Forum Discussion
jdyett
Aug 07, 2023, Copper Contributor
Incomplete Defender for Endpoint API call via PowerShell
Hello!
I'm trying to export data from my assets via PowerShell, using this API:
https://api.securitycenter.microsoft.com/api/machines
My script seems to be working fine, but unfortunately the JSON response doesn't contain all the IP addresses displayed in the Defender for Endpoint portal for each device. Certain addresses are missing. Is there any reason or explanation for that?
Also when using this API to access the data for one device:
https://api.securitycenter.microsoft.com/api/machines/{id}
the response is always null, although the inserted id is correct and the script is the same one that works for all machines. When adding vulnerabilities to the same URI: https://api.securitycenter.microsoft.com/api/machines/{id}/vulnerabilities the API endpoint works again.
Has anyone experienced anything like this before?
Thanks in advance for any hints or ideas on what I could be doing wrong! 🙂
This is my PowerShell script:
5 Replies
- JimBjo, Copper Contributor
jdyett Hi, I think there's an inconsistency with the id parameter in that API (https://api.securitycenter.microsoft.com/api/machines/{id}) as well as this one: https://api.securitycenter.microsoft.com/api/machines/{id}/software. The API expects the "Device id" you can find in the Defender GUI when viewing a single machine. But this is not the same as the "id" parameter returned by this API: https://api.securitycenter.microsoft.com/api/machines. I haven't yet found a way to get the correct id, that is, the "Device id", from the securitycenter API. Maybe someone can help with this?
- JimBjo, Copper Contributor
Very interesting, when experimenting further I can see that for some machines I get more than one match by matching on DNS, 3 in one case, and one of these has an id (that is the name of the property in the returned JSON) that matches "Device id". I clearly need to examine this further.
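
The duplicate-record observation in the last reply can be checked across a whole export. This is an added example, not code from the thread: it groups machine records by DNS name and lists every `id` per name so each can be compared with the portal's "Device id". The field names `computerDnsName` and `lastSeen`, the function name, and all sample values are assumptions; the ids are placeholders.

```powershell
# Constructed sample shaped like the "value" array returned by /api/machines.
# computerDnsName and lastSeen are assumed field names; ids are placeholders.
$sampleJson = @'
{
  "value": [
    { "id": "placeholder-id-aaa", "computerDnsName": "ws01.example.test",  "lastSeen": "2023-08-01T09:12:00Z" },
    { "id": "placeholder-id-bbb", "computerDnsName": "WS01.example.test",  "lastSeen": "2023-08-06T17:40:00Z" },
    { "id": "placeholder-id-ccc", "computerDnsName": "ws01.example.test",  "lastSeen": "2023-07-15T08:00:00Z" },
    { "id": "placeholder-id-ddd", "computerDnsName": "srv02.example.test", "lastSeen": "2023-08-07T06:30:00Z" }
  ]
}
'@

function Get-DuplicateMachineRecord {
    # Hypothetical helper: returns one row per DNS name that has more than one record.
    param([Parameter(Mandatory)][object[]]$Machines)

    $Machines |
        Where-Object { $_.computerDnsName } |                               # skip records without a name
        Group-Object -Property { $_.computerDnsName.ToLowerInvariant() } |  # case-insensitive match
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $group  = $_
            # Newest record first, so stale entries are easy to spot.
            $sorted = @($group.Group | Sort-Object { [datetime]$_.lastSeen } -Descending)
            [pscustomobject]@{
                DnsName     = $group.Name
                RecordCount = $group.Count
                NewestId    = $sorted[0].id
                AllIds      = $sorted.id -join ', '
            }
        }
}

$machines = ($sampleJson | ConvertFrom-Json).value
# For live data, replace the line above with the result of your own authenticated
# call to https://api.securitycenter.microsoft.com/api/machines ($token is assumed):
# $machines = (Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $token" }).value

Get-DuplicateMachineRecord -Machines $machines | Format-Table -AutoSize
```

With the constructed sample, only `ws01.example.test` is reported, with three ids ordered from most to least recently seen.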