automated investigation and response (AIR) is a separate capability that runs Microsoft's own playbooks, not your Live Response commands. Files retrieved through Live Response can be parsed and ingested into Sentinel as custom logs and analyzed with KQL alongside the incident.
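The API path described above, as an added example that is not part of the original page and not Microsoft's own sample: a PowerShell script of the kind a Sentinel playbook or scheduled automation would run. It assumes an Entra app registration with the Machine.LiveResponse application permission, that Live Response (and, for unsigned scripts, unsigned script execution) is enabled in Advanced features, and that the named script already sits in the Live Response library. The tenant, app, device and script values are placeholders, and the file extensions used for the downloaded results are assumptions.

```powershell
# Added example: drive a Live Response session through the Defender for Endpoint API.
# Placeholders below must be replaced; secrets belong in Key Vault, not in the script.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-id>'
$ClientSecret = '<client-secret>'
$MachineId    = '<device-id>'            # DeviceId from the portal or advanced hunting
$ScriptName   = 'Triage-Volatile.ps1'    # assumed to exist in the Live Response library
$FileToGet    = 'C:\Windows\System32\winevt\Logs\Security.evtx'
$Api          = 'https://api.securitycenter.microsoft.com/api'

# 1. Client-credentials token scoped to the Defender for Endpoint API.
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)"; 'Content-Type' = 'application/json' }

# 2. Queue the session. Commands run in order: first the triage script, then the file retrieval.
$body = @{
    Comment  = 'Automated triage triggered by Sentinel incident'
    Commands = @(
        @{ type = 'RunScript'; params = @(@{ key = 'ScriptName'; value = $ScriptName }) },
        @{ type = 'GetFile';   params = @(@{ key = 'Path';       value = $FileToGet }) }
    )
} | ConvertTo-Json -Depth 5

$action = Invoke-RestMethod -Method Post -Headers $headers `
    -Uri "$Api/machines/$MachineId/runliveresponse" -Body $body
Write-Host "Machine action $($action.id) queued with status $($action.status)"

# 3. Poll the machine action. An offline device leaves it Pending; give up after 35 minutes,
#    which covers the documented 30-minute limit for getfile/run plus queueing time.
$deadline = (Get-Date).AddMinutes(35)
do {
    Start-Sleep -Seconds 15
    $action = Invoke-RestMethod -Headers $headers -Uri "$Api/machineactions/$($action.id)"
    Write-Host "  $($action.status)"
    if ((Get-Date) -gt $deadline) { throw "Timed out waiting for machine action $($action.id)" }
} while ($action.status -in 'Pending', 'InProgress')

if ($action.status -ne 'Succeeded') {
    throw "Live Response action ended with status $($action.status)"
}

# 4. Download each command's result. The index is the command's position in the Commands array.
#    The result of RunScript is the script's console output; GetFile returns the file itself
#    (the service serves it compressed, hence the assumed .gz extension).
for ($i = 0; $i -lt 2; $i++) {
    $link = Invoke-RestMethod -Headers $headers `
        -Uri "$Api/machineactions/$($action.id)/GetLiveResponseResultDownloadLink(index=$i)"
    $ext  = if ($i -eq 0) { '.txt' } else { '.gz' }
    $out  = Join-Path $env:TEMP "lr-$($action.id)-$i$ext"
    Invoke-WebRequest -Uri $link.value -OutFile $out
    Write-Host "Saved result of command $i to $out"
}
```

The same call works from a Logic App HTTP action; the only difference is that the token is obtained through the connector's managed identity instead of a client secret. Note that RunLiveResponse is a queued machine action, not an interactive shell: if the device is offline the action simply waits, which is why the poll loop carries its own deadline.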
Security Considerations
Every Live Response session is audited: the session's command log (commands, who ran them, and their output) is kept in the portal, and file retrievals, script runs and remediation actions appear in the Action center and on the device timeline, giving an audit trail for compliance. Traffic is TLS-encrypted over the sensor's outbound channel. Access should be tightly controlled because the Advanced level of the permission amounts to remote code execution as SYSTEM on every device in the role's scope: grant Basic to triage analysts, Advanced only to responders, scope roles to device groups, keep "Live Response unsigned script execution" off unless it is needed, and remember that any script uploaded to the library can be run by everyone who holds the run permission.
Initiate Live Response Session
From the device page in the Microsoft 365 Defender portal, select "Initiate live response session". The service checks your role, that the feature is enabled in Advanced features (and "Live Response for servers" for server operating systems), and that the device is online, supported, and not already in another session. If any check fails the session cannot be started. Once it connects, a command prompt appears in the portal; the endpoint made an outbound connection to the cloud service and nothing was opened inbound on it.
Run Investigative Commands
The analyst begins with read-only commands: `processes` to list running processes, `connections` to list network connections with their owning process, and, on Windows, `scheduledtasks`, `drivers` and `registry` for persistence. These return within seconds. Because `connections` names the owning process, a connection to a known bad IP address can be tied to a PID, `processes <pid>` shows its command line and parent, and `fileinfo` on the image path returns its hash and signature for a lookup in threat intelligence. Output is shown in the console and can be copied out for further analysis.
Collect Forensic Artifacts
To gather evidence, the analyst uses `getfile <file_path>` to retrieve files such as event logs, registry hives, prefetch files or a memory dump that a library script produced. The file is uploaded to the cloud storage of the Defender for Endpoint tenant and can be downloaded from the console. Appending `&` runs the retrieval in the background so other commands can continue; `jobs` lists it and `fg` brings it forward. The limit per file is 3 GB and the command is allowed 30 minutes; files that are locked (for example live registry hives) must first be copied or exported by a script.
Execute Remediation Actions
If a malicious process is identified, the analyst terminates it with `remediate process <pid>`. A malicious file is quarantined (not simply deleted) with `remediate file <file_path>`, and persistence is removed with `remediate scheduledtask`, `remediate service` or `remediate registry`. These actions take effect immediately on the endpoint and require the Advanced permission level plus "Active remediation actions". `undo` reverts a remediation where that is possible, for example restoring a quarantined file, so quarantine is preferred over ad-hoc deletion in a script. All actions are logged in the Action center.
Terminate the Session
After completing the investigation and remediation, the analyst disconnects the session from the console. The endpoint tears the session down; there is no resident process or listener left behind. The session's command log is kept in the portal for auditing. If the analyst forgets to disconnect, the session times out after 30 minutes of inactivity.
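The commands above are typed interactively. The PowerShell script below is an added example, not Microsoft's code and not part of the original page, of the kind of script a responder uploads to the Live Response library with the library command and then executes with run during the "Run Investigative Commands" and "Collect Forensic Artifacts" steps. It snapshots the volatile state the chapter cares about (processes with image hashes, established connections joined to their owning process, and a flag for unsigned images with network activity) into one JSON file that can then be pulled back with getfile. The script name, output directory and the run invocation shown in the header comment are assumptions.

```powershell
# Triage-Volatile.ps1 (added example). Upload with the library command, then in a session:
#   run Triage-Volatile.ps1 -parameters "-OutputDir C:\ProgramData\LRTriage"
#   getfile C:\ProgramData\LRTriage\triage-<hostname>-<timestamp>.json
# Runs under the Defender for Endpoint sensor's context, so no elevation prompt is needed.
param(
    [string]$OutputDir = "$env:ProgramData\LRTriage"   # assumed location; any local path works
)
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# Running processes with the SHA-256 of the backing image, so the analyst can pivot on hashes.
$procs = @(Get-CimInstance Win32_Process | ForEach-Object {
    $hash = $null
    if ($_.ExecutablePath -and (Test-Path -LiteralPath $_.ExecutablePath)) {
        $hash = (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    }
    [pscustomobject]@{
        Pid         = $_.ProcessId
        ParentPid   = $_.ParentProcessId
        Name        = $_.Name
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
        Sha256      = $hash
        Created     = $_.CreationDate
    }
})

# Established TCP connections joined to the owning process (same pivot the connections command gives).
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.Pid] = $p }
$conns = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $owner = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        Pid     = $_.OwningProcess
        Process = $owner.Name
        Path    = $owner.Path
        Sha256  = $owner.Sha256
    }
})

# Quick triage flag: a process with network activity whose image is not validly signed.
$suspect = @($conns | Where-Object {
    $_.Path -and ((Get-AuthenticodeSignature -LiteralPath $_.Path -ErrorAction SilentlyContinue).Status -ne 'Valid')
} | Sort-Object Path -Unique)

$report = [ordered]@{
    Host                     = $env:COMPUTERNAME
    CollectedAtUtc           = (Get-Date).ToUniversalTime().ToString('o')
    Processes                = $procs
    Connections              = $conns
    UnsignedNetworkProcesses = $suspect
}
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$file  = Join-Path $OutputDir "triage-$env:COMPUTERNAME-$stamp.json"
$report | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $file -Encoding UTF8

# Console output goes back to the Live Response session; the file path is what getfile needs.
"{0} processes, {1} established connections, {2} unsigned images with network activity" -f `
    $procs.Count, $conns.Count, $suspect.Count
foreach ($s in $suspect) { "  suspect: pid {0} {1} -> {2}" -f $s.Pid, $s.Path, $s.Remote }
"Report: $file"
```

Writing a file rather than dumping everything to the console keeps the session output readable and gives the evidence a stable artifact with a timestamp in its name. If the tenant has not enabled "Live Response unsigned script execution", the script must be Authenticode-signed before it is placed in the library.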
Enterprise Scenario 1: Rapid Response to Ransomware Outbreak
A large enterprise with 10,000 endpoints detects a ransomware outbreak via Defender for Endpoint alerts. The SOC team uses Live Response to connect to the first infected endpoints within minutes. They run `processes` to identify the ransomware process, then `remediate process <pid>` to terminate it before it encrypts more files, and `remediate file` to quarantine the binary. They then retrieve the binary and a memory dump produced by a library script with `getfile` for analysis. Each endpoint takes under 10 minutes. Because a user can hold only 10 sessions at once and the tenant 25, they use the interactive console on the patient-zero machines and a RunLiveResponse API playbook to run the same containment script across the rest of the affected devices. Without Live Response, the team would have to reach machines physically or over remote desktop, which is slower and leaves an interactive logon that can alert the attacker.
Enterprise Scenario 2: Remote Forensics for Insider Threat Investigation
A financial services company suspects an employee of exfiltrating sensitive data. The SOC initiates a Live Response session on the employee's machine. They run `connections` to see active network connections and identify an SSH tunnel to an external IP, with the owning process shown in the output. They use `processes <pid>` and `fileinfo` on the tunnel client's image, `findfile` and a library script to enumerate recently modified files, and `getfile` to retrieve the suspicious files. The collected artifacts are analyzed offline, confirming data exfiltration, and the session's command log provides the chain of custody used for disciplinary action. Live Response allowed the investigation to proceed without an interactive logon that would have alerted the employee.
Performance and Scale Considerations
Live Response is an interactive, per-device tool, and the service limits reflect that: a device can be in only one session, a user can hold at most 10, and a tenant at most 25 at a time. It is therefore used for targeted investigation, not fleet-wide sweeps; for collection across many devices use the RunLiveResponse API from a playbook, or advanced hunting where the question can be answered from telemetry. The endpoint cost is dominated by what you run, not by the session itself: hashing every file on disk or dumping memory consumes CPU, disk I/O and upload bandwidth, and `getfile` is capped at 3 GB and 30 minutes per file, so large artifacts should be compressed or split by the script that produces them.
Common Misconfigurations
A common mistake is granting the Advanced level of Live Response permissions to too many users, or leaving "Live Response unsigned script execution" on; either increases the risk of unauthorized code running on endpoints. Another is forgetting the Advanced features toggles: "Live Response" itself is off by default, and server operating systems additionally need "Live Response for servers"; with these off, sessions cannot be initiated. Finally, Live Response depends on the sensor's outbound HTTPS connectivity: if a proxy or firewall blocks TCP 443 to the Defender for Endpoint service URLs or performs TLS inspection on them, the session fails or hangs. The Microsoft Defender for Endpoint Client Analyzer tool can be run on the device to verify connectivity and sensor health.
Exactly What SC-200 Tests
The SC-200 skills outline, under managing incidents and response in Microsoft 365 Defender (Microsoft Defender XDR), includes using Live Response and collecting forensic artifacts. Specifically, you must know:
How to initiate a Live Response session, and what must be true of the device and the tenant settings for it to start.
The inactivity timeout (30 minutes) and the per-command limits (10 minutes; 30 minutes for getfile, findfile and run).
The available commands and their purposes, including which are Windows-only and which need the Advanced permission level.
How to retrieve files with getfile and the 3 GB limit.
The permissions required (Live Response capabilities, Basic versus Advanced; Active remediation actions for remediate).
How Live Response is automated through the API and Microsoft Sentinel playbooks.
Common Wrong Answers and Why Candidates Choose Them
Wrong Answer: Live Response requires a VPN or an inbound firewall rule to the endpoint. Candidates assume remote connections always need network reachability. Reality: the endpoint connects outbound to the cloud service on TCP 443; the analyst never connects to the device.
Wrong Answer: You can type arbitrary PowerShell into the Live Response console. Reality: `run` executes scripts that were first uploaded to the library (PowerShell on Windows, shell scripts on Linux and macOS), not ad-hoc command lines. Candidates miss the library step.
Wrong Answer: Live Response only works on Windows. The exam tests that macOS and supported Linux distributions are covered too, with a smaller command set, and that server operating systems need the "Live Response for servers" setting.
Wrong Answer: Files retrieved via Live Response are automatically analyzed by Microsoft. Reality: `getfile` only uploads the file for download; a verdict requires `analyze` or manual submission.
Specific Numbers and Terms
30 minutes: Session inactivity timeout; also the time limit for getfile, findfile and run.
10 minutes: Time limit for all other commands.
3 GB: Maximum file size for getfile (fileinfo works up to 30 GB; library uploads up to 250 MB).
1: Maximum concurrent sessions per device.
10: Maximum concurrent sessions per user.
25: Maximum concurrent sessions per tenant.
Edge Cases and Exceptions
If the endpoint is offline, an interactive session cannot be initiated and fails immediately; a RunLiveResponse API action, by contrast, stays Pending until the device comes back.
Server operating systems need "Live Response for servers" enabled in Advanced features in addition to "Live Response"; unsigned library scripts need "Live Response unsigned script execution".
A device already in a session cannot be joined by a second analyst; wait for the first session to end or be disconnected.
Commands that exceed their time limit (10 minutes, or 30 for getfile, findfile and run) are terminated; split large collections into smaller pieces.
How to Eliminate Wrong Answers
Use the underlying mechanism: Live Response is a cloud-mediated shell carried on the sensor's outbound connection. If an answer suggests direct network access, VPN or inbound ports, it is wrong. If it claims only Windows is supported, or that macOS or Linux are excluded, it is wrong. If it overstates capabilities (automatic analysis of retrieved files, ad-hoc PowerShell without the library, full disk imaging), it is wrong.
Live Response is initiated from the Microsoft 365 Defender portal and runs over the sensor's outbound, encrypted connection to the cloud service; no inbound access to the endpoint is needed.
Sessions time out after 30 minutes of inactivity; commands are limited to 10 minutes (30 for getfile, findfile and run).
Maximum file size for getfile is 3 GB.
Supported OS: Windows 10/11, Windows Server 2012 R2 and later, macOS, and supported Linux distributions.
Required permission: "Live Response capabilities" (Basic or Advanced) in role assignments; remediate also needs "Active remediation actions". The feature must be enabled in Advanced features.
Common commands: `processes`, `connections`, `fileinfo`, `findfile`, `getfile`, `putfile`, `run`, `remediate`, `undo`, `analyze`.
Live Response is automated through the RunLiveResponse API, which Microsoft Sentinel playbooks can call.
All sessions are logged (command log, Action center, device timeline) for auditing.
These come up on the exam all the time. Here's how to tell them apart.
Live Response
Command-line interface only.
Rides on the sensor's outbound, encrypted connection to the cloud service.
No direct network access required.
Designed for forensic and remediation actions.
Lightweight, minimal resource usage.
Remote Desktop Protocol (RDP)
Full graphical desktop interface.
Direct network connection (port 3389).
Requires network access and firewall rules.
Designed for remote administration and user support.
Heavier resource usage, potential for latency.
Mistake
Live Response is the same as Remote Desktop Protocol (RDP).
Correct
Live Response is a command-line console for forensic and remediation actions, not a full desktop session. RDP provides a graphical interface to control the entire desktop, creates an interactive logon on the machine and requires network-level access to it. Live Response is relayed through the cloud service over the sensor's outbound connection; it does not use RDP.
Mistake
You can collect any file of any size using Live Response.
Correct
The maximum file size that can be retrieved with the `getfile` command is 3 GB, and the command is limited to 30 minutes. Larger artifacts must be compressed or split by a library script and retrieved in pieces, or collected by another channel.
Mistake
Live Response sessions last indefinitely until manually ended.
Correct
Sessions end automatically after 30 minutes of inactivity, and individual commands are terminated when they exceed their time limit (10 minutes; 30 minutes for getfile, findfile and run). There is no separately documented fixed maximum session length, but an idle session never lives on indefinitely.
Mistake
Live Response can be used on any operating system, including macOS.
Correct
Live Response is supported on Windows 10/11, Windows Server 2012 R2 and later, macOS, and supported Linux distributions (Ubuntu, RHEL, CentOS and others listed in the Microsoft documentation). The command set on macOS and Linux is smaller than on Windows.
Mistake
All Live Response commands are available on every endpoint.
Correct
Some commands are Windows-only (`registry`, `scheduledtasks`, `drivers`), so macOS and Linux endpoints expose a subset. Others depend on the analyst rather than the endpoint: `run`, `getfile`, `putfile`, `remediate` and `undo` require the Advanced level of the Live Response permission, and unsigned scripts run only if "Live Response unsigned script execution" is enabled for the tenant. Use `help` in the session to see what that platform and your role allow.
Live Response refers to the real-time, interactive command-line session on an endpoint, allowing immediate investigation and remediation. Remote forensics is the broader practice of collecting forensic artifacts (memory dumps, event logs, registry hives, files) from endpoints without physical access, for offline analysis. In Defender for Endpoint, remote forensics is usually performed with Live Response's `getfile` command and library scripts, and can be automated through the RunLiveResponse API.
Navigate to the device page of the target endpoint in the Microsoft 365 Defender portal. Click the 'Initiate Live Response' button. Ensure you have the required permissions (e.g., Security Administrator role). The endpoint must be online and supported. Once initiated, a command prompt appears in the portal.
Common commands include: `help`, `dir`, `cd`, `processes`, `connections`, `drivers`, `scheduledtasks`, `registry`, `fileinfo`, `findfile`, `getfile`, `putfile`, `library`, `run`, `analyze`, `remediate`, `undo`, `jobs` and `fg`. Use `help` to see the list for the current platform; `registry`, `scheduledtasks` and `drivers` are Windows-only, and `run`, `getfile`, `putfile`, `remediate` and `undo` need the Advanced permission level.
Yes, on supported Linux distributions (Ubuntu, RHEL, CentOS and others in the Microsoft documentation) and on macOS. "Live Response" must be enabled in Advanced features, and Linux servers also need "Live Response for servers". The command set is smaller than on Windows, and `run` executes shell scripts from the library rather than PowerShell.
The session fails to start with an error indicating that the device is unreachable. Try again when the device is online, or queue the work as a RunLiveResponse API action, which waits in the Pending state until the device reconnects and then runs the script or file retrieval.
After `getfile` completes, the file is uploaded to the cloud storage associated with your tenant and a download link appears in the session console; file retrievals are also listed in the Action center. Download promptly, since retrieved files are retained for a limited time (check the current Microsoft documentation for the retention period).
Yes. Every session has a command log in the portal showing who ran which commands and their output, and file retrievals, script runs and remediation actions appear in the Action center and on the device timeline. This provides an audit trail for compliance and for reconstructing the response later.