Collect support logs in Microsoft Defender for Endpoint using live response

Applies to:

• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender XDR

Want to experience Defender for Endpoint? Sign up for a free trial.

When contacting support, you might be asked to provide the output package of the Microsoft Defender for Endpoint Client Analyzer tool.

This article provides instructions on how to run the tool via Live Response on Windows and on Linux machines.

Windows

1. Download and fetch the required scripts available from within the Tools subdirectory of the Microsoft Defender for Endpoint Client Analyzer.

   For example, to get the basic sensor and device health logs, fetch ..\Tools\MDELiveAnalyzer.ps1.

   If you also require Microsoft Defender Antivirus support logs (MpSupportFiles.cab), then fetch ..\Tools\MDELiveAnalyzerAV.ps1.

2. Initiate a Live Response session on the machine you need to investigate.

3. Select Upload file to library.

   

4. Select Choose file.

   

5. Select the downloaded file named MDELiveAnalyzer.ps1, and then select on Confirm.

   

6. While still in the LiveResponse session, use the following commands to run the analyzer and collect the resulting file.

   Run MDELiveAnalyzer.ps1
   GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
   

   

Additional information

• The latest preview version of MDEClientAnalyzer can be downloaded here: https://aka.ms/Betamdeanalyzer.

• If you can't allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:

  PutFile MDEClientAnalyzerPreview.zip -overwrite
  Run MDELiveAnalyzer.ps1
  GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip"
  

• For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or doesn't appear in Microsoft Defender for Endpoint portal as expected, see Verify client connectivity to Microsoft Defender for Endpoint service URLs.

• As described in Live response command examples, you might want to use the & symbol at the end of the command to collect logs as a background action:

  Run MDELiveAnalyzer.ps1&
  

Linux

The XMDE Client Analyzer tool can be downloaded as a binary or Python package that can be extracted and executed on Linux machines. Both versions of the XMDE Client Analyzer can be executed during a Live Response session.

Prerequisites

• For installation the unzip package is required.

• For execution the acl package is required.

Installing the XMDE Client Analyzer

Both versions of XMDE Client Analyzer, binary and Python, a self-contained package that must be downloaded and extracted before executing, and the complete set of steps for this process can be found:

• Running the Binary version of the Client Analyzer

• Running the Python version of the Client Analyzer

Due to the limited commands available in Live Response the steps detailed must be executed in a bash script, and by splitting the installation and execution portion of these commands it's possible to run the install script once, while running the execution script multiple times.

Binary Client Analyzer Install Script

The following script performs the first six steps of the Running the Binary version of the Client Analyzer. When complete, the XMDE Client Analyzer binary is available from the /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer directory.

1. Create a bash file InstallXMDEClientAnalyzer.sh and paste the following content into it.

   #! /usr/bin/bash
   
   echo "Starting Client Analyzer Script. Running As:"
   whoami
   
   echo "Getting XMDEClientAnalyzerBinary"
   wget --quiet -O /tmp/XMDEClientAnalyzerBinary.zip https://aka.ms/XMDEClientAnalyzerBinary
   echo '9D0552DBBD1693D2E2ED55F36147019CFECFDC009E76BAC4186CF03CD691B469 /tmp/XMDEClientAnalyzerBinary.zip' | sha256sum -c
   
   echo "Unzipping XMDEClientAnalyzerBinary.zip"
   unzip -q /tmp/XMDEClientAnalyzerBinary.zip -d /tmp/XMDEClientAnalyzerBinary
   
   echo "Unzipping SupportToolLinuxBinary.zip"
   unzip -q /tmp/XMDEClientAnalyzerBinary/SupportToolLinuxBinary.zip -d /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
   
   echo "MDESupportTool installed at /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer"
   
   

Python Client Analyzer Install Script

The following script performs the first six steps of the Running the Python version of the Client Analyzer. When complete, the XMDE Client Analyzer Python scripts are available from the /tmp/XMDEClientAnalyzer directory.

1. Create a bash file InstallXMDEClientAnalyzer.sh and paste the following content into it.

   #! /usr/bin/bash
   
   echo "Starting Client Analyzer Install Script. Running As:"
   whoami
   
   echo "Getting XMDEClientAnalyzer.zip"
   wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer 
   echo '36C2B13AE657456119F3DC2A898FD9D354499A33F65015670CE2CD8A937F3C66 XMDEClientAnalyzer.zip' | sha256sum -c  
   
   echo "Unzipping XMDEClientAnalyzer.zip"
   unzip -q XMDEClientAnalyzer.zip -d /tmp/XMDEClientAnalyzer  
   
   echo "Setting execute permissions on mde_support_tool.sh script"
   cd /tmp/XMDEClientAnalyzer 
   chmod a+x mde_support_tool.sh  
   
   echo "Performing final support tool setup"
   ./mde_support_tool.sh
   
   

Running the Client Analyzer Install Scripts

1. Initiate a Live Response session on the machine you need to investigate.

2. Select Upload file to library.

3. Select Choose file.

4. Select the downloaded file named InstallXMDEClientAnalyzer.sh, and then select Confirm.

5. While still in the LiveResponse session, use the following commands to install the analyzer:

   run InstallXMDEClientAnalyzer.sh
   

Running the XMDE Client Analyzer

Live Response doesn't support running the XMDE Client Analyzer or Python directly, so an execution script is necessary.

Binary Client Analyzer Run Script

The Binary Client Analyzer accepts command line parameters to perform different analysis tests. To provide similar capabilities during Live Response the execution script takes advantage of the $@ bash variable to pass all input parameters provided to the script to the XMDE Client Analyzer.

1. Create a bash file MDESupportTool.sh and paste the following content into it.

   #! /usr/bin/bash
   
   echo "cd /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer"
   cd /tmp/XMDEClientAnalyzerBinary/ClientAnalyzer
   
   echo "Running MDESupportTool"
   ./MDESupportTool $@
   
   

Python Client Analyzer Run Script

The Python Client Analyzer accepts command line parameters to perform different analysis tests. To provide similar capabilities during Live Response the execution script takes advantage of the $@ bash variable to pass all input parameters provided to the script to the XMDE Client Analyzer.

1. Create a bash file MDESupportTool.sh and paste the following content into it.

   #! /usr/bin/bash  
   
   echo "cd /tmp/XMDEClientAnalyzer"
   cd /tmp/XMDEClientAnalyzer 
   
   echo "Running mde_support_tool"
   ./mde_support_tool.sh $@
   
   

Running the Client Analyzer Script

1. Initiate a Live Response session on the machine you need to investigate.

2. Select Upload file to library.

3. Select Choose file.

4. Select the downloaded file named MDESupportTool.sh, and then select Confirm.

5. While still in the Live Response session, use the following commands to run the analyzer and collect the resulting file.

   run MDESupportTool.sh -parameters "--bypass-disclaimer -d"
   GetFile "/tmp/your_archive_file_name_here.zip"
   

See also

• Client analyzer overview
• Download and run the client analyzer
• Run the client analyzer on Windows
• Run the client analyzer on macOS or Linux
• Data collection for advanced troubleshooting on Windows
• Understand the analyzer HTML report