Microsoft Defender for Endpoint for Mac - New Command Line Syntax

In one of the recent Defender version updates, Microsoft changed the syntax used for the mdatp command line tool. We script this to determine Mac AV data via Extension Attributes.

This link has the release notes for Defender for Mac: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew

This link is a good reference for the command line options: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resources#configuring-from-the-command-line

Below are some of the scripts we use to build these attributes in case anyone is looking for the updated syntax. The first one is interesting since the definitions date used to be exported in epoch time and is now in a human-readable format.

#!/bin/sh
# If Microsoft ATP is installed, then get ATP definitions date

if [ -f "/usr/local/bin/mdatp" ]; then
    result=`sudo mdatp health --field definitions_updated`
    dateresult=`date -j -f "%b %d, %Y at %H:%M:%S %p" "$result" +"%Y-%m-%d"`
    echo "<result>$dateresult</result>"
else
    echo "<result>Not Installed</result>"
fi

#!/bin/sh

# If Microsoft ATP is installed, then get ATP real-time protection status

if [ -f "/usr/local/bin/mdatp" ]; then
    result=`sudo mdatp health --field real_time_protection_enabled`
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi

#!/bin/sh
# If Microsoft ATP is installed, then get health status

if [ -f "/usr/local/bin/mdatp" ]; then
    result=`sudo mdatp health --field healthy`
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi

Page 1 / 1

Spot on and works well, many thanks

The definitions date script was failing on some Macs and possibly changing the date on the system. The date command has been updated above to include the -j argument which will not attempt to set the date.

@levans FYI

-f      Use input_fmt as the format string to parse the new_date provided rather than using the default [[[mm]dd]HH]MM[[cc]yy][.ss] format.
	     Parsing is done using strptime(3).

-j      Do not try to set the date.  This allows you to use the -f flag in addition to the + option to convert one date format to another.

@reidg Great stuff, many thanks for the update 😉

I've just been echoing pretty much everything from mdatp health into an extension attribute:

#!/bin/sh

type mdatp &> /dev/null
mdatpFound=$?

if [ $mdatpFound -eq 0 ]
then
	defenderStatus=$(mdatp health | awk '{print $1 " : " $3}')
	echo "<result>$defenderStatus</result>"
else
	echo "<result>mdatp not found</result>"
fi

Then I use smart groups with regex and other conditions to pull out the info I care about. For example:

It's not as elegant as reidg's extensions but so far it's let me ignore the syntax change.

@reidg thanks so much. for those that do not want the extra quotes in the output you can add the following to the end of the command:

result=`mdatp health --field real_time_protection_enabled | awk -F '"' '{print $2}'`

That's awk -F grave tick quote grave tick and back tick after '{print $2}'

I've just been echoing pretty much everything from mdatp health into an extension attribute:

#!/bin/sh

type mdatp &> /dev/null
mdatpFound=$?

if [ $mdatpFound -eq 0 ]
then
	defenderStatus=$(mdatp health | awk '{print $1 " : " $3}')
	echo "<result>$defenderStatus</result>"
else
	echo "<result>mdatp not found</result>"
fi

Then I use smart groups with regex and other conditions to pull out the info I care about. For example:

It's not as elegant as reidg's extensions but so far it's let me ignore the syntax change.

@uuajcurran Was just looking for a way to pull all the health info for Defender. You saved me a bunch of time. Thanks so much!

We're just moving to Defender now. Thanks for this. Exactly what I was hoping for.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded