MSFT_MpThreatDetection class

This is a class that represents the current detailed state of a threat

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.

Syntax

class MSFT_MpThreatDetection : BaseStatus
{
  string   DetectionID;
  sint64   ThreatID;
  string   ProcessName;
  string   DomainUser;
  uint8    DetectionSourceTypeID;
  string   Resources[];
  DateTime InitialDetectionTime;
  DateTime LastThreatStatusChangeTime;
  DateTime RemediationTime;
  uint8    CurrentThreatExecutionStatusID;
  uint8    ThreatStatusID;
  sint32   ThreatStatusErrorCode;
  uint8    CleaningActionID;
  string   AMProductVersion = tatusID;
  boolean  ActionSuccess = false;
  Uint32   AdditionalActionsBitMask;
};

Members

The MSFT_MpThreatDetection class has these types of members:

• Properties

Properties

The MSFT_MpThreatDetection class has these properties.

ActionSuccess

Data type: boolean

Access type: Read-only

Specifies if the cleaning action was successful

AdditionalActionsBitMask

Data type: Uint32

Access type: Read-only

Additional actions required to complete remediation - Enumeration

None (0)

FullScanRequired (4)

RebootRequired (8)

FullScanAndRebootRequired (12)

ManualStepsRequired (16)

FullScanAndManualStepsRequired (20)

RebootAndManualStepsRequired (24)

FullScanAndRebootAndManualStepsRequired (28)

OfflineScanRequired (32768)

FullScanAndOfflineScanRequired (32772)

RebootAndOfflineScanRequired (32776)

FullScanAndRebootAndOfflineScanRequired (32780)

ManualStepsAndOfflineScanRequired (32784)

FullScanAndManualStepsAndOfflineScanRequired (32788)

RebootAndManualStepsAndOfflineScanRequired (32792)

FullScanAndRebootAndManualStepsAndOfflineScanRequired (32796 )

AMProductVersion

Data type: string

Access type: Read-only

Product version (major, minor, build, revision)

CleaningActionID

Data type: uint8

Access type: Read-only

The cleaning action - Enumeration

CurrentThreatExecutionStatusID

Data type: uint8

Access type: Read-only

Execution Status ID - Enumeration

Unknown (0)

Blocked (1)

Allowed (2)

Executing (3)

NotExecuting (4)

DetectionID

Data type: string

Access type: Read-only

Qualifiers: Key

Unique Detection ID

DetectionSourceTypeID

Data type: uint8

Access type: Read-only

Detection Source Type ID - Enumeration

Unknown (0)

User (1)

System (2)

Real-time (3)

IOAV (4)

NRI (5)

ELAM (7)

LocalAttestation (8)

RemoteAttestation (9)

DomainUser

Data type: string

Access type: Read-only

The user who requested remediation

InitialDetectionTime

Data type: DateTime

Access type: Read-only

The initial threat detection time

LastThreatStatusChangeTime

Data type: DateTime

Access type: Read-only

The most recent time of the threat status change

ProcessName

Data type: string

Access type: Read-only

The name of the process involved

RemediationTime

Data type: DateTime

Access type: Read-only

The time of the remediation.

Resources

Data type: string array

Access type: Read-only

List of resources affected by the detection

ThreatID

Data type: sint64

Access type: Read-only

Qualifiers: Key

Unique Threat ID

ThreatStatusErrorCode

Data type: sint32

Access type: Read-only

The threat status error code

ThreatStatusID

Data type: uint8

Access type: Read-only

The Threat Status ID - Enumeration

Unknown (0)

Detected (1)

Cleaned (2)

Quarantined (3)

Removed (4)

Allowed (5)

Blocked (6)

CleanFailed (Blocked)

QuarantineFailed (102)

RemoveFailed (103)

AllowFailed (104)

Abondoned (105)

BlockedFailed (107)

Requirements

Minimum supported client	Windows 8.1 [desktop apps only]
Minimum supported server	Windows Server 2012 R2 [desktop apps only]
Namespace	Root\Microsoft\Windows\Defender
MOF	ProtectionManagement.mof
DLL	ProtectionManagement.dll