Runs a script from the library on a device. The Arguments parameter is passed to your script. A script that has not completed within 10 minutes times out.

The following permission is required to run this action:

  • Machine.LiveResponse

External Documentation

To learn more, visit the Microsoft Defender For Endpoints documentation.

Parameters

| Parameter | Description |
| --- | --- |
| Arguments | The program arguments the script will receive. |
| Comment | Comment to associate with the action. |
| Machine ID | The ID of the machine. Can be obtained using the List Machines action. |
| Script Name | The name of the script from the library you would like to run on the machine. |

Example Output

{
	"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
	"id": "{machine_action_id}",
	"type": "LiveResponse",
	"requestor": "analyst@microsoft.com",
	"requestorComment": "Testing Live Response API",
	"status": "Pending",
	"machineId": "{machine_id}",
	"computerDnsName": "hostname",
	"creationDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"lastUpdateDateTimeUtc": "2021-02-04T15:36:52.7788848Z",
	"errorHResult": 0,
	"commands": [
		{
			"index": 0,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "RunScript",
				"params": [
					{
						"key": "ScriptName",
						"value": "minidump.ps1"
					},
					{
						"key": "Args",
						"value": "OfficeClickToRun"
					}
				]
			}
		},
		{
			"index": 1,
			"startTime": null,
			"endTime": null,
			"commandStatus": "Created",
			"errors": [],
			"command": {
				"type": "GetFile",
				"params": [
					{
						"key": "Path",
						"value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"
					}
				]
			}
		}
	]
}
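
Added example (not part of the original documentation, and not Microsoft's code): a Python sketch that flattens a response shaped like the Example Output above into one audit row recording who ran which script, with which arguments, on which machine, and which files were collected. The function name `audit_record` and the row's field names are hypothetical; treating a null `endTime` as "not finished yet" is an assumption based on the sample.

```python
import json

# Constructed sample: the Example Output above, condensed to the fields used here.
SAMPLE = json.loads(r'''
{"id": "{machine_action_id}", "type": "LiveResponse", "status": "Pending",
 "requestor": "analyst@microsoft.com", "requestorComment": "Testing Live Response API",
 "machineId": "{machine_id}", "errorHResult": 0,
 "commands": [
  {"index": 0, "endTime": null, "commandStatus": "Created", "errors": [],
   "command": {"type": "RunScript", "params": [
     {"key": "ScriptName", "value": "minidump.ps1"},
     {"key": "Args", "value": "OfficeClickToRun"}]}},
  {"index": 1, "endTime": null, "commandStatus": "Created", "errors": [],
   "command": {"type": "GetFile", "params": [
     {"key": "Path", "value": "C:\\windows\\TEMP\\OfficeClickToRun.dmp.zip"}]}}]}
''')


def audit_record(action):
    """Flatten a LiveResponse machine action into one audit-log row (hypothetical helper)."""
    row = {
        "action_id": action.get("id"),
        "machine_id": action.get("machineId"),
        "requestor": action.get("requestor"),
        "comment": action.get("requestorComment"),
        "status": action.get("status"),
        "scripts": [],     # (script name, arguments) for each RunScript command
        "files": [],       # paths pulled back by GetFile commands
        "unfinished": [],  # indexes of commands with no endTime yet (assumption)
        "errors": [],      # (command index, error) pairs
    }
    for cmd in sorted(action.get("commands", []), key=lambda c: c.get("index", 0)):
        body = cmd.get("command", {})
        # Each command carries its parameters as a list of key/value objects.
        params = {p["key"]: p["value"] for p in body.get("params", [])}
        if body.get("type") == "RunScript":
            row["scripts"].append((params.get("ScriptName"), params.get("Args", "")))
        elif body.get("type") == "GetFile":
            row["files"].append(params.get("Path"))
        if cmd.get("endTime") is None:
            row["unfinished"].append(cmd.get("index"))
        row["errors"].extend((cmd.get("index"), e) for e in cmd.get("errors", []))
    return row


if __name__ == "__main__":
    print(json.dumps(audit_record(SAMPLE), indent=2))
```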

Workflow Library Example

Run Script on Machine with Microsoft Defender for Endpoints and Send Results Via Email
