Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Microsoft Adds Live Response Capabilities to Defender ATP

In an effort to to help security teams more easily investigate incidents on remote machines, Microsoft has added live response capabilities to its Microsoft Defender ATP offering.

In an effort to to help security teams more easily investigate incidents on remote machines, Microsoft has added live response capabilities to its Microsoft Defender ATP offering.

Now available in public preview, the live response capabilities can provide instantaneous access to a compromised machine regardless of where it is located and enabling security teams to quickly gather forensic information.

“Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time,” Microsoft explains.

The feature includes support for gathering a snapshot of connections, drivers, scheduled tasks, and services, and for searching for specific files or requesting file analysis to reach a verdict (clean, malicious, or suspicious), and downloading malware files for reverse-engineering. 

Furthermore, it enables security teams to create a tenant-level library of forensic tools, such as PowerShell scripts and third-party binaries, to gather forensic information like MFT tables, firewall logs, event logs, process memory dumps, and more. 

Additionally, security operations teams can run remediation activities, including the quarantine of file, process termination, registry and scheduled task removal, and more. 

“There are two roles that can be granted access to live response using RBAC, allowing users to run basic commands, or advanced commands like PowerShell scripts or binary tools, download files, etc.,” the Microsoft Defender ATP team notes in a blog post

All response commands are audited and recorded into the Action center, which also provides administrators with the possibility to reverse remediation actions, if applicable (for example, remove a file from quarantine). 

The new feature is available only for machines running Windows 10, version 18323 (also known as Windows 10 19H1) or later. To enable the live response capability, one should access the Advanced features settings page (only editable by users who manage security or global admin roles).

A list of supported commands, along with additional information on how to use the live response capability, can be found in this Microsoft article.

Related: Microsoft Introduces Security Configuration Framework

Related: Microsoft Launches Defender ATP Endpoint Security for macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Endpoint Security

The Zero Day Dilemma

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...