Microsoft Defender for Endpoint for Mac - New Command Line Syntax

reidg
New Contributor III

In one of the recent Defender version updates, Microsoft changed the syntax used for the mdatp command line tool. We script this to determine Mac AV data via Extension Attributes.

This link has the release notes for Defender for Mac: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-whats...

This link is a good reference for the command line options: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resou...

Below are some of the scripts we use to build these attributes in case anyone is looking for the updated syntax. The first one is interesting since the definitions date used to be exported in epoch time and is now in a human-readable format.

#!/bin/sh
# If Microsoft ATP is installed, then get ATP definitions date

if [ -f "/usr/local/bin/mdatp" ]; then
    result=`sudo mdatp health --field definitions_updated`
    dateresult=`date -j -f "%b %d, %Y at %H:%M:%S %p" "$result" +"%Y-%m-%d"`
    echo "<result>$dateresult</result>"
else
    echo "<result>Not Installed</result>"
fi


#!/bin/sh
# If Microsoft ATP is installed, then get ATP real-time protection status

if [ -f "/usr/local/bin/mdatp" ]; then
    result=`sudo mdatp health --field real_time_protection_enabled`
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi


#!/bin/sh
# If Microsoft ATP is installed, then get health status

if [ -f "/usr/local/bin/mdatp" ]; then
    result=`sudo mdatp health --field healthy`
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi
3 REPLIES

levans
New Contributor II

Spot on and works well, many thanks

reidg
New Contributor III

The definitions date script was failing on some Macs and possibly changing the date on the system. The date command has been updated above to include the -j argument which will not attempt to set the date.

@levans FYI


-f      Use input_fmt as the format string to parse the new_date provided rather than using the default [[[mm]dd]HH]MM[[cc]yy][.ss] format.
        Parsing is done using strptime(3).

-j      Do not try to set the date.  This allows you to use the -f flag in addition to the + option to convert one date format to another.
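The definitions-date script in the first post and the -j fix above both hinge on parsing whatever mdatp prints for definitions_updated. Below is an added example (my own, not reidg's script or anything from Microsoft) of an Extension Attribute that accepts either the old epoch-seconds output or the newer "Jan 15, 2021 at 10:32:44 AM" text, normalises it to YYYY-MM-DD, and never hands a settable date to date(1) at all. It assumes the epoch value is in seconds and that the script runs as root, as Jamf EAs do.

```sh
#!/bin/sh
# Added example (not from the original post): normalise the mdatp
# "definitions_updated" value to YYYY-MM-DD whether it is the old epoch-seconds
# output or the newer "Jan 15, 2021 at 10:32:44 AM" text the post's -f string
# expects. Avoids BSD-only date flags so the text path also works on Linux.

month_number() {
    case "$1" in
        Jan) echo 01 ;; Feb) echo 02 ;; Mar) echo 03 ;; Apr) echo 04 ;;
        May) echo 05 ;; Jun) echo 06 ;; Jul) echo 07 ;; Aug) echo 08 ;;
        Sep) echo 09 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

normalize_definitions_date() {
    value=$1
    case "$value" in
        ''|*[!0-9]*) ;;  # not a bare integer: parse as text below
        *)  # old epoch output (assumed seconds): BSD date first, then GNU date
            date -u -r "$value" +%Y-%m-%d 2>/dev/null && return 0
            date -u -d "@$value" +%Y-%m-%d 2>/dev/null && return 0
            return 1 ;;
    esac
    # Split "Mon DD, YYYY at HH:MM:SS AM" on spaces and commas (globbing off).
    oldifs=$IFS; IFS=' ,'; set -f; set -- $value; set +f; IFS=$oldifs
    mon=$(month_number "$1") || return 1
    case "$2" in [1-9]) day="0$2" ;; [0-3][0-9]) day=$2 ;; *) return 1 ;; esac
    case "$3" in [0-9][0-9][0-9][0-9]) year=$3 ;; *) return 1 ;; esac
    printf '%s-%s-%s\n' "$year" "$mon" "$day"
}

definitions_result() {
    # Build the Extension Attribute line; on a parse failure report the raw
    # value instead of an empty result so a future format change is visible.
    if formatted=$(normalize_definitions_date "$1"); then
        echo "<result>$formatted</result>"
    else
        echo "<result>$1</result>"
    fi
}

# Jamf runs Extension Attribute scripts as root, so sudo is not needed here.
if [ -x /usr/local/bin/mdatp ]; then
    definitions_result "$(/usr/local/bin/mdatp health --field definitions_updated)"
else
    echo "<result>Not Installed</result>"
fi
```

Because the text path never calls date(1), the risk the reply describes (a missing -j causing date to try to set the clock) cannot recur there.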


levans
New Contributor II

@reidg Great stuff, many thanks for the update 😉