Microsoft Defender Advanced Threat Protection
Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection (ATP)) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
Endpoint · Microsoft Defender for Endpoint
Configuration parameters
endpoint_type— Endpoint Type_auth_id_encrypted—_tenant_id_encrypted—_auth_id— ID_tenant_id— Tokencredentials—creds_certificate— Certificate Thumbprintcertificate_thumbprint— Certificate Thumbprintprivate_key— Private Keyauth_type— Authentication Typeredirect_uri— Application redirect URI (for authorization code mode)auth_code— Authorization codemanaged_identities_client_id—Reliability— Source ReliabilityisFetch— Fetch incidentsincidentType— Incident typefetch_status— Status for fetching alerts as incidents. Comma-separated lists are supported, e.g., New,Resolved.fetch_detectionsource— DetectionSource to filter out alerts for fetching as incidents.fetch_severity— Severity for fetching alerts as incidents. Comma-separated lists are supported, e.g., Medium,High.max_fetch— Maximum number of incidents to fetchurl— Server URL (e.g., https://api.securitycenter.microsoft.com)self_deployed— Use a self-deployed Azure Applicationinsecure— Trust any certificate (not secure)fetch_evidence— Fetch alert evidenceproxy— Use system proxy settingsfirst_fetch_timestamp— First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)is_gcc— Using Microsoft GCC? (Deprecated)auth_id— ID (received from the admin consent - see Detailed Instructions (?) section) (Deprecated)tenant_id— Token (received from the admin consent - see Detailed Instructions (?) (Deprecated) section)enc_key— Key (received from the admin consent - see Detailed Instructions (?) section) (Deprecated)
Commands (81)
-
endpointGets machines that have communicated with Microsoft Defender for Endpoint cloud. At least one of the following arguments is required - IP, hostname, or ID. Otherwise, an error appears.
-
fileChecks the file reputation of the specified hash.
-
microsoft-atp-add-remove-machine-tagAdds or removes a tag on a specific machine.
-
microsoft-atp-advanced-huntingDeprecatedDeprecated. Use the 'msg-advanced-hunting' command in the 'Microsoft Graph Security' integration instead.
-
microsoft-atp-advanced-hunting-cover-upDetects cover up actions. When you select a “query_purpose” argument, a designated query template is used.
-
microsoft-atp-advanced-hunting-file-originIndicates how the file got on the machine. Possible details are "dropped_file" - Was the file dropped? From where? "created_file" - Created by another File (script, compiled binary). "network_shared" - Shared via network. "execution_chain" - What is the process execution chain.
-
microsoft-atp-advanced-hunting-lateral-movement-evidenceDetects evidence of attempted lateral movement. When you select a “query_purpose” argument, a designated query template is used.
-
microsoft-atp-advanced-hunting-network-connectionsDetects network connections. When you select a “query_purpose” argument, a designated query template is used.
-
microsoft-atp-advanced-hunting-persistence-evidenceDetects evidence of persistence. When you select a “query_purpose” argument, a designated query template is used.
-
microsoft-atp-advanced-hunting-privilege-escalationDetects evidence of privilege escalation.
-
microsoft-atp-advanced-hunting-process-detailsDetects process details. When you select a “query_purpose” argument, a designated query template is used.
-
microsoft-atp-advanced-hunting-tamperingDetects evidence of MSDE agent/sensor manipulation.
-
microsoft-atp-auth-resetRun this command if for some reason you need to rerun the authentication process.
-
microsoft-atp-collect-investigation-packageCollect an investigation package from a machine.
-
microsoft-atp-create-alertDeprecatedDeprecated. No available replacement.
-
microsoft-atp-generate-login-urlGenerate the login url used for Authorization code flow.
-
microsoft-atp-get-alert-by-idDeprecatedDeprecated. Use 'msg-get-alert-details' in the 'Microsoft Graph Security' integration instead.
-
microsoft-atp-get-alert-related-domainsDeprecatedDeprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration to retrieve `DomainName` as part of the alert details.
-
microsoft-atp-get-alert-related-filesDeprecatedDeprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration, which can retrieve `fileDetails` as part of the alert details.
-
microsoft-atp-get-alert-related-ipsDeprecatedDeprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration, which can retrieve `IpAddress` as part of the alert details.
-
microsoft-atp-get-alert-related-userDeprecatedDeprecated. An alternative is to use the 'msg-get-alert-details' command in the 'Microsoft Graph Security' integration, which can retrieve `userAccount` information as part of the alert details.
-
microsoft-atp-get-domain-alertsDeprecatedDeprecated. No available replacement.
-
microsoft-atp-get-domain-machinesRetrieves a collection of machines that have communicated to or from a given domain address.
-
microsoft-atp-get-domain-statisticsRetrieves statistics on the given domain.
-
microsoft-atp-get-file-alertsDeprecatedDeprecated. No available replacement.
-
microsoft-atp-get-file-infoRetrieves file information by a file hash (SHA1 or SHA256).
-
microsoft-atp-get-file-related-machinesGets a collection of machines with a given file SHA1 hash.
-
microsoft-atp-get-file-statisticsRetrieves statistics for the given file.
-
microsoft-atp-get-investigation-package-sas-uriGets a URI that allows downloading an investigation package.
-
microsoft-atp-get-ip-alertsDeprecatedDeprecated. No available replacement.
-
microsoft-atp-get-ip-statisticsRetrieves statistics for a given IP.
-
microsoft-atp-get-machine-alertsDeprecatedDeprecated. No available replacement.
-
microsoft-atp-get-machine-by-ipFind Machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.
-
microsoft-atp-get-machine-detailsGet a machine's details by its identity.
-
microsoft-atp-get-machine-missing-kbsGet the specific machine's missing security updates (KBs).
-
microsoft-atp-get-machine-softwareGet the specific machine's software details.
-
microsoft-atp-get-machine-usersRetrieves a collection of logged on users on a specific device.
-
microsoft-atp-get-machine-vulnerabilitiesGet the specific machine's vulnerabilities.
-
microsoft-atp-get-machinesRetrieves a collection of machines that communicated with WDATP cloud in the last 30 days. Note - only IP or hostname can be a comma-separated list. If both are given as lists, an error will appear.
-
microsoft-atp-get-user-alertsDeprecatedDeprecated. No available replacement.
-
microsoft-atp-get-user-machinesRetrieves a collection of machines related to a given user ID.
-
microsoft-atp-indicator-batch-updateUpdates a batch of indicators. If an indicator does not exist, a new indicator is created.
-
microsoft-atp-indicator-create-fileDeprecatedDeprecated. Use the microsoft-atp-sc-indicator-create command instead. Creates a file indicator.
-
microsoft-atp-indicator-create-networkDeprecatedDeprecated. Use the microsoft-atp-sc-indicator-create command instead. Creates a network indicator.
-
microsoft-atp-indicator-deleteDeprecatedDeprecated. Use the microsoft-atp-sc-indicator-delete command instead. Deletes the specified indicator.
-
microsoft-atp-indicator-get-by-idDeprecatedDeprecated. Use the microsoft-atp-sc-indicator-get-by-id command instead. Gets an indicator by its ID.
-
microsoft-atp-indicator-listDeprecatedDeprecated. Use the microsoft-atp-sc-indicator-list command instead. Lists all indicators by the ID that the system creates when the indicator is ingested.
-
microsoft-atp-indicator-updateDeprecatedDeprecated. Use the microsoft-atp-sc-indicator-update command instead. Updates the specified indicator.
-
microsoft-atp-isolate-machineIsolates a machine from accessing external networks.
-
microsoft-atp-list-alertsDeprecatedDeprecated. Use the 'msg-search-alerts' command in the 'Microsoft Graph Security' integration instead.
-
microsoft-atp-list-auth-permissionsThis command gets the permissions from the currently configured credentials. Use for debugging and detecting permission issues.
-
microsoft-atp-list-investigationsRetrieves a collection of investigations or retrieves a specific investigation by its ID.
-
microsoft-atp-list-machine-actions-detailsReturn the machine's actions. If you set an action ID, it returns the info on the specific action. Filtering can be done only on one argument.
-
microsoft-atp-list-machines-by-softwareRetrieve a list of device references that has this software installed.
-
microsoft-atp-list-machines-by-vulnerabilityRetrieves a list of machines affected by a vulnerability.
-
microsoft-atp-list-missing-kb-by-softwareRetrieves missing KBs (security updates) by software ID.
-
microsoft-atp-list-softwareRetrieves the organization software inventory.
-
microsoft-atp-list-software-version-distributionRetrieves a list of your organization's software version distribution.
-
microsoft-atp-list-vulnerabilitiesRetrieves a list of all vulnerabilities.
-
microsoft-atp-list-vulnerabilities-by-machineRetrieves a list of all the vulnerabilities affecting the organization per machine.
-
microsoft-atp-list-vulnerabilities-by-softwareRetrieves a list of all the vulnerabilities affecting the organization per software.
-
microsoft-atp-live-response-cancel-actionCancels an action with an unfinished status.
-
microsoft-atp-live-response-get-fileCollects a file from a device. Note: Backslashes in the path must be escaped.
-
microsoft-atp-live-response-put-filePuts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default.
-
microsoft-atp-live-response-resultGets a result file for a specified action.
-
microsoft-atp-live-response-run-scriptRuns a script from the library on a device. The Args parameter is passed to your script. Timeouts after 10 minutes.
-
microsoft-atp-offboard-machineOffboard a machine from Microsoft Defender for Endpoint.
-
microsoft-atp-remove-app-restrictionEnable the execution of any application on the machine.
-
microsoft-atp-request-and-download-investigation-packageCollect and download an investigation package from a machine.
-
microsoft-atp-restrict-app-executionRestricts the execution of all applications on the machine except for a predefined set.
-
microsoft-atp-run-antivirus-scanInitiate a Microsoft Defender Antivirus scan on a machine.
-
microsoft-atp-sc-indicator-createCreates a new indicator.
-
microsoft-atp-sc-indicator-deleteDeletes the specified indicator.
-
microsoft-atp-sc-indicator-get-by-idGets an indicator by its ID.
-
microsoft-atp-sc-indicator-listLists all indicators by the ID that the system creates when the indicator is ingested.
-
microsoft-atp-sc-indicator-updateUpdates the specified indicator.
-
microsoft-atp-start-investigationStarts an automated investigation on a machine.
-
microsoft-atp-stop-and-quarantine-fileStop the execution of a file on a machine and delete it.
-
microsoft-atp-testTests connectivity to Microsoft Defender for Endpoint.
-
microsoft-atp-unisolate-machineUndo an isolation of a machine.
-
microsoft-atp-update-alertDeprecatedDeprecated. Use the 'msg-update-alert' command in the 'Microsoft Graph Security' integration instead.