# List Live Response Unsigned Script Setting Changes

## Query Information

### Description

This query lists all changes to the Live Response unsigned script execution setting under Advanced Features in Defender for Endpoint. You want to monitor this setting because allowing the use of unsigned scripts may increase your exposure to threats.

### References

- https://kqlquery.com/posts/leveraging-live-response/
- https://learn.microsoft.com/en-us/defender-endpoint/live-response

## Defender For Endpoint

```kql
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend SettingName = tostring(parse_json(RawEventData).SettingName),
         SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
| where SettingName == "Live Response unsigned script execution"
| project-reorder Timestamp, AccountId, ActionType, SettingName, SettingsNewValue
```

## Sentinel

```kql
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend SettingName = tostring(parse_json(RawEventData).SettingName),
         SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
| where SettingName == "Live Response unsigned script execution"
| project-reorder TimeGenerated, AccountId, ActionType, SettingName, SettingsNewValue
```
This query helps you track changes to the Live Response unsigned script execution setting in Defender for Endpoint. It shows who changed the setting and whether unsigned scripts are now allowed, a change that could increase your exposure to threats.
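As an added example (not part of the original query page), the same filter logic expressed in Python over a few constructed CloudAppEvents rows, so the parse_json/where steps of the KQL can be followed offline. The field names `ActionType`, `RawEventData`, `SettingName` and `SettingsNewValue` come from the query above; the assumption that `SettingsNewValue` arrives as the strings `"true"`/`"false"` is mine, as are the sample account names.

```python
import json
from dataclasses import dataclass

# Constructed sample CloudAppEvents rows (not real tenant data). RawEventData is the
# JSON string that the KQL unpacks with parse_json().
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-30T08:01:00Z", "AccountId": "admin1@contoso.example",
     "ActionType": "SetAdvancedFeatures",
     "RawEventData": json.dumps({"SettingName": "Live Response unsigned script execution",
                                 "SettingsNewValue": "true"})},
    {"Timestamp": "2024-05-30T08:05:00Z", "AccountId": "admin2@contoso.example",
     "ActionType": "SetAdvancedFeatures",
     "RawEventData": json.dumps({"SettingName": "Live Response", "SettingsNewValue": "true"})},
    {"Timestamp": "2024-05-30T09:00:00Z", "AccountId": "admin1@contoso.example",
     "ActionType": "SetAdvancedFeatures",
     "RawEventData": json.dumps({"SettingName": "Live Response unsigned script execution",
                                 "SettingsNewValue": "false"})},
    {"Timestamp": "2024-05-30T09:30:00Z", "AccountId": "svc@contoso.example",
     "ActionType": "FileDownloaded", "RawEventData": "not json"},
]

TARGET_SETTING = "Live Response unsigned script execution"

@dataclass
class SettingChange:
    timestamp: str
    account_id: str
    new_value: str
    enabled: bool  # True when the change loosens the control

def find_unsigned_script_setting_changes(events):
    """Mirror the KQL: keep SetAdvancedFeatures rows whose SettingName is the target."""
    findings = []
    for ev in events:
        if ev.get("ActionType") != "SetAdvancedFeatures":
            continue
        try:
            raw = json.loads(ev.get("RawEventData", ""))
        except json.JSONDecodeError:
            continue  # parse_json() yields null for non-JSON; the KQL where-clause drops it too
        if raw.get("SettingName") != TARGET_SETTING:
            continue
        new_value = str(raw.get("SettingsNewValue", ""))
        # Assumption: the portal logs the new value as the string "true" or "false".
        findings.append(SettingChange(ev["Timestamp"], ev["AccountId"],
                                      new_value, new_value.lower() == "true"))
    return findings

def changes_that_enable(events):
    """Subset worth alerting on: unsigned script execution was turned on."""
    return [c for c in find_unsigned_script_setting_changes(events) if c.enabled]

if __name__ == "__main__":
    for c in find_unsigned_script_setting_changes(SAMPLE_EVENTS):
        print(c.timestamp, c.account_id, "ENABLED" if c.enabled else "disabled")
```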

Bert-Jan Pals
Released: May 30, 2024