Hey Deleted,
As you probably saw, the alert includes only the machine ID; if you want to enrich that data with the machine name, you need to call another API method, Get machine by ID, which returns a lot of information about the machine.
You can see in our second blog, Ticketing system integration, how we pull alerts and iterate through them to use the alert ID to update the ticketing system. You can use the same logic to get the machine information and enrich the alert. Your script can look like:
# Returns alerts created in the past 4 hours (adjust the window as needed) and enriches each one with the machine name.
# Needed for the MessageBox calls below; replace those calls with your own enrichment code.
Add-Type -AssemblyName PresentationFramework
$token = .\Get-Token.ps1
$dateTime = (Get-Date).ToUniversalTime().AddHours(-4).ToString("o")
$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
$headers = @{
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $token"
}
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop
# For each alert, take the alertId and machineId and call "Get machine by ID" to fetch the machine details.
foreach ($alert in $response.value)
{
    $alertId = $alert.id
    $machineId = $alert.machineId
    $url = "https://api.securitycenter.windows.com/api/machines/$machineId"
    $headers = @{
        Accept = 'application/json'
        Authorization = "Bearer $token"
    }
    # With -ErrorAction Stop a non-success status code throws, so failures are handled in the catch block.
    try {
        $machineInfoResponse = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
        $machineInfo = $machineInfoResponse.Content | ConvertFrom-Json
        $machineName = $machineInfo.computerDnsName
        # Replace the next line with your code to take the alert data and enrich it with machine info.
        [System.Windows.MessageBox]::Show("Alert ID - $alertId. MachineName - $machineName")
    }
    catch {
        [System.Windows.MessageBox]::Show("Failed to get machine info for machine id - $machineId. $($_.Exception.Message)")
    }
}
We are working on a PowerShell module which should ease the use of the API from PowerShell.
Please reply if the answer answers your issue.
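An added example that extends the same enrichment loop (my own code, not the original post's or Microsoft's): it follows OData paging via `@odata.nextLink` so no alerts beyond the first page are missed, caches machine lookups so each machine is fetched only once, and emits objects instead of message boxes. It assumes the Get-Token.ps1 script from the thread, that the alert list pages with `@odata.nextLink`, and that alerts expose `id`, `severity` and `machineId`.

```powershell
# Added example, not from the original post: enrich every alert with the
# machine's DNS name, following OData paging and caching machine lookups.
$token   = .\Get-Token.ps1                       # assumed helper from the thread
$baseUrl = 'https://api.securitycenter.windows.com/api'
$headers = @{ Accept = 'application/json'; Authorization = "Bearer $token" }
$since   = (Get-Date).ToUniversalTime().AddHours(-4).ToString('o')

# Walk every page of a list endpoint until no @odata.nextLink (assumed paging field) remains.
function Get-AllPages {
    param([string]$Uri)
    $items = @()
    while ($Uri) {
        $page   = Invoke-RestMethod -Method Get -Uri $Uri -Headers $headers -ErrorAction Stop
        $items += $page.value
        $Uri    = $page.'@odata.nextLink'
    }
    return $items
}

# Look each machine up once; repeated alerts for the same device reuse the cached name.
$machineCache = @{}
function Get-MachineName {
    param([string]$MachineId)
    if (-not $machineCache.ContainsKey($MachineId)) {
        try {
            $m = Invoke-RestMethod -Method Get -Uri "$baseUrl/machines/$MachineId" -Headers $headers -ErrorAction Stop
            $machineCache[$MachineId] = $m.computerDnsName
        }
        catch {
            # Record the failure so the same bad ID is not retried for every alert.
            Write-Warning "Machine lookup failed for ${MachineId}: $($_.Exception.Message)"
            $machineCache[$MachineId] = $null
        }
    }
    return $machineCache[$MachineId]
}

$alerts   = Get-AllPages -Uri "$baseUrl/alerts?`$filter=alertCreationTime ge $since"
$enriched = foreach ($alert in $alerts) {
    [pscustomobject]@{
        AlertId     = $alert.id
        Severity    = $alert.severity
        MachineId   = $alert.machineId
        MachineName = Get-MachineName -MachineId $alert.machineId
    }
}
# $enriched can now be piped to Export-Csv or posted to a ticketing system.
$enriched | Format-Table -AutoSize
```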