Defender for Endpoint

Last updated Jun 30, 2024

defender-endpoint-evidences

Get the evidence items for the specified alert from the Microsoft Defender for Endpoint service.

Syntax:

    defender-endpoint-evidences profile=PROFILE id=ID

Parameters:

profile=PROFILE
    Defender for Endpoint connect profile code

id=ID
    Alert ID

Output Fields

| Field | Type | Name | Description |
|---|---|---|---|
| profile | String | Connect profile | |
| evidence_time | Date | Evidence time | |
| entity_type | String | Entity type | e.g. Ip, Url, User, Process, Registry |
| ip | IP address | IP address | |
| url | String | URL | |
| nt_domain | String | NT domain | e.g. AzureAD |
| nt_user | String | NT user | |
| user_sid | String | User SID | |
| detection_status | String | Detection status | e.g. Detected |
| file_path | String | File path | |
| file_name | String | File name | |
| ppid | Long | PPID | Parent process ID |
| parent_image_path | String | Parent image path | e.g. C:\Windows\System32 |
| parent_image | String | Parent image | e.g. cmd.exe |
| pid | Long | PID | Process ID |
| image_path | String | Image path | e.g. C:\Windows\System32\WindowsPowerShell\v1.0 |
| image | String | Image | e.g. powershell.exe |
| cmd_line | String | Command line | |
| sha1 | String | SHA-1 | |
| sha256 | String | SHA-256 | |
| parent_process_ctime | Date | Parent process creation time | |
| reg_hive | String | Registry hive | e.g. HKEY_CURRENT_USER |
| reg_key | String | Registry key | e.g. SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| reg_value_type | String | Registry value type | e.g. Unknown |
| reg_value_name | String | Registry value name | |
| reg_value | String | Registry value | |
| entra_user_id | String | Entra user ID | GUID format |
| user_principal_name | String | User principal name | e.g. demo@logpresso.com |