
Invoke-MtGraphSecurityQuery

SYNOPSIS

Executes a KQL query in Microsoft 365 Defender Advanced Hunting through the Graph API Security endpoint and returns the results programmatically.

SYNTAX

Invoke-MtGraphSecurityQuery [-Query] <String> [-Timespan <String>] [-ProgressAction <ActionPreference>]
[<CommonParameters>]

DESCRIPTION

This cmdlet executes KQL queries against the Microsoft 365 Defender Advanced Hunting API. It simplifies querying and retrieving data from Microsoft Defender XDR so that the results can be used in Maester checks.

EXAMPLES

EXAMPLE 1

Invoke-MtGraphSecurityQuery -Query "IdentityInfo | where isnotempty(PrivilegedEntraPimRoles)" -Timespan "P14D"

Gets identities with eligible Entra roles from the last 14 days.
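
The following is an added example, not taken from the Maester project. It validates the ISO 8601 lookback before the call and pipes the query into the cmdlet, using the parameters documented below. The helper name ConvertTo-LookbackTimeSpan is hypothetical, and the shape of the returned rows (one object per row with the projected columns as properties) is an assumption.

```powershell
# Added example, not Maester project code. Assumes the Maester module is loaded and a
# Microsoft Graph session that may run hunting queries (ThreatHunting.Read.All) exists.

function ConvertTo-LookbackTimeSpan {
    # Hypothetical helper: parse an ISO 8601 duration before it is sent to the API.
    param([Parameter(Mandatory)][string]$Duration)
    try {
        $span = [System.Xml.XmlConvert]::ToTimeSpan($Duration)
    } catch {
        throw "'$Duration' is not an ISO 8601 duration (expected e.g. P14D, PT6H, P2DT3H)."
    }
    if ($span -le [TimeSpan]::Zero) {
        throw "Lookback must be a positive duration: '$Duration'."
    }
    # Advanced hunting retains 30 days of data, so a longer lookback adds nothing.
    if ($span.TotalDays -gt 30) {
        Write-Warning "Lookback $Duration exceeds the 30-day advanced hunting retention."
    }
    $span
}

$timespan = 'P14D'
$null = ConvertTo-LookbackTimeSpan -Duration $timespan

# IdentityInfo holds several snapshots per account; keep the newest one per identity.
$query = @'
IdentityInfo
| where isnotempty(PrivilegedEntraPimRoles)
| summarize arg_max(Timestamp, *) by AccountObjectId
| project AccountUpn, PrivilegedEntraPimRoles
'@

# -Query accepts pipeline input by value, so the query text can be piped in.
# Assumption: each returned row exposes the projected columns as properties.
$rows = @($query | Invoke-MtGraphSecurityQuery -Timespan $timespan -ErrorAction Stop)

if ($rows.Count -eq 0) {
    # An empty result can mean missing data, not only "no eligible identities".
    Write-Warning 'No rows returned: confirm IdentityInfo is populated before relying on this.'
} else {
    $rows | Sort-Object AccountUpn | Format-Table AccountUpn, PrivilegedEntraPimRoles -Wrap
}
```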

PARAMETERS

-Query

The KQL query to execute. It must be valid KQL.

Type: String
Parameter Sets: (All)
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-Timespan

Lookback period (timespan) for the KQL query, given as an ISO 8601 duration, e.g. P14D, PT6H, P2DT3H.

Type: String
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: P14D
Accept pipeline input: False
Accept wildcard characters: False

-ProgressAction

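Standard PowerShell common parameter (PowerShell 7.4 and later) that determines how PowerShell responds to progress updates generated by the cmdlet.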

Type: ActionPreference
Parameter Sets: (All)
Aliases: proga

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

https://maester.dev/docs/commands/Invoke-MtGraphSecurityQuery