Skip to main content
Run an advanced The following permissions are required to run this action:
  • Alert.Read.All
  • Alert.ReadWrite.All
External DocumentationTo learn more, visit the Microsoft Defender For Endpoints documentation.

Parameters

ParameterDescription
QueryYour advanced hunting query.

Example Output

{
	"Schema": [
		{
			"Name": "Timestamp",
			"Type": "DateTime"
		},
		{
			"Name": "FileName",
			"Type": "String"
		},
		{
			"Name": "InitiatingProcessFileName",
			"Type": "String"
		},
		{
			"Name": "DeviceId",
			"Type": "String"
		}
	],
	"Results": [
		{
			"Timestamp": "2020-02-05T01:10:26.2648757Z",
			"FileName": "csc.exe",
			"InitiatingProcessFileName": "powershell.exe",
			"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
		},
		{
			"Timestamp": "2020-02-05T01:10:26.5614772Z",
			"FileName": "csc.exe",
			"InitiatingProcessFileName": "powershell.exe",
			"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
		}
	]
}

Workflow Library Example

Run Query with Microsoft Defender for Endpoints and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop
I