Get user's most active machine by querying Defender endpoint via PowerShell.


Hi

I'm looking to query MS Defender endpoint info with PowerShell.

I'm wondering if this is simply a module add-on and authentication, or if it's more involved or not possible.

One example is I wish to get the most active computer and any outstanding alerts for this computer.

Also I'm curious as to whether PowerShell can call an existing KQL query and receive its results into the script.

Thanks

1 Reply
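One way to do what the question asks, added here as an example and not part of the original thread: authenticate to the Microsoft Defender for Endpoint API with an Azure AD app registration (client-credentials flow), run a KQL query through the advanced hunting endpoint to find the device with the most events, then list that device's unresolved alerts. The tenant id, app id and secret are placeholders, and the app is assumed to hold the AdvancedQuery.Read.All and Alert.Read.All application permissions.

```powershell
# Added example (not from the original post). Placeholders below must be replaced;
# in production, prefer a certificate credential or a secret store over a literal secret.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-id>'
$ClientSecret = '<client-secret>'

# 1. Acquire a token for the Defender for Endpoint API (client-credentials flow).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Run an advanced hunting (KQL) query from the script:
#    the device that produced the most events in the last 7 days.
$kql = @'
DeviceEvents
| where Timestamp > ago(7d)
| summarize EventCount = count() by DeviceId, DeviceName
| top 1 by EventCount desc
'@
$hunt = Invoke-RestMethod -Method Post `
    -Uri 'https://api.securitycenter.microsoft.com/api/advancedqueries/run' `
    -Headers $headers -ContentType 'application/json' `
    -Body (@{ Query = $kql } | ConvertTo-Json)

# The query results come back as objects in the Results property.
$top = $hunt.Results | Select-Object -First 1
if (-not $top) { throw 'Advanced hunting returned no rows for the last 7 days.' }
"Most active device: $($top.DeviceName) ($($top.EventCount) events)"

# 3. Fetch the alerts tied to that device (DeviceId from hunting is the API machine id)
#    and keep only those not yet resolved.
$alerts = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$($top.DeviceId)/alerts"
$alerts.value |
    Where-Object { $_.status -ne 'Resolved' } |
    Select-Object id, title, severity, status, alertCreationTime |
    Format-Table -AutoSize
```

Any saved KQL query can be passed the same way: put its text in `$kql` and the Results array is what your script consumes.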