internal/functions/other/ConvertFrom-AdvancedQuery.ps1
function ConvertFrom-AdvancedQuery { <# .SYNOPSIS Converts the output of an Advanced Hunting Query into something PowerShell compatible. .DESCRIPTION Converts the output of an Advanced Hunting Query into something PowerShell compatible. .PARAMETER Result The result of the Invoke-MdeAdvancedQuery command. .EXAMPLE PS C:\> Invoke-MdeRequest -Path $__path -Method post -Body $__body -Query $__query -RequiredScopes 'AdvancedQuery.Read' | ConvertFrom-AdvancedQuery Processes the return values provided by the advanced query. #> [CmdletBinding()] param ( [Parameter(ValueFromPipeline = $true)] [AllowNull()] $Result ) begin { $typeMapping = @{ String = '<direct>' Double = '<direct>' SByte = { $_ -as [bool] } DateTime = '<direct>' Object = '<direct>' } } process { if (-not $Result) { return } $properties = foreach ($item in $Result.Schema) { if ((-not $typeMapping[$item.Type]) -or $typeMapping[$item.Type] -eq '<direct>') { $item.Name continue } @{ Name = $item.Name Expression = $typeMapping[$item.Type] } } $Result.Results | Select-Object $properties | ForEach-Object { $_.PSObject.TypeNames.Insert(0, 'DefenderAPI.AdvancedQuery.Result') $_ } } } |