Microsoft Defender API - Live Response Session Logging


Hello, are there any plans to expose the Live Response session data via the API?

The data I'd be particularly interested in would be:
Command logs, who created the session, when the session started, and the duration of the session.


We currently track incident investigation in a third-party tool; if an analyst was required to open a Live Response session as part of remediation efforts, we'd ideally like to pull all resulting command logs into that ticket. This would also be great for longer-term reporting and auditing purposes, e.g. pulling ALL Live Response session data into a log aggregation platform like ELK/QRadar/Splunk etc.

I think it would be a great addition to the other machine actions that are exposed here: https://docs.microsoft.com/en-gb/windows/security/threat-protection/microsoft-defender-atp/machineac...


Property: type
Description: Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
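The post wants machine-action data (who, when, how long) pulled into a ticket or a SIEM. The following is an added example, not code from the thread or from Microsoft: it takes a response shaped like the machineactions endpoint linked above (the field names follow that documentation; the record values, host names, ticket id and the `SomeFutureAction` type are constructed for the example) and flattens it into audit records with a per-action duration, a per-requestor summary, and a flag for any `type` value that is not in the documented list, so a new action type shows up in the report instead of being silently dropped. The HTTP call and token handling are left out; the block works on the embedded sample.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# The type values the post quotes from the machineaction documentation.
KNOWN_ACTION_TYPES = {
    "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate",
    "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution",
    "UnrestrictCodeExecution",
}

# Constructed sample response: field names follow the machineaction docs,
# every value (ids, hosts, requestors, timestamps, ticket id) is invented.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "action-0001",
            "type": "Isolate",
            "requestor": "analyst.one@example.com",
            "requestorComment": "Ticket INC-1234: suspected credential theft",
            "status": "Succeeded",
            "machineId": "machine-aaaa",
            "computerDnsName": "ws-finance-07.example.com",
            "creationDateTimeUtc": "2020-03-20T09:15:00.1234567Z",
            "lastUpdateDateTimeUtc": "2020-03-20T09:17:30.0000000Z",
        },
        {
            "id": "action-0002",
            "type": "CollectInvestigationPackage",
            "requestor": "analyst.two@example.com",
            "requestorComment": "Ticket INC-1234: evidence collection",
            "status": "Failed",
            "machineId": "machine-aaaa",
            "computerDnsName": "ws-finance-07.example.com",
            "creationDateTimeUtc": "2020-03-20T09:20:00Z",
            "lastUpdateDateTimeUtc": "2020-03-20T09:21:00Z",
        },
        {
            "id": "action-0003",
            "type": "SomeFutureAction",   # hypothetical type not in the documented list
            "requestor": "analyst.one@example.com",
            "requestorComment": "",
            "status": "Succeeded",
            "machineId": "machine-bbbb",
            "computerDnsName": "srv-db-01.example.com",
            "creationDateTimeUtc": "2020-03-21T11:00:00Z",
            "lastUpdateDateTimeUtc": "2020-03-21T11:00:45Z",
        },
    ]
})


def parse_utc(ts):
    """Parse a 'Z'-suffixed timestamp with up to 7 fractional digits into an aware datetime."""
    if not ts.endswith("Z"):
        raise ValueError(f"expected UTC timestamp ending in 'Z': {ts!r}")
    body = ts[:-1]
    if "." in body:
        main, frac = body.split(".", 1)
        # strptime's %f accepts at most six digits; the API may send seven.
        body = f"{main}.{frac[:6].ljust(6, '0')}"
        dt = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S.%f")
    else:
        dt = datetime.strptime(body, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(tzinfo=timezone.utc)


def to_audit_records(raw_json):
    """Flatten a machineactions response into one audit record per action."""
    records = []
    for action in json.loads(raw_json)["value"]:
        created = parse_utc(action["creationDateTimeUtc"])
        updated = parse_utc(action["lastUpdateDateTimeUtc"])
        records.append({
            "action_id": action["id"],
            "type": action["type"],
            "known_type": action["type"] in KNOWN_ACTION_TYPES,
            "requestor": action["requestor"],
            "comment": action.get("requestorComment", ""),
            "status": action["status"],
            "host": action["computerDnsName"],
            "started_utc": created.isoformat(),
            # Time from request to last status change, rounded down to whole seconds.
            "duration_seconds": int((updated - created).total_seconds()),
        })
    return records


def ticket_for(records, ticket_id):
    """Actions whose requestor comment references a ticket id (for attaching to that ticket)."""
    return [r for r in records if ticket_id in r["comment"]]


def summarize(records):
    """Counts and flags a reviewer would want in a periodic audit report."""
    return {
        "by_requestor": dict(Counter(r["requestor"] for r in records)),
        "by_type": dict(Counter(r["type"] for r in records)),
        "failed": [r["action_id"] for r in records if r["status"] != "Succeeded"],
        "unknown_types": sorted({r["type"] for r in records if not r["known_type"]}),
    }


if __name__ == "__main__":
    recs = to_audit_records(SAMPLE_RESPONSE)
    for rec in recs:
        print(json.dumps(rec))          # one JSON line per action, SIEM-friendly
    print(json.dumps(summarize(recs), indent=2))
```

The records are emitted one JSON object per line so a log shipper can forward them unchanged; the `unknown_types` list in the summary is the check worth keeping, because a filter written against today's documented `type` values would otherwise never surface an action type added later.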

4 Replies

@Dan Michelson - have a look please!

@StephenMcc is there any news about your question?

I would also like to track and export all the commands that are executed in the "Live response" tool.

As far as I know it is only possible to visualize current session commands.

Thank you in advance


@simonepatonico never got a reply unfortunately. After reviewing the current API docs, it doesn't look like live response session logging is exposed yet.


@StephenMcc Thank you very much for your answer!