jdyett
Copper Contributor
Aug 07, 2023

Incomplete Defender for Endpoint API call via Powershell

Hello!

I'm trying to export data from my assets via PowerShell, using this API:

https://api.securitycenter.microsoft.com/api/machines

My script seems to be working fine, but unfortunately the JSON response doesn't contain all the IP addresses displayed in the Defender for Endpoint portal for each device. Certain addresses are missing. Is there any reason or explanation for that?

Also when using this API to access the data for one device:

https://api.securitycenter.microsoft.com/api/machines/{id}

the response is always null, although the inserted id is correct and the script is the same that works for all machines. When adding vulnerabilities to the same URI: https://api.securitycenter.microsoft.com/api/machines/{id}/vulnerabilities the API endpoint works again.

Has anyone experienced anything like this before?

Thanks in advance for any hints or ideas on what I could be doing wrong! 🙂

This is my PowerShell script:

  • jbmartin6
    Iron Contributor

    jdyett Have you looked at the raw response rather than the converted JSON? There might be a clue there. My first thought for the blank response was that you might be getting multiple objects returned, but that shouldn't happen with device Id.

  • JimBjo
    Copper Contributor

    jdyett Hi, I think there's an inconsistency with the id parameter in that API (https://api.securitycenter.microsoft.com/api/machines/{id}) as well as this one: https://api.securitycenter.microsoft.com/api/machines/{id}/software. The API expects the "Device id" you can find in the Defender GUI when viewing a single machine. But this is not the same as the "id" parameter returned by this API: https://api.securitycenter.microsoft.com/api/machines. I haven't yet found a way to get the correct id, that is, the "Device id", from the securitycenter API. Maybe someone can help with this?

    • jbmartin6
      Iron Contributor
      JimBjo What you describe is not what I see in my org's MDE UI and API; from what I see and use, the deviceId value is consistent across all of the points you mention.
      • JimBjo
        Copper Contributor
        Very interesting. When experimenting further I can see that for some machines I get more than one match by matching on DNS, 3 in one case, and one of these has an id (that is the name of the property in the returned JSON) that matches "Device id". I clearly need to examine this further.
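
A PowerShell script, added here as an example and not taken from the poster or from Microsoft, that walks through the two checks raised in this thread: it lists every machine record matching one DNS name (the multiple-match case JimBjo describes) and expands the nested ipAddresses array rather than only lastIpAddress, then requests each candidate id individually and prints the raw HTTP response, as jbmartin6 suggests. It assumes a bearer token for https://api.securitycenter.microsoft.com has already been obtained; $Token and $DnsName are placeholder parameters.

```powershell
# Added example, not the poster's script and not Microsoft's sample code.
# Assumes $Token is a bearer token for https://api.securitycenter.microsoft.com
# and $DnsName is the computerDnsName of the device under investigation.
param(
    [Parameter(Mandatory)][string]$Token,
    [Parameter(Mandatory)][string]$DnsName
)

$base    = 'https://api.securitycenter.microsoft.com/api'
$headers = @{ Authorization = "Bearer $Token"; Accept = 'application/json' }

# 1. List every machine record whose computerDnsName matches. One DNS name can
#    map to several records, each with its own "id" (JimBjo's observation).
$filter = [uri]::EscapeDataString("computerDnsName eq '$DnsName'")
$list   = Invoke-RestMethod -Method Get -Headers $headers -Uri "$base/machines?`$filter=$filter"

foreach ($m in $list.value) {
    # Expand the nested ipAddresses array rather than reading only lastIpAddress;
    # Format-Table / Export-Csv would otherwise render the array as System.Object[].
    $ips = ($m.ipAddresses | ForEach-Object { "$($_.ipAddress) ($($_.type))" }) -join ', '
    [pscustomobject]@{
        id              = $m.id
        computerDnsName = $m.computerDnsName
        lastSeen        = $m.lastSeen
        lastIpAddress   = $m.lastIpAddress
        ipAddresses     = $ips
    }
}

# 2. Request each candidate id on its own and show the RAW response (jbmartin6's
#    suggestion), so an empty body or an HTTP error is visible instead of a silent $null.
foreach ($m in $list.value) {
    try {
        $raw = Invoke-WebRequest -Method Get -Headers $headers -Uri "$base/machines/$($m.id)" -UseBasicParsing
        Write-Host "id $($m.id): HTTP $($raw.StatusCode), $($raw.Content.Length) bytes"
        Write-Host $raw.Content
    } catch {
        # Invoke-WebRequest throws on a non-2xx status; report it instead of swallowing it
        Write-Warning "id $($m.id): request failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
    }
}
```

Comparing the id values printed in step 1 with the "Device id" shown in the portal for that host tells you which record the single-machine endpoint will accept.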
