defender-endpoint-alerts
Get alerts from Microsoft Defender for Endpoint service.
defender-endpoint-alerts [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [order=ORDER]
- profile=PROFILE
- Defender endpoint connect profile code
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. Use one of the time units s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, 10s means data from 10 seconds earlier.
- from=yyyyMMddHHmmss
- Start time of range. yyyyMMddHHmmss format
- to=yyyyMMddHHmmss
- End time of range. yyyyMMddHHmmss format
- order=ORDER
- asc or desc. desc by default.
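The following is an added example, not code from the original documentation or from the product itself: it models how the duration, from/to and order options narrow and sort a set of alerts, applied to constructed records. The 30-day month, the exclusive end time and the intersection of duration with from/to are assumptions.

```python
# Added example: models the command's time-range and order options over constructed alerts.
from datetime import datetime, timedelta
import re

# Units accepted by duration=NUM{mon|w|d|h|m|s}; "mon" approximated as 30 days (assumption).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "mon": 30 * 86400}

def parse_duration(text):
    """'10s' -> timedelta(seconds=10); anything else is rejected."""
    m = re.fullmatch(r"(\d+)(mon|w|d|h|m|s)", text)
    if not m:
        raise ValueError("bad duration: %r" % text)
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])

def parse_ts(text):
    """yyyyMMddHHmmss -> datetime (strptime rejects malformed values)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S")

def select_alerts(alerts, now, duration=None, from_=None, to=None, order="desc"):
    """Apply the range options to alert dicts with an event_time key, then sort by order."""
    if order not in ("asc", "desc"):
        raise ValueError("order must be asc or desc")
    start = now - parse_duration(duration) if duration else None
    if from_:  # duration and from both given: keep the narrower range (assumption)
        start = parse_ts(from_) if start is None else max(start, parse_ts(from_))
    end = parse_ts(to) if to else None  # end treated as exclusive (assumption)
    chosen = [a for a in alerts
              if (start is None or a["event_time"] >= start)
              and (end is None or a["event_time"] < end)]
    return sorted(chosen, key=lambda a: a["event_time"], reverse=(order == "desc"))

# Constructed sample records, not real Defender data.
SAMPLE_ALERTS = [
    {"alert_id": 1, "event_time": datetime(2024, 5, 1, 9, 0, 0), "severity": "High", "status": "New"},
    {"alert_id": 2, "event_time": datetime(2024, 5, 1, 9, 30, 0), "severity": "Low", "status": "Resolved"},
    {"alert_id": 3, "event_time": datetime(2024, 5, 1, 10, 0, 0), "severity": "Medium", "status": "InProgress"},
]

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 5, 0)
    for a in select_alerts(SAMPLE_ALERTS, now, duration="1h"):
        print(a["alert_id"], a["event_time"], a["severity"])
```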
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| profile | String | Connect profile | |
| event_time | Date | Event time | |
| severity | String | Severity | e.g. Informational, Low, Medium, High |
| hostname | String | Hostname | |
| nt_domain | String | NT domain | e.g. AzureAD |
| nt_user | String | NT user | |
| status | String | Status | e.g. New, InProgress, Resolved |
| investigation_state | String | Investigation state | e.g. UnsupportedAlertType, SuccessfullyRemediated |
| category | String | Category | e.g. Malware, Execution, Exploit, Discovery, DefenseEvasion, CredentialAccess |
| signature | String | Signature | e.g. PUADlManager:Win32/OfferCore |
| title | Long | Title | e.g. Unusual number of failed sign-in attempts |
| mitre_techniques | String | MITRE Techniques | e.g. T1110 |
| description | String | Description | |
| alert_id | Long | Alert ID | |
| tenant_id | String | Tenant ID | |
| threat_family_name | String | Threat Family Name | e.g. EICAR_Test_File |
| first_seen | Date | First Seen | |
| last_seen | Date | Last Seen | |
| detection_source | String | Detection Source | e.g. WindowsDefenderAtp |
| detector_id | String | Detector ID | |
| machine_id | String | Machine ID | |
| incident_id | String | Incident ID | |
| investigation_id | String | Investigation ID | |
| last_update_time | Date | Last update time | |
| resolved_time | Date | Resolved time | |