MSFT_MpEvent

This class is used for event queries and returned when threat events fire. There are no instances of this class that can be queried by Get-CimInstance.

Methods

MSFT_MpEvent has no methods.

Properties

MSFT_MpEvent returns 7 properties:

'AdditionalData','CategoryDiscriminant','ComputerNotificationsValue',
'NotificationTime','ScanNotificationsValue','SignatureNotificationsValue','ThreatNotificationsValue'

Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender -Property *

Most WMI classes return one or more instances.

When Get-CimInstance returns no result, then apparently no instances of class MSFT_MpEvent exist. This is normal behavior.

Either the class is not implemented on your system (it may be deprecated or depend on missing drivers, e.g. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (e.g. Win32_TapeDrive).
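Because MSFT_MpEvent only exists while an event fires, the way to consume it is an indication subscription rather than Get-CimInstance. The following is an added example, not code from the original page: it registers for MSFT_MpEvent indications and appends the seven documented properties of each event to a local log file, which is useful when correlating Defender activity during an investigation. The log path and the ten-minute wait are assumptions; the subscription typically needs an elevated session.

```powershell
# Added example: log every MSFT_MpEvent indication raised by Defender.
$namespace = 'root/microsoft/windows/defender'
$logFile   = "$env:TEMP\MpEvent.log"   # assumed location, adjust as needed

$subscription = Register-CimIndicationEvent -Namespace $namespace `
    -ClassName 'MSFT_MpEvent' `
    -SourceIdentifier 'DefenderMpEvent' `
    -MessageData $logFile `
    -Action {
        # NewEvent is the MSFT_MpEvent instance delivered with the indication
        $e   = $Event.SourceEventArgs.NewEvent
        $log = $Event.MessageData

        # Record the raw notification values; AdditionalData carries the
        # ThreatID only for threat-state notifications (see the class docs).
        $line = '{0:o} category={1} threat={2} scan={3} signature={4} computer={5} additional={6}' -f `
            $e.NotificationTime,
            $e.CategoryDiscriminant,
            $e.ThreatNotificationsValue,
            $e.ScanNotificationsValue,
            $e.SignatureNotificationsValue,
            $e.ComputerNotificationsValue,
            $e.AdditionalData
        Add-Content -Path $log -Value $line
    }

# Keep the subscription alive while events are collected (assumed window).
Start-Sleep -Seconds 600

# Tear the subscription down again.
Unregister-Event -SourceIdentifier 'DefenderMpEvent'
Get-Content -Path $logFile
```

Events are only delivered while the PowerShell session that registered the subscription is still running; for continuous collection, run the script from a scheduled task or service.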

AdditionalData

UINT32

Additional Data. At the moment, the only use is when the CategoryDiscriminant is equal to ThreatStateNotifications; in that case this value contains the ThreatID.

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property AdditionalData

CategoryDiscriminant

UINT32

Category of Notification.

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property CategoryDiscriminant

ComputerNotificationsValue

UINT32

Detailed Computer Notifications.

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property ComputerNotificationsValue

NotificationTime

DATETIME

Date and time the WMI Event was generated

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property NotificationTime

ScanNotificationsValue

UINT32

Detailed Scan Notifications.

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property ScanNotificationsValue

SignatureNotificationsValue

UINT32

Detailed Signature Notifications.

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property SignatureNotificationsValue

ThreatNotificationsValue

UINT32

Detailed Threat Notifications.

Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property ThreatNotificationsValue

Examples

List all instances of MSFT_MpEvent
Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender

Learn more about Get-CimInstance and the deprecated Get-WmiObject.

View all properties
Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender -Property *
View key properties only
Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender -KeyOnly

Selecting Properties

To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.

Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That's why you need to pipe the results into Select-Object if you want to limit the visible properties, e.g. for reporting.

Selecting Properties

The code below lists all available properties. Remove the ones you do not need:

$properties = 'AdditionalData',
              'CategoryDiscriminant',
              'ComputerNotificationsValue',
              'NotificationTime',
              'ScanNotificationsValue',
              'SignatureNotificationsValue',
              'ThreatNotificationsValue'
Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender | Select-Object -Property $properties

Limiting Network Bandwidth

If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:

Get-CimInstance -Class MSFT_MpEvent -Namespace root/microsoft/windows/defender -Property $properties |
Select-Object -Property $properties

Selecting Instances

To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).

The parameter -Filter runs a simple query.

Listing all instances where the property Caption starts with “A”:

Get-CimInstance -Class MSFT_MpEvent -Namespace root/microsoft/windows/defender -Filter 'Caption LIKE "a%"'

Using a WQL Query

The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:

Get-CimInstance -Query "SELECT CategoryDiscriminant, ThreatNotificationsValue, NotificationTime, SignatureNotificationsValue FROM MSFT_MpEvent WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender

Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:

Get-CimInstance -Query "SELECT CategoryDiscriminant, ThreatNotificationsValue, NotificationTime, SignatureNotificationsValue FROM MSFT_MpEvent WHERE Caption LIKE 'a%'" -Namespace root/microsoft/windows/defender | Select-Object -Property CategoryDiscriminant, ThreatNotificationsValue, NotificationTime, SignatureNotificationsValue

Accessing Remote Computers

To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.

Authenticating as Current User

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with your current identity:
$result = Get-CimInstance -ClassName MSFT_MpEvent -Namespace root/microsoft/windows/defender -ComputerName $list
$result

Authenticating as Different User

Use a CIMSession object to authenticate with a new identity:

# one or more computer names or IP addresses:
$list = 'server1', 'server2'

# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred

$result = Get-CimInstance MSFT_MpEvent -Namespace root/microsoft/windows/defender -CimSession $session

# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session

$result

Learn more about accessing remote computers.

Requirements

To use MSFT_MpEvent, the following requirements apply:

PowerShell

Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.

If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.

Operating System

MSFT_MpEvent was introduced on clients with Windows 8.1 [desktop apps only] and on servers with Windows Server 2012 R2 [desktop apps only].

Namespace

MSFT_MpEvent lives in the Namespace Root/Microsoft/Windows/Defender. This is not the default namespace. Use the parameter -Namespace root/microsoft/windows/defender with all CIM cmdlets.

Implementation

MSFT_MpEvent is implemented in ProtectionManagement.dll and defined in ProtectionManagement.mof. Both files are located in the folder C:\Windows\system32\wbem:

explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\ProtectionManagement.mof