Skip to main content

QuickAction - Run a command on a device with MS Defender Endpoint - Workflow Template

Execute commands on a remote endpoint using LiveResponse.

Updated today

This workflow template enables SOC analysts to execute predefined commands like ping, tracert, netstat, and ipconfig on remote endpoints using Microsoft Defender for Endpoint. It automates the process of waiting for the target endpoint to come online, executing the commands, and logging the outputs as case notes for review. Ideal for threat hunting and case management, it enhances response times and accuracy in handling incidents.

Take Me to the Template

Use Cases

Case Management , Threat Hunting

Workflow Breakdown

  1. The analyst can select from a pre-defined set of commands, such as ping, tracert, netstat, and ipconfig.

  2. LiveResponse waits for the target endpoint to come online, then automatically initiates a session to execute the chosen commands.

  3. Add each command output as a note for the analyst to review.

Vendors

Scripting, Utils, HTTP, Microsoft Defender for Endpoint, Torq Cases

Workflow Output

Commands output are added as a case note.

Related Articles
Threat Hunt for a Specified SHA1 Signature in SingularityXDR - Workflow Template
Run LiveResponses on Microsoft Defender for Endpoint - Workflow Template
QuickAction - Isolate or Release a Device on MS Defender Endpoint - Workflow Template
QuickAction - Scan Device on MS Defender for Endpoint - Workflow Template
QuickAction - Fetch a File from Device on MS Defender Endpoint - Workflow Template
Did this answer your question?