Created September 28, 2020 21:02
Gist: nicolonsky/ac80d1cc89c9b42c2ed8099592e5c2bc

Endpoint analytics detection script for recent Defender quick scan
```powershell
# Configure the remediation threshold, e.g. 1 day.
# Deduct this value from the current datetime.
$thresholdDateTime = (Get-Date).AddDays(-1)

# Get the most recent Defender event log entry that indicates a completed scan (event ID 1001).
# -FilterHashtable with -MaxEvents 1 returns only the newest matching event (the log is
# returned newest first); SilentlyContinue suppresses the "no events found" error so the
# script can handle that case itself instead of failing.
$mostRecentScan = Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1001 } -MaxEvents 1 -ErrorAction SilentlyContinue

# No matching event at all (e.g. a freshly provisioned device) also counts as "no recent scan".
if ($null -eq $mostRecentScan -or $mostRecentScan.TimeCreated -lt $thresholdDateTime) {
    Write-Warning "No Microsoft Defender Antivirus scan has been completed since `"$thresholdDateTime`""
    Exit 1    # non-zero exit code tells Endpoint analytics to run the remediation script
}
else {
    Write-Output "Last Microsoft Defender Antivirus scan completed on `"$([datetime]$mostRecentScan.TimeCreated)`""
    Exit 0
}
```
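A matching remediation script, added here as an example and not part of nicolonsky's gist: an Endpoint analytics proactive remediation pairs a detection script with a remediation script that runs only when detection exits 1. This one triggers a quick scan with the Defender module's `Start-MpScan` cmdlet and then verifies the result through `Get-MpComputerStatus`, whose `QuickScanEndTime` property is specific to quick scans (event ID 1001 in the Defender operational log is written for full scans as well, so the detection script above confirms that some scan finished, not that it was a quick scan). The one-hour freshness window used for the post-scan check is an assumed value.

```powershell
# Remediation script (added example, not from the gist): run a quick scan and verify it completed.
# Endpoint analytics executes this only after the detection script has exited with code 1.

# Start a quick scan. Start-MpScan runs synchronously, so the script waits for the scan to finish.
try {
    Start-MpScan -ScanType QuickScan -ErrorAction Stop
}
catch {
    Write-Warning "Start-MpScan failed: $($_.Exception.Message)"
    Exit 1
}

# Verify using Defender's own status rather than the event log. QuickScanEndTime refers
# only to quick scans, so a recent full scan cannot mask a failed quick scan here.
$status       = Get-MpComputerStatus
$quickScanEnd = $status.QuickScanEndTime

# Assumed freshness window: the scan we just started should have ended within the last hour.
if ($null -eq $quickScanEnd -or $quickScanEnd -lt (Get-Date).AddHours(-1)) {
    Write-Warning "Quick scan did not complete as expected (last quick scan end: $quickScanEnd)"
    Exit 1
}

Write-Output "Quick scan completed on `"$quickScanEnd`""
Exit 0
```

Deploy both scripts under the same proactive remediation entry and run them in the 64-bit PowerShell host with the SYSTEM context; the detection script's exit code decides whether this remediation runs, and this script's own exit code is what Endpoint analytics reports as remediation success or failure.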