Query Details

Defender Live Response

Query

//Show the user that initiated a Defender Live Response session and against which device, with IP and port.
//Filter DeviceEvents first so the join only runs over session rows, not the whole table.
DeviceEvents
| where tostring(AdditionalFields.RemoteClientsAccess) == "AcceptRemote"
| where InitiatingProcessFileName == "msedge.exe"
//kind=inner is required: the default join (innerunique) keeps only one DeviceEvents row per key.
//Join on DeviceId, the stable device key; DeviceName can be reused or renamed.
| join kind=inner DeviceNetworkEvents on DeviceId
//Keep only network events within five minutes (adjust as needed) of the session event. Columns that
//exist in both tables get a "1" suffix on the DeviceNetworkEvents side (TimeGenerated1, RemoteIP1).
| where TimeGenerated1 between ((TimeGenerated - 5m) .. (TimeGenerated + 5m))
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RemoteIP1, RemotePort1

Explanation

This query shows the user who started a Defender Live Response session and the device the session was run against, together with the remote IP address and port recorded in DeviceNetworkEvents for that device. RemoteIP1 and RemotePort1 are the DeviceNetworkEvents columns: because DeviceEvents also has RemoteIP and RemotePort, the join gives the right-hand copies a "1" suffix.
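The join behaviour the query depends on, shown on constructed rows so it runs in any Kusto or Sentinel workspace without real telemetry. This is an added example, not part of the original page; the two datatables stand in for DeviceEvents and DeviceNetworkEvents, and the device IDs, host names, account names and IPs (RFC 5737 documentation ranges) are made up.

```kusto
// Constructed stand-in for DeviceEvents: two Live Response session rows on the same device.
// RemoteIP/RemotePort are included because the real table has them, which is what
// forces the "1" suffix on the DeviceNetworkEvents copies after the join.
let Sessions = datatable(TimeGenerated:datetime, DeviceId:string, DeviceName:string,
                         InitiatingProcessAccountName:string, RemoteIP:string, RemotePort:int)
[
  datetime(2022-06-01 10:00:00), "dev-1", "host-a", "alice", "", int(null),
  datetime(2022-06-01 11:00:00), "dev-1", "host-a", "bob",   "", int(null)
];
// Constructed stand-in for DeviceNetworkEvents: one connection shortly after each session.
let Net = datatable(TimeGenerated:datetime, DeviceId:string, DeviceName:string,
                    RemoteIP:string, RemotePort:int)
[
  datetime(2022-06-01 10:01:00), "dev-1", "host-a", "203.0.113.10", 443,
  datetime(2022-06-01 11:02:00), "dev-1", "host-a", "198.51.100.7", 443
];
// Default join kind is innerunique: one Sessions row per DeviceId is kept (which one is not
// guaranteed) and paired with every Net row, so one account ends up with both IPs.
let DefaultJoin = Sessions
| join Net on DeviceId
| extend JoinKind = "innerunique (default)";
// kind=inner keeps both sessions; the time window pairs each with the connection that
// happened within five minutes of it.
let WindowedJoin = Sessions
| join kind=inner Net on DeviceId
| where TimeGenerated1 between ((TimeGenerated - 5m) .. (TimeGenerated + 5m))
| extend JoinKind = "inner + 5m window";
union DefaultJoin, WindowedJoin
| project JoinKind, TimeGenerated, InitiatingProcessAccountName, RemoteIP1, RemotePort1
| order by JoinKind asc, TimeGenerated asc
```

The windowed half of the result has alice paired with 203.0.113.10 and bob with 198.51.100.7. The default half has two rows for a single account (whichever Sessions row Kusto happened to keep) paired with both IPs, which is the silent row loss and mis-pairing the `kind=inner` plus time-window pattern avoids.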

Details


Rod Trent

Released: June 2, 2022

Tables

DeviceEvents, DeviceNetworkEvents

Keywords

DeviceEvents,DeviceNetworkEvents,AdditionalFields,RemoteClientsAccess,InitiatingProcessFileName,msedge.exe,TimeGenerated,DeviceName,InitiatingProcessAccountName,RemoteIP1,RemotePort1

Operators

join, where, project
