Forum Discussion
yitzhakb, Copper Contributor
Jan 14, 2025
Get Isolation Status through API
Is there any way to get a machine's current isolation status through API or even bulk isolation statuses of multiple machines?
2 Replies
- DylanInfosec, Iron Contributor
Hi yitzhakb,
You can absolutely pull this via the API either by a single machineId or in bulk, you just need to play around with the filters for the List MachineActions API, docs here.
I'm assuming you already have the app reg done and you have the client secret and id so let's jump right to request:
```powershell
# Replace these variables with your own values
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"

# Step 1: Obtain an access token
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    grant_type    = "client_credentials"
    scope         = "https://api.securitycenter.microsoft.com/.default"
}
try {
    $response = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body -ErrorAction Stop
    $accessToken = $response.access_token
} catch {
    Write-Host "Failed to obtain access token: $_"
    exit
}

# Step 2: Define the API endpoint to query machine actions
# Play around with the filter to get what you need or remove it to get all MachineActions
$apiUrl = "https://api.securitycenter.microsoft.com/api/machineactions?`$filter=type eq 'Isolate'"

# Step 3: Set up the headers for the API request
$headers = @{
    "Authorization" = "Bearer $accessToken"
    "Content-Type"  = "application/json"
}

# Step 4: Make the GET request to retrieve machine actions
try {
    $response = Invoke-RestMethod -Uri $apiUrl -Method Get -Headers $headers -ErrorAction Stop
} catch {
    Write-Host "Error retrieving machine actions: $_"
    exit
}

# Step 5: Assign the response value to a variable
$machineActions = $response.value

# Step 6: Output all returned values
$machineActions

# Step 7: Example: Filter the results based on status = "Succeeded" or you can filter for "TimeOut"
$filteredActions = $machineActions | Where-Object { $_.status -eq "Succeeded" }

# Step 8: Example: Filter the results further based on Scope = "Full" or you can filter for "Selective"
$filteredActionsWithScope = $filteredActions | Where-Object { $_.scope -eq "Full" }

# Step 9: Example: Beautify the results a bit
if ($filteredActionsWithScope) {
    foreach ($action in $filteredActionsWithScope) {
        Write-Host "Action ID: $($action.id)"
        Write-Host "Machine ID: $($action.machineId)"
        Write-Host "Action Type: $($action.type)"
        Write-Host "Action Status: $($action.status)"
        Write-Host "Scope: $($action.scope)"
        Write-Host "Created DateTime: $($action.creationDateTimeUtc)"
        Write-Host "-----------------------------"
    }
} else {
    Write-Host "No matching machine actions found."
}
```
To play around and get a few specific machine ids you can try something like this with the filtering:
```powershell
# OData evaluates 'and' before 'or', so the machineId alternatives are grouped in parentheses
$apiUrl = "https://api.securitycenter.microsoft.com/api/machineactions?`$filter=type eq 'Isolate' and (machineId eq '28273829020...' or machineId eq '292747492sd...')"
```
Again, play around, maybe put in a loop but this should give you a good starting point.
Hope this helps you get what you need.
Best regards,
Dylan
- yitzhakb, Copper Contributor
Hi, thanks for your answer.
I tried to achieve my needs with this approach but faced some issues. Imagine I have multiple machine IDs and a lot of actions were done on them (a lot of isolate/de-isolate). When I fetch those actions (I assume there is a limit on the number of actions fetched), knowing what their current status is (isolated or not) can be problematic, because among all the actions I need the last succeeded action of each machine ID; if I query a lot of machine IDs and one machine ID has a lot of actions, it can lead to missing results for actions of other machines.
That's the reason I'm wondering if there is a different approach to getting the machine's current status than using the get machine actions API.
Thanks.
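An added example (not code from either poster) showing how to reduce a list of MachineActions to a per-machine "currently isolated" answer: only Succeeded actions of type Isolate or Unisolate change state, and the most recent one wins. It also builds a per-machine filter so one machine with a long action history cannot crowd the others out of a shared result set. The sample objects below are constructed, with only the fields the logic reads; the function and variable names are my own.

```powershell
# Constructed sample of what $response.value from /api/machineactions looks like
# (real objects carry more fields; only these are used here).
$sampleActions = @(
    [pscustomobject]@{ id='a1'; machineId='m1'; type='Isolate';   status='Succeeded'; scope='Full';      creationDateTimeUtc='2025-01-10T09:00:00Z' }
    [pscustomobject]@{ id='a2'; machineId='m1'; type='Unisolate'; status='Succeeded'; scope=$null;       creationDateTimeUtc='2025-01-11T09:00:00Z' }
    [pscustomobject]@{ id='a3'; machineId='m1'; type='Isolate';   status='Failed';    scope='Full';      creationDateTimeUtc='2025-01-12T09:00:00Z' }
    [pscustomobject]@{ id='a4'; machineId='m2'; type='Isolate';   status='Succeeded'; scope='Selective'; creationDateTimeUtc='2025-01-13T09:00:00Z' }
    [pscustomobject]@{ id='a5'; machineId='m3'; type='RunAntiVirusScan'; status='Succeeded'; scope=$null; creationDateTimeUtc='2025-01-13T10:00:00Z' }
)

function Get-IsolationStateFromActions {
    param([Parameter(Mandatory)][object[]]$Actions)
    # Pending, InProgress, Failed and TimeOut actions never changed the machine, so drop them.
    $relevant = $Actions | Where-Object {
        $_.type -in @('Isolate', 'Unisolate') -and $_.status -eq 'Succeeded'
    }
    $relevant | Group-Object machineId | ForEach-Object {
        # The newest succeeded Isolate/Unisolate action decides the current state.
        $last  = $_.Group | Sort-Object { [datetime]$_.creationDateTimeUtc } | Select-Object -Last 1
        $scope = if ($last.type -eq 'Isolate') { $last.scope } else { $null }
        [pscustomobject]@{
            machineId  = $_.Name
            isolated   = ($last.type -eq 'Isolate')
            scope      = $scope
            lastAction = $last.id
            asOf       = $last.creationDateTimeUtc
        }
    }
}

# One request per machine, restricted to the actions that matter, so a noisy machine
# never pushes another machine's actions past whatever the API returns per call.
function New-IsolationActionsUrl {
    param([Parameter(Mandatory)][string]$MachineId)
    $filter = "machineId eq '$MachineId' and (type eq 'Isolate' or type eq 'Unisolate') and status eq 'Succeeded'"
    return "https://api.securitycenter.microsoft.com/api/machineactions?`$filter=$([uri]::EscapeDataString($filter))"
}

# With the sample data: m1 -> isolated=False (a2 is newer than a1, a3 failed), m2 -> isolated=True (Selective), m3 absent.
Get-IsolationStateFromActions -Actions $sampleActions | Format-Table -AutoSize
New-IsolationActionsUrl -MachineId 'm1'
```

A machine with no succeeded Isolate/Unisolate action in the returned window does not appear in the output at all, so treat absence as "unknown from this API" rather than "not isolated".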