List Live Response Unsigned Script Setting Changes
Live Response Unsigned Power Shell Changes
Query
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
| where SettingName == "Live Response unsigned script execution"
| project-reorder Timestamp, AccountId, ActionType, SettingName, SettingsNewValueAbout this query
List Live Response Unsigned Script Setting Changes
Query Information
Description
This query lists all changes to the Live Response Unsigned Script settings in the Advanced Features in Defender For Endpoint. You want to monitor this because allowing the use of unsigned scripts may increase your exposure to threats.
References
- https://kqlquery.com/posts/leveraging-live-response/
- https://learn.microsoft.com/en-us/defender-endpoint/live-response
- https://kqlquery.com/posts/audit-defender-xdr/
Defender XDR
Sentinel
CloudAppEvents
| where ActionType == "SetAdvancedFeatures"
| extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
| where SettingName == "Live Response unsigned script execution"
| project-reorder TimeGenerated, AccountId, ActionType, SettingName, SettingsNewValue
Explanation
This query is designed to track changes to a specific security setting in Microsoft Defender for Endpoint, specifically the "Live Response Unsigned Script" setting. The query is important because allowing unsigned scripts can increase security risks. Here's a simple breakdown of what the query does:
-
Data Source: It pulls data from
CloudAppEvents, which logs various actions and events related to cloud applications. -
Filter by Action: It looks for events where the action type is "SetAdvancedFeatures", indicating changes to advanced security settings.
-
Extract Details: It extracts the specific setting name and its new value from the raw event data. This is done using JSON parsing to get the
SettingNameandSettingsNewValue. -
Focus on Specific Setting: It filters the results to only include changes to the "Live Response unsigned script execution" setting.
-
Output: The query organizes the output to show the timestamp (or time generated), account ID, action type, setting name, and the new value of the setting.
This query is useful for security monitoring, as it helps identify when and by whom the setting for executing unsigned scripts in Live Response was changed, allowing for quick response to potential security threats.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators