The "QuickAction - Run a command on a device with MS Defender Endpoint" workflow template is designed for SOC analysts to efficiently execute diagnostic commands on remote endpoints using Microsoft Defender for Endpoint. This workflow automates the execution of commands like ping, netstat, tracert, and ipconfig, waiting for the target device to come online before initiating a session. The results are automatically documented as case notes, streamlining threat hunting and case management processes.
Use Cases
Case Management, Threat Hunting
Workflow Breakdown
The analyst can select from a pre-defined set of commands, such as ping, tracert, netstat, and ipconfig.
LiveResponse waits for the target endpoint to come online, then automatically initiates a session to execute the chosen commands.
Each command's output is added to the case as a note for the analyst to review.
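The control flow of those three steps, as an added example that is not Torq's template code: a fixed allowlist of the four commands with the argument shape each may take, a polling loop on the device health status before any session is opened, and one case note per command output. The Defender for Endpoint client is injected and stubbed (`FakeMde`, a constructed stand-in whose `run_live_response` method is an assumption; the real Live Response API runs library scripts and returns results asynchronously), so the block runs offline.

```python
import re
import time

# Only the commands the template exposes, with the argument shape each may take.
ALLOWED = {
    "ping": re.compile(r"[A-Za-z0-9.\-]{1,253}"),     # hostname or IP
    "tracert": re.compile(r"[A-Za-z0-9.\-]{1,253}"),  # hostname or IP
    "netstat": re.compile(r"(-[a-z]{1,3})?"),         # optional short switch
    "ipconfig": re.compile(r"(/all)?"),               # optional /all
}

def validate(command, arg=""):
    """Return (command, arg) if both are on the allowlist, else raise."""
    pattern = ALLOWED.get(command)
    if pattern is None or not pattern.fullmatch(arg):
        raise ValueError(f"command not permitted: {command!r} {arg!r}")
    return command, arg

def wait_for_online(mde, machine_id, max_polls, sleep=time.sleep):
    """Poll the device health until it reports Active; False once polls run out."""
    for n in range(max_polls):
        if mde.health_status(machine_id) == "Active":
            return True
        if n + 1 < max_polls:
            sleep(10)  # seconds between health checks
    return False

def run_quick_action(mde, notes, machine_id, requests, max_polls=30, sleep=time.sleep):
    """Validate all requests, wait for the device, run each command, note its output."""
    commands = [validate(c, a) for c, a in requests]  # reject before any session
    if not wait_for_online(mde, machine_id, max_polls, sleep):
        notes.append(f"{machine_id}: device did not come online; no commands run")
        return []
    outputs = []
    for command, arg in commands:
        text = mde.run_live_response(machine_id, command, arg)
        notes.append(f"{command} {arg}".strip() + f" on {machine_id}:\n{text}")
        outputs.append(text)
    return outputs

class FakeMde:
    """Constructed stand-in for the Defender API: Inactive for `offline_polls`
    health checks, then Active; command output is canned per command."""
    def __init__(self, offline_polls, results):
        self.offline_polls, self.results, self.polls = offline_polls, results, 0
    def health_status(self, machine_id):
        self.polls += 1
        return "Active" if self.polls > self.offline_polls else "Inactive"
    def run_live_response(self, machine_id, command, arg):
        return self.results[command]
```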
Vendors
Scripting, Utils, HTTP, Microsoft Defender for Endpoint, Torq Cases
Workflow Output
Command output is added to the case as a note.
