Microsoft Defender Advanced Threat Protection (MDATP, an endpoint detection and resposnse (EDR)) - LiveResponse

Thanks for your interest in Microsoft Defender ATP (MDATP)!

This repository hosts Powershell (PoSh) script samples for "Live Response" in your Microsoft Defender ATP (a part of the Microsoft 365 Threat Protection (MTP)).

Any scripts that further this goal are welcome.

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Resources

Windows 10 versions that are supported:

2004 (20H1)

1909 (19H2)

1903 (19H1)

1809 (RS5)

1803 (RS4)

1709 (RS3)

Windows 10 and the hotfixes that are needed:

1903 (19H1): KB4515384

1809 (RS5): KB4537818

1803 (RS4): KB4537795

1709 (RS3): KB4537816

Enabling Live Response in MDATP Portal

Live response

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-features#live-response

Autoresolve remediated alerts

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-features#live-response-unsigned-script-execution

Permissions required for Live Response

Take response actions on a file

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts

All about Live Reponse

Investigate entities on devices using live response

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/live-response

Starting a Live Response session

Initiate Live Response Session

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#initiate-live-response-session

Troubleshooting Live Response session

Troubleshoot Microsoft Defender Advanced Threat Protection live response issues

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.