Microsoft Defender for Endpoint (MDE) Live Response and Performance Script.
Importance of MDE Live Response and Scripts Live Response is crucial for incident response and forensic investigations. It enables analysts to: Collect evidence remotely. Run diagnostics without interrupting users. Remediate threats in real time. For more information on MDE Live Response visit the below documentation. Investigate entities on devices using live response in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn PowerShell scripts enhance this capability by automating tasks such as: Performance monitoring. Log collection. Configuration validation. This automation improves efficiency, consistency, and accuracy in security operations. For more details on running performance analyzer visit the below link. Performance analyzer for Microsoft Defender Antivirus - Microsoft Defender for Endpoint | Microsoft Learn While performance analyzer is run locally on the system to collect Microsoft Defender Anti-Virus performance details , in this document we are describing on running the performance analyzer from MDE Live Response console. This is a situation where Security administrators do not have access to the servers managed by Infra administrators. Prerequisites Required Roles and Permissions To use Live Response in Microsoft Defender for Endpoint (MDE), specific roles and permissions are necessary. The Security Administrator role, or an equivalent custom role, is typically required to enable Live Response within the portal. Users must possess the “Manage Portal Settings” permission to activate Live Response features. Permissions Needed for Live Response Actions Active Remediation Actions under Security Operations: Take response actions Approve or dismiss pending remediation actions Manage allowed/blocked lists for automation and indicators Unified Role-Based Access Control (URBAC): From 16/02/2025, new customers must use URBAC. Roles are assigned to Microsoft Entra groups. Access must be assigned to device groups for Live Response to function properly. Setup Requirements Enable Live Response: Navigate to Advanced Features in the Defender portal. Only users with the “Manage Portal Settings” permission can enable this feature. Supported Operating System Versions: Windows 10/11 (Version 1909 or later) Windows Server (2012 R2 with KB5005292, 2016 with KB5005292, 2019, 2022, 2025) macOS and Linux (specific minimum versions apply) Actual Script Details and Usage The following PowerShell script records Microsoft Defender performance for 60 seconds and saves the output to a temporary file: # Get the default temp folder for the current user $tempPath = [System.IO.Path]::GetTempPath() $outputFile = Join-Path -Path $tempPath -ChildPath "DefenderTrace.etl" $durationSeconds = 60 try { Write-Host "Starting Microsoft Defender performance recording for $durationSeconds seconds..." Write-Host "Recording will be saved to: $outputFile" # Start performance recording with duration New-MpPerformanceRecording -RecordTo $outputFile -Seconds $durationSeconds Write-Host "Recording completed. Output saved to $outputFile" } catch { Write-Host "Failed to start or complete performance recording: $_" } 🔧 Usage Notes: Run this script in an elevated PowerShell session. Ensure Defender is active, and the system supports performance recording. The output .etl file can be analyzed using performance tools like Windows Performance Analyzer. Steps to Initiate Live Response Session and Run the script. Below are the steps to initiate a Live Response session from Security.Microsoft.com portal. Below screenshot shows that console session is established. Then upload the script file to console library from your local system. Type “Library” to list the files. You can see that script got uploaded to Library. Now you execute the script by “run <file name>” command. Output of the script gets saved in the Library. Run “getfile <path of the file>” to get the file downloaded to your local system download folder. Then you can run Get-MpPerformanceReport command from your local system PowerShell as shown below to generate the report from the output file collected in above steps. Summary and Benefits This document outlines the use of MDE Live Response and PowerShell scripting for performance diagnostics. The provided script helps security teams monitor Defender performance efficiently. Similar scripts can be executed from Live Response console including signature updates , start/stop services etc. These scripts are required as a part of security investigation or MDE performance troubleshooting process. Benefits: Faster incident response through remote diagnostics. Improved visibility into endpoint behaviour. Automation of routine performance checks. Enhanced forensic capabilities with minimal user disruption.Recent Logic Apps Failures with Defender ATP Steps – "TimeGenerated" No Longer Recognized
Hi everyone, I’ve recently encountered an issue with Logic Apps failing on Defender ATP steps. Requests containing the TimeGenerated parameter no longer work—the column seems to be unrecognized. My code hasn’t changed at all, and the same queries run successfully in Defender 365’s Advanced Hunting. For example, this basic KQL query: DeviceLogonEvents | where TimeGenerated >= ago(30d) | where LogonType != "Local" | where DeviceName !contains ".fr" | where DeviceName !contains "shared-" | where DeviceName !contains "gdc-" | where DeviceName !contains "mon-" | distinct DeviceName Now throws the error: Failed to resolve column or scalar expression named 'TimeGenerated'. Fix semantic errors in your query. Removing TimeGenerated makes the query work again, but this isn’t a viable solution. Notably, the identical query still functions in Defender 365’s Advanced Hunting UI. This issue started affecting a Logic App that runs weekly—it worked on May 11th but failed on May 18th. Questions: Has there been a recent schema change or deprecation of TimeGenerated in Defender ATP's KQL for Logic Apps? Is there an alternative column or syntax we should use now? Are others experiencing this? Any insights or workarounds would be greatly appreciated!
ATPHandler: Unexpected ConfigurationType, error when trying to onboard to Defender ATP using MECM
I am trying to onboard machines using the Microsoft Defender ATP Policies deployment. I specified the onboarding file which I downloaded from Defender ATP, and I also specified the workspace ID an workspace key. I defined both the file and key because I am targeting both up level and down level clients in my collection. In the ATPHandler.log file I see the following error messages: ATPHandler: Unexpected ConfigurationType, ATPHandler 16-12-2020 20:55:35 3552 (0x0DE0) ATPHandler: Failure in CATPHandler::HandleUIPolicy: 0x80070057 ATPHandler 16-12-2020 20:55:35 3552 (0x0DE0) This is on a down level client (Windows Server 2012 R2). I followed the recommended steps from this manual: https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection?redirectedfrom=MSDN Edit: on a 2016 machine I get the same error message. The site version is: 5.00.9012.1000 The client version is: 5.00.9012.1052 So far I tried to recreate the entire policy, I even did a fresh download of the onboarding file. What can I do to further troubleshoot this? There is not much information to be found about this error message. I found one forum post here, but that does not provide a solution for me.
Defender detected powershell_ise.exe as 'Trojan:PowerShell/Mountsi.A!ml'
One of our users is experiencing a problem when it comes to creating scripts in the powershell ISE, when they are autosaved to appdata, it blocks them on his machine and does not create an alert/incident in the defender ATP portal. However one has managed to appear in the portal (see screenshot). We only recently implemented Defender ATP so im not 100% sure how to interpret the alert, and since this behaviour isnt happening on anyone elses machine I dont know if white listing powershell_ise.exe is a good idea (i assume not), or if theres a better explanation for it? The current defender ATP settings are the stock standard for GPO as stated in the deployment guide. Appreciate any help with this!Export Microsoft Defender event data to a log analytics workspace
In the Defender ATP portal (securitycenter.windows.com) it is possible to create custom detections, but the smallest time frame is 1 hour. Even though 1 hour is better than the mean time to detection of a breach reported via Ponemon, Verizon, etc. I'm trying to cut that down even further by piecing together different Azure cloud services i.e. Event Hubs, Blob Storage, Search Services, Log Analytics, etc. Is there a way to leverage the raw streaming API and perform searching with a log analytics workspace? This would speed up detection to within 5 minutes of an event occurring rather than 1 hour
Defender ATP GUI on servers
Hello, Have Defender ATP on all machines via Intune MEM and servers onboarded via Azure Security Center (Microsoft Monitoring Agent) Couldn't figure out how to do a full scan on servers, I found https://t.co/bpnI4hpjHN?amp=1docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016 not sure if this can work in parallel with Defender ATP as the GUI shows free AV.
