Set up and start Live Response

Live Response lets you connect to devices to investigate and remediate possible security issues.

Using Live Response, you can stop suspicious processes, restart devices with pending updates, browse folders, delete files, and more.

This page tells you how to do as follows:

Turn on Live Response and specify which devices you can connect to.
Note You need to turn on Live Response for computers and servers separately.
Start a Live Response session.
Audit general Live Response activity.
Audit a Live Response session.

Turn on Live Response for computers

Restriction To change Live Response settings, you must be a Super Admin or have a custom role that includes Manage Live Response settings for computers. See Give admins access to Live Response.

To turn on Live Response and specify which computers it can connect to, do as follows:

Go to Settings > Endpoint Protection > Live Response.
Turn on Allow Live Response connections to computers.

By default, Live Response can connect to all computers.
To prevent Live Response from connecting to specific computers, look under Exclusions, select computers in Available, and move them to Excluded.
Click Save.

Turn on Live Response for servers

Restriction To change Live Response settings, you must be a Super Admin or have a custom role that includes Manage Live Response settings for servers. See Give admins access to Live Response.

To turn on Live Response and specify which servers it can connect to, do as follows:

Go to Global Settings > Server Protection > Live Response.
Turn on Allow Live Response connections to servers.

By default, Live Response can connect to all servers.
To prevent Live Response from connecting to specific servers, look under Exclusions, select servers in Available, and move them to Excluded.

Start a Live Response session

Restriction To start a Live Response session, you must be a Super Admin or have a custom role that lets you start it, and you must sign in using multi-factor authentication. See Give admins access to Live Response.

To start Live Response, do as follows:

Go to Devices.
Select a device and click it to open its details page.
On the left of the details page, click Live Response.

A connection to the computer opens in another browser tab. The tab shows a terminal window.

If the new tab doesn't open, your browser may have blocked it. Configure your browser to allow it.
At the command prompt, enter commands to perform your investigation or remediation.
When you finish, click End Session. The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.
The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.

The connection is also closed in the following cases:

You close the tab.
You refresh the tab.
You browse elsewhere in Sophos Central from here.
There is no activity for 30 minutes.

Audit Live Response activity

To see general Live Response activity, view the audit log.

Go to Logs & Reports.
Under General Logs, click Audit Logs.

The audit log shows when sessions started and ended, the admin who started the session, the device that the session accessed, and the "Purpose" given when the session was started.

If you want full details of a specific session, view the Live Response session audit log.

Audit a Live Response session

To see full details of what happened in a specific Live Response session, view the session audit log.

Restriction To get session audit logs, you must be a Super Admin or have a custom role that includes both Manage Live Response settings for computers and Manage Live Response settings for servers.

To view the audit log, do as follows:

Go to Logs & Reports.
Under Endpoint & Server Protection Logs, click Live Response session audit.
Find the session you want and click Download session log.
The session log is downloaded as a gzip compressed file.
Extract the file and view it.

The audit log shows the commands entered in the Live Response session and the command-line responses.