Microsoft Defender Script Library with Copilot Analysis


Microsoft Defender for Endpoint now offers Library Management for live response scripts and tools. Security teams upload, organize, and analyze investigation assets proactively from the portal. No more mid-session uploads during active incidents.

The feature launched February 16, 2026. Analysts previously uploaded PowerShell scripts and executables during live sessions. This slowed response times and created inconsistency across teams.

Now teams pre-stage tools centrally. Copilot analyzes scripts automatically for behavior summaries and security risks. Everything stays organized and audit-ready before alerts trigger.

Ami Barayev, Principal Product Manager, stated: “This enhancement improves operational readiness, enhances visibility and control, and streamlines SOC workflows.”

Library Management Features

Centralized management covers upload, preview, and cleanup. Analysts handle scripts outside active investigations. Pre-uploaded tools are available immediately during incidents.

Core capabilities:

  • Pre-stage PowerShell, batch files, executables
  • Portal-based script content preview
  • One-click deletion of obsolete tools
  • Team-wide consistency across analysts

Copilot integration transforms unknown scripts into actionable insights. It generates summaries, flags risks, and maps MITRE ATT&CK techniques automatically.

Junior analysts gain confidence with natural language explanations. They need no PowerShell expertise to understand inherited toolsets.

Copilot Script Analysis

Copilot processes library scripts for instant analysis:

  • Behavior summaries: What each script does
  • Security insights: Risky commands or techniques
  • MITRE mapping: ATT&CK tactics used
  • Execution context: Safe vs dangerous operations

Analysts review Copilot output directly in the portal. This reduces execution errors during high-pressure incidents.

Sample Copilot output:

Script: cleanup_logs.ps1
Behavior: Clears Windows event logs
Risks: May hinder forensic investigation
ATT&CK: T1070.001 – Clear Event Logs
Recommendation: Use only post-containment

Technical Implementation

Access the library from the Live Response page in the Defender portal. Preview status: available now.

Workflow:

  1. Navigate to Library Management
  2. Upload investigation scripts/tools
  3. Copilot analyzes automatically
  4. Review summaries, delete unneeded
  5. Tools ready for any live session

No external editors needed. Portal handles all management.

SOC Team Benefits

Preparation: Tools ready before incidents
Consistency: Standardized script library
Speed: Zero upload delays
Safety: Copilot risk analysis
Audit: Clean history and approvals

Junior analysts ramp up faster. Senior engineers focus on response, not tool management.

Comparison: Before vs After

| Aspect | Previous | Library Management |
| --- | --- | --- |
| Upload Timing | During live session | Pre-staged |
| Organization | Per-analyst | Centralized |
| Script Review | External editors | Portal + Copilot |
| Team Consistency | Variable | Standardized |
| Cleanup | Manual | One-click |
| Analysis | None | Copilot + MITRE |

Rollout and Access

Status: Preview available February 16, 2026
Location: Defender portal > Live Response > Library Management
Requirements: Microsoft Defender for Endpoint license

Teams build libraries immediately. Copilot analysis works on existing uploads.

Best Practices

  • Categorize: Tag scripts by function (triage, remediation, forensics)
  • Document: Add Copilot summaries to runbooks
  • Review: Monthly cleanup of unused tools
  • Train: Onboard analysts to library workflow
  • Audit: Track script usage patterns
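
As an added example (not part of the original article and not Microsoft tooling): a PowerShell pre-upload check that inventories a local staging folder before scripts go into the library, recording a category tag, a SHA-256 hash, and a few risky command patterns for the reviewer. The `Get-LibraryInventory` name, the folder-per-category layout, and the pattern list are assumptions; the two sample scripts are constructed.

```powershell
# Added example. The pattern list is a small illustrative set, not a Microsoft rule set.
$rules = @(
    @{ Pattern = 'Clear-EventLog|wevtutil(\.exe)?\s+(cl|clear-log)\b'; Technique = 'T1070.001'; Note = 'clears Windows event logs' }
    @{ Pattern = 'Set-MpPreference\b.*-DisableRealtimeMonitoring';     Technique = 'T1562.001'; Note = 'changes Defender protection' }
    @{ Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows';                Technique = 'T1490';     Note = 'deletes shadow copies' }
)

function Get-LibraryInventory {
    param([Parameter(Mandatory)][string]$Path)
    # File types follow the article: PowerShell, batch files, executables.
    Get-ChildItem -Path $Path -Recurse -File -Include *.ps1, *.bat, *.cmd, *.exe | ForEach-Object {
        $file = $_
        $hits = @()
        if ($file.Extension -ne '.exe') {
            # Only text scripts are pattern-matched; binaries are hashed only.
            $text = Get-Content -LiteralPath $file.FullName -Raw
            $hits = @($rules | Where-Object { $text -match $_.Pattern } |
                ForEach-Object { "$($_.Technique) ($($_.Note))" })
        }
        [pscustomobject]@{
            Category = $file.Directory.Name   # assumption: subfolder name is the tag
            Name     = $file.Name
            SHA256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            Flags    = $hits -join '; '
        }
    }
}

# Constructed sample staging folder (file contents are written, never executed).
$stage = Join-Path ([System.IO.Path]::GetTempPath()) 'lr-library-demo'
$remediation = Join-Path $stage 'remediation'
$triage = Join-Path $stage 'triage'
New-Item -ItemType Directory -Force -Path $remediation, $triage | Out-Null
Set-Content -Path (Join-Path $remediation 'cleanup_logs.ps1') -Value 'Clear-EventLog -LogName Application'
Set-Content -Path (Join-Path $triage 'list_procs.ps1') -Value 'Get-Process | Sort-Object CPU -Descending'

# One row per file; flagged rows get a second look before upload.
Get-LibraryInventory -Path $stage | Sort-Object Category, Name | Format-Table -AutoSize
```

Saving the output with `Export-Csv` each month gives the review and audit steps a baseline: a changed hash for an unchanged file name is worth a question.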

FAQ

When is it available?

February 16, 2026 preview.

What file types are supported?

PowerShell, batch files, executables for live response.

What does Copilot analyze?

Behavior, security risks, MITRE ATT&CK mappings.

Where is it accessed?

Defender portal > Live Response > Library Management.

Does it replace live uploads?

No, it supplements them with a pre-staging option.

What are the benefits for junior analysts?

Natural language explanations, risk warnings.

What is the current status?

Preview; upload and analyze scripts now.
