'Combine PowerShell Defender outlets into a combined CSV file for monitoring
We cancelled our antivirus software (Kaspersky Anti-Virus, duh) and depend on the Windows Defender in the meantime.
We won’t be getting any SIEM server to log and monitor all our Agents Defender Status, so I'm trying to make my life a bit easier by writing a .bat file that combines two PowerShell commands and exports the findings into a CSV file.
Get-MpThreatDetection; Get-MPcomputerstatus | Select-Object -First 4 | Export-Csv c:\WindowsDefender.csv -notypeinformation -useculture
I know it’s kind of wonky as it stands, but the main goals are to:
- Have the current (and last) updated version of the Defender that is being shown by
Get-MPComputerstatus
- Have the last four incidents being shown in full via the PowerShell command
Get-MpThreatDetection
They both work well independently, but I'm just lost with the task to combine them and in the end, have the wanted information formatted for me in Excel.
On top of that, I'd finish it off with an automated email towards me and other support team members. Something along the lines of
$file = "c:\WindowsDefender.csv"
$smtpServer = "The smtp.server.com that is needed"
$att = New-Object Net.Mail.Attachment($file)
$msg = New-Object Net.Mail.MailMessage
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
$msg.From = "[email protected]"
$msg.To.Add("[email protected]")
$msg.Subject = "Win-Defender Update MSG"
$msg.Body = "Attached is the ServerName Security Logs report"
$msg.Attachments.Add($att)
$smtp.Send($msg)
$att.Dispose()
Obviously, the last part would happen when I combine all the CSV files together in the end in a single directory, so that I can get a full overview of our 60+ PCs.
Is this even possible? Am I daydreaming? Spending money for IT at our company is a no-no for now, so I won’t be getting any other chance to monitor Defender on all our clients :(
Update: After working around for a while I changed my approach a bit and am using now the Get-WinEvent
to filter those out. It works well with:
Get-WinEvent -FilterHashtable @{
logname="Microsoft-Windows-Windows Defender/Operational";id=1116,1117,2000}|`
Where-Object { $_.LevelDisplayName -ne "Information" } |`
Select-Object Message,ID,Level,Logname,MachineName,timecreated |`
Export-Csv c:\windowsdefender.csv -NoTypeInformation -UseCulture
But the issue is that the "Message" tab has all the information I want, but it’s all clumped together under "Messages" and is not formatted as it should be.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|