Microsoft Defender for Endpoint Blog

Introducing library management in Microsoft Defender

amibarayev
Microsoft
Feb 17, 2026

In dynamic investigation environments, preparation and agility are key. Security analysts working with live response in Microsoft Defender often rely on scripts and tools to triage, investigate, and remediate threats. Until now, these assets had to be uploaded during active sessions, limiting manageability and increasing time to action.

Recognizing the need for better readiness and control, Defender now introduces a more proactive and efficient way to manage these assets: library management.

The new library management experience in Defender brings powerful enhancements to how security teams manage scripts and files used in live response. With this centralized and streamlined interface, analysts no longer need to wait for an active session to organize their investigation tools; everything can now be managed proactively, directly from the portal. This enhancement in Defender’s live response tooling improves operational readiness, enhances visibility and control, and helps streamline response workflows across SOC teams.

What’s new in library management?

Centralized script and file management – Security teams can now upload, manage, and clean up their entire collection of Live Response scripts and files outside of an active investigation. This proactive approach allows better preparation and alignment across analysts.

Upload in advance – Easily upload PowerShell scripts, batch files, or other response tools ahead of time, so they're immediately accessible when needed during an investigation.

View script contents in the portal – No need to switch tools: analysts can review script contents directly within the Defender UI to validate logic and confirm functionality before execution.

Clean and organize – Outdated or redundant scripts can be deleted with a click, keeping your library lean, relevant, and audit-friendly.

Boost analyst understanding with Copilot – Understanding unfamiliar scripts can slow down investigations. That’s where Microsoft Security Copilot comes in.

Copilot automatically analyzes scripts in the library and provides:

  • Summarized behavior descriptions
  • Security-relevant insights
  • Execution risk context

This makes it easier for analysts—especially those new to a team or handling inherited tools—to assess what a script does before running it, reducing errors and increasing confidence.

Get started today

You can access the Library Management experience from the live response page in the Microsoft Defender portal. Start uploading your investigation tools, explore script previews, and let Copilot assist in surfacing the intent and behavior of your scripts.

 

Updated Feb 17, 2026
Version 2.0

1 Comment

  • IronBrandedM
    Copper Contributor

    Good article. It would be interesting to have MDE Live Response sessions eventually support streaming or uploading the output of a script directly to a chosen destination, such as the host machine or Azure Blob Storage.

    This capability would help ensure forensically sound artifact collection by minimizing changes to the investigated asset.