Forum Discussion
jdyett
Aug 07, 2023 · Copper Contributor
Incomplete Defender for Endpoint API call via PowerShell
Hello! I'm trying to export data from my assets via PowerShell, using this API: https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07 My script seems...
JimBjo
Aug 31, 2023 · Copper Contributor
jdyett Hi, I think there's an inconsistency with the id parameter in that API (https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07) as well as this one: https://api.securitycenter.microsoft.com/api/machines/id/software. The API expects the "Device id" you can find in the Defender GUI when viewing a single machine. But this is not the same as the "id" parameter returned by this API: https://api.securitycenter.microsoft.com/api/machines. I haven't yet found a way to get the correct id, that is, the "Device id", from the securitycenter API. Maybe someone can help with this?
jbmartin6
Aug 31, 2023 · Iron Contributor
JimBjo What you describe is not what I see in my org's MDE UI and API; from what I see and use, the deviceId value is consistent across all of the points you mention.
- JimBjo (Aug 31, 2023 · Copper Contributor): Very interesting, when experimenting further I can see that for some machines I get more than one match by matching on DNS, 3 in one case, and one of these has an id (that is the name of the property in the returned JSON) that matches "Device id". I clearly need to examine this further.
- jbmartin6 (Aug 31, 2023 · Iron Contributor): Oh, I did not think of that. We do have a subset of inactive devices in MDE where the authentication token was reset due to a bug in the 22H2 upgrade. Those have 2 listings if we look them up by hostname, so that could cause confusion if we got the deviceId mixed up. In those cases, though, I would expect to get the data from the last update to the old deviceId before the reset. Interesting, I will bear that possibility in mind if we see anything like you describe.
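
Added example, not part of any post in this thread: a PowerShell sketch that groups a `/api/machines` result by DNS name to surface hostnames with more than one record, which is the situation the last two replies describe. The JSON is a constructed sample, the function name `Get-MachineRecordSummary` is hypothetical, and the commented live call assumes `$token` already holds a valid bearer token.

```powershell
# Constructed sample shaped like a GET /api/machines response.
# Every id and hostname below is made up for illustration.
$sampleJson = @'
{ "value": [
  { "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1", "computerDnsName": "ws-001.corp.example", "lastSeen": "2023-05-02T08:11:00Z", "healthStatus": "Inactive" },
  { "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa2", "computerDnsName": "WS-001.corp.example", "lastSeen": "2023-08-30T14:52:00Z", "healthStatus": "Active" },
  { "id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb1", "computerDnsName": "srv-db-01.corp.example", "lastSeen": "2023-08-31T06:03:00Z", "healthStatus": "Active" }
] }
'@

# Against a live tenant (assumption: $token already holds a valid bearer token):
# $machines = (Invoke-RestMethod -Uri 'https://api.securitycenter.microsoft.com/api/machines' `
#     -Headers @{ Authorization = "Bearer $token" }).value
$machines = ($sampleJson | ConvertFrom-Json).value

function Get-MachineRecordSummary {
    param([Parameter(Mandatory)] [object[]] $Machine)

    $Machine |
        # Normalise case so WS-001 and ws-001 land in the same group.
        Group-Object -Property { "$($_.computerDnsName)".ToLowerInvariant() } |
        ForEach-Object {
            # Newest record first; the rest are older listings for the same hostname.
            $sorted = @($_.Group | Sort-Object -Property { [datetime]$_.lastSeen } -Descending)
            [pscustomobject]@{
                ComputerDnsName = $_.Name
                RecordCount     = $sorted.Count
                NewestId        = $sorted[0].id
                NewestHealth    = $sorted[0].healthStatus
                OlderIds        = @($sorted | Select-Object -Skip 1 | ForEach-Object { $_.id })
            }
        }
}

$summary = Get-MachineRecordSummary -Machine $machines

# Only hostnames with more than one record need a decision about which id to query.
$summary | Where-Object RecordCount -gt 1 | Format-List
```

For the constructed sample this reports `ws-001.corp.example` with two records, the newest being the `...a2` id; which of the ids to pass to `/api/machines/{id}` still has to be checked against the "Device id" shown in the portal.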