StephenMcc
Brass Contributor
Jun 24, 2019

Microsoft Defender API - Live Response Session Logging

Hello, are there any plans to expose the Live Response session data via the API?

The data I'd be particularly interested in would be: command logs, who created the session, when the session started, and the duration of the session.


We currently track incident investigation in a third-party tool. If an analyst were required to open a Live Response session as part of remediation efforts, we'd ideally like to pull all resulting command logs into that ticket. This would also be great for longer-term reporting and auditing purposes, e.g. pulling ALL Live Response session data into a log aggregation platform like ELK/QRadar/Splunk etc.

I think it would be a great addition to the other machine actions that are exposed here: https://docs.microsoft.com/en-gb/windows/security/threat-protection/microsoft-defender-atp/machineaction


Property: type
Description: Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"