SC-200 | Chapter 19 of 101 | Objective 1.1

Defender for Endpoint Live Response

This chapter covers Microsoft Defender for Endpoint Live Response, a critical capability for incident response and forensic investigation. Live Response gives security analysts a remote, interactive shell on an onboarded device (Windows, macOS, or Linux) so they can run commands in real time, contain the threat, and collect evidence while the device stays in service. On the SC-200 exam, Live Response appears in approximately 5-10% of questions, often in scenario-based items where you must choose the appropriate response action. Understanding the prerequisites, the basic and advanced command sets, the session lifecycle and its limits, and the integration with other Defender features is essential for both the exam and real-world security operations.

25 min read
Intermediate
Updated May 31, 2026

Live Response as Remote Surgery

Imagine a remote surgery system where a specialist at a central hospital can operate on a patient in a rural clinic. The specialist doesn't just watch a video feed; they control robotic instruments directly. They can make incisions, take tissue samples, and administer drugs in real time. The connection is secured and authenticated, and every action is logged. Similarly, Microsoft Defender for Endpoint Live Response gives a security analyst remote, real-time command-line access to an onboarded device. The analyst can enumerate processes and connections, collect forensic data, stop a malicious process and delete its file, and isolate the device from the network, all while the device remains in use. The session runs over the sensor's existing encrypted channel to the Defender cloud, is available only to roles that have been granted live response permissions, and ends after 30 minutes of inactivity. Every command and its output are recorded. This is fundamentally different from pulling logs after the fact; it is active, interactive forensics.

How It Actually Works

What is Defender for Endpoint Live Response?

Microsoft Defender for Endpoint (MDE) Live Response is a feature that provides security analysts with a remote, interactive command-line interface (CLI) to devices onboarded to MDE, on Windows, macOS, and Linux. Unlike automated investigation and remediation (AIR), a Live Response session is started deliberately, by an analyst in the portal or by an integration through the API, and only by identities whose Defender role includes live response capabilities. It is designed for scenarios where immediate, hands-on action on a specific device is needed, such as hunting for indicators of compromise (IOCs), collecting specific files, or stopping malicious processes and removing their persistence.

Why Live Response Exists

Traditional incident response often involves either deploying agents to collect data post-incident or physically accessing the machine. Both are slow and may miss volatile data (e.g., running processes, network connections). Live Response enables real-time interactivity: analysts can run PowerShell scripts, execute built-in commands, and transfer files to/from the device. This reduces mean-time-to-respond (MTTR) and allows containment actions like isolating the device from the network.

How Live Response Works Internally

When an analyst initiates a Live Response session from the Microsoft Defender portal (security.microsoft.com), the following sequence occurs:

1. Authorization: Live Response must be enabled for the tenant (Settings > Endpoints > Advanced features > Live Response, plus Live Response for Servers for server operating systems). The analyst's Defender for Endpoint RBAC role must include live response capabilities at the Basic or Advanced level for the device group the target belongs to; the Entra ID Global Administrator and Security Administrator roles carry full access. MDE also verifies that the device is onboarded and currently reporting.

2. Session Initiation: The MDE sensor on the device (the Sense service, MsSense.exe on Windows) already maintains an outbound HTTPS connection (TCP 443, TLS 1.2 or later) to the Defender cloud; the device never accepts an inbound connection. The cloud queues the session request on that channel, the sensor picks it up, and the portal reports the session as connected. A device can be in only one live response session at a time.

3. Interactive Shell: The analyst gets a Live Response console with its own command set (listed below); it is not a raw cmd.exe or PowerShell prompt. PowerShell runs on the device only through the run command, which executes a script from the tenant's live response library.

4. Command Execution: Each command is relayed to the sensor, which executes it in its own security context (Local System on Windows, not the logged-on user) and streams the output back to the console. Append & to a command to run it in the background; jobs lists background jobs, fg brings one to the foreground, and status shows a command's result. Individual commands are limited to 10 minutes, except getfile, findfile, and run, which may take up to 30 minutes.

5. File Transfer: putfile copies a file from the library to the device (library files are limited to 250 MB), and getfile collects a file from the device (up to 3 GB) for download from the session. Both directions travel over the sensor's encrypted channel and are recorded in the session log.

6. Session Termination: The session ends when the analyst disconnects, after 30 minutes of inactivity, or when the device goes offline.

Key Components, Values, Defaults, and Timers

- Supported Operating Systems: Windows 10 (version 1709 or later), Windows 11, Windows Server 2012 R2 and Windows Server 2016 (with the modern unified agent), Windows Server 2019 and later, macOS, and Linux. Older Windows Server releases are not supported.
- Tenant Settings: Live Response is switched on under Settings > Endpoints > Advanced features. Separate toggles enable Live Response for Servers and Live Response unsigned script execution (without the latter, run accepts only signed PowerShell scripts).
- Permissions: Granted through Defender for Endpoint RBAC as live response capabilities at the Basic or Advanced level, scoped to device groups. The Entra ID Global Administrator and Security Administrator roles carry full access.
- Session Duration: The session ends after 30 minutes of inactivity; any command resets the timer, and total session length is otherwise unlimited. Individual commands are limited to 10 minutes, except getfile, findfile, and run (30 minutes).
- Concurrency: Up to 10 concurrent sessions per analyst and 25 per tenant; a device can be in only one session at a time.
- Size Limits: getfile 3 GB; fileinfo 30 GB; library uploads (used by putfile and run) 250 MB.
- Basic Commands (available at both permission levels):
  - cd, cls, help, trace: Console housekeeping; trace switches the console to debug logging.
  - connections: Show active network connections.
  - dir, fileinfo, findfile, getfile: List a directory, show a file's metadata and hashes, locate files by name, collect a file from the device.
  - drivers, persistence, processes, registry, scheduledtasks, services, startupfolders: Enumerate installed drivers, known persistence mechanisms, running processes, registry values, scheduled tasks, services, and startup-folder items.
  - jobs, fg, status: Manage background jobs (a command followed by & runs in the background).
- Advanced Commands (require the Advanced level):
  - analyze: Submit a file or process to the cloud engines for a verdict.
  - collect: Gather an investigation package from the device.
  - isolate and release: Put the device into, or take it out of, network isolation from within the session.
  - library, putfile, run: List library files, copy one to the device, or execute a library PowerShell script.
  - remediate: Act on an entity; stop a process and delete its image file, delete a file, stop a service, remove a scheduled task, or delete a registry value.
  - undo: Restore an entity that remediate removed.
- Audit Logging: Every command and its output are captured in the session command log, available from the Action center History tab and the device page, and surface in Advanced Hunting under DeviceEvents with ActionType 'LiveResponseCommand'. This is critical for compliance and investigation.

Configuration and Verification Commands

To use Live Response, the device must be onboarded to MDE and able to reach the Defender cloud over outbound HTTPS. No additional installation is required on the device; the sensor includes the Live Response component. What does need configuration is the tenant: Live Response (and, for servers, Live Response for Servers) must be enabled under Settings > Endpoints > Advanced features, and the analyst's role must include live response capabilities.

To check whether Live Response is enabled for the tenant:

In the Defender portal, open Settings > Endpoints > Advanced features and confirm that Live Response is on (and Live Response for Servers, if the target is a server). On the device page, the action is Initiate live response session in the More actions (...) menu; if it is missing or greyed out, check the advanced-feature toggles, the analyst's role and device-group scope, and whether the device is currently reporting.

To verify sensor health from the device:

On Windows, run Get-Service Sense from an elevated PowerShell prompt; the status should be Running. For a full connectivity check (proxy, required URLs, onboarding state), run the Microsoft Defender for Endpoint Client Analyzer (MDEClientAnalyzer.cmd) and review its connectivity results.

To initiate a Live Response session:

1. In the Microsoft Defender portal, go to Assets > Devices.

2. Select the device.

3. Open the More actions (...) menu and choose Initiate live response session. There is no standard/advanced choice at this point; the commands available in the console are determined by the level (Basic or Advanced) in your role.

4. Wait for the console to report that the session is connected, then run help to list the commands available to you.

To run a PowerShell script:

Upload the script to the live response library first (Upload file to library in the console; library lists what is there), then execute it with run followed by the script name. Scripts must be signed unless Live Response unsigned script execution is enabled in Advanced features. There is no inline script option; everything run executes must come from the library, and run requires the Advanced level.

Interaction with Related Technologies

Automated Investigation and Remediation (AIR): Live Response is a manual complement to AIR. While AIR automatically investigates and remediates alerts, Live Response allows deeper investigation when automation is insufficient.

Advanced Hunting: Live Response sessions are logged in Advanced Hunting, allowing retrospective analysis of analyst actions.

Microsoft Defender for Identity (MDI): In hybrid environments, MDI can provide context about user activity, which can be correlated with Live Response actions.

Entra ID Conditional Access: Governs sign-in to the Defender portal and APIs (for example, requiring a compliant device or blocking risky locations), so it indirectly controls who can reach the console. It is not a Live Response-specific control.

Microsoft Defender APIs: A live response run can be submitted programmatically with the Run live response API (POST /api/machines/{id}/runliveresponse), which accepts a sequence of PutFile, RunScript, and GetFile commands and returns a machine action to poll; the calling application needs the Machine.LiveResponse permission. This is how SOAR playbooks trigger collection scripts in response to alerts.

Security and Best Practices

Principle of Least Privilege: Grant live response capabilities only to analysts who need them, prefer the Basic level unless remediate, run, putfile, or isolate are actually required, and use MDE RBAC device groups to scope the access.

Session Monitoring: Use Advanced Hunting and the Action center History to review Live Response sessions. Look for unusual activity such as remediate against critical processes or services, getfile against sensitive paths, or run of scripts that are not in your approved library.

Audit Logging: Nothing needs to be enabled; every session is recorded automatically, and the session command log can be reviewed in the Action center History tab. Advanced Hunting data is retained for 30 days, so export session logs you may need for a longer investigation.

Network Isolation: If a device is suspected compromised, isolate it first, either with Isolate device on the device page or with the isolate command once the session is open. Isolation keeps the device's channel to the Defender service, so Live Response continues to work on an isolated device; release (or Release from isolation in the portal) ends the containment.

Common Pitfalls

Timeout: An idle session drops after 30 minutes, and a command that exceeds its own time limit (10 minutes; 30 for getfile, findfile, and run) is cut off. The command log survives in the Action center; re-establish the session if needed.

File Size Limits: getfile is limited to 3 GB, fileinfo to 30 GB, and library uploads (used by putfile and run) to 250 MB. For anything larger, have a library script split or compress the data, or move it through another sanctioned channel such as Azure Storage.

Unsupported OS or disabled server support: Live Response does work on macOS and Linux; what fails is a Windows release older than the supported list (for example, Windows Server 2012 R2 without the modern unified agent) or a server when Live Response for Servers is off in Advanced features.

Permission Errors: Global Administrator and Security Administrator always have full access; anyone else needs an MDE RBAC role with live response capabilities for the device group the target belongs to. Advanced commands (run, putfile, remediate, isolate, release) additionally require the Advanced level.

Walk-Through

1

Verify Prerequisites

Before initiating Live Response, confirm that the target device runs a supported platform (Windows 10 1709 or later, Windows 11, Windows Server 2012 R2 or 2016 with the modern unified agent, Windows Server 2019 or later, macOS, or Linux), is onboarded to MDE, and is currently reporting. Confirm that Live Response (and Live Response for Servers, where relevant) is enabled under Settings > Endpoints > Advanced features, and that your role carries live response capabilities for the device's group. Isolation is not a blocker: an isolated device keeps its channel to the Defender service and accepts a session. On the device page, Initiate live response session should appear under More actions (...); if it does not, the usual causes are an unsupported OS, a disabled feature toggle, or missing permissions.

2

Initiate Live Response Session

From the Defender portal, go to Assets > Devices, select the target device, open More actions (...), and choose Initiate live response session. The cloud queues the request on the sensor's existing outbound HTTPS channel (TCP 443, TLS 1.2 or later); the device never opens a listening port. When the console reports the session as connected you are working on the device in real time. The commands you see depend on your role: Basic gives you the enumeration commands plus fileinfo, findfile, and getfile; Advanced adds analyze, collect, run, putfile, remediate, undo, isolate, and release.

3

Execute Built-in Commands

With the session active, run enumeration commands such as processes, connections, persistence, registry, services, scheduledtasks, startupfolders, and drivers. The sensor executes each command in its own context (Local System on Windows) and streams the output back; a long enumeration can be backgrounded with & and retrieved with jobs and fg. Use help for the list available to you. Every command and its output are appended to the session log, which is visible in the Action center History and in Advanced Hunting under DeviceEvents with ActionType 'LiveResponseCommand'.

4

Collect and Transfer Files

To collect evidence, use fileinfo followed by the path to record hashes and metadata, then getfile with the same path to pull the file into the session, from which you download it; getfile is limited to 3 GB. For a broad triage snapshot, collect gathers the investigation package (autoruns, installed programs, processes, network connections, scheduled tasks, event logs, and more) in one step. To stage a tool or script on the device, first upload it to the live response library (limit 250 MB) and then use putfile with the file name; library lists what is available. All transfers are recorded in the session log. Note that undo is not a file-transfer command: it restores an entity that remediate removed.

5

Perform Remediation Actions

Remediation commands require the Advanced level. remediate takes the entity type (file, process, service, scheduled task, or registry entry) and its path or identifier: a process is stopped and its image file deleted, a file is deleted, a service is stopped, a scheduled task or registry value is removed. A typical sequence is connections to spot a suspicious outbound connection, processes to find the owning PID, then remediate against that process. undo restores the entity if the call turns out to be wrong. isolate cuts the device off from everything except the Defender service while you keep working; release ends the isolation. There are no separate kill or quarantine commands. After remediating, run processes or persistence again to confirm the change took effect.

6

Terminate the Session

When finished, disconnect from the console. The session also ends after 30 minutes of inactivity (a warning appears at 25 minutes) or if the device goes offline. The session log (all commands and output) is kept with the machine action and can be reviewed later from the Action center History tab or the device page, and in Advanced Hunting for 30 days. Disconnect deliberately so the device is free for the next session; a device can be in only one live response session at a time.

What This Looks Like on the Job

Enterprise Scenario 1: Ransomware Containment

A financial institution detects ransomware on a workstation via an MDE alert. The SOC analyst initiates Live Response on the affected device and immediately runs isolate so that encryption of network shares and any lateral movement stop while the investigation continues; the session stays connected because isolation preserves the sensor's channel. They run connections and see an outbound connection to a known malicious IP, match it to a PID in processes, and remediate the process, which stops it and deletes its image file. processes then shows a PowerShell instance launched with an obfuscated command line, which they remediate as well. They record hashes with fileinfo and collect the ransomware binary and scripts with getfile, then run persistence and scheduledtasks to check for anything left behind. The entire response takes under 10 minutes, significantly reducing impact. The collected files are handed to the threat intelligence team, and the device is released from isolation only after it has been cleaned or reimaged.

Enterprise Scenario 2: Insider Threat Investigation

A healthcare organization suspects an employee of exfiltrating patient data. The security team initiates Live Response on the employee's device. They use registry to read the USBSTOR keys for removable-device history. They run dir on the user's Documents and Downloads folders and findfile to locate files whose names suggest patient records (findfile matches on file name, not content; a content search would need a library script executed with run). scheduledtasks and persistence show whether any exfiltration script is set to recur. The analyst records metadata with fileinfo and downloads the suspicious files with getfile. The session command log, available in the Action center, documents every action and its time, which supports chain of custody. The organization later uses the evidence in disciplinary proceedings and to report the incident.

Performance and Scale Considerations

Live Response is designed for targeted, manual response, not mass deployment. In an enterprise with thousands of devices, analysts should prioritize critical devices. Concurrent sessions are limited to 10 per analyst and 25 per tenant, and a device can be in only one session at a time. To scale, organizations use the Run live response API to execute library scripts and collect their output in response to alerts, instead of opening interactive sessions. Network bandwidth is minimal (command output is text; file transfers are the main consumer). Misconfiguration often occurs when permissions are too broad: analysts with Advanced live response rights to all device groups can run arbitrary library scripts as Local System on any device, which makes that role as sensitive as domain administration. Scope roles to device groups (e.g., 'Workstations', 'Servers') using MDE RBAC and grant the Advanced level only where it is needed. Another common mistake is forgetting to review session logs; without monitoring, misuse of Live Response could go undetected.
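The API route mentioned under Interaction with Related Technologies, and relied on above for scaling, looks like this in practice. The following Python module is an added example written for this chapter, not Microsoft sample code: it builds a Run live response request, polls the machine action, and fetches the download link for each collected file. The endpoint paths, command types (PutFile, RunScript, GetFile), parameter keys, and status values follow the public Defender for Endpoint API reference as recalled here and should be checked against the current documentation; the machine id, script name, output path, and every HTTP response in the offline demo are constructed placeholders. The HTTP transport is injected, so the module runs end to end without a tenant.

```python
"""Submit a Defender for Endpoint live response run through the public API and poll
the resulting machine action. Added example for this chapter, not Microsoft code: the
request/response shapes follow the 'Run live response' and 'Machine action' API docs as
recalled by the author (verify against the current reference); the HTTP transport is
injected so the whole flow runs offline against the constructed responses below."""
import time
from typing import Callable, Dict, List, Optional

API_BASE = "https://api.securitycenter.microsoft.com/api"
ALLOWED_COMMAND_TYPES = {"PutFile", "RunScript", "GetFile"}  # the API's three command types
TERMINAL_STATES = {"Succeeded", "Failed", "Cancelled", "TimeOut"}
Transport = Callable[[str, str, Optional[dict]], dict]  # (method, url, json body) -> JSON

def put_file(file_name: str) -> dict:
    """PutFile: copy a file already uploaded to the live response library onto the device."""
    return {"type": "PutFile", "params": [{"key": "FileName", "value": file_name}]}

def run_script(script_name: str, args: str = "") -> dict:
    """RunScript: run a library PowerShell script (signed, or unsigned execution enabled)."""
    params = [{"key": "ScriptName", "value": script_name}]
    if args:
        params.append({"key": "Args", "value": args})
    return {"type": "RunScript", "params": params}

def get_file(path: str) -> dict:
    """GetFile: collect a file from the device (documented getfile limit: 3 GB)."""
    return {"type": "GetFile", "params": [{"key": "Path", "value": path}]}

def build_run_body(commands: List[dict], comment: str) -> dict:
    """Validate the command list and assemble the body for POST .../runliveresponse."""
    for cmd in commands:
        if cmd.get("type") not in ALLOWED_COMMAND_TYPES or not cmd.get("params"):
            raise ValueError(f"invalid live response command: {cmd!r}")
    return {"Commands": commands, "Comment": comment}

def start_live_response(transport: Transport, machine_id: str,
                        commands: List[dict], comment: str) -> str:
    """Submit the run; the API answers with a machine action whose id we then poll."""
    url = f"{API_BASE}/machines/{machine_id}/runliveresponse"
    return transport("POST", url, build_run_body(commands, comment))["id"]

def wait_for_action(transport: Transport, action_id: str,
                    poll_seconds: float = 5.0, max_polls: int = 60) -> dict:
    """Poll GET /machineactions/{id} until the action reaches a terminal status."""
    for _ in range(max_polls):
        action = transport("GET", f"{API_BASE}/machineactions/{action_id}", None)
        if action["status"] in TERMINAL_STATES:
            return action
        time.sleep(poll_seconds)
    raise TimeoutError(f"machine action {action_id} not finished after {max_polls} polls")

def getfile_download_links(transport: Transport, action: dict) -> Dict[int, str]:
    """Fetch a download link for every completed GetFile command, keyed by command index."""
    links: Dict[int, str] = {}
    for cmd in action.get("commands", []):
        if cmd["command"]["type"] == "GetFile" and cmd["commandStatus"] == "Completed":
            url = (f"{API_BASE}/machineactions/{action['id']}/"
                   f"GetLiveResponseResultDownloadLink(index={cmd['index']})")
            links[cmd["index"]] = transport("GET", url, None)["value"]
    return links

def requests_transport(bearer_token: str) -> Transport:
    """Real transport; the token comes from an app registration granted Machine.LiveResponse."""
    import requests  # imported here so the offline demo needs no third-party package
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        resp = requests.request(method, url, json=body, timeout=30,
                                headers={"Authorization": f"Bearer {bearer_token}"})
        resp.raise_for_status()
        return resp.json()
    return send

def make_fake_transport(polls_until_done: int = 2) -> Transport:
    """Constructed offline transport: InProgress for a few polls, then Succeeded with every
    command Completed. Sample data shaped like the API responses, not a real tenant."""
    state = {"commands": [], "polls": 0}
    def send(method: str, url: str, body: Optional[dict]) -> dict:
        if method == "POST" and url.endswith("/runliveresponse"):
            state["commands"] = body["Commands"]
            return {"id": "act-0001", "type": "LiveResponse", "status": "Pending"}
        if "GetLiveResponseResultDownloadLink" in url:
            index = url.rsplit("index=", 1)[1].rstrip(")")
            return {"value": f"https://example.invalid/download/act-0001/{index}"}
        if method == "GET" and "/machineactions/" in url:
            state["polls"] += 1
            done = state["polls"] > polls_until_done
            cmds = [{"index": i, "commandStatus": "Completed" if done else "InProgress",
                     "errors": [], "command": cmd} for i, cmd in enumerate(state["commands"])]
            return {"id": "act-0001", "type": "LiveResponse",
                    "status": "Succeeded" if done else "InProgress", "commands": cmds}
        raise ValueError(f"unexpected request: {method} {url}")
    return send

def demo() -> Dict[int, str]:
    """Stage a file, run a collection script, pull its output (all names are placeholders)."""
    transport = make_fake_transport()
    commands = [put_file("lr_collect.json"),
                run_script("collect_persistence.ps1", "-OutDir C:\\Temp\\lr"),
                get_file("C:\\Temp\\lr\\persistence.zip")]
    action_id = start_live_response(transport, "machine-id-placeholder", commands,
                                    "Collect persistence artifacts, incident 4711")
    action = wait_for_action(transport, action_id, poll_seconds=0)
    return getfile_download_links(transport, action)
```

To run against a tenant, pass requests_transport(token) where demo uses make_fake_transport(); the token must come from an app registration granted the Machine.LiveResponse application permission, and that app appears as the requestor of the machine action in the Action center, so its credentials deserve the same care as an analyst's Advanced live response role. The status polling matters in practice because run and getfile can legitimately take up to 30 minutes; a playbook that fetches the download link immediately after the POST will find nothing there.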

How SC-200 Actually Tests This

What SC-200 Tests on Live Response

SC-200 objective 1.1 'Describe the capabilities of Microsoft 365 Defender' includes Live Response under Defender for Endpoint. The exam tests your ability to:

Identify when to use Live Response vs. automated investigation.

Understand prerequisites (OS version, permissions).

Recognize the command set and their purposes.

Interpret session logs in Advanced Hunting.

Know the session timeout (30 minutes).

Common Wrong Answers and Why Candidates Choose Them

1. 'Live Response is Windows-only.' Candidates remember the original Windows-only release. Live Response now supports Windows, macOS, and Linux; what varies is the minimum Windows version and the commands available on each platform. The exam explicitly tests OS support.

2. 'The session timeout is 60 minutes.' Many products use 60-minute timeouts; MDE uses 30 minutes of inactivity. Candidates may guess based on other tools.

3. 'Live Response requires the device to be connected to the corporate network.' It works anywhere the sensor can reach the Defender cloud over outbound HTTPS, even on an isolated device. Candidates think of it like on-premises remote desktop.

4. 'You can run arbitrary PowerShell inline without restriction.' Scripts must first be uploaded to the live response library (250 MB limit), run requires the Advanced permission level, and unsigned scripts execute only if Live Response unsigned script execution is enabled in Advanced features. The exam may present a scenario where a script fails for one of these reasons.

Specific Numbers, Values, and Terms on the Exam

Timeout: 30 minutes of inactivity; individual commands 10 minutes (getfile, findfile, run: 30 minutes).

Size limits: getfile 3 GB; fileinfo 30 GB; library (putfile and run scripts) 250 MB.

Concurrent sessions: 10 per analyst; 25 per tenant; one session per device.

Permission: live response capabilities in MDE RBAC, at the Basic or Advanced level; the tenant toggle is Live Response under Advanced features.

Commands: Know processes, connections, persistence, registry, scheduledtasks, services, findfile, fileinfo, getfile, putfile, run, remediate, undo, isolate, release.

Advanced Hunting ActionType: 'LiveResponseCommand'.

Edge Cases and Exceptions

Device isolated: Live Response still works. Isolation preserves the device's channel to the Defender service, and isolate and release are themselves Live Response commands.

Device offline: Session cannot be initiated. The device must be online and communicating with MDE.

Server 2012 R2 and 2016: Supported only with the modern unified agent, and only when Live Response for Servers is enabled in Advanced features.

Custom RBAC: If RBAC is scoped, the analyst must hold live response capabilities (Basic or Advanced, as the task requires) on the device group the target belongs to.

How to Eliminate Wrong Answers

If a question mentions automated response, it is likely not Live Response (which is started deliberately by an analyst or an integration).

If the scenario requires collecting a file from a macOS or Linux machine, Live Response remains a valid answer; eliminate it only for unsupported platforms such as Windows Server releases older than 2012 R2.

If the question mentions a timeout, remember 30 minutes of inactivity, not 60 or 90.

If the question asks about logging, look for 'DeviceEvents' and 'ActionType' 'LiveResponseCommand', or the Action center History.

Key Takeaways

Live Response provides real-time, interactive command-line access to devices onboarded to MDE.

Supported on Windows 10 (1709+), Windows 11, Windows Server 2012 R2 and 2016 (modern unified agent), Windows Server 2019+, macOS, and Linux.

Requires the tenant-level Live Response feature (Advanced features; plus Live Response for Servers) and a Defender RBAC role with live response capabilities at the Basic or Advanced level.

Session timeout is 30 minutes of inactivity, with a warning at 25 minutes.

Size limits: getfile 3 GB, fileinfo 30 GB, library 250 MB.

Concurrency: 10 sessions per analyst, 25 per tenant, one per device.

All commands and output are logged; review them in the Action center History or in Advanced Hunting under DeviceEvents with ActionType 'LiveResponseCommand'.

Live Response works on an isolated device; isolate and release are themselves Live Response commands.

Common built-in commands include processes, connections, persistence, registry, scheduledtasks, services, findfile, fileinfo, getfile, putfile, run, remediate, isolate, and release.

Live Response is a manual complement to Automated Investigation and Remediation (AIR).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Live Response

Manual, interactive command-line access

Requires analyst initiation and permissions

Supports real-time commands (processes, connections, getfile, remediate, isolate, etc.)

Session timeout of 30 minutes inactivity

Audited in Advanced Hunting as LiveResponseCommand

Automated Investigation (AIR)

Automated, triggered by alerts

Runs without manual intervention

Performs predefined investigation and remediation actions

No session timeout; runs to completion

Audited in Advanced Hunting as AutomatedInvestigation

Watch Out for These

Mistake

Live Response only works on Windows.

Correct

Live Response is supported on Windows 10 (1709+), Windows 11, Windows Server 2012 R2 and later (2012 R2 and 2016 need the modern unified agent), macOS, and Linux. For server operating systems the Live Response for Servers toggle must also be on.

Mistake

The Live Response session never times out as long as the device is online.

Correct

The session times out after 30 minutes of inactivity, regardless of device connectivity. Active command execution resets the timer. A warning appears at 25 minutes.

Mistake

Any file on the device can be downloaded using getfile without size limits.

Correct

getfile has a 3 GB limit (fileinfo works on files up to 30 GB, and library uploads for putfile and run are limited to 250 MB). For larger files, split or compress them with a library script, or move them through another sanctioned channel such as Azure Storage.

Mistake

Live Response commands are not audited and leave no trace.

Correct

Every command and its output are logged in Advanced Hunting under DeviceEvents with ActionType 'LiveResponseCommand'. This provides a full audit trail for compliance and investigation.

Mistake

An isolated device must be released from isolation before Live Response can be started.

Correct

Isolation blocks all traffic except the device's connection to the Defender for Endpoint service, which is the channel Live Response uses, so a session can be opened on an isolated device. isolate and release are also available as commands inside the session.


Frequently Asked Questions

What are the prerequisites for using Live Response in Defender for Endpoint?

The target device must be running a supported platform (Windows 10 1709+, Windows 11, Windows Server 2012 R2 or 2016 with the modern unified agent, Windows Server 2019+, macOS, or Linux), be onboarded to MDE, and be able to reach the Defender cloud over outbound HTTPS. Live Response (and Live Response for Servers, for servers) must be enabled under Settings > Endpoints > Advanced features, and the analyst needs a Defender RBAC role with live response capabilities for the device's group. Isolation is neither a prerequisite nor a blocker. For exam purposes, remember the feature toggle and the Basic/Advanced permission split.

How long does a Live Response session last, and what happens if I'm idle?

A Live Response session remains active as long as there is activity. After 30 minutes of inactivity, the session automatically terminates. A warning is displayed at the 25-minute mark. If you need more time, simply run a command to reset the timer. The session also ends if the device goes offline. For the exam, remember the 30-minute timeout.

Can I use Live Response to download a file larger than 3 GB?

No, the getfile command has a 3 GB limit. For larger files, have a library script split or compress the data, or move it through another sanctioned channel such as a network share or Azure Storage. The library used by putfile and run is limited to 250 MB, and fileinfo works on files up to 30 GB. For the exam, know the 3 GB getfile limit and the 250 MB library limit.

Is Live Response available for Linux or macOS devices?

Yes. Live Response was originally Windows-only but now supports macOS and Linux as well, using the same console and the core command set. The exam often tests this, so do not eliminate Live Response just because the device is not Windows; eliminate it only for unsupported Windows versions.

How are Live Response actions audited?

Every command executed during a Live Response session, along with its output, is logged in Advanced Hunting. The events appear in the DeviceEvents table with ActionType 'LiveResponseCommand'. This provides a complete audit trail for security and compliance. For the exam, remember that Live Response commands are logged and can be queried in Advanced Hunting.

Can I start a Live Response session on a device that is already isolated?

Yes. Network isolation keeps the device's connection to the Defender for Endpoint service, which is the channel Live Response uses, so you can open a session on an isolated device and investigate it while it stays contained. You can also isolate and release a device from inside the session. This is a common exam scenario.

What is the difference between Live Response and Automated Investigation?

Live Response is a manual, interactive tool that allows analysts to run commands in real-time on a device. Automated Investigation (AIR) is triggered automatically by alerts and runs predefined investigation and remediation steps without human intervention. Live Response is used when deeper investigation is needed beyond what automation provides. The exam tests when to use each.
