Set up and start Live Response
You must have Sophos EDR, XDR, or MDR to use this feature.
Live Response lets you connect to devices to investigate and remediate possible security issues.
Using Live Response, you can stop suspicious processes, restart devices with pending updates, browse folders, delete files, and more.
This page tells you how to do the following:
- Turn on Live Response.
Note
You need to turn on Live Response for computers and servers separately.
- Start a Live Response session.
- Audit general Live Response activity.
- Audit a Live Response session.
Turn on Live Response for computers
To change Live Response settings, you must be a Super Admin or have a custom role that includes Manage Data Collection and Investigation settings for computers. See Give admins access to Live Response.
To turn on Live Response, do as follows:
- Go to My Products > Endpoint.
- Click Policies.
- Go to Data Collection and Investigation and click a policy to open its details.
The base policy applies to all computers by default. You might also have custom policies for groups of computers that you specify. See About Policies.
- Click the Settings tab.
- Turn on Allow Live Response connections to computers.
By default, Live Response can connect to all computers.
- Click Save.
Turn on Live Response for servers
To change Live Response settings, you must be a Super Admin or have a custom role that includes Manage Data Collection and Investigation settings for servers. See Give admins access to Live Response.
To turn on Live Response and specify which servers it can connect to, do as follows:
- Go to My Products > Server.
- Click Policies.
- Go to Data Collection and Investigation and click a policy to open its details.
The base policy applies to all servers by default. You might also have custom policies for groups of servers that you specify. See About Policies.
- Click the Settings tab.
- Turn on Allow Live Response connections to servers.
By default, Live Response can connect to all servers.
- Click Save.
Start a Live Response session
To start a Live Response session, you must be a Super Admin or have a custom role with the Start Live Response Sessions permission. See Give admins access to Live Response.
If you're using federated sign-in with a supported identity provider that enforces MFA challenges, you can avoid Sophos Central MFA challenges when starting a Live Response session. To do this, turn on the IdP Enforced MFA option: click the General Settings icon and, under Administration, click Federated identity providers. See Add the identity provider (Entra ID/Open IDC/ADFS).
Start Live Response
To start Live Response, do as follows:
- Go to My Environment > Computers & Servers.
- Select a device and click it to open its details page.
- In the top pane, click Actions and select Live Response.
A connection to the device opens in another browser tab. The tab shows a terminal window.
If the new tab doesn't open, your browser may have blocked it. Configure your browser to allow the new tab.
- At the command prompt, enter commands to perform your investigation or remediation.
Use Windows command-line (DOS), UNIX, or Linux commands, depending on the operating system of the device you've connected to.
- When you finish, click End Session. The connection is closed, although the tab remains open. You can browse elsewhere in Sophos Central from here.
The connection is also closed in the following cases:
- You close the tab.
- You refresh the tab.
- You browse elsewhere in Sophos Central from the tab.
- There is no activity for 30 minutes.
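The steps above describe the session mechanics but not what to type once the terminal opens. The following is an added example of a small triage helper for a Linux device, written for this page; it is not Sophos code and is not part of the Live Response tooling. It assumes a Linux endpoint where ps, awk and /proc are available. The flag_suspicious function reads a "ps -eo pid,user,args" listing and reports processes whose executable runs from a world-writable temp directory; deleted_binaries reports processes whose binary was unlinked after start. The SAMPLE_PS listing is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added triage helper for a Linux Live Response session (example code, not
# from Sophos documentation or the Live Response tooling). Assumes a Linux
# device with ps, awk and /proc available, which holds for typical distributions.

# flag_suspicious: read a "ps -eo pid,user,args" listing on stdin and print
# "PID USER EXE" for each process whose executable path starts under a
# world-writable temp directory (/tmp, /var/tmp, /dev/shm), a common drop
# location for payloads. The header line is skipped.
flag_suspicious() {
    awk '
        NR == 1 { next }
        {
            pid = $1; user = $2; exe = $3
            if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) print pid, user, exe
        }'
}

# deleted_binaries: list processes whose on-disk executable has been unlinked
# since it started, a sign of a self-deleting implant. Live host only.
deleted_binaries() {
    for p in /proc/[0-9]*; do
        target=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "${p#/proc/} $target" ;;
        esac
    done
}

# live_triage: run both checks against the host; use this inside the session.
# Review the output before acting. To stop a suspicious process without losing
# its memory, freeze it first ("kill -STOP PID"), inspect it, then "kill -KILL PID".
live_triage() {
    echo "== executables running from temp directories =="
    ps -eo pid,user,args | flag_suspicious
    echo "== processes whose binary was deleted on disk =="
    deleted_binaries
}

# Constructed sample listing (not captured from a real host) so the parser
# can be exercised offline.
SAMPLE_PS='  PID USER     COMMAND
    1 root     /sbin/init
  812 root     /usr/sbin/sshd -D
 2231 www-data /tmp/.x/kworker -o 127.0.0.1:4444
 2240 alice    /bin/bash
 2301 root     /dev/shm/.p/update --daemon'

# sample_hits: the lines flag_suspicious reports for the constructed sample.
sample_hits() {
    printf '%s\n' "$SAMPLE_PS" | flag_suspicious
}

# Run the live checks only when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--live" ]; then
    live_triage
fi
```

Paste the file into the session terminal (or type the functions directly) and run live_triage; on the constructed sample, sample_hits reports PIDs 2231 and 2301 and nothing else. Every command you enter is recorded in the session audit log described below, so keep the triage to read-only checks until you have decided on remediation.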
Audit Live Response activity
To see general Live Response activity, view the audit log.
- Go to Reports > Logs.
- Under General Logs, click Audit Logs.
The audit log shows when sessions started and ended, the admin who started the session, the device that the session accessed, and the "Purpose" given when the session was started.
To see full details of sessions, click See session audit logs next to a log entry for the start or end of a session.
Audit a Live Response session
To see full details of what happened in a specific Live Response session, view the session audit log.
Restriction
To get session audit logs, you must be a Super Admin or have a custom role that includes both Manage Live Response settings for computers and Manage Live Response settings for servers.
To view the audit log, do as follows:
- Go to Reports > Logs.
- Under Endpoint & Server Protection Logs, click Live Response session audit.
- Find the session you want and click Download session log. The session log is downloaded as a gzip-compressed file.
- Extract the file and view it.
The audit log shows the commands entered in the Live Response session.