# Manage Microsoft 365 Defender (XDR) via PowerShell

In case you are using Microsoft Defender you are familiar with the [security.microsoft.com](http://security.microsoft.com) portal. You also probably know that Microsoft also offers [API](https://learn.microsoft.com/en-us/defender-endpoint/api/exposed-apis-list) for this security solution.

Today I will show you some of my PowerShell commands ([M365DefenderStuff module](https://www.powershellgallery.com/packages/M365DefenderStuff/1.0.0)) with a focus on the '**Microsoft Defender Vulnerability Management**' part.

The main benefit of using my module instead of direct API calls is built-in support for **pagination**, **throttling**, **time-outs**, and other nasty things 😎.

---

# Prerequisites

* In general license for using Microsoft Defender solution
    
* Special license for using '**Microsoft Defender Vulnerability Management**' in case you want to see found vulnerabilities on your clients
    
    * [Official licensing FAQ](https://learn.microsoft.com/en-us/defender-vulnerability-management/defender-vulnerability-management-faq#defender-vulnerability-management-licensing-faqs)
        

---

# Before we begin

## **Install** M365DefenderStuff module

To be able to use my PowerShell commands, you must first install the [M365DefenderStuff](https://www.powershellgallery.com/packages/M365DefenderStuff/1.0.0) module from the PowerShell Gallery.

```powershell
Install-Module M365DefenderStuff
```

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">TIP: to get all available commands run the following command in your PowerShell console: <code>Get-Command -module M365DefenderStuff</code></div>
</div>

---

# **Control your M365 Defender via PowerShell**

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">TIP: to be able to use specific API, you need to have correct permissions. What permissions are needed is stated in the NOTES section of each function (<code>Get-Help &lt;functionname&gt; -Full</code>).</div>
</div>

## **Authenticate**

```powershell
Import-Module Az.Accounts

Connect-AzAccount
```

## Get all/selected machine

```powershell
# get all machines
Get-M365DefenderMachine

# get just specific machine
Get-M365DefenderMachine -machineId 'fff5e5e26cb0848d66bbb0bc83de6bceb4a1b2e1'
```

## Get the machine owner (the user who logs in)

```powershell
Get-M365DefenderMachineUser -machineId 'fff5e5e26cb0848d66bbb0bc83de6bceb4a1b2e1'
```

## Get detected software

```powershell
# get all detected applications
Get-M365DefenderSoftware

# get just specific application
Get-M365DefenderSoftware -softwareId 'adobe-_-creative_cloud'
```

## Get detected vulnerabilities

```powershell
# get all found vulnerabilities (can take several minutes to complete!)
Get-M365DefenderVulnerability

# get details of specific vulnerability
Get-M365DefenderVulnerability -vulnerabilityId 'CVE-2022-47926'
```

## Generate vulnerability report

```powershell
# get just software vulnerabilities of CTRITICAL type and group them by machine
Get-M365DefenderVulnerabilityReport -groupBy machine -skipOSVuln -severity Critical
```

## Invoke KQL query

```powershell
Invoke-M365DefenderAdvancedQuery -query "DeviceInfo | join kind = fullouter DeviceTvmSoftwareEvidenceBeta on DeviceId"
```

## Get software evidence

```powershell
# get all (100 000 at most) applications evidences
Invoke-M365DefenderSoftwareEvidenceQuery

# get all (100 000 at most) applications evidences related to JRE software
Invoke-M365DefenderSoftwareEvidenceQuery -appName JRE
```

## Get defender recommendations

```powershell
# get all security recommendations
Get-M365DefenderRecommendation

# get security recommendations just for Putty software.
Get-M365DefenderRecommendation -productName 'putty'

# get all security recommendations for given machine.
Get-M365DefenderRecommendation -machineId '43a802402664e76a021c8dda2e2aa7db6a09a5f1' 
```

## Get all vulnerabilities per machine and software

```powershell
# retrieves a list of all the vulnerabilities affecting the organization per machine and software.
Get-M365DefenderMachineVulnerability
```

That is all for now, but more functions will be added in the future to the [M365DefenderStuff module](https://www.powershellgallery.com/packages/M365DefenderStuff/1.0.0) don't worry 😉
