Investigate entities on devices using live response in Microsoft Defender for Endpoint

Before you begin

Before you can initiate a session on a device, make sure you fulfill the following requirements:

Verify that you're running a supported version of Windows .

Devices must be running one of the following versions of Windows

Windows 10 & 11

Version 1909 or later

Version 1903 with KB4515384

Version 1809 (RS 5) with KB4537818

Version 1803 (RS 4) with KB4537795

Version 1709 (RS 3) with KB4537816

macOS - Minimum required version: 101.43.84 . Supported for Intel-based and ARM-based macOS devices.

Linux - Minimum required version: 101.45.13

Windows Server 2012 R2 - with KB5005292

Windows Server 2016 - with KB5005292

For Windows Server 2012 R2 or Windows Server 2016, you must have the Unified Agent installed, and it is recommended to patch to latest sensor version with KB5005292. Live response doesn't work as expected for offline down-level servers onboarded using the streamlined method, because of the static proxy. Consider using a system proxy instead.

Windows Server 2019

Version 1903 or (with KB4515384 ) later

Version 1809 (with KB4537818 )

Windows Server 2022

Windows Server 2025

Azure Stack HCI OS, version 23H2 and later

Enable live response from the advanced settings page .

You need to enable the live response capability in the Advanced features settings page.

Only admins and users who have "Manage Portal Settings" permissions can enable live response.

Enable live response for servers from the advanced settings page (recommended).

Only admins and users who have "Manage Portal Settings" permissions can enable live response.

Enable live response unsigned script execution (optional).

Important

Signature verification only applies for PowerShell scripts.

Warning

Allowing the use of unsigned scripts may increase your exposure to threats.

Running unsigned scripts isn't recommended as it can increase your exposure to threats. If you must use them however, you need to enable the setting in the Advanced features settings page.

Ensure that you have the appropriate permissions .

Only users who are provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see Create and manage roles .

Important

The option to upload a file to the library is only available to users with "Manage Security Settings" permission. The button is greyed out for users with only delegated permissions.

Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.

Live response dashboard overview

When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:

Who created the session

When the session started

The duration of the session

The dashboard also gives you access to:

Disconnect session

Upload files to the library

Command console

Command log

Initiate a live response session on a device

Live response actions initiated from the Device page are not available in the MachineActions API.

Navigate to Endpoints > Device inventory and select a device to investigate. The devices page opens.

Launch the live response session by selecting Initiate live response session . A command console is displayed. Wait while the session connects to the device.

Use the built-in commands to do investigative work. For more information, see Live response commands .

After completing your investigation, select Disconnect session , then select Confirm .

Live response commands

Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see Create and manage roles .

Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device.

Basic commands

The following commands are available for user roles that are granted the ability to run basic live response commands. For more information on role assignments, see Create and manage roles .

Command Description Windows and Windows Server macOS Linux


     fg <command ID>

Place the specified job in the foreground, making it the current job. Note that

fg

takes a


     command ID

available from jobs, not a PID.


     fileinfo

Get information about a file.


     findfile

Locates files by a given name on the device.


     getfile <file_path>

Downloads a file. Provides help information for live response commands. Shows currently running jobs, their ID and status.


     persistence

Shows all known persistence methods on the device.


     processes

Shows all processes running on the device.


     registry

Shows registry values.


     scheduledtasks

Shows all scheduled tasks on the device.


     services

Shows all services on the device.


     startupfolders

Shows all known files in startup folders on the device.


     status

Shows the status and output of specific command.


     trace

Sets the terminal's logging mode to debug.

Advanced commands

The following commands are available for user roles that are granted the ability to run advanced live response commands. For more information on role assignments, see Create and manage roles .

Command Description Windows and Windows Server macOS Linux


     isolate

Disconnects the device from the network while retaining connectivity to the Defender for Endpoint service.


     release

Releases a device from network isolation. Runs a PowerShell script from the library on the device.


     library

Lists files that were uploaded to the live response library.


     putfile

Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.


     remediate

Remediates an entity on the device. The remediation action varies, depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file

This command has a prerequisite command. You can use the


     -auto

command in conjunction with remediate to automatically run the prerequisite command. Runs a quick antivirus scan to help identify and remediate malware. Restores an entity that was remediated.

Use live response commands

The commands that you can use in the console follow similar principles as Windows Commands .

The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.

Get a file from the device

For scenarios when you'd like get a file from a device you're investigating, you can use the getfile command. This allows you to save the file from the device for further investigation.

The following file size limits apply:


     getfile

limit: 3 GB


     fileinfo

limit: 30 GB


     library

limit: 250 MB

Download a file in the background

To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.

To download a file in the background, in the live response command console, type


     download <file_path> &

If you are waiting for a file to be downloaded, you can move it to the background by using Ctrl + Z.

To bring a file download to the foreground, in the live response command console, type


     fg <command_id>

Here are some examples:

Command What it does


    getfile "C:\windows\some_file.exe" &

Starts downloading a file named some_file.exe in the background.


    fg 1234

Returns a download with command ID 1234 to the foreground.

Put a file in the library

Live response has a library where you can put files into. The library stores files (such as scripts) that can be run in a live response session at the tenant level.

Live response allows PowerShell and Bash scripts to run; however, you must first put the files into the library before you can run them.

You can have a collection of PowerShell and Bash scripts that can run on devices that you initiate live response sessions with.

To upload a file in the library

There are restrictions on the characters that can be uploaded to the library. Use alphanumeric characters and some symbols (specifically, - , _ , or . ).

Select Upload file to library .

Select Browse and select the file.

Provide a brief description.

Specify if you'd like to overwrite a file with the same name.

If you'd like to be, know what parameters are needed for the script, select the script parameters check box. In the text field, enter an example and a description.

Select Confirm .

(Optional) To verify that the file was uploaded to the library, run the library command.

Cancel a command

Anytime during a session, you can cancel a command by pressing CTRL + C.

Warning

Using this shortcut doesn't stop the command in the agent side. It only cancels the command in the Microsoft Defender portal. So, changing operations such as "remediate" may continue, even if the command is canceled.

Run a script

Before you can run a PowerShell/Bash script, you must first upload it to the library.

After uploading the script to the library, use the run command to run the script.

If you plan to use an unsigned PowerShell script in the session, you'll need to enable the setting in the Advanced features settings page.

Warning

Allowing the use of unsigned scripts may increase your exposure to threats.

Apply command parameters

View the console help to learn about command parameters. To learn about an individual command, run:

help <command name>
When applying parameters to commands, note that parameters are handled based on a fixed order:
<command name> param1 param2
When specifying parameters outside of the fixed order, specify the name of the parameter with a hyphen before providing the value:
<command name> -param2_name param2
When using commands that have prerequisite commands, you can use flags:
<command name> -type file -id <file path> - auto
remediate file <file path> - auto`
Supported output types
Live response supports table and JSON format output types. For each command, there's a default output behavior. You can modify the output in your preferred output format using the following commands:
-output json
-output table
Fewer fields are shown in table format due to the limited space. To see more details in the output, you can use the JSON output command so that more details are shown.
Supported output pipes
Live response supports output piping to CLI and file. CLI is the default output behavior. You can pipe the output to a file using the following command: [command] > [filename].txt.
Example:
processes > output.txt
View the command log
Select the Command log tab to see the commands used on the device during a session. Each command is tracked with full details such as:
Command line
Duration
Status and input or output side bar
Limitations
Live response sessions are limited to 25 live response sessions at a time.
Live response session inactive timeout value is 30 minutes.
Individual live response commands have a time limit of 10 minutes, with the exception of getfile, findfile, and run, which have a limit of 30 minutes.
A user can initiate up to 10 concurrent sessions.
A device can only be in one session at a time.
The following file size limits apply:
getfile limit: 3 GB
fileinfo limit: 30 GB
library limit: 250 MB
Related article
Live response command examples
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community:  Microsoft Defender for Endpoint Tech Community.