Microsoft has introduced a new Library Management experience in Microsoft Defender for Endpoint, designed to fundamentally transform how security analysts manage the scripts and tools they rely on during live response investigations.
Announced on February 16, 2026, the enhancement addresses a long-standing operational pain point: analysts previously had to upload scripts and executables mid-session, slowing incident response and limiting cross-team consistency.
In dynamic investigation environments, preparation and agility are key. Security analysts working with live response in Microsoft Defender often rely on scripts and tools to triage, investigate, and remediate threats. Until now, these assets had to be uploaded during active sessions, limiting manageability and increasing time to action.
Recognizing the need for better readiness and control, Defender now introduces a more proactive and efficient way to manage these assets through library management. “This enhancement in Defender’s live response tooling improves operational readiness, enhances visibility and control, and helps streamline response workflows across SOC teams,” said Ami Barayev, Principal Product Manager at Microsoft.
The new library management experience brings powerful enhancements to how security teams manage scripts and files used in live response. With this centralized and streamlined interface, analysts no longer need to wait for an active session to organize their investigation tools everything can now be managed proactively, directly from the portal.
What’s New in Library Management
The feature ships with a focused set of capabilities built to reduce friction across the entire live response workflow:
- Centralized script and file management — Security teams can upload, manage, and clean up their entire collection of Live Response scripts and files outside of an active investigation, enabling better preparation and alignment across analysts.
- Upload in advance — PowerShell scripts, batch files, or other response tools can be pre-staged so they are immediately accessible when needed during a critical investigation.
- View script contents in the portal — Analysts can review script logic and confirm functionality directly within the Defender UI, without switching to external tools or editors.
- Clean and organize — Outdated or redundant scripts can be deleted in a single click, keeping the library lean, relevant, and audit-friendly.
Understanding unfamiliar scripts can slow down investigations, especially for analysts who are new to a team or working with inherited toolsets. That is where Microsoft Security Copilot becomes a force multiplier within the library management workflow.
Copilot automatically analyzes scripts stored in the library and delivers summarized behavior descriptions, security-relevant insights, and execution risk context. This AI-driven layer reduces the chance of errors during execution and increases analyst confidence when handling unknown or complex scripts.
Microsoft’s existing script analysis capability already extends to MITRE ATT&CK technique mapping, allowing analysts to understand the tactics and techniques a script may leverage within their environment.
For junior analysts unfamiliar with PowerShell or inherited toolsets, Copilot’s natural language explanations are especially valuable, effectively bridging the skills gap that is common in large SOC environments.
The Library Management experience is accessible directly from the live response page within the Microsoft Defender portal, and is currently available in preview.
Security teams can begin uploading investigation tools, exploring script previews, and leveraging Copilot to surface the intent and behavior of their scripts, building a more organized, auditable, and intelligence-ready response toolkit before the next alert fires.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
