Defender for Endpoint

Last updated Jun 30, 2024

defender-endpoint-alerts

Gets alerts from the Microsoft Defender for Endpoint service.

defender-endpoint-alerts [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss] [order=ORDER]
profile=PROFILE
Code of the Defender for Endpoint connect profile to query with.
duration=NUM{mon|w|d|h|m|s}
Scan only recent data, counted back from now. NUM is an integer followed by one time unit: s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, 10s means data from the last 10 seconds.
from=yyyyMMddHHmmss
Start time of the range, in yyyyMMddHHmmss format (for example 20240630000000).
to=yyyyMMddHHmmss
End time of the range, in yyyyMMddHHmmss format.
order=ORDER
Sort order of the returned alerts: asc or desc. Default is desc (newest first).
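As an added example (not Logpresso's own code), the Python below implements the time-window rules the options above describe: the yyyyMMddHHmmss timestamp format and the NUM{mon|w|d|h|m|s} duration syntax, including calendar-month arithmetic for mon so that 1mon before 31 March lands on the last day of February instead of overflowing. It assumes that an explicit from=/to= range takes precedence over duration= and that an omitted to= means now; neither rule is stated on this page, so treat them as assumptions.

```python
import calendar
import re
from datetime import datetime, timedelta

# Added example, not part of Logpresso. Assumptions: from=/to= override
# duration=, and a missing to= means "now".

DURATION_RE = re.compile(r"^(\d+)(mon|w|d|h|m|s)$")  # "mon" before "m" so 3mon is months
SECONDS_PER_UNIT = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_timestamp(value: str) -> datetime:
    """Parse the yyyyMMddHHmmss value accepted by from= and to=."""
    if not re.fullmatch(r"\d{14}", value):
        raise ValueError(f"expected yyyyMMddHHmmss, got {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%S")


def subtract_duration(now: datetime, spec: str) -> datetime:
    """Return `now` minus a NUM{mon|w|d|h|m|s} duration.

    Weeks and smaller units are fixed-length; months are calendar months,
    clamped to the last valid day of the target month.
    """
    m = DURATION_RE.match(spec)
    if not m:
        raise ValueError(f"bad duration {spec!r}: use NUM followed by mon, w, d, h, m or s")
    num, unit = int(m.group(1)), m.group(2)
    if unit == "mon":
        month_index = now.year * 12 + (now.month - 1) - num
        year, month0 = divmod(month_index, 12)
        month = month0 + 1
        day = min(now.day, calendar.monthrange(year, month)[1])
        return now.replace(year=year, month=month, day=day)
    return now - timedelta(seconds=num * SECONDS_PER_UNIT[unit])


def resolve_window(duration=None, from_=None, to=None, now=None):
    """Resolve (start, end) for a defender-endpoint-alerts call.

    start is None when the caller gave no lower bound at all.
    """
    now = now or datetime.now()
    if from_ is not None or to is not None:
        start = parse_timestamp(from_) if from_ else None
        end = parse_timestamp(to) if to else now
    elif duration is not None:
        start, end = subtract_duration(now, duration), now
    else:
        start, end = None, now
    if start is not None and start > end:
        raise ValueError("from= must not be later than to=")
    return start, end


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 30, 12, 0, 0)
    print(resolve_window(duration="1w", now=fixed_now))
    print(resolve_window(from_="20240601000000", to="20240630000000"))
```

A scheduled job that re-runs the command should pass an explicit from=/to= pair derived from its last successful run rather than a duration=, otherwise a skipped run leaves a gap in the alerts it collects.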

Output Fields

Field                 Type    Name                  Description
profile               String  Connect profile
event_time            Date    Event time
severity              String  Severity              e.g. Informational, Low, Medium, High
hostname              String  Hostname
nt_domain             String  NT domain             e.g. AzureAD
nt_user               String  NT user
status                String  Status                e.g. New, InProgress, Resolved
investigation_state   String  Investigation state   e.g. UnsupportedAlertType, SuccessfullyRemediated
category              String  Category              e.g. Malware, Execution, Exploit, Discovery, DefenseEvasion, CredentialAccess
signature             String  Signature             e.g. PUADlManager:Win32/OfferCore
title                 String  Title                 e.g. Unusual number of failed sign-in attempts
mitre_techniques      String  MITRE Techniques      e.g. T1110
description           String  Description
alert_id              Long    Alert ID
tenant_id             String  Tenant ID
threat_family_name    String  Threat Family Name    e.g. EICAR_Test_File
first_seen            Date    First Seen
last_seen             Date    Last Seen
detection_source      String  Detection Source      e.g. WindowsDefenderAtp
detector_id           String  Detector ID
machine_id            String  Machine ID
incident_id           String  Incident ID
investigation_id      String  Investigation ID
last_update_time      Date    Last update time
resolved_time         Date    Resolved time
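As an added example (not part of this page or of Logpresso's code), the Python below shows how a SOC script might consume records carrying these output fields: it collapses repeated fetches of the same alert_id to the record with the newest last_update_time, drops alerts whose status is Resolved or whose investigation_state is SuccessfullyRemediated (the assumption being that automated remediation needs no analyst action), and groups what remains by machine_id, ranked by the worst severity seen. The records are constructed for illustration; last_update_time is kept as a yyyyMMddHHmmss string here for brevity, although the command returns a Date.

```python
from collections import defaultdict

# Added example, not Logpresso code. Severity order of the values listed in the
# field table above.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def make_alert(alert_id, machine_id, hostname, severity, status, category,
               technique, incident_id, last_update_time,
               investigation_state="UnsupportedAlertType"):
    """Build a record shaped like the defender-endpoint-alerts output fields."""
    return {"alert_id": alert_id, "machine_id": machine_id, "hostname": hostname,
            "severity": severity, "status": status, "category": category,
            "mitre_techniques": technique, "incident_id": incident_id,
            "last_update_time": last_update_time,
            "investigation_state": investigation_state}


# Constructed sample data (not real alerts). Alert 101 appears twice: the
# second copy is a later fetch after an analyst picked the alert up.
SAMPLE_ALERTS = [
    make_alert(101, "m-01", "ws-01", "High", "New", "CredentialAccess", "T1110", "inc-7", "20240630080000"),
    make_alert(102, "m-01", "ws-01", "Medium", "InProgress", "Execution", "T1059", "inc-7", "20240630081500"),
    make_alert(103, "m-02", "ws-02", "Low", "New", "Discovery", "T1082", "inc-8", "20240630082000"),
    make_alert(104, "m-03", "srv-03", "High", "Resolved", "Malware", "", "inc-9", "20240630083000",
               investigation_state="SuccessfullyRemediated"),
    make_alert(101, "m-01", "ws-01", "High", "InProgress", "CredentialAccess", "T1110", "inc-7", "20240630090000"),
]


def latest_by_alert_id(alerts):
    """Keep one record per alert_id: the one with the newest last_update_time."""
    latest = {}
    for a in alerts:
        cur = latest.get(a["alert_id"])
        if cur is None or a["last_update_time"] > cur["last_update_time"]:
            latest[a["alert_id"]] = a
    return list(latest.values())


def needs_analyst(alert, min_severity="Medium"):
    """True if the alert is still open, not auto-remediated, and severe enough."""
    if alert["status"] == "Resolved":
        return False
    if alert["investigation_state"] == "SuccessfullyRemediated":
        return False  # assumption: automated investigation already closed it out
    return SEVERITY_RANK.get(alert["severity"], -1) >= SEVERITY_RANK[min_severity]


def triage_by_machine(alerts, min_severity="Medium"):
    """Group actionable alerts per machine_id, worst severity first."""
    groups = defaultdict(lambda: {"hostname": None, "max_severity": "Informational",
                                  "alert_ids": [], "techniques": set(), "incident_ids": set()})
    for a in latest_by_alert_id(alerts):
        if not needs_analyst(a, min_severity):
            continue
        g = groups[a["machine_id"]]
        g["hostname"] = a["hostname"]
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[g["max_severity"]]:
            g["max_severity"] = a["severity"]
        g["alert_ids"].append(a["alert_id"])
        if a["mitre_techniques"]:
            g["techniques"].add(a["mitre_techniques"])
        g["incident_ids"].add(a["incident_id"])
    ordered = sorted(groups.items(),
                     key=lambda kv: (-SEVERITY_RANK[kv[1]["max_severity"]], -len(kv[1]["alert_ids"])))
    return [{"machine_id": mid, "hostname": g["hostname"], "max_severity": g["max_severity"],
             "alert_ids": sorted(g["alert_ids"]), "techniques": sorted(g["techniques"]),
             "incident_ids": sorted(g["incident_ids"])} for mid, g in ordered]


if __name__ == "__main__":
    for row in triage_by_machine(SAMPLE_ALERTS):
        print(row)
```

With the default Medium threshold only ws-01 is listed, carrying both its alerts, the two techniques T1059 and T1110, and the single incident they share; lowering the threshold to Low adds ws-02, while the auto-remediated malware alert on srv-03 never surfaces.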