burakclk1/Microsoft-Defender-Live-Response-Automation
Defender Live Response Automation

This PowerShell automation script helps you deploy Microsoft Defender scripts across multiple devices simultaneously using the Defender API. It's built to handle real-world scenarios with proper error handling and retry logic.

Tip

You don't need to manually run commands on each device! This script handles everything from authentication to reporting. Just prepare your script once and deploy it everywhere.

Important

Don't forget to update the authentication variables at the top of the script with your own values before running, and store credentials securely in production environments.

Overview

This script automates Microsoft Defender Live Response actions across your device fleet. I created it because running the same script on hundreds of devices manually is both time-consuming and error-prone. It handles authentication, uploads your script to the Defender library, runs it on each device in your CSV, and gives you a nice report when finished.

Features

  • Authentication Management: Handles Microsoft Defender API auth with fresh tokens
  • File Upload: One-time script upload to Defender library
  • Batch Processing: Run against as many devices as you need
  • Error Handling: Deals with offline devices, auth issues, etc.
  • Retry Logic: Multiple attempts with intelligent backoff
  • Session Management: Auto-detects and resolves active session conflicts
  • Detailed Reporting: CSV export of success/failure for each device

Prerequisites

  • Microsoft Defender for Endpoint with Live Response enabled
  • API permissions in Microsoft Defender ATP
  • Azure AD Application with correct permissions
  • PowerShell 5.1+ (works with both Windows PowerShell & PS Core)

Configuration

Update these variables at the beginning of the script:

$tenantId = "your-tenant-id"                # Azure AD tenant that hosts the app registration
$clientId = "your-client-id"                # Application (client) ID of the Azure AD app
$clientSecret = "your-client-secret"        # Client secret; load it from a secure store in production
$fileName = "Your-Script-Name.ps1"          # Name the script will have in the Live Response library
$scriptPath = "C:\Path\To\Your\Script.ps1"  # Local copy of the script to upload
$csvPath = "C:\Path\To\Devices.csv"         # CSV listing the target devices
$maxRetries = 3  # Adjust based on your environment

Usage

  • Set up your auth details and file paths
  • Create your CSV with target devices
  • Run it:

.\Defender-LiveResponse-Automation-Run-Script.ps1

Output & Logging

Results are saved to: C:\Defender\Results-yyyyMMdd-HHmmss.csv
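As an added example (not the repository's own script), the following shows how the run-on-each-device loop described above can be built on the documented Defender for Endpoint API: submit the library script as a Live Response machine action, poll it to completion, retry transient failures with exponential backoff, and write the per-device CSV report. Assumed names: $token holds a bearer token obtained for https://api.securitycenter.microsoft.com, the CSV has a DeviceId column with Defender machine IDs, and the script named in $fileName has already been uploaded to the library.

```powershell
# Added example: batch Live Response deployment with retry and CSV reporting.
# Assumptions: $token is a valid bearer token for the Defender API; the CSV has a DeviceId column;
# $fileName already exists in the Live Response library.
$apiBase    = "https://api.securitycenter.microsoft.com/api"
$headers    = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
$fileName   = "Your-Script-Name.ps1"
$csvPath    = "C:\Path\To\Devices.csv"
$maxRetries = 3

function Invoke-LiveResponseScript {
    param([string]$MachineId, [string]$ScriptName, [int]$Retries)

    # Body of the documented "run live response commands" machine action
    $body = @{
        Commands = @(@{ type = "RunScript"; params = @(@{ key = "ScriptName"; value = $ScriptName }) })
        Comment  = "Automated deployment of $ScriptName"
    } | ConvertTo-Json -Depth 5

    for ($attempt = 1; $attempt -le $Retries; $attempt++) {
        try {
            $action = Invoke-RestMethod -Method Post -Uri "$apiBase/machines/$MachineId/runliveresponse" `
                                        -Headers $headers -Body $body
            break   # submission accepted; leave the retry loop
        }
        catch {
            # Throttling (HTTP 429) and a Live Response session already active on the device
            # both surface here; back off (30s, 60s, 120s, ...) before trying again.
            if ($attempt -lt $Retries) { Start-Sleep -Seconds ([math]::Pow(2, $attempt) * 15); continue }
            return [pscustomobject]@{ DeviceId = $MachineId; Status = "Failed"; Attempts = $attempt
                                      Error = $_.Exception.Message }
        }
    }

    # Poll the machine action until it reaches a terminal state (Succeeded, Failed, TimeOut, Cancelled)
    do {
        Start-Sleep -Seconds 10
        $action = Invoke-RestMethod -Method Get -Uri "$apiBase/machineactions/$($action.id)" -Headers $headers
    } while ($action.status -in @("Pending", "InProgress"))

    return [pscustomobject]@{ DeviceId = $MachineId; Status = $action.status; Attempts = $attempt; Error = "" }
}

# Run against every device in the CSV and export one row per device
$results = Import-Csv $csvPath | ForEach-Object {
    Invoke-LiveResponseScript -MachineId $_.DeviceId -ScriptName $fileName -Retries $maxRetries
}
$report = "C:\Defender\Results-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
$results | Export-Csv -Path $report -NoTypeInformation
Write-Host "Report written to $report"
```

Devices that are offline never leave the Pending state within the service's own timeout and end up reported as TimeOut, so the Status column is what to filter on when deciding which devices to re-run.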
