Live response API – build your custom playbooks
PUBLIC PREVIEW FEATURE
We have been able to use Live Response for some time now. It’s really great and we can take the response actions we find necessary and download data from the endpoint through the browser session.
Here is a very high level of how the architecture looks for the live response feature

Some things which may be difficult today with the limitations of single session is we can only connect to one machine at the time and automation does not apply for a browser session
If a machine is compromised in any way it’s useful, but if we want to automate the responses or run the same custom playbook for multiple devices we need to use the API
The API can be used both to collect necessary artefacts from devices, and also take remediation actions.
On some events, we’ve presented how to use the Live Response to dump memory and export the dmp files to Azure storage as an example how powerful it is.

Requirements
Requirements and limitations
- Rate limitations for this API are 10 calls per minute (additional requests are responded with HTTP 429).
- 25 concurrently running sessions (requests exceeding the throttling limit will receive a “429 – Too many requests” response).
- If the machine is not available, the session will be queued for up to 3 days.
- RunScript command timeouts after 10 minutes.
- Live response commands cannot be queued up and can only be executed one at a time.
- If the machine that you are trying to run this API call is in an RBAC device group that does not have an automated remediation level assigned to it, you’ll need to at least enable the minimum Remediation Level for a given Device Group.
- Multiple live response commands can be run on a single API call. However, when a live response command fails all the subsequent actions will not be executed.
Minimum Requirements
Before you can initiate a session on a device, make sure you fulfill the following requirements:
- Verify that you’re running a supported version of Windows.Devices must be running one of the following versions of Windows
- Windows 11
- Windows 10
- Version 1909 or later
- Version 1903 with KB4515384
- Version 1809 (RS 5) with with KB4537818
- Version 1803 (RS 4) with KB4537795
- Version 1709 (RS 3) with KB4537816
- Windows Server 2019 – Only applicable for Public preview
- Windows Server 2022
Set up service principle with API access

Sample code to connect with the service principle
Connecting to M365Defender

Connect to MDE API ( which applies to this case)

Request
Header
Name | Type | Description |
---|---|---|
Authorization | String | Bearer<token>. Required. |
Content-Type | string | application/json. Required. |
Body
Parameter | Type | Description |
---|---|---|
Comment | String | Comment to associate with the action. |
Commands | Array | Commands to run. Allowed values are PutFile, RunScript, GetFile. |
Available commands
Command Type | Parameters | Description |
---|---|---|
PutFile | Key: FileNameValue: <file name> | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
RunScript | Key: ScriptName Value: <Script from library>Key: Args Value: <Script arguments> | Runs a script from the library on a device.The Args parameter is passed to your script.Timeouts after 10 minutes. |
GetFile | Key: Path Value: <File path> | Collect file from a device. NOTE: Backslashes in path must be escaped. |
Sample Live response request body
Use can upload your own scripts to the library and call the scripts in a similar way as when you use interactive Live Response
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runliveresponse
{
"Commands":[
{
"type":"RunScript",
"params":[
{
"key":"ScriptName",
"value":"minidump.ps1"
},
{
"key":"Args",
"value":"OfficeClickToRun"
}
]
},
{
"type":"GetFile",
"params":[
{
"key":"Path",
"value":"C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
}
]
}
],
"Comment":"Testing Live Response API"
}
For further reading, please visit
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-live-response
Happy Hunting!