Forum Discussion
Microsoft Defender API - Live Response Session Logging
Hello, are there any plans to expose the Live Response session data via the API?
The data I'd be particularly interested in would be:
Command logs, who created the session, when the session started, and the duration of the session.
We currently track incident investigation in a third party tool, if an analyst was required to open a Live Response session as part of remediation efforts, we'd ideally like to pull all resulting command logs into that ticket. This would also be great for longer term reporting and auditing purposes, e.g. pulling ALL Live Response session data into a log aggregation platform like ELK/QRadar/Splunk etc.
I think it would be a great addition to the other machine actions that are exposed here: https://docs.microsoft.com/en-gb/windows/security/threat-protection/microsoft-defender-atp/machineaction
Property: type
Description: Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
- HeikeRitterMicrosoft
Dan Michelson - have a look please!
- simonepatonicoBrass Contributor
StephenMcc are there any news about your question?
I would also like to track and export all the commands that are executed in the "Live response" tool.
As far as I know it is only possible to visualize current session commands.
Thank you in advance
- StephenMccBrass Contributor
simonepatonico never got a reply unfortunately. After reviewing the current API docs, it doesn't look like live response session logging is exposed yet.
- simonepatonicoBrass Contributor
StephenMcc Thank you very much for your answer!