Set up and start Live Response
Live Response lets you connect to devices to investigate and remediate possible security issues.
Using Live Response, you can stop suspicious processes, restart devices with pending updates, browse folders, delete files, and more.
This page tells you how to do as follows:
- Turn on Live Response and specify which devices you can connect to. Note You need to turn on Live Response for computers and servers separately.
- Start a Live Response session.
- Audit general Live Response activity.
- Audit a Live Response session.
Turn on Live Response for computers
To turn on Live Response and specify which computers it can connect to, do as follows:
Turn on Live Response for servers
To turn on Live Response and specify which servers it can connect to, do as follows:
Start a Live Response session
To start Live Response, do as follows:
The connection is also closed in the following cases:
- You close the tab.
- You refresh the tab.
- You browse elsewhere in Sophos Central from here.
- There is no activity for 30 minutes.
Audit Live Response activity
To see general Live Response activity, view the audit log.
- Go to Logs & Reports.
- Under General Logs, click Audit Logs.
The audit log shows when sessions started and ended, the admin who started the session, the device that the session accessed, and the "Purpose" given when the session was started.
If you want full details of a specific session, view the Live Response session audit log.
Audit a Live Response session
To see full details of what happened in a specific Live Response session, view the session audit log.
To view the audit log, do as follows:
The audit log shows the commands entered in the Live Response session and the command-line responses.