
Workflow Template: Run LiveResponses on Microsoft Defender for Endpoint

Executes Live Response commands on an endpoint and collects the results of each command.


The "Run LiveResponses on Microsoft Defender for Endpoint" workflow template automates Live Response actions on Microsoft Defender for Endpoint through its API. It lets security teams retrieve a file from an endpoint, place a file on it, run a script from the Live Response library, or execute a set of these commands in one session. It then collects and stores the result of each command, so responders have a record of what was executed on the endpoint and what came back.

Optional Triggers

This workflow is intended to be used as a function.

Use Cases

Endpoint Detection and Response (EDR), Function

Workflow Breakdown

  1. The workflow takes a machineId or computerDnsName as input to identify the endpoint.

  2. It runs either a single command (Get a File, Put a File, or Run a Script) or a complete set of commands combining all three actions. Run a Script executes a script that has already been uploaded to the Live Response library.

  3. Because Live Response actions complete asynchronously, the workflow waits a specified period of time and then verifies that the action finished successfully rather than remaining pending, failing, or timing out.

  4. It collects the result of each command as a tqfile.

  5. It also collects the list of previous Live Response actions.
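The five steps above, carried through as an added example that is not the workflow template's own code: it accepts either identifier, builds and validates the command set, starts the session, polls until the machine action is terminal or a deadline passes, and gathers a per-command result link (or the command's errors). Endpoint paths and payload shapes follow the public Defender for Endpoint Live Response API; the `http(method, url, body)` callable, the `FakeMde` transport, the host name and the result URLs are constructed so the module runs offline.

```python
"""Added example (not the workflow template's own code): drive one Defender for
Endpoint Live Response session end to end. Endpoint paths and payload shapes
follow the public MDE Live Response API; the http(method, url, body) callable
and the FakeMde transport below are assumptions so the module runs offline."""
import time

BASE = "https://api.securitycenter.microsoft.com/api"
TERMINAL = {"Succeeded", "Failed", "Cancelled", "TimeOut"}
# Mandatory parameter key for each Live Response command type.
REQUIRED = {"GetFile": "Path", "PutFile": "FileName", "RunScript": "ScriptName"}


def build_body(commands, comment):
    """Validate (type, params) tuples and build the runliveresponse request body."""
    if not commands:
        raise ValueError("at least one command is required")
    out = []
    for ctype, params in commands:
        if ctype not in REQUIRED:
            raise ValueError(f"unsupported command type {ctype!r}")
        if REQUIRED[ctype] not in params:
            raise ValueError(f"{ctype} requires parameter {REQUIRED[ctype]!r}")
        out.append({"type": ctype,
                    "params": [{"key": k, "value": v} for k, v in params.items()]})
    return {"Commands": out, "Comment": comment}


def resolve_machine_id(http, machine_id=None, computer_dns_name=None):
    """Accept either identifier; a DNS name is looked up via the machines API."""
    if machine_id:
        return machine_id
    if not computer_dns_name:
        raise ValueError("machineId or computerDnsName is required")
    hits = http("GET", f"{BASE}/machines?$filter=computerDnsName eq '{computer_dns_name}'")["value"]
    if len(hits) != 1:  # refuse to act on an ambiguous or unknown host
        raise LookupError(f"expected one machine for {computer_dns_name}, got {len(hits)}")
    return hits[0]["id"]


def run_live_response(http, machine_id, body):
    """Start the session; the API answers immediately with a pending machine action."""
    return http("POST", f"{BASE}/machines/{machine_id}/runliveresponse", body)["id"]


def wait_for_action(http, action_id, timeout_s, interval_s,
                    clock=time.monotonic, sleep=time.sleep):
    """Poll the machine action until it is terminal; give up after timeout_s."""
    deadline = clock() + timeout_s
    while True:
        action = http("GET", f"{BASE}/machineactions/{action_id}")
        if action["status"] in TERMINAL:
            return action
        if clock() >= deadline:
            raise TimeoutError(f"action {action_id} still {action['status']} after {timeout_s}s")
        sleep(interval_s)


def collect_results(http, action):
    """Per-command outcome keyed by index: a download link if it completed, else its errors."""
    results = {}
    for cmd in action["commands"]:
        idx, ctype = cmd["index"], cmd["command"]["type"]
        if cmd["commandStatus"] == "Completed":
            url = f"{BASE}/machineactions/{action['id']}/GetLiveResponseResultDownloadLink(index={idx})"
            results[idx] = {"type": ctype, "download": http("GET", url)["value"]}
        else:
            results[idx] = {"type": ctype, "errors": cmd.get("errors", [])}
    return results


class FakeMde:
    """Constructed stand-in for the API: the action stays Pending for two polls, then succeeds."""
    def __init__(self):
        self.polls, self.action = 0, None

    def __call__(self, method, url, body=None):
        if url.endswith("/runliveresponse"):
            cmds = [{"index": i, "commandStatus": "Created", "errors": [], "command": c}
                    for i, c in enumerate(body["Commands"])]
            self.action = {"id": "act-1", "type": "LiveResponse", "status": "Pending", "commands": cmds}
        elif url.endswith("/machineactions/act-1"):
            self.polls += 1
            if self.polls >= 3:
                self.action["status"] = "Succeeded"
                for c in self.action["commands"]:
                    c["commandStatus"] = "Completed"
        elif "GetLiveResponseResultDownloadLink" in url:
            return {"value": "https://example.invalid/result-" + url.split("index=")[1].rstrip(")")}
        elif "computerDnsName eq" in url:
            return {"value": [{"id": "m-123"}]}
        else:
            raise AssertionError(f"unexpected call {method} {url}")
        return self.action


def demo():
    """Run the whole procedure against the fake transport and return what the workflow would store."""
    http = FakeMde()
    mid = resolve_machine_id(http, computer_dns_name="host1.corp.example")
    body = build_body([("RunScript", {"ScriptName": "collect.ps1", "Args": "-Quick"}),
                       ("GetFile", {"Path": r"C:\Windows\Temp\collect.zip"})], "IR ticket 42")
    action = wait_for_action(http, run_live_response(http, mid, body), 60, 5, sleep=lambda _: None)
    return mid, action["status"], collect_results(http, action)
```

Two design points matter in practice: the DNS-name lookup refuses to continue unless exactly one machine matches, since running commands on the wrong host is worse than failing; and the wait step treats Failed, Cancelled and TimeOut as terminal, so a command that never completed is reported with its errors rather than polled forever. Replace `FakeMde` with a real HTTPS client carrying a bearer token that holds the Machine.LiveResponse permission.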

Vendors

Utils, Microsoft Defender for Endpoint

Workflow Output

The summary includes the executed command along with its results as a file.
