Skip to main content

In one of the recent Defender version updates, Microsoft changed the syntax used for the mdatp command line tool. We script this to determine Mac AV data via Extension Attributes.

This link has the release notes for Defender for Mac: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew

This link is a good reference for the command line options: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-resources#configuring-from-the-command-line

Below are some of the scripts we use to build these attributes in case anyone is looking for the updated syntax. The first one is interesting since the definitions date used to be exported in epoch time and is now in a human-readable format.

#!/bin/sh

# If Microsoft ATP is installed, then get ATP definitions date



if [ -f "/usr/local/bin/mdatp" ]; then

    result=`sudo mdatp health --field definitions_updated`

    dateresult=`date -j -f "%b %d, %Y at %H:%M:%S %p" "$result" +"%Y-%m-%d"`

    echo "<result>$dateresult</result>"

else

    echo "<result>Not Installed</result>"

fi
#!/bin/sh



# If Microsoft ATP is installed, then get ATP real-time protection status



if [ -f "/usr/local/bin/mdatp" ]; then

    result=`sudo mdatp health --field real_time_protection_enabled`

    echo "<result>$result</result>"

else

    echo "<result>Not Installed</result>"

fi
#!/bin/sh

# If Microsoft ATP is installed, then get health status



if [ -f "/usr/local/bin/mdatp" ]; then

    result=`sudo mdatp health --field healthy`

    echo "<result>$result</result>"

else

    echo "<result>Not Installed</result>"

fi

Spot on and works well, many thanks 

The definitions date script was failing on some Macs and possibly changing the date on the system. The date command has been updated above to include the -j argument which will not attempt to set the date.

@levans  FYI

 

-f      Use input_fmt as the format string to parse the new_date provided rather than using the default [[[mm]dd]HH]MM[[cc]yy][.ss] format.

	     Parsing is done using strptime(3).



-j      Do not try to set the date.  This allows you to use the -f flag in addition to the + option to convert one date format to another.

 

@reidg Great stuff, many thanks for the update 😉 

I've just been echoing pretty much everything from mdatp health into an extension attribute:

#!/bin/sh

type mdatp &> /dev/null
mdatpFound=$?

if [ $mdatpFound -eq 0 ]
then
defenderStatus=$(mdatp health | awk '{print $1 " : " $3}')
echo "<result>$defenderStatus</result>"
else
echo "<result>mdatp not found</result>"
fi

 

Then I use smart groups with regex and other conditions to pull out the info I care about. For example:

 

 

 

 

 

 

 

It's not as elegant as reidg's extensions but so far it's let me ignore the syntax change.

@reidg  thanks so much. for those that do not want the extra quotes in the output you can add the following to the end of the command: 

  

result=`mdatp health --field real_time_protection_enabled | awk -F '"' '{print $2}'`   

 

That's  awk -F grave tick quote grave tick and back tick after '{print $2}'

I've just been echoing pretty much everything from mdatp health into an extension attribute:

#!/bin/sh

type mdatp &> /dev/null
mdatpFound=$?

if [ $mdatpFound -eq 0 ]
then
defenderStatus=$(mdatp health | awk '{print $1 " : " $3}')
echo "<result>$defenderStatus</result>"
else
echo "<result>mdatp not found</result>"
fi

 

Then I use smart groups with regex and other conditions to pull out the info I care about. For example:

 

 

 

 

 

 

 

It's not as elegant as reidg's extensions but so far it's let me ignore the syntax change.


@uuajcurran Was just looking for a way to pull all the health info for Defender. You saved me a bunch of time. Thanks so much!

We're just moving to Defender now.  Thanks for this.  Exactly what I was hoping for.

Reply


Terms & ConditionsCookie settings