Listen to this Post

Introduction:
In modern Security Operations Centers (SOCs), detection without response is merely noise. Microsoft Defender for Endpoint bridges this gap by transforming analysts from passive observers into active threat hunters capable of containing breaches in real time. This article dissects the core response actions available in Defender for Endpoint, providing verified command-line procedures, API integrations, and cross-platform hardening techniques essential for the SC-200 certification and real-world purple team exercises.
Learning Objectives:
- Execute remote containment and forensic acquisition on Windows and Linux endpoints using Microsoft Defender for Endpoint.
- Deploy Live Response sessions to remediate active threats with PowerShell and Bash commands.
- Harden cloud-connected endpoints through attack surface reduction rules and application restriction policies.
You Should Know:
1. Network Containment: Isolating Devices Without Burning Bridges
Isolation is the digital equivalent of dropping a blast shield—it severs all network communication except the vital heartbeat channel to Defender.
Step‑by‑step guide – Portal Method:
- Navigate to Microsoft 365 Defender → Assets → Devices.
2. Select the compromised device → Isolate device.
3. Choose isolation type:
- Full isolation – blocks all external traffic.
- Selective isolation – allows Defender and update services only.
PowerShell Automation (requires Device.ReadWrite.All permission):
$token = Get-AzAccessToken -ResourceUrl "https://api.security.microsoft.com"
$headers = @{Authorization = "Bearer $($token.Token)"}
$body = @{
Comment = "Ransomware containment – CRITICAL"
IsolationType = "Full"
} | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "https://api.security.microsoft.com/api/machines/{machineId}/isolate" -Headers $headers -Body $body -ContentType "application/json"
Linux Equivalent (Defender for Endpoint on Linux):
mdatp config network-isolation --type full --value enabled mdatp health --field network_isolation_status Verify isolation state
2. Forensic Deep Dive: Collecting an Investigation Package
When an incident escalates, you need artifacts—not assumptions. The investigation package harvests registry hives, prefetch files, event logs, and memory dumps.
Step‑by‑step guide – Automated Collection:
- From the device page, select Collect investigation package.
- Microsoft 365 Defender compresses the data into a .cab file.
- Download and analyze using EZViewer or Zimmerman’s Tools.
Manual Collection via Live Response:
From within Live Response session Get-File -Path "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db" Get-File -Path "C:\Windows\Prefetch.pf" Get-File -Path "C:\Windows\System32\winevt\Logs\Security.evtx"
Linux Artifact Collection:
sudo mdatp diagnostic create --path /tmp/defender_diagnostic.tar.gz sudo tar -czvf /tmp/linux_forensics.tar.gz /var/log /etc/passwd /etc/shadow /tmp/defender_diagnostic.tar.gz
3. Immediate Remediation: Kicking Off an Antivirus Scan
Sometimes the quickest path to remediation is letting the engine do its job—centrally triggered, agent‑executed.
Portal Execution:
Device page → Run antivirus scan → Quick / Full / Custom.
PowerShell API Trigger:
$body = @{
Comment = "Post-infection sweep"
ScanType = "FullScan"
} | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "https://api.security.microsoft.com/api/machines/{machineId}/runAntivirusScan" -Headers $headers -Body $body
Local Command (for validation):
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
ScanType 1 = quick, 2 = full, 3 = file/directory custom.
4. Real‑Time Triage: Mastering Live Response Sessions
Live Response grants a remote, kernel‑level command shell—no RDP, no VPN, just raw investigative power.
Initiating a Session:
1. Device page → Initiate Live Response.
2. Choose Advanced mode for full PowerShell/cmd access.
Essential Live Response Commands:
| Command | Purpose | Example |
|–|||
| `Get-Process` / `ps` | List running processes | `Get-Process -Name “suspicious”` |
| `Get-Service` / `services` | Enumerate services | `Get-Service | Where Status -eq “Running”` |
| `Get-File` | Download artifact | `Get-File -Path “C:\temp\malware.exe”` |
| `Put-File` | Upload tool to endpoint | `Put-File -FileName “ProcDump.exe”` |
| `Run` | Execute script | `Run -ScriptBlock {ipconfig /all}` |
Linux Live Response:
mdatp session start mdatp process list | grep -i suspicious mdatp file upload --file /tmp/malicious_script.sh
5. Attack Surface Reduction: Restricting Application Execution
Before you finish the investigation, prevent the bad guys from doubling down. Application restriction stops unsigned/blocklisted binaries from launching.
Portal Configuration:
Device page → Restrict app execution → Enable.
Effect: Only Microsoft‑signed applications and those in the allowlist can run.
PowerShell via Graph API:
$body = @{
Comment = "Containment: block non-Microsoft binaries"
RestrictionType = "OnlyMicrosoftSigned"
} | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "https://api.security.microsoft.com/api/machines/{machineId}/restrictAppExecution" -Headers $headers -Body $body
Local Enforcement (via Windows Defender Firewall / AppLocker):
Set-AppLockerPolicy -Policy .\AppLockerAuditOnly.xml -Merge Convert to Enforced later
6. Cloud Hardening: Indicator Management and Threat Intelligence
Beyond immediate response, proactive defenders feed indicators of compromise (IoCs) back into Defender.
Creating an IoC via API:
$iocBody = @{
indicatorValue = "https://malicious-panel.net/beacon"
indicatorType = "Url"
action = "BlockAndRemediate"
title = "C2 callback domain"
severity = "High"
description = "Observed in phishing campaign"
} | ConvertTo-Json
Invoke-RestMethod -Method Post -Uri "https://api.security.microsoft.com/api/indicators" -Headers $headers -Body $iocBody
Verification on Windows Endpoint:
Get-MpPreference | Select-Object -Property PUA, BlockAtFirstSeen
What Undercode Say:
- Containment is cheaper than cleanup. Isolating a host within seconds can reduce incident cost by over 60% by preventing ransomware encryption blast radius.
- Live Response is the SOC’s surgical scalpel. Mastering its command line—on both Windows and Linux—turns generic alerts into confirmed compromise timelines.
- Automation is non‑negotiable. The API examples above should be woven into SOAR playbooks; manual clicking doesn’t scale in cloud‑first environments.
Analysis:
Microsoft Defender for Endpoint is no longer just an AV—it’s a remote incident response platform. The shift from “detect” to “act” requires SOC teams to think like system administrators with kill‑switch authority. The commands and API calls detailed here are the difference between a contained breach and a headline breach. As Defender expands to macOS and Linux, cross‑platform proficiency will separate elite defenders from ticket‑pushers. Start scripting these actions today; your future self (and your CISO) will thank you.
Prediction:
In the next 18 months, cloud‑native response will replace on‑prem tools entirely. Expect Microsoft to merge Defender for Endpoint actions directly into Copilot for Security, allowing natural‑language isolation (“Isolate the host that just tried to connect to ransom‑site.ru”). The SOC analyst’s job will shift from typing commands to approving AI‑generated remediation plans—but only those who understand the underlying mechanics will remain trusted to push the button.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Antondawson On – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


