Skip to main content
Runs a script from the library on a device. The Arguments parameter is passed to your script. If not completed, the script will time out after 10 minutes. The following permission is required to run this action:
  • Machine.LiveResponse
External DocumentationTo learn more, visit the Microsoft Defender For Endpoints documentation.

Parameters

ParameterDescription
ArgumentsThe program arguments the script will receive.
CommentComment to associate with the action.
Machine IDThe ID of the machine. Can be obtained using the List Machines action.
Script NameThe name of the script from the library you would like to run on the machine.

Example Output

{
	"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
	"id": "{machine_action_id}",
	"type": "LiveResponse",
	"requestor": "analyst@microsoft.com",
	"requestorComment": "Testing Live Response API",
	"status": "Pending",
	"machineId": "{machine_id}",
	"computerDnsName": "hostname",
	"creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"errorHResult": 0,
	"commands": [
		{
			"index": 0,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "RunScript",
				"params": [
					{
						"key": "ScriptName",
						"value": "minidump.ps1"
					},
					{
						"key": "Args",
						"value": "OfficeClickToRun"
					}
				]
			}
		},
		{
			"index": 1,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "GetFile",
				"params": [
					{
						"key": "Path",
						"value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
					}
				]
			}
		}
	]
}

Workflow Library Example

Run Script on Machine with Microsoft Defender for Endpoints and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop
I