Run Query
Run an advanced One of the following permissions is required to run this action:
AdvancedQuery.Read.AllAdvancedQuery.Read
External Documentation
To learn more, visit the Microsoft Defender For Endpoints documentation.
Parameters
| Parameter | Description |
|---|---|
| Query | Your advanced hunting query. |
Example Output
{
"Schema": [
{
"Name": "Timestamp",
"Type": "DateTime"
},
{
"Name": "FileName",
"Type": "String"
},
{
"Name": "InitiatingProcessFileName",
"Type": "String"
},
{
"Name": "DeviceId",
"Type": "String"
}
],
"Results": [
{
"Timestamp": "2020-02-05T01:10:26.2648757Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
},
{
"Timestamp": "2020-02-05T01:10:26.5614772Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
}
]
}
Workflow Library Example
Run Query with Microsoft Defender for Endpoints and Send Results Via Email
Preview this Workflow on desktop