Microsoft Defender for Endpoint
Cori Smith edited this page Jun 20, 2023
Nuances and common questions when using Microsoft Defender for Endpoint
Surveyor builds queries to fit the format:

```kusto
<INSERT_YOUR_QUERY_PARAMETERS>
| <INSERT_FILTERS>
| project DeviceName, AccountName, ProcessCommandLine, FolderPath, Timestamp
```
So when using the `--query` parameter or the `query` field in a definition file, you need to format your query so that it fills in the `<INSERT_YOUR_QUERY_PARAMETERS>` section.

That is followed by the `<INSERT_FILTERS>` section, which is populated if you use the `--hostname`, `--username`, or time filter parameters.
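To make the template concrete, here is an added Python illustration (not Surveyor's own code) of how a `--query` fragment, the optional filter parameters and the fixed `project` clause combine into the final KQL. The placeholder and column names come from the template above; the filter operators (`=~`, `ago()`), the value quoting and the column check are assumptions made for this example.

```python
from typing import Optional

PROJECT_CLAUSE = ("| project DeviceName, AccountName, ProcessCommandLine, "
                  "FolderPath, Timestamp")
# Columns the fixed project clause reads; the user query must not drop them.
REQUIRED_COLUMNS = ("DeviceName", "AccountName", "ProcessCommandLine",
                    "FolderPath", "Timestamp")

def kql_string(value: str) -> str:
    """Quote a filter value as a KQL string literal, escaping backslash and
    quote so a hostname or username cannot change the query's structure."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'

def build_filters(hostname: Optional[str] = None, username: Optional[str] = None,
                  days: Optional[int] = None) -> str:
    """Render the <INSERT_FILTERS> section from the optional --hostname,
    --username and time parameters (the operators are an assumption)."""
    parts = []
    if hostname:
        parts.append(f"| where DeviceName =~ {kql_string(hostname)}")
    if username:
        parts.append(f"| where AccountName =~ {kql_string(username)}")
    if days is not None:
        parts.append(f"| where Timestamp > ago({int(days)}d)")
    return "\n".join(parts)

def check_user_query(user_query: str) -> str:
    """Reject fragments that cannot fill <INSERT_YOUR_QUERY_PARAMETERS>: nothing
    precedes it, so it must start with a table, and a trailing '| project' that
    drops a required column would break the template's own project clause."""
    user_query = user_query.strip()
    if not user_query or user_query.startswith("|"):
        raise ValueError("query must begin with a table, e.g. DeviceProcessEvents | where ...")
    last_stage = user_query.rsplit("|", 1)[-1].strip()  # heuristic: ignores '|' inside strings
    if last_stage.startswith("project "):
        missing = [c for c in REQUIRED_COLUMNS if c not in last_stage]
        if missing:
            raise ValueError(f"final project drops columns the template needs: {missing}")
    return user_query

def build_query(user_query: str, hostname: Optional[str] = None,
                username: Optional[str] = None, days: Optional[int] = None) -> str:
    """Assemble the full KQL: user query, then filters (if any), then the project clause."""
    sections = [check_user_query(user_query)]
    filters = build_filters(hostname, username, days)
    if filters:
        sections.append(filters)
    sections.append(PROJECT_CLAUSE)
    return "\n".join(sections)
```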
Yes, Microsoft outlines the limits here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/run-advanced-query-api?view=o365-worldwide#limitations