defender-endpoint-evidences
Retrieves the evidence entities (processes, files, registry values, IP addresses, URLs and users) attached to the specified alert from the Microsoft Defender for Endpoint service. One output record is returned per evidence entity, and only the fields relevant to that entity's type are populated.
defender-endpoint-evidences profile=PROFILE id=ID
- profile=PROFILE
- Connect profile code for Microsoft Defender for Endpoint
- id=ID
- ID of the Defender for Endpoint alert whose evidence is to be retrieved
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| profile | String | Connect profile | |
| evidence_time | Date | Evidence time | |
| entity_type | String | Entity Type | e.g. Ip, Url, User, Process, Registry |
| ip | IP address | IP address | |
| url | String | URL | |
| nt_domain | String | NT domain | e.g. AzureAD |
| nt_user | String | NT user | |
| user_sid | String | User SID | |
| detection_status | String | Detection status | e.g. Detected |
| file_path | String | File path | |
| file_name | String | File name | |
| ppid | Long | PPID | Parent process ID |
| parent_image_path | String | Parent image path | Directory containing the parent image, e.g. C:\Windows\System32 |
| parent_image | String | Parent image | e.g. cmd.exe |
| pid | Long | PID | Process ID |
| image_path | String | Image path | Directory containing the image, e.g. C:\Windows\System32\WindowsPowerShell\v1.0 |
| image | String | Image | e.g. powershell.exe |
| cmd_line | String | Command line | |
| sha1 | String | SHA-1 | |
| sha256 | String | SHA-256 | |
| parent_process_ctime | Date | Parent process creation time | |
| reg_hive | String | Registry hive | e.g. HKEY_CURRENT_USER |
| reg_key | String | Registry key | e.g. SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| reg_value_type | String | Registry value type | e.g. Unknown |
| reg_value_name | String | Registry value name | |
| reg_value | String | Registry value | |
| entra_user_id | String | Entra user ID | Microsoft Entra ID object ID of the user, in GUID format |
| user_principal_name | String | User principal name | e.g. demo@logpresso.com |
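The following is an added example of how an analyst might post-process the records this command returns once they have been exported from the query pipeline; it is written for this page and is not part of the Logpresso product or of Microsoft's API. The dictionary keys are the field names from the Output Fields table. Everything else is an assumption for illustration: the sample evidence records are constructed, the list of autorun registry keys and the list of PowerShell switches are this example's own triage heuristics, and how the records travel from the query to Python is left out.

```python
"""Triage helpers for records shaped like the defender-endpoint-evidences output.

Added example, not Logpresso or Microsoft code. Field names follow the
Output Fields table; the records below are constructed, not real Defender data.
"""
from collections import Counter

# Constructed sample evidence for one alert (entity_type values from the table).
EVIDENCE = [
    {"entity_type": "Process", "pid": 4412, "ppid": 3120,
     "image": "powershell.exe",
     "image_path": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "parent_image": "cmd.exe", "parent_image_path": r"C:\Windows\System32",
     "cmd_line": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "sha256": "a" * 64, "detection_status": "Detected"},
    {"entity_type": "Process", "pid": 3120, "ppid": 900,
     "image": "cmd.exe", "image_path": r"C:\Windows\System32",
     "parent_image": "explorer.exe", "parent_image_path": r"C:\Windows",
     "cmd_line": 'cmd.exe /c "powershell.exe -nop -w hidden -enc SQBFAFgA"',
     "sha256": "b" * 64, "detection_status": "Detected"},
    {"entity_type": "Registry", "reg_hive": "HKEY_CURRENT_USER",
     "reg_key": r"SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "reg_value_type": "Unknown", "reg_value_name": "Updater",
     "reg_value": r"C:\Users\demo\AppData\Roaming\u.exe"},
    {"entity_type": "Ip", "ip": "203.0.113.7"},
    {"entity_type": "Url", "url": "http://203.0.113.7/stage2"},
    {"entity_type": "User", "nt_domain": "AzureAD", "nt_user": "demo",
     "user_principal_name": "demo@logpresso.com"},
]

# Assumed heuristic: registry keys whose values execute at logon (autorun persistence).
AUTORUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")

# Assumed heuristic: switches that commonly indicate hidden or encoded PowerShell.
POWERSHELL_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop")


def find_persistence(records):
    """Return Registry evidence whose reg_key is an autorun (Run/RunOnce) key."""
    return [
        r for r in records
        if r.get("entity_type") == "Registry"
        and r.get("reg_key", "").lower().endswith(AUTORUN_SUFFIXES)
    ]


def find_suspicious_powershell(records):
    """Return Process evidence where powershell.exe runs with hidden/encoded switches."""
    hits = []
    for r in records:
        if r.get("entity_type") != "Process" or r.get("image", "").lower() != "powershell.exe":
            continue
        cmd = r.get("cmd_line", "").lower()
        if any(flag in cmd for flag in POWERSHELL_FLAGS):
            hits.append(r)
    return hits


def process_chain(records, pid):
    """Walk pid -> ppid links in the Process evidence; return image names root-first.

    When the parent is not itself an evidence record, the parent_image field of
    the last resolved process is used as the root, so the chain is not cut short.
    """
    by_pid = {r["pid"]: r for r in records if r.get("entity_type") == "Process"}
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur["pid"] not in seen:  # 'seen' guards against cycles
        seen.add(cur["pid"])
        chain.append(cur["image"])
        parent = by_pid.get(cur.get("ppid"))
        if parent is None and cur.get("parent_image"):
            chain.append(cur["parent_image"])
        cur = parent
    return list(reversed(chain))


def indicators(records):
    """Collect network and file indicators (ip, url, sha256), sorted, for a blocklist."""
    iocs = {"ip": set(), "url": set(), "sha256": set()}
    for r in records:
        for field in iocs:
            if r.get(field):
                iocs[field].add(r[field])
    return {k: sorted(v) for k, v in iocs.items()}


def summarize(records):
    """Count evidence entities by entity_type."""
    return dict(Counter(r.get("entity_type", "Unknown") for r in records))


if __name__ == "__main__":
    print("entities:", summarize(EVIDENCE))
    for r in find_persistence(EVIDENCE):
        print("persistence:", r["reg_hive"], r["reg_key"], r["reg_value_name"], "=", r["reg_value"])
    for r in find_suspicious_powershell(EVIDENCE):
        print("powershell:", " -> ".join(process_chain(EVIDENCE, r["pid"])), "|", r["cmd_line"])
    print("iocs:", indicators(EVIDENCE))
```

Because evidence records are sparse (a Registry record carries no pid, an Ip record no sha256), every helper filters on entity_type first and reads the remaining fields with `.get()`, which is the pattern to keep when adapting this to real exports: a missing key is expected, not an error.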