Live Response is a crucial tool for Incident Responders, and we are strong believers that Live Response should and could be used in ways that helps organizations to automate and orchestrate containment and response actions.
With that in mind, and following-up on last year's Live response public preview announcement, we are happy to share that we continue to expand support of existing APIs across all of our supported platforms in Microsoft Defender for Endpoint, alongside announcing new ones that will help simplify and augment organization's response automation and orchestration.
First, Live Response API is now available in Public Preview for Linux, providing a path for real-time actions against these platforms, with built-in capabilities to upload and download files and execute scripts. Customers that are already using Live Response API for Windows 10, Windows Server 2019 and other supported OS versions will see no change in the actual API schema. Just ensure that you select the correct scripts to be executed :)
Here are the links for the existing Microsoft Defender for Endpoint Live Response APIs documentation, if you haven't yet had a chance to read it before:
To check how to use Live Response API, please refer to the initial announcement of Live Response API, referenced at the beginning of this article.
Last, but not least, we are now also making available in Public Preview, the new API that will allow you to manage the Live Response Library (storage within the service to host scripts and other relevant tools for Incident Responders).
How to use the Live Response Library API
In this tutorial we will show you how to use the Live Response Library API to upload a file and then list existing files available in the library.
Step 1 - Upload file to Live Response Library
Request (HTTP POST)
POST https://api.securitycenter.microsoft.com/api/libraryfiles
And here is an example of a curl command, to upload a file (mdatp1.png), with a given description and finally with the option to override the file if it already exists in the library.
curl -X POST https://api.securitycenter.microsoft.com/api/libraryfiles -H
"Authorization: Bearer \$token" -F "file=\@mdatp1.png" -F
"ParametersDescription=test"
-F "HasParameters=true" -F "OverrideIfExists=true" -F "Description=test
description"
Step 2 - Listing existing files in the library
Request (HTTP GET)
GET https://api.securitycenter.microsoft.com/api/libraryfiles
Here is a response example:
HTTP/1.1 200 Ok
Content-type: application/json
{
"\@odata.context": "https://api.securitycenter.microsoft.com
/api/\$metadata\#LibraryFiles",
"value": [
{
"fileName": "script1.ps1",
"sha256":
"6e212a0db618507c44e4ec8ee7499dfef7e5767e5f8d31144df3b96fd1145caf",
"description": null,
"creationTime": "2019-10-24T10:54:23.2009016Z",
"lastUpdatedTime": "2019-10-24T10:54:23.2009016Z",
"createdBy": "admin",
"hasParameters": true,
"parametersDescription": "test"
},
{
"fileName": "script.sh",
"sha256":
"d0f3e3b0641dbf88ee39c822516e81a909d1d06d22341dd9b1f12aa5e5c027a2",
"description": null,
"creationTime": "2018-10-24T11:15:35.3688259Z",
"lastUpdatedTime": "2018-10-24T11:15:35.3688259Z",
"createdBy": "username",
"hasParameters": false
},
{
"fileName": "memdump.exe",
"sha256":
"fa70b87730290c0d30fe255d1dfb65de82f96286ebfeeb1d88ed3cc831329825",
"description": "Process memory dump",
"creationTime": "2018-10-24T10:54:23.2009016Z",
"lastUpdatedTime": "2018-10-24T10:54:23.2009016Z",
"createdBy": "admin",
"hasParameters": false
}
]
}
Summary
We're excited to hear your feedback as you explore the new APIs and their new scope, so don't hesitate in reaching out!
Documentation will continue to be updated and improved throughout the preview.
If you’ve enabled public preview features, you can check out the new Live Response APIs and Live Response Library API today! If not, we encourage you to turn on preview features for Microsoft Defender for Endpoint to get access to the newest capabilities.
From our end, we would like to extend a big Thank You to all of our customers and promise you that we will continue to bring you new and improved features and capabilities that will definitely delight you.
Keep safe!
The Microsoft Defender for Endpoint team
