
Task 08: Execute Live Response and track actions

  1. In the Live Response console, run the library command and verify that lr-proof.ps1 is listed.

    Containment-50.png

  2. Run:

     run lr-proof.ps1 -parameters "-OutDir 'C:\ProgramData\AIR-Lab' -Note 'Lab run'"

    Containment-51.png

  3. Verify the output by running

     dir C:\ProgramData\AIR-Lab

    and confirm that proof.txt is listed.

    Containment-52.png

  4. Above the console, select the Command log tab to review actions taken.

    Containment-53.png

  5. In the leftmost pane, go to System > Permissions.

  6. Under the Endpoints roles & groups section, select Device groups.

    Containment-54.png

  7. Select Ungrouped devices (default).

  8. In the flyout pane, under Remediation level, open the dropdown menu and select Semi - Approval required for all folders, so that remediation actions on devices in this group require approval before they run.

    Containment-55.png

  9. In the lower-right corner of the pane, select Save and close.

  10. Select the Pilot Lab group and repeat steps 8 and 9.

  11. In the leftmost pane, go to Assets > Devices.

  12. Select your pilot device, winvm-mde.

  13. In the upper-right corner of the page, select the ellipsis to open the More actions menu, then select Initiate Live Response Session.

  14. In the console, run

     remediate file C:\ProgramData\AIR-Lab\proof.txt

    Containment-56.png

  15. In the leftmost pane, go to Investigation & response > Actions & submissions > Action center.

  16. At the top of the page, select the History tab to confirm results.

    Containment-57.png
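The lab's lr-proof.ps1 is not reproduced on this page. The script below is an added example, not the lab's own file: a hypothetical proof-of-execution script whose parameter names (-OutDir, -Note) match the invocation in step 2 and whose output file name matches the check in step 3. What it records (timestamp, host, executing identity, parent process, file hashes) is an assumption about what is useful to capture when testing Live Response, not something the page specifies. Uploaded to the Live Response library under the same name, it runs exactly as shown above.

```powershell
<#
.SYNOPSIS
  Writes a proof-of-execution file for a Live Response lab run.
  Hypothetical example script (not the lab's own lr-proof.ps1): the parameter
  names match the invocation shown in the lab; everything else is an assumption.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$OutDir,

    [string]$Note = ''
)

$ErrorActionPreference = 'Stop'

# Live Response runs library scripts non-interactively, so create the output
# directory instead of assuming it already exists.
if (-not (Test-Path -LiteralPath $OutDir -PathType Container)) {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
}

$proofPath = Join-Path -Path $OutDir -ChildPath 'proof.txt'

# Capture the execution context: the identity and parent process show which
# account and host process Live Response used to launch this script.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$parentPid = (Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $PID").ParentProcessId
$parent    = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $parentPid"

$lines = @(
    "Timestamp (UTC) : $((Get-Date).ToUniversalTime().ToString('o'))"
    "Host            : $env:COMPUTERNAME"
    "Identity        : $identity"
    "Process ID      : $PID"
    "Parent          : $parentPid ($($parent.Name))"
    "Note            : $Note"
)

Set-Content -LiteralPath $proofPath -Value $lines -Encoding UTF8

# Print the hashes so the file can be correlated with its record in the portal
# after `remediate file` has removed it from disk.
$sha1   = (Get-FileHash -LiteralPath $proofPath -Algorithm SHA1).Hash
$sha256 = (Get-FileHash -LiteralPath $proofPath -Algorithm SHA256).Hash

Write-Output "Wrote $proofPath"
Write-Output "SHA1   : $sha1"
Write-Output "SHA256 : $sha256"
Write-Output '--- proof.txt ---'
Get-Content -LiteralPath $proofPath
```

Everything written with Write-Output is echoed back in the Live Response console, so the hashes and the context lines are visible in the session and in the Command log without opening the file on the device. Keeping the hashes before step 14 matters because once remediate file runs there is nothing left on disk to hash.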