Microsoft Defender Advanced Threat Protection

Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.

Endpoint · Microsoft Defender for Endpoint

Configuration parameters

  • endpoint_type — Endpoint Type
  • _auth_id_encrypted
  • _tenant_id_encrypted
  • _auth_id — ID
  • _tenant_id — Token
  • credentials
  • creds_certificate — Certificate Thumbprint
  • certificate_thumbprint — Certificate Thumbprint
  • private_key — Private Key
  • auth_type — Authentication Type
  • redirect_uri — Application redirect URI (for authorization code mode)
  • auth_code — Authorization code
  • managed_identities_client_id
  • Reliability — Source Reliability
  • isFetch — Fetch incidents
  • incidentType — Incident type
  • fetch_status — Status for fetching alerts as incidents. Comma-separated lists are supported, e.g., New,Resolved.
  • fetch_detectionsource — DetectionSource to filter out alerts for fetching as incidents.
  • fetch_severity — Severity for fetching alerts as incidents. Comma-separated lists are supported, e.g., Medium,High.
  • max_fetch — Maximum number of incidents to fetch
  • url — Server URL (e.g., https://api.securitycenter.microsoft.com)
  • self_deployed — Use a self-deployed Azure Application
  • insecure — Trust any certificate (not secure)
  • fetch_evidence — Fetch alert evidence
  • proxy — Use system proxy settings
  • first_fetch_timestamp — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  • is_gcc — Using Microsoft GCC? (Deprecated)
  • auth_id — ID (received from the admin consent - see Detailed Instructions (?) section) (Deprecated)
  • tenant_id — Token (received from the admin consent - see Detailed Instructions (?) (Deprecated) section)
  • enc_key — Key (received from the admin consent - see Detailed Instructions (?) section) (Deprecated)

Commands (81)

  • endpoint

    Gets machines that have communicated with Microsoft Defender for Endpoint cloud. At least one of the following arguments is required - IP, hostname, or ID. Otherwise, an error appears.

  • file

    Checks the file reputation of the specified hash.

  • microsoft-atp-add-remove-machine-tag

    Adds or removes a tag on a specific machine.

  • microsoft-atp-advanced-hunting Deprecated

    Deprecated. Use the 'msg-advanced-hunting' command in the 'Microsoft Graph Security' integration instead.

  • microsoft-atp-advanced-hunting-cover-up

    Detects cover up actions. When you select a “query_purpose” argument, a designated query template is used.

  • microsoft-atp-advanced-hunting-file-origin

    Indicates how the file got on the machine. Possible details are "dropped_file" - Was the file dropped? From where? "created_file" - Created by another File (script, compiled binary). "network_shared" - Shared via network. "execution_chain" - What is the process execution chain.

  • microsoft-atp-advanced-hunting-lateral-movement-evidence

    Detects evidence of attempted lateral movement. When you select a “query_purpose” argument, a designated query template is used.

  • microsoft-atp-advanced-hunting-network-connections

    Detects network connections. When you select a “query_purpose” argument, a designated query template is used.

  • microsoft-atp-advanced-hunting-persistence-evidence

    Detects evidence of persistence. When you select a “query_purpose” argument, a designated query template is used.

  • microsoft-atp-advanced-hunting-privilege-escalation

    Detects evidence of privilege escalation.

  • microsoft-atp-advanced-hunting-process-details

    Detects process details. When you select a “query_purpose” argument, a designated query template is used.

  • microsoft-atp-advanced-hunting-tampering

    Detects evidence of MSDE agent/sensor manipulation.

  • microsoft-atp-auth-reset

    Run this command if for some reason you need to rerun the authentication process.

  • microsoft-atp-collect-investigation-package

    Collect an investigation package from a machine.

  • microsoft-atp-create-alert Deprecated

    Deprecated. No available replacement.

  • microsoft-atp-generate-login-url

    Generate the login url used for Authorization code flow.

  • microsoft-atp-get-alert-by-id Deprecated

    Deprecated. Use 'msg-get-alert-details' in the 'Microsoft Graph Security' integration instead.

  • microsoft-atp-get-alert-related-domains Deprecated

    Deprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration to retrieve `DomainName` as part of the alert details.

  • microsoft-atp-get-alert-related-files Deprecated

    Deprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration, which can retrieve `fileDetails` as part of the alert details.

  • microsoft-atp-get-alert-related-ips Deprecated

    Deprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration, which can retrieve `IpAddress` as part of the alert details.

  • microsoft-atp-get-alert-related-user Deprecated

    Deprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration, which can retrieve `userAccount` information as part of the alert details.

  • microsoft-atp-get-domain-alerts Deprecated

    Deprecated. No available replacement.

  • microsoft-atp-get-domain-machines

    Retrieves a collection of machines that have communicated to or from a given domain address.

  • microsoft-atp-get-domain-statistics

    Retrieves statistics on the given domain.

  • microsoft-atp-get-file-alerts Deprecated

    Deprecated. No available replacement.

  • microsoft-atp-get-file-info

    Retrieves file information by a file hash (SHA1 or SHA256).

  • microsoft-atp-get-file-related-machines

    Gets a collection of machines with a given file SHA1 hash.

  • microsoft-atp-get-file-statistics

    Retrieves statistics for the given file.

  • microsoft-atp-get-investigation-package-sas-uri

    Gets a URI that allows downloading an investigation package.

  • microsoft-atp-get-ip-alerts Deprecated

    Deprecated. No available replacement.

  • microsoft-atp-get-ip-statistics

    Retrieves statistics for a given IP.

  • microsoft-atp-get-machine-alerts Deprecated

    Deprecated. No available replacement.

  • microsoft-atp-get-machine-by-ip

    Find Machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.

  • microsoft-atp-get-machine-details

    Get a machine's details by its identity.

  • microsoft-atp-get-machine-missing-kbs

    Get the specific machine's missing security updates (KBs).

  • microsoft-atp-get-machine-software

    Get the specific machine's software details.

  • microsoft-atp-get-machine-users

    Retrieves a collection of logged on users on a specific device.

  • microsoft-atp-get-machine-vulnerabilities

    Get the specific machine's vulnerabilities.

  • microsoft-atp-get-machines

    Retrieves a collection of machines that communicated with WDATP cloud in the last 30 days. Note - only IP or hostname can be a comma-separated list. If both are given as lists, an error will appear.

  • microsoft-atp-get-user-alerts Deprecated

    Deprecated. No available replacement.

  • microsoft-atp-get-user-machines

    Retrieves a collection of machines related to a given user ID.

  • microsoft-atp-indicator-batch-update

    Updates a batch of indicators. If an indicator does not exist, a new indicator is created.

  • microsoft-atp-indicator-create-file Deprecated

    Deprecated. Use the microsoft-atp-sc-indicator-create command instead. Creates a file indicator.

  • microsoft-atp-indicator-create-network Deprecated

    Deprecated. Use the microsoft-atp-sc-indicator-create command instead. Creates a network indicator.

  • microsoft-atp-indicator-delete Deprecated

    Deprecated. Use the microsoft-atp-sc-indicator-delete command instead. Deletes the specified indicator.

  • microsoft-atp-indicator-get-by-id Deprecated

    Deprecated. Use the microsoft-atp-sc-indicator-get-by-id command instead. Gets an indicator by its ID.

  • microsoft-atp-indicator-list Deprecated

    Deprecated. Use the microsoft-atp-sc-indicator-list command instead. Lists all indicators by the ID that the system creates when the indicator is ingested.

  • microsoft-atp-indicator-update Deprecated

    Deprecated. Use the microsoft-atp-sc-indicator-update command instead. Updates the specified indicator.

  • microsoft-atp-isolate-machine

    Isolates a machine from accessing external networks.

  • microsoft-atp-list-alerts Deprecated

    Deprecated. Use the 'msg-search-alerts' command in the 'Microsoft Graph Security' integration instead.

  • microsoft-atp-list-auth-permissions

    This command gets the permissions from the currently configured credentials. Use for debugging and detecting permission issues.

  • microsoft-atp-list-investigations

    Retrieves a collection of investigations or retrieves a specific investigation by its ID.

  • microsoft-atp-list-machine-actions-details

    Return the machine's actions. If you set an action ID, it returns the info on the specific action. Filtering can be done only on one argument.

  • microsoft-atp-list-machines-by-software

    Retrieve a list of device references that has this software installed.

  • microsoft-atp-list-machines-by-vulnerability

    Retrieves a list of machines affected by a vulnerability.

  • microsoft-atp-list-missing-kb-by-software

    Retrieves missing KBs (security updates) by software ID.

  • microsoft-atp-list-software

    Retrieves the organization software inventory.

  • microsoft-atp-list-software-version-distribution

    Retrieves a list of your organization's software version distribution.

  • microsoft-atp-list-vulnerabilities

    Retrieves a list of all vulnerabilities.

  • microsoft-atp-list-vulnerabilities-by-machine

    Retrieves a list of all the vulnerabilities affecting the organization per machine.

  • microsoft-atp-list-vulnerabilities-by-software

    Retrieves a list of all the vulnerabilities affecting the organization per software.

  • microsoft-atp-live-response-cancel-action

    Cancels an action with an unfinished status.

  • microsoft-atp-live-response-get-file

    Collects a file from a device. Note: Backslashes in the path must be escaped.

  • microsoft-atp-live-response-put-file

    Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.

  • microsoft-atp-live-response-result

    Gets a result file for a specified action.

  • microsoft-atp-live-response-run-script

    Runs a script from the library on a device. The Args parameter is passed to your script. Timeouts after 10 minutes.

  • microsoft-atp-offboard-machine

    Offboard a machine from Microsoft Defender for Endpoint.

  • microsoft-atp-remove-app-restriction

    Enable the execution of any application on the machine.

  • microsoft-atp-request-and-download-investigation-package

    Collect and download an investigation package from a machine.

  • microsoft-atp-restrict-app-execution

    Restricts the execution of all applications on the machine except for a predefined set.

  • microsoft-atp-run-antivirus-scan

    Initiate a Microsoft Defender Antivirus scan on a machine.

  • microsoft-atp-sc-indicator-create

    Creates a new indicator.

  • microsoft-atp-sc-indicator-delete

    Deletes the specified indicator.

  • microsoft-atp-sc-indicator-get-by-id

    Gets an indicator by its ID.

  • microsoft-atp-sc-indicator-list

    Lists all indicators by the ID that the system creates when the indicator is ingested.

  • microsoft-atp-sc-indicator-update

    Updates the specified indicator.

  • microsoft-atp-start-investigation

    Starts an automated investigation on a machine.

  • microsoft-atp-stop-and-quarantine-file

    Stop the execution of a file on a machine and delete it.

  • microsoft-atp-test

    Tests connectivity to Microsoft Defender for Endpoint.

  • microsoft-atp-unisolate-machine

    Undo an isolation of a machine.

  • microsoft-atp-update-alert Deprecated

    Deprecated. Use the 'msg-update-alert' command in the 'Microsoft Graph Security' integration instead.