CategoriesDefenderMicrosoft SecurityUncategorized

WHAT IS M365DefenderStuff MODULE ?

Microsoft continues to enhance XDR capabilities every day. To use this comprehensive security solution more effectively, the M365DefenderStuff module has been developed, providing IT professionals and security managers with essential capabilities. In this article, we’ll delve into the capabilities, commands, and outputs of the M365DefenderStuff module.

Capabilities of the M365DefenderStuff Module

1. Threat Detection and Response

M365DefenderStuff enhances the threat detection and response capabilities provided by Microsoft 365 Defender. The module allows you to obtain detailed information about devices and software, helping to identify potential security vulnerabilities. For example, you can examine the security status of devices and detect weaknesses.

2. Advanced Reporting

The module offers comprehensive reporting features. You can generate detailed reports on security incidents, threats, and response actions. These reports can be customized for presentation to managers and stakeholders. Additionally, the module supports the automatic generation and email delivery of reports at specified intervals.

3. Automated Security Operations

M365DefenderStuff helps automate your security operations. For instance, when a specific threat is detected, you can ensure that certain actions are taken automatically. This might include locking user accounts, blocking specific IP addresses, or quarantining certain files.

4. Advanced Analysis

The module enables advanced threat analysis by analyzing data from Microsoft 365 Defender. It helps identify threat vectors, attack patterns, and potential vulnerabilities. These analyses allow you to enhance your security strategies to prevent future attacks.

Install M365DefenderStuff module

To be able to use my PowerShell commands, you must first install the M365DefenderStuff module from the PowerShell Gallery.

Install-Module M365DefenderStuff

TIP: to get all available commands run the following command in your PowerShell console: 

Get-Command -module M365DefenderStuff


Import-Module Az.Accounts

Commands of the M365DefenderStuff Module

The M365DefenderStuff module offers a wide range of commands. Here are the most commonly used commands and their descriptions:


This command lists all devices registered with Microsoft 365 Defender and provides detailed information about them. You can view the security status and other important details of the devices.


Get-M365DefenderMachine -MachineID 'c5fb6ee86d04e75e9ba1c96412d55e9108639952'


This command provides information about the users who have logged into a specific device. It is useful for tracking which users are logging into which devices.

Get-M365DefenderMachineUser -MachineId 'c5fb6ee86d04e75e9ba1c96412d55e9108639952'


This command lists the security vulnerabilities on a specific device. You can determine the weaknesses of the device and take necessary measures.

# get all found vulnerabilities (can take several minutes to complete!)

# get details of specific vulnerability
Get-M365DefenderVulnerability -vulnerabilityId 'c5fb6ee86d04e75e9ba1c96412d55e9108639952'

Generate vulnerability report

This command generates a detailed report on security vulnerabilities. The report includes details of the weaknesses and recommended actions to mitigate them.

# get just software vulnerabilities of CTRITICAL type and group them by machine
Get-M365DefenderVulnerabilityReport -groupBy machine -skipOSVuln -severity Critical


This command provides recommendations to improve security status and mitigate threats. You can view the security advice provided by Microsoft 365 Defender.

# get all security recommendations

# get security recommendations just for Putty software.
Get-M365DefenderRecommendation -productName 'putty'

# get all security recommendations for given machine.
Get-M365DefenderRecommendation -machineId 'c5fb6ee86d04e75e9ba1c96412d55e9108639952'


This command provides information about the software installed on devices. You can examine which software is installed and its security status.

# get all detected applications

# get just specific application
Get-M365DefenderSoftware -softwareId 'adobe-_-creative_cloud'


This command allows you to perform advanced queries in the Microsoft 365 Defender database. You can conduct detailed searches and analyses based on specific criteria.

Invoke-M365DefenderAdvancedQuery -Query "DeviceEvents | where Timestamp > ago(7d)"


This command allows you to query evidence and details related to specific software. You can evaluate the security status and potential threats of the software.

Invoke-M365DefenderSoftwareEvidenceQuery -appName JRE


This command creates the necessary authentication headers for communicating with Microsoft 365 Defender APIs. It ensures authentication in your API calls.

New-M365DefenderAuthHeader -ClientId "YourClientId" -ClientSecret "YourClientSecret" -TenantId "YourTenantId"

Outputs of the M365DefenderStuff Module

The M365DefenderStuff module generates various outputs that help improve your security operations:

  1. Threat Reports: Detailed reports on security incidents, providing information on the type, source, affected systems, and actions taken.
  2. Security Dashboard: Real-time security dashboards displaying all security threats and incidents on a single screen.
  3. Automated Alerts: The module sends immediate alerts when specific threats or anomalies are detected. These alerts can be delivered via email, SMS, or other communication channels.
  4. Analysis Reports: Advanced analysis reports providing in-depth information on attack vectors, vulnerabilities, and preventive measures.
  5. Incident Response Reports: Detailed reports on all actions taken during the incident response process and the outcomes of those actions.


The M365DefenderStuff module extends the capabilities of Microsoft 365 Defender, helping organizations protect more effectively against cyber threats. With advanced reporting, automated security operations, and detailed analyses, IT and security teams can adopt a more proactive approach. By using this module, you can enhance your organization’s security posture and respond more quickly and effectively to potential threats.

thanks to Doitpshway

Language »