In one of the recent Defender version updates, Microsoft changed the syntax used for the mdatp command line tool. We script this to determine Mac AV data via Extension Attributes.
This link has the release notes for Defender for Mac: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew
This link is a good reference for the command line options: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resources#configuring-from-the-command-line
Below are some of the scripts we use to build these attributes in case anyone is looking for the updated syntax. The first one is interesting since the definitions date used to be exported in epoch time and is now in a human-readable format.
```sh
#!/bin/sh
# If Microsoft ATP is installed, then get ATP definitions date
if [ -f "/usr/local/bin/mdatp" ]; then
    # definitions_updated is now returned as human-readable text, not epoch seconds
    result=$(sudo mdatp health --field definitions_updated)
    # The value uses a 12-hour clock with AM/PM, so %I (not %H) pairs with %p
    dateresult=$(date -j -f "%b %d, %Y at %I:%M:%S %p" "$result" +"%Y-%m-%d")
    echo "<result>$dateresult</result>"
else
    echo "<result>Not Installed</result>"
fi
```
```sh
#!/bin/sh
# If Microsoft ATP is installed, then get ATP real-time protection status
if [ -f "/usr/local/bin/mdatp" ]; then
    result=$(sudo mdatp health --field real_time_protection_enabled)
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi
```
```sh
#!/bin/sh
# If Microsoft ATP is installed, then get health status
if [ -f "/usr/local/bin/mdatp" ]; then
    result=$(sudo mdatp health --field healthy)
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi
```
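Because the definitions date changed from epoch seconds to human-readable text, an Extension Attribute that has to work across Defender versions needs to accept both forms. The script below is an added example, not one of the scripts from the post above: it normalises either form to YYYY-MM-DD without calling mdatp (the sample values at the bottom are constructed), and it avoids the macOS-only `date -j -f` so the parsing also works on a Linux test box.

```sh
#!/bin/sh
# Added example: normalise the value of "mdatp health --field definitions_updated"
# to YYYY-MM-DD, whether it is the old epoch form or the new human-readable form
# ("<Mon> <D>, <YYYY> at <h:mm:ss> <AM|PM>"). mdatp is not invoked here.

month_num() {
  case "$1" in
    Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
    May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
    Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# Prints YYYY-MM-DD (UTC for epoch input) or "Unknown" for anything unparseable,
# so a broken or missing value shows up as a distinct state in inventory.
normalize_defs_date() {
  value=$1
  case "$value" in
    '') echo Unknown; return 1 ;;
    *[!0-9]*)
      # Human-readable form: split on whitespace, strip the comma after the day
      set -- $value
      mon=$(month_num "$1") || { echo Unknown; return 1; }
      day=${2%,}; year=$3
      case "$day" in ?) day=0$day ;; esac
      case "$year" in ????) echo "$year-$mon-$day" ;; *) echo Unknown; return 1 ;; esac
      ;;
    *)
      # Epoch form: BSD/macOS date takes -r <seconds>, GNU date takes -d @<seconds>
      date -u -r "$value" +%Y-%m-%d 2>/dev/null ||
        date -u -d "@$value" +%Y-%m-%d 2>/dev/null || { echo Unknown; return 1; }
      ;;
  esac
}

# Wraps a value in the <result> tags an Extension Attribute reports.
ea_result() { printf '<result>%s</result>\n' "$1"; }

# Constructed sample values standing in for mdatp output:
ea_result "$(normalize_defs_date 'Jun 19, 2020 at 3:03:45 PM')"   # 2020-06-19
ea_result "$(normalize_defs_date 1592568225)"                      # 2020-06-19
ea_result "$(normalize_defs_date garbage)"                         # Unknown
```

In a real attribute, replace the constructed values with `$(sudo mdatp health --field definitions_updated)` behind the same `-f /usr/local/bin/mdatp` check the scripts above use.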