Microsoft Defender for Endpoint for Mac - New Command Line Syntax

reidg
New Contributor III

In one of the recent Defender version updates, Microsoft changed the syntax used for the mdatp command line tool. We script this to determine Mac AV data via Extension Attributes.

This link has the release notes for Defender for Mac: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-whats...

This link is a good reference for the command line options: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resou...

Below are some of the scripts we use to build these attributes in case anyone is looking for the updated syntax. The first one is interesting since the definitions date used to be exported in epoch time and is now in a human-readable format.

#!/bin/sh
# Extension attribute 1: if Microsoft ATP is installed, get the ATP definitions date.
# mdatp now returns this field as human-readable text rather than epoch time, so it is
# parsed with date -j -f (-j: never set the system clock) and re-emitted as YYYY-MM-DD.

if [ -f "/usr/local/bin/mdatp" ]; then
    result=$(sudo mdatp health --field definitions_updated)
    dateresult=$(date -j -f "%b %d, %Y at %H:%M:%S %p" "$result" +"%Y-%m-%d")
    echo "<result>$dateresult</result>"
else
    echo "<result>Not Installed</result>"
fi

#!/bin/sh
# Extension attribute 2: if Microsoft ATP is installed, get the ATP real-time protection status.

if [ -f "/usr/local/bin/mdatp" ]; then
    result=$(sudo mdatp health --field real_time_protection_enabled)
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi

#!/bin/sh
# Extension attribute 3: if Microsoft ATP is installed, get the overall health status.

if [ -f "/usr/local/bin/mdatp" ]; then
    result=$(sudo mdatp health --field healthy)
    echo "<result>$result</result>"
else
    echo "<result>Not Installed</result>"
fi

levans
New Contributor II

Spot on and works well, many thanks 

reidg
New Contributor III

The definitions date script was failing on some Macs and possibly changing the date on the system. The date command has been updated above to include the -j argument which will not attempt to set the date.

@levans FYI

-f      Use input_fmt as the format string to parse the new_date provided rather than using the default [[[mm]dd]HH]MM[[cc]yy][.ss] format. Parsing is done using strptime(3).

-j      Do not try to set the date.  This allows you to use the -f flag in addition to the + option to convert one date format to another.

levans
New Contributor II

@reidg Great stuff, many thanks for the update 😉 

uuajcurran
New Contributor

I've just been echoing pretty much everything from mdatp health into an extension attribute:

#!/bin/sh

# Check whether mdatp is on the PATH ("&>" is a bash-only redirection, so use the
# POSIX form under #!/bin/sh).
type mdatp > /dev/null 2>&1
mdatpFound=$?

if [ $mdatpFound -eq 0 ]
then
	# Each "mdatp health" line looks like "key   : value"; keep the key and first value word.
	defenderStatus=$(mdatp health | awk '{print $1 " : " $3}')
	echo "<result>$defenderStatus</result>"
else
	echo "<result>mdatp not found</result>"
fi


Then I use smart groups with regex and other conditions to pull out the info I care about. For example:
[Image: smartgroup.png]

It's not as elegant as reidg's extensions but so far it's let me ignore the syntax change.

@uuajcurran Was just looking for a way to pull all the health info for Defender. You saved me a bunch of time. Thanks so much!

efil4xiN
Contributor II

@reidg Thanks so much. For those that do not want the extra quotes in the output, you can add the following to the end of the command:

# strip the double quotes around the field value
result=`mdatp health --field real_time_protection_enabled | awk -F '"' '{print $2}'`

That's awk -F grave tick quote grave tick and back tick after '{print $2}'
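The two parsing problems raised in this thread, the quoted field values and the human-readable definitions date, handled together in one script. This is an added example, not code from any post above or from Microsoft's tooling; the SAMPLE_HEALTH lines are constructed to resemble `mdatp health` output, and the date is converted with awk instead of `date -j -f`, which is a deliberate substitution so the script never calls `date` at all.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. SAMPLE_HEALTH is
# constructed to look like `mdatp health` output (a real EA would capture the
# command here). Values are parsed with awk only: enclosing double quotes are
# stripped and the definitions date is converted without date(1), so a
# forgotten -j can never reset the system clock.

SAMPLE_HEALTH='healthy                        : true
real_time_protection_enabled   : true
release_ring                   : "Production"
definitions_updated            : "Jan 16, 2021 at 02:59:27 PM"'

# Value for one key (empty if absent): split on the FIRST colon only, since the
# timestamp contains colons, then drop leading spaces and enclosing quotes.
health_field() {
    printf '%s\n' "$SAMPLE_HEALTH" | awk -v key="$1" '{
        i = index($0, ":")
        k = substr($0, 1, i - 1); sub(/ +$/, "", k)
        if (i > 0 && k == key) {
            v = substr($0, i + 1)
            sub(/^ +/, "", v); sub(/^"/, "", v); sub(/"$/, "", v)
            print v; exit
        }
    }'
}

# "Jan 16, 2021 at 02:59:27 PM" -> 2021-01-16. Anything that is not a
# three-letter month, day, year prefix comes back as "unparsed".
defs_date_iso() {
    printf '%s\n' "$1" | awk '{
        n = index("JanFebMarAprMayJunJulAugSepOctNovDec", $1)
        if (NF < 3 || length($1) != 3 || n == 0 || (n - 1) % 3 != 0) {
            print "unparsed"; exit
        }
        day = $2; sub(/,$/, "", day)
        printf "%s-%02d-%02d\n", $3, (n + 2) / 3, day
    }'
}

# Jamf extension-attribute payload for the definitions date.
ea_definitions_date() {
    raw=$(health_field definitions_updated)
    if [ -z "$raw" ]; then
        echo "<result>Unknown</result>"
    else
        echo "<result>$(defs_date_iso "$raw")</result>"
    fi
}

ea_definitions_date
```

A value that does not parse is reported as "unparsed" so the failure is visible in inventory instead of producing an empty attribute.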

dugnl
Contributor

We're just moving to Defender now. Thanks for this. Exactly what I was hoping for.