[ { "choices": [ ], "data_type": "string", "default_value": null, "description": "", "display_name": "Defender App Version", "field_name": "defender_app_version_fwcomp_pack", "is_global": true, "metadata": { "macos": { "extension": "sh", "must_exit_zero": false, "replace_line_feed": false, "source": "#!/bin/zsh\n#read app version\n\n/usr/local/bin/mdatp health | grep app_version | cut -d':' -f2 | tr -d '\"' | tr -d ' '\n\nexit 0" }, "windows": { "extension": "ps1", "must_exit_zero": false, "replace_line_feed": false, "source": "#There are several versions, but AntiMalware seems to be the main one\n\n$my_version = Get-MpComputerStatus | select AMProductVersion | Format-Table -HideTableHeaders | Format-List\n$my_version = ($my_version | Out-String).Trim()\n\n$my_version\n\nexit 0" } }, "provider": 1, "to_be_deleted": false, "used_in_workflows": false }, { "choices": [ ], "data_type": "datetime", "default_value": null, "description": "", "display_name": "Defender Defs Date", "field_name": "defender_defs_fwcomp_pack", "is_global": true, "metadata": { "macos": { "extension": "sh", "must_exit_zero": false, "replace_line_feed": false, "source": "#!/bin/zsh\n#use defender commands to read virus def version\n\ndate -j -f \"%b %d, %Y at %H:%M:%S\" \"$(/usr/local/bin/mdatp health --field definitions_updated)\" +%FT%T%Z > /tmp/defs.txt\n\ncat /tmp/defs.txt | grep -v Warning\n\nexit 0" }, "windows": { "extension": "ps1", "must_exit_zero": false, "replace_line_feed": false, "source": "#collect defender defs info\n\n$mydefs = Get-MpComputerStatus | select AntivirusSignatureLastUpdated | Format-Table -HideTableHeaders | Format-List\n$mydefs=($mydefs | Out-String).Trim()\n\nGet-Date -Date $mydefs -Format \"o\"\nexit 0" } }, "provider": 1, "to_be_deleted": false, "used_in_workflows": false }, { "choices": [ ], "data_type": "string", "default_value": null, "description": "", "display_name": "Defender Defs Version", "field_name": "defender_defs_version_fwcomp_pack", "is_global": true, "metadata": { "macos": { "extension": "sh", "must_exit_zero": false, "replace_line_feed": false, "source": "#!/bin/zsh\n#read defender details\n\n/usr/local/bin/mdatp health | grep definitions_version | cut -d':' -f2 | tr -d '\"' | tr -d ' '\n\nexit 0" }, "windows": { "extension": "ps1", "must_exit_zero": false, "replace_line_feed": false, "source": "#AV Version\n\n$my_version = Get-MpComputerStatus | select AntivirusSignatureVersion | Format-Table -HideTableHeaders | Format-List\n$my_version = ($my_version | Out-String).Trim()\n\n$my_version\n\nexit 0" } }, "provider": 1, "to_be_deleted": false, "used_in_workflows": false }, { "choices": [ ], "data_type": "string", "default_value": null, "description": "", "display_name": "Defender Engine Version", "field_name": "defender_engine_version_fwcomp_pack", "is_global": true, "metadata": { "macos": { "extension": "sh", "must_exit_zero": false, "replace_line_feed": false, "source": "#!/bin/zsh\n#read defender details\n\n/usr/local/bin/mdatp health | grep engine_version | cut -d':' -f2 | tr -d '\"' | tr -d ' '\n\nexit 0" }, "windows": { "extension": "ps1", "must_exit_zero": false, "replace_line_feed": false, "source": "#There are several engine versions, but AntiMalware Engine seems to be the main one\n\n$my_version = Get-MpComputerStatus | select AMEngineVersion | Format-Table -HideTableHeaders | Format-List\n$my_version = ($my_version | Out-String).Trim()\n\n$my_version\n\nexit 0" } }, "provider": 1, "to_be_deleted": false, "used_in_workflows": false }, { "choices": [ ], "data_type": "bool", "default_value": null, "description": "", "display_name": "Defender Healthy", "field_name": "defender_healthy_fwcomp_pack", "is_global": true, "metadata": { "macos": { "extension": "sh", "must_exit_zero": false, "replace_line_feed": false, "source": "#!/bin/zsh\n#read defender health status\n#assumption made here that \"healthy\" field can be used\n\n/usr/local/bin/mdatp health --field healthy\n\nexit 0" }, "windows": { "extension": "ps1", "must_exit_zero": false, "replace_line_feed": false, "source": "#defender on Windows is more complex, because there isn't just one field to read\n#we'll need to look at each service and at defs state and compare\n\n$status=Get-MpComputerStatus\n\n$my_am = $status | select AMServiceEnabled | Format-Table -HideTableHeaders | Format-List\n$my_am=($my_am | Out-String).Trim()\n\n$my_as = $status | select AntiSpywareEnabled | Format-Table -HideTableHeaders | Format-List\n$my_as=($my_as | Out-String).Trim()\n\n$my_av = $status | select AntivirusEnabled | Format-Table -HideTableHeaders | Format-List\n$my_av=($my_av | Out-String).Trim()\n\n$my_dsood = $status | select DefenderSignaturesOutofDate | Format-Table -HideTableHeaders | Format-List\n$my_dsood=($my_dsood | Out-String).Trim()\n\n$my_nis = $status | select NISEnabled | Format-Table -HideTableHeaders | Format-List\n$my_nis=($my_nis | Out-String).Trim()\n\n$my_oap = $status | select OnAccessProtectionEnabled | Format-Table -HideTableHeaders | Format-List\n$my_oap=($my_oap | Out-String).Trim()\n\n$my_rtp = $status | select RealTimeProtectionEnabled | Format-Table -HideTableHeaders | Format-List\n$my_rtp=($my_rtp | Out-String).Trim()\n\n#now we just test that the services are all running and defs aren't out of date\n\nif ($my_am -and $my_as -and $my_av -and ($my_dsood -eq \"False\") -and $my_nis -and $my_oap -and $my_rtp) {\n echo true\n } else {\n echo false\n }\n\nexit 0" } }, "provider": 1, "to_be_deleted": false, "used_in_workflows": false }, { "choices": [ ], "data_type": "string", "default_value": null, "description": "", "display_name": "Defender Status Details", "field_name": "defender_status_fwcomp_pack", "is_global": true, "metadata": { "macos": { "extension": "sh", "must_exit_zero": false, "replace_line_feed": false, "source": "#!/bin/zsh\n#read defender status details\n\n/usr/local/bin/mdatp health | grep 'product_expiration\\|real_time_protection_enabled\\|network_protection_status\n\\|data_loss_prevention_status\\|full_disk_access_enabled'\n\nexit 0" }, "windows": { "extension": "ps1", "must_exit_zero": false, "replace_line_feed": false, "source": "#defender on Windows is more complex, because there isn't just one field to read\n#we'll need to look at each service and at defs state and compare\n\n$details = Get-MpComputerStatus | select AMServiceEnabled, AntiSpywareEnabled, AntivirusEnabled, DefenderSignaturesOutofDate, NISEnabled, OnAccessProtectionEnabled, RealTimeProtectionEnabled | Format-List\n\n$details = ($details | Out-String).Trim()\n\n$details\n\nexit 0" } }, "provider": 1, "to_be_deleted": false, "used_in_workflows": false }, { "choices": [ ], "data_type": "string", "default_value": null, "description": "", "display_name": "Defender Threats Detected", "field_name": "defender_threats_detected_fwcomp_pack", "is_global": true, "metadata": { "macos": { "extension": "sh", "must_exit_zero": false, "replace_line_feed": false, "source": "#!/bin/zsh\n#read defender quarantine\n\n/usr/local/bin/mdatp threat quarantine list\n\nexit 0" }, "windows": { "extension": "ps1", "must_exit_zero": false, "replace_line_feed": false, "source": "#read threats detected\n\n$details = Get-MpThreat | Format-List\n\n$details = ($details | Out-String).Trim()\n\n$details\n\nexit 0" } }, "provider": 1, "to_be_deleted": false, "used_in_workflows": false } ]