# Run Live Response & Queries via Akto

## Overview

You can use **Microsoft Defender Run Queries** in Akto Atlas to discover agentic activity and endpoints directly from employee devices.

To access this feature, navigate to:

**Akto Atlas → Connectors → Microsoft Defender → Run Queries**

<div data-with-frame="true"><figure><img src="https://3128331180-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ftog5ODwYfqPOf4eQhsOC%2Fuploads%2FlR5KOcsnDTv96YaUMZBO%2Fimage.png?alt=media&#x26;token=2c8f2913-663d-45e5-9d27-50a3c39a8646" alt="" width="563"><figcaption></figcaption></figure></div>

This integration allows you to:

* Run scripts on endpoints (**Live Response**)
* Query Defender telemetry (**KQL / Advanced Hunting**)

Both methods help you uncover API usage, shadow endpoints, and external services used across your organisation.

### What You Use This For in Akto

This feature has two clear purposes:

<table><thead><tr><th width="250.984375">Option</th><th width="489.26953125">Use case</th></tr></thead><tbody><tr><td><a href="#option-1-run-live-response-scripts"><strong>Deploy Guardrails (Live Response)</strong></a></td><td>Remotely install Akto guardrail scripts on endpoint devices.</td></tr><tr><td><a href="#option-2-run-kql-queries"><strong>Detect Agentic Applications (KQL Queries)</strong></a></td><td>Identify AI tools like Cursor, Claude, and similar applications running on endpoints.</td></tr></tbody></table>

## 1. **Set Up Microsoft Defender Connector**

Before running queries or deploying guardrails, you need to connect Microsoft Defender to Akto.

You can find this setup in:

**Akto Atlas → Connectors → Microsoft Defender for Endpoint**

In the connector setup screen, provide the following:

* **Tenant ID**
* **Client ID**
* **Client Secret**
* **Data Ingestion Service URL**
* **Polling Interval (seconds)**

  <div data-with-frame="true"><figure><img src="https://3128331180-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ftog5ODwYfqPOf4eQhsOC%2Fuploads%2Fx2M2ztf0boHZ7F4D9klG%2Fimage.png?alt=media&#x26;token=bae2af0a-8873-4b21-a6d9-2dfccfb6b36a" alt="" width="375"><figcaption></figcaption></figure></div>

### Credentials & Permissions (Required)

Your Microsoft Defender API credentials must be granted the following permissions for Live Response and KQL queries to function properly.

<details>

<summary><strong>Permission Required</strong></summary>

Your Microsoft Defender API token must include the following permissions:

<table><thead><tr><th width="244.35546875">Permission</th><th>Why it is required</th></tr></thead><tbody><tr><td><code>Machine.Scan</code></td><td>Allows scanning of endpoint devices to collect relevant security and system data</td></tr><tr><td><code>Ti.Read.All</code></td><td>Enables reading threat intelligence data for enrichment and analysis</td></tr><tr><td><code>User.Read.All</code></td><td>Provides visibility into user context associated with endpoint activity</td></tr><tr><td><code>Machine.ReadWrite.All</code></td><td>Allows managing and interacting with machines (required for executing actions like scripts)</td></tr><tr><td><code>Ti.ReadWrite.All</code></td><td>Enables updating and managing threat intelligence indicators if needed</td></tr><tr><td><code>Machine.LiveResponse</code></td><td><strong>Critical</strong> — allows running Live Response scripts to deploy Akto guardrails</td></tr><tr><td><code>Machine.RestrictExecution</code></td><td>Allows restricting execution on endpoints if guardrails require enforcement actions</td></tr><tr><td><code>Machine.StopAndQuarantine</code></td><td>Enables stopping or quarantining potentially risky processes if detected</td></tr><tr><td><code>Alert.Read.All</code></td><td>Allows reading alerts generated by Defender for visibility into endpoint risks</td></tr><tr><td><code>Software.Read.All</code></td><td><strong>Critical</strong> — required to detect installed software (used for identifying agentic apps like Cursor, Claude)</td></tr><tr><td><code>File.Read.All</code></td><td>Allows access to file-level metadata for deeper inspection if needed</td></tr><tr><td><code>Library.Manage</code></td><td>Enables managing the Live Response script library (uploading guardrail scripts)</td></tr><tr><td><code>Machine.Read.All</code></td><td>Provides basic read access to device inventory and metadata</td></tr><tr><td><code>Alert.ReadWrite.All</code></td><td>Allows updating or managing alerts if workflows require it</td></tr><tr><td><code>AdvancedQuery.Read.All</code></td><td><strong>Critical</strong> — required to run KQL queries for detecting agentic applications</td></tr></tbody></table>

</details>

## Option 1: Run Live Response Scripts

You run scripts on selected devices to actively collect data.

Use this when you want to:

* Deploy Akto collectors
* Extract API traffic or logs
* Gather system/network metadata from endpoints

<div data-with-frame="true"><figure><img src="https://3128331180-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ftog5ODwYfqPOf4eQhsOC%2Fuploads%2F4ZwBbTPxOPZkDjBJQMVX%2Fimage.png?alt=media&#x26;token=dae7caf0-a27e-4b4a-98d4-9a758d8e356c" alt="" width="375"><figcaption></figcaption></figure></div>

### Steps to Run

{% stepper %}
{% step %}
**Select Live Response**

Choose **Live Response** from the Run Queries screen.
{% endstep %}

{% step %}
**Select Devices**

Search and select the devices where you want to run your script.

* You can select multiple devices
* Scripts will run sequentially on each device
{% endstep %}

{% step %}
**Add Your Script**

You have two options:

* **Upload new script**
* **Use existing library script**

Supported formats:

* `.ps1` (Windows)
* `.sh` (macOS/Linux)
* `.bat`
{% endstep %}

{% step %}
**(Optional) Add Script Parameters**

You can pass parameters to your script at runtime.

Example:

```
AKTO_PROXY_URL=https://example.ngrok-free.dev/v1
```

{% endstep %}

{% step %}
**Run the Script**

Click **Run on Selected Devices** to execute the script.
{% endstep %}
{% endstepper %}

### What Happens Next

* The script runs remotely via Microsoft Defender
* Guardrails are installed on each selected device
* Execution happens sequentially per endpoint

### Example Use Cases

You use Live Response primarily to:

* Deploy **Akto guardrails** across endpoint devices
* Enforce safe usage policies for agentic AI tools
* Standardize security controls across your organization

## Option 2: Run KQL Queries

You can query existing Microsoft Defender telemetry using Kusto Query Language (KQL).

You use KQL queries to:

* Detect installations of agentic tools such as:
  * Cursor
  * Claude
  * Other AI-assisted development tools
* Identify which devices are running these applications
* Monitor adoption and potential risk exposure
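The following query is an added example, not one shipped by Akto or taken from the page: it combines two standard Advanced Hunting tables to answer "which devices have an agentic tool installed, and which have actually launched one". `DeviceTvmSoftwareInventory` (which needs the `Software.Read.All` permission listed above) gives the installed versions, and `DeviceProcessEvents` gives execution evidence for the last seven days. The tool names in `AgenticTools` are illustrative; extend the list to match the tools you care about.

```kql
// Added example (not from the Akto docs): devices that have installed or run agentic AI tools.
// AgenticTools is an illustrative list; add the tool names used in your organisation.
let AgenticTools = dynamic(["Cursor", "Claude"]);
// Evidence 1: software inventory, with the set of versions seen per device
let Installed =
    DeviceTvmSoftwareInventory
    | where SoftwareName has_any (AgenticTools)
    | summarize Versions = make_set(SoftwareVersion) by DeviceName, Software = SoftwareName
    | extend Evidence = "installed";
// Evidence 2: process launches in the last 7 days, with a count and last-seen time per device
let Executed =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where FileName has_any (AgenticTools)
    | summarize Launches = count(), LastSeen = max(Timestamp) by DeviceName, Software = FileName
    | extend Evidence = "executed";
// Union keeps both kinds of evidence; columns missing from one side are empty on the other
union Installed, Executed
| order by DeviceName asc, Software asc
| limit 500
```

Inventory-only queries miss per-user installs that vulnerability-management coverage does not pick up, and process-only queries miss tools that are installed but idle, which is why the two are combined here. A device that appears with `Evidence == "executed"` but no matching `installed` row is the case to look at first.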

<div data-with-frame="true"><figure><img src="https://3128331180-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Ftog5ODwYfqPOf4eQhsOC%2Fuploads%2Fw64IxU6LOesp1ZFS8LfJ%2Fimage.png?alt=media&#x26;token=e561263b-1315-48ee-a26c-da7f913d0347" alt="" width="375"><figcaption></figcaption></figure></div>

### Steps to Run

{% stepper %}
{% step %}
**Select KQL Query**

Switch to the **KQL Query** tab.
{% endstep %}

{% step %}
**Enter Your Query**

Example:

```kql
DeviceNetworkEvents
| where RemotePort == 443
| project DeviceName, RemoteIP, RemoteUrl
| limit 100
```

{% endstep %}

{% step %}
**Run Query**

Click **Run Query** to execute.
{% endstep %}
{% endstepper %}

## What You Get

You’ll receive structured results showing:

* Devices with agentic tools installed
* Software versions
* Visibility into tool distribution across your organization

### Best Practices for You

* Always filter results to keep queries fast
* Use `limit` to control output size
* Focus on relevant fields like `RemoteUrl`
* Start simple, then refine queries
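To show the practices above applied to the page's own `DeviceNetworkEvents` example, here is an added query (not from the Akto docs) that time-bounds the scan, keeps only rows that carry a hostname, restricts to connections initiated by the agentic tools named in this page, and aggregates by `RemoteUrl` so the result shows which external services those tools reach and from how many devices. The process names in `AgenticTools` are illustrative assumptions.

```kql
// Added example (not from the Akto docs): external services contacted by agentic tools,
// built from the page's DeviceNetworkEvents query with the best practices applied.
let AgenticTools = dynamic(["Cursor", "Claude"]);   // illustrative process-name terms
DeviceNetworkEvents
| where Timestamp > ago(24h)                         // 1. filter on time first; keeps the scan small
| where RemotePort == 443
| where InitiatingProcessFileName has_any (AgenticTools)
| where isnotempty(RemoteUrl)                        // 2. only rows that name the remote host
| summarize Connections = count(),
            Devices = dcount(DeviceName),
            DeviceList = make_set(DeviceName, 20),   // cap the set so wide rollouts stay readable
            LastSeen = max(Timestamp)
    by RemoteUrl, InitiatingProcessFileName          // 3. focus on RemoteUrl
| order by Connections desc
| limit 100                                          // 4. bound the output size
```

Start with a narrow window such as `ago(24h)` and widen it only once the result set is understood; a `RemoteUrl` that appears on many devices but is not a known vendor endpoint is the row worth following up.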

## What Next

Now that you’ve configured and used Microsoft Defender Run Queries, you can proceed with:

* **Deploy via Microsoft Defender Endpoints**\
  Continue setting up endpoint-level integration and guardrail deployment:

  [Deploy via Microsoft Defender Endpoints](https://ai-security-docs.akto.io/akto-atlas-agentic-ai-security-for-employee-endpoints/endpoints-discovery-agents/deploy-via-microsoft-defender "mention")
* **Need Help?**\
  Reach out to the Akto team or explore support resources:

  [support](https://ai-security-docs.akto.io/troubleshooting/support "mention")
