Get-DefenderThreatInfo

Windows: Retrieves information about threats detected by Windows Defender

Script

#Requires -Version 5.1
#Requires -Modules Defender

[CmdletBinding()]
Param (
    [int64]$ThreatID,

    [string]$ComputerName = $env:COMPUTERNAME,

    [pscredential]$Credential
)

Process {
    try {
        $session = $null
        $threatParams = @{
            'ErrorAction' = 'Stop'
        }
        if ($ThreatID -gt 0) {
            $threatParams.Add('ThreatID', $ThreatID)
        }

        if ($ComputerName -ne $env:COMPUTERNAME) {
            $sessionParams = @{
                'ComputerName' = $ComputerName
                'ErrorAction'  = 'Stop'
            }
            if ($null -ne $Credential) {
                $sessionParams.Add('Credential', $Credential)
            }
            $session = New-CimSession @sessionParams
            $threatParams.Add('CimSession', $session)
        }

        $threats = Get-MpThreat @threatParams

        $results = foreach ($t in $threats) {
            [PSCustomObject]@{
                ThreatName   = $t.ThreatName
                ThreatID     = $t.ThreatID
                SeverityID   = $t.SeverityID
                CategoryID   = $t.CategoryID
                TypeID       = $t.TypeID
                ComputerName = $ComputerName
            }
        }

        Write-Output ($results | Sort-Object ThreatName)
    }
    catch {
        throw
    }
    finally {
        if ($null -ne $session) {
            Remove-CimSession $session
        }
    }
}

Customize

ThreatID int64

Specifies the ID of a specific threat to retrieve.

ComputerName string

Specifies the name of the target computer. Defaults to the local computer.

env string

Credential pscredential

Specifies a PSCredential object for remote connection.