cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Microsoft Defender API - Live Response Session Logging

StephenMcc
Brass Contributor

‎Jun 24 2019 03:18 AM

‎Jun 24 2019 03:18 AM

Microsoft Defender API - Live Response Session Logging

Hello, are there any plans to expose the Live Response session data via the API?

The data I'd be particularly interested in would be:
Command logs, who created the session, when the session started, and the duration of the session.


We currently track incident investigation in a third party tool, if an analyst was required to open a Live Response session as part of remediation efforts, we'd ideally like to pull all resulting command logs into that ticket. This would also be great for longer term reporting and auditing purposes, e.g. pulling ALL Live Response session data into a log aggregation platform like ELK/QRadar/Splunk etc.

I think it would be a great addition to the other machine actions that are exposed here: https://docs.microsoft.com/en-gb/windows/security/threat-protection/microsoft-defender-atp/machineac...

 

Property: type
Description: Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"

3,996 Views
5 Likes
4 Replies
Reply
4 Replies
Heike Ritter

‎Jun 25 2019 08:37 AM

‎Jun 25 2019 08:37 AM

Re: Microsoft Defender API - Live Response Session Logging

@Dan Michelson - have a look please!

0 Likes
Reply
simonepatonico

‎Mar 17 2020 03:13 AM

‎Mar 17 2020 03:13 AM

Re: Microsoft Defender API - Live Response Session Logging

@StephenMcc are there any news about your question?

I would also like to track and export all the commands that are executed in the "Live response" tool.

As far as I know it is only possible to visualize current session commands.

Thank you in advance

0 Likes
Reply
StephenMcc

‎Mar 25 2020 06:20 AM

‎Mar 25 2020 06:20 AM

Re: Microsoft Defender API - Live Response Session Logging

@simonepatonico never got a reply unfortunately. After reviewing the current API docs, it doesn't look like live response session logging is exposed yet.

0 Likes
Reply
simonepatonico

‎Mar 25 2020 06:33 AM

‎Mar 25 2020 06:33 AM

Re: Microsoft Defender API - Live Response Session Logging

@StephenMcc Thank you very much for your answer!

1 Like
Reply