As part of our ongoing effort to provide a rich set of APIs to allow customers and partners to benefit from the power of the Microsoft Defender for Endpoint platform, we are happy to announce the public preview of the live response API.
[Figure: live response API request example]
Time plays a critical role when collecting forensic evidence. Due to frequent changes that occur in the memory and storage of a device, it's critical to collect forensic evidence swiftly. Forensic evidence must be gathered as soon as suspicious activity is identified on a device.
The live response APIs let you collect information from, and take real-time actions on, a remote endpoint programmatically. These actions include uploading and downloading files and executing scripts on the endpoint.
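As an added example (not code from the original post), the following PowerShell drives one live response session end to end from an analyst workstation: it acquires an app-only token, queues a RunScript command followed by a GetFile command against one device, polls the resulting machine action, and downloads the collected archive. The endpoint paths, command names, parameter keys and response fields follow the public API documentation as understood at the time of writing; treat them as assumptions and check them against the current documentation. The tenant, app, device and script values are placeholders, and the script named here is assumed to already exist in the live response library (during the preview it has to be uploaded through the portal) and to write its archive to the assumed path.

```powershell
# Added example: run a live response collection through the Defender for Endpoint API.
# Endpoint paths, command names and response fields are assumptions taken from the
# public API docs; tenant/app/device/script values are placeholders.

$TenantId     = '<tenant-id>'
$ClientId     = '<app-id>'
$ClientSecret = '<app-secret>'        # read from a secret store in practice; never commit it
$MachineId    = '<machine-id>'        # Defender for Endpoint device ID, e.g. from the alert
$ScriptName   = 'collect-artifacts.ps1'                   # assumed to be in the live response library
$ResultPath   = 'C:\ProgramData\IRCollect\artifacts.zip'  # assumed path the script writes

# 1. App-only token for the Defender for Endpoint resource (client credentials flow).
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    resource      = 'https://api.securitycenter.microsoft.com'
}
$token   = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $tokenBody).access_token
$headers = @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
$api     = 'https://api.securitycenter.microsoft.com/api'

# 2. Queue one session: run the script, then pull back the archive it produced.
#    Commands run in order, so the GetFile sees the file the RunScript wrote.
$request = @{
    Commands = @(
        @{ type = 'RunScript'; params = @(@{ key = 'ScriptName'; value = $ScriptName }) },
        @{ type = 'GetFile';   params = @(@{ key = 'Path';       value = $ResultPath }) }
    )
    Comment = 'Forensic collection triggered during alert triage'
} | ConvertTo-Json -Depth 6

$action = Invoke-RestMethod -Method Post -Uri "$api/machines/$MachineId/runliveresponse" -Headers $headers -Body $request

# 3. The call returns a machine action; poll it until it leaves the pending/in-progress states.
do {
    Start-Sleep -Seconds 15
    $action = Invoke-RestMethod -Method Get -Uri "$api/machineactions/$($action.id)" -Headers $headers
    Write-Host "machine action $($action.id): $($action.status)"
} while ($action.status -in 'Pending', 'InProgress')

if ($action.status -ne 'Succeeded') {
    throw "Live response action $($action.id) ended with status $($action.status)"
}

# 4. Fetch the download link for the GetFile output (index 1 = the second command;
#    index 0 would return the script's console output) and save it locally.
$link  = Invoke-RestMethod -Method Get -Uri "$api/machineactions/$($action.id)/GetLiveResponseResultDownloadLink(index=1)" -Headers $headers
$local = Join-Path $env:TEMP "evidence_${MachineId}_$($action.id).zip"
Invoke-WebRequest -Uri $link.value -OutFile $local

# Hash what was received immediately; this is the first entry in the chain of custody.
(Get-FileHash -Algorithm SHA256 -Path $local).Hash
```

Two practical points: the app registration needs the live response permission granted and admin-consented before the runliveresponse call is authorized, and the device must be online and in a state that permits live response (it is rejected otherwise, and the action status will show that rather than hang). Keeping the whole flow in one script makes it straightforward to trigger from an alert-driven automation later.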
The live response APIs are currently supported on Windows 10 and Windows Server 2019; support for other platforms is coming soon.
The new functionality adds a number of new APIs to the Microsoft Defender for Endpoint API schema. These include:
Check out the tutorial below, where you’ll be guided through using the live response API to export and collect artifacts from a compromised device.
How to use the live response API
In this tutorial we will show you how to use the live response API to collect forensic evidence that captures the current state of the device, such as running processes and scheduled tasks. You can later configure the script to run automatically when a specific alert is raised, so you can investigate threats and respond in real time.
Step 1 – Create/download a script that collects any artifact that may interest you. For basic usage, you can use the sample script below.
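The sample script referred to above is not reproduced on this page. As an added example (not the post's sample script, and not part of the original page), here is a collection script of the kind Step 1 calls for: it snapshots volatile state on a Windows host (host identity, processes with command lines, scheduled tasks, services, listening and established TCP connections, Run keys), writes each artifact as JSON, records SHA-256 hashes of the files in a manifest, and zips the bundle so a subsequent GetFile can retrieve it. The output directory and file names are assumptions chosen for illustration.

```powershell
# collect-artifacts.ps1
# Added example: a live response collection script that snapshots volatile state.
# The output location and file names are assumptions for illustration.

param(
    # Where the evidence bundle is written; a later GetFile retrieves the zip from here.
    [string]$OutputDir = "$env:ProgramData\IRCollect"
)

$ErrorActionPreference = 'Continue'
$timestamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$workDir   = Join-Path $OutputDir $timestamp
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Each collector is wrapped so that one failure does not abort the whole run;
# a failed collector leaves an ERROR file instead of silently producing nothing.
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    $path = Join-Path $workDir "$Name.json"
    try {
        & $Collector | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
    } catch {
        "ERROR: $($_.Exception.Message)" | Set-Content -Path $path -Encoding UTF8
    }
}

# Host identity and clocks, so the bundle can be correlated with the alert timeline.
Save-Artifact 'host' {
    $os = Get-CimInstance Win32_OperatingSystem
    [ordered]@{
        ComputerName = $env:COMPUTERNAME
        CollectedUtc = $timestamp
        OS           = $os.Caption
        BootTimeUtc  = $os.LastBootUpTime.ToUniversalTime()
    }
}

# Running processes with parent PID and full command line (Get-Process does not expose the command line).
Save-Artifact 'processes' {
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
}

# Scheduled tasks: a common persistence mechanism, so capture the actions, not just the names.
Save-Artifact 'scheduled_tasks' {
    Get-ScheduledTask | ForEach-Object {
        [ordered]@{
            TaskPath = $_.TaskPath
            TaskName = $_.TaskName
            State    = [string]$_.State
            Author   = $_.Author
            Actions  = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
        }
    }
}

# Services with binary path and account, to spot renamed or relocated service binaries.
Save-Artifact 'services' {
    Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName, StartName
}

# Listening and established TCP connections with the owning process ID (joins to processes.json).
Save-Artifact 'net_connections' {
    Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
}

# Classic autostart registry locations.
Save-Artifact 'run_keys' {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS*
        }
    }
}

# Hash every artifact before zipping so integrity can be verified after download.
Get-ChildItem -Path $workDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    ConvertTo-Json | Set-Content -Path (Join-Path $workDir 'manifest.json') -Encoding UTF8

# Fixed archive name so the follow-up GetFile path is predictable; the timestamp lives inside.
$zip = Join-Path $OutputDir 'artifacts.zip'
Compress-Archive -Path (Join-Path $workDir '*') -DestinationPath $zip -Force

# The archive path is the script's console output, which live response returns to the caller.
Write-Output $zip
```

Run it once locally under an elevated PowerShell before uploading it to the live response library, and keep it read-only: anything collected from a host that is under investigation should come from a script whose hash you know, so that the evidence chain starts with a trusted collector.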
We’re excited to hear your feedback as you explore the new APIs and we will continue to update the documentation throughout the preview. Our mission is to provide you a generic platform that allows you to develop a customized IR solution on top of it. Additional new capabilities are expected to be released soon, such as managing the live response library via API, and support for macOS and Linux.
If you’ve enabled public preview features, you can check out the new live response APIs today! If not, we encourage you to turn on preview features for Microsoft Defender for Endpoint to get access to the newest capabilities. These features can be turned on in the Microsoft Defender Security Center or the Microsoft 365 security center.
Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.