Live Response Automation via API in Microsoft Defender for Endpoint

Microsoft Defender for Endpoint (MDE) provides powerful Live Response capabilities, allowing security teams to investigate and remediate threats in real time. This article explores how to automate Live Response using the Defender API, including uploading and executing files remotely—even on unmanaged devices.

🔗 Reference: Live Response Automation via API in Microsoft Defender

You Should Know:

1. Prerequisites for API Automation

  • Microsoft Defender for Endpoint API Access: Ensure the app registration holds the necessary permissions (Threat.ReadWrite, Machine.LiveResponse).
  • Authentication: Use OAuth 2.0 (client credentials flow) with Microsoft Graph API; note that the token below is requested for the Defender for Endpoint API resource ($resource), not for Graph itself.

    PowerShell: Get OAuth Token
    $tenantId = "YOUR_TENANT_ID"
    $clientId = "YOUR_CLIENT_ID"
    $clientSecret = "YOUR_CLIENT_SECRET"   # load from a secret store in production, never hard-code it
    $resource = "https://api.securitycenter.microsoft.com"

    # v2.0 token endpoint; the "<resource>/.default" scope requests every application permission granted to the registration
    $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
    $body = @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "$resource/.default"
        grant_type    = "client_credentials"
    }
    $response = Invoke-RestMethod -Uri $tokenUrl -Method Post -Body $body
    $accessToken = $response.access_token   # bearer token used by every call below

2. Initiate Live Response Session

    Bash: Start Live Response Session
    # {deviceId} is the Defender machine id of the target; $accessToken is the token obtained in step 1
    curl -X POST "https://api.securitycenter.microsoft.com/api/machines/{deviceId}/liveResponse" \
      -H "Authorization: Bearer $accessToken" \
      -H "Content-Type: application/json"

3. Upload and Execute a Script Remotely

    PowerShell: Upload a File
    $deviceId  = "YOUR_DEVICE_ID"     # Defender machine id of the target device
    $sessionId = "YOUR_SESSION_ID"    # live response session opened in step 2
    $filePath  = "C:\Scripts\investigate.ps1"
    $uploadUrl = "https://api.securitycenter.microsoft.com/api/machines/$deviceId/liveResponse/sessions/$sessionId/files"

    # The request body is the raw file, hence the octet-stream content type
    $uploadHeaders = @{
        "Authorization" = "Bearer $accessToken"
        "Content-Type"  = "application/octet-stream"
    }
    Invoke-RestMethod -Uri $uploadUrl -Method Post -Headers $uploadHeaders -InFile $filePath

    Execute the Script
    $commandUrl = "https://api.securitycenter.microsoft.com/api/machines/$deviceId/liveResponse/sessions/$sessionId/commands"
    # The command is sent as JSON, so this request needs a JSON content type rather than octet-stream
    $jsonHeaders = @{
        "Authorization" = "Bearer $accessToken"
        "Content-Type"  = "application/json"
    }
    $body = @{
        "Command" = "RunScript"
        "Input"   = "investigate.ps1"   # name of the file uploaded above
    } | ConvertTo-Json

    Invoke-RestMethod -Uri $commandUrl -Method Post -Headers $jsonHeaders -Body $body

4. Error Handling & Logging

  • API Rate Limits: Microsoft enforces throttling (e.g., 100 calls per minute).
  • Retry Logic: Implement exponential backoff.

    Python: Retry Mechanism
    import requests
    import time

    def make_api_request(url, headers, payload, max_retries=3):
        """POST the payload as JSON, retrying failed calls with exponential backoff."""
        for attempt in range(max_retries):
            try:
                response = requests.post(url, headers=headers, json=payload)
                response.raise_for_status()
                return response
            except requests.exceptions.RequestException as e:
                if attempt == max_retries - 1:
                    raise  # out of retries: surface the last error to the caller
                time.sleep(2 ** attempt)  # 1s, 2s, 4s ... between attempts
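As an added example (not code from the original post), here is a fuller version of the retry idea above: it honours the Retry-After value the API sends when it throttles (HTTP 429), caps the exponential backoff, fails fast on non-retryable errors such as 401/403 where retrying only burns quota, and ships with a constructed FakeSession so the retry path can be exercised offline. The placeholder URL, the scripted status sequence and the helper names are assumptions made for the demo.

```python
import time
import random
from types import SimpleNamespace

RETRYABLE_STATUS = {429, 500, 502, 503, 504}  # 429 = throttled, 5xx = transient server trouble

class ApiError(Exception):
    """Non-retryable HTTP error (e.g. 401/403) or retries exhausted."""

def backoff_delay(attempt, retry_after=None, base=1.0, cap=30.0, jitter=0.0):
    """Seconds to wait before retry `attempt` (0-based): a numeric Retry-After value
    from the API wins; otherwise base * 2**attempt, capped at `cap`, plus random jitter."""
    if retry_after is not None and str(retry_after).isdigit():
        return min(float(retry_after), cap)
    return min(base * 2 ** attempt, cap) + random.uniform(0, jitter)

def make_api_request(url, headers, payload, max_retries=3, session=None, sleep=time.sleep):
    """POST `payload` as JSON, retrying throttled/transient responses. `session` needs a
    .post(url, headers=, json=, timeout=) method returning an object with .status_code and
    .headers (requests.Session by default); `sleep` is injectable for offline testing."""
    if session is None:
        import requests  # only needed for real calls; the offline demo never imports it
        session = requests.Session()
    for attempt in range(max_retries + 1):
        resp = session.post(url, headers=headers, json=payload, timeout=30)
        if resp.status_code not in RETRYABLE_STATUS:
            if resp.status_code >= 400:  # 401/403/404: a caller problem, retrying will not help
                raise ApiError(f"HTTP {resp.status_code} from {url}")
            return resp
        if attempt == max_retries:
            break
        sleep(backoff_delay(attempt, resp.headers.get("Retry-After")))
    raise ApiError(f"gave up after {max_retries} retries, last status {resp.status_code}")

class FakeSession:
    """Constructed stand-in for requests.Session: replays scripted (status, headers) pairs."""
    def __init__(self, script):
        self.script, self.calls = list(script), 0

    def post(self, url, headers=None, json=None, timeout=None):
        self.calls += 1
        status, hdrs = self.script.pop(0)
        return SimpleNamespace(status_code=status, headers=hdrs)

def demo_throttled_then_ok():
    """Two 429s (the first carrying Retry-After: 5) followed by a 200; no real waiting."""
    sleeps = []
    fake = FakeSession([(429, {"Retry-After": "5"}), (429, {}), (200, {})])
    resp = make_api_request("https://placeholder.invalid/api", {}, {}, session=fake, sleep=sleeps.append)
    return resp.status_code, fake.calls, sleeps  # (200, 3, [5.0, 2.0])
```

With a real requests.Session the same function drives the Live Response calls above; the sleeps list shows how long the client would have waited.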

What Undercode Say:

Automating Live Response via Microsoft Defender’s API significantly enhances SOC efficiency, especially for hybrid environments. Key takeaways:
– API Flexibility: Execute scripts, collect forensic data, and remediate threats without manual intervention.
– Unmanaged Devices: Even devices not enrolled in Intune can be controlled if they report to MDE.
– Security Best Practices: Always encrypt sensitive scripts and audit API access logs.

Linux/Win Commands for Incident Response:

    Linux: Memory Dump (LiME)
    sudo insmod lime.ko "path=/tmp/memdump.lime format=lime"   # write a raw memory image in LiME format

    Windows: Process Investigation
    tasklist /v

    Windows: Check ETW providers
    logman query providers

Expected Output:

A fully automated Live Response workflow that integrates with SIEMs like Splunk or Azure Sentinel, reducing mean time to remediation (MTTR) by 70%.

Reported By: Burak Celik – Hackers Feeds