Forum Discussion
Use Powershell to get data from Defender Advanced Hunting Queries
Hi,
I have an advanced query on Defender to extract the number of vulnerabilities by its severity type, which is this one:
DeviceTvmSoftwareVulnerabilities
| summarize count() by VulnerabilitySeverityLevel
| order by VulnerabilitySeverityLevel
Basically this produces a very simple table with this data:
Critical - 1000
High - 1000
Medium - 1000
Low - 1000
Is there any way to get this query from PowerShell, so then I can do some extra tasks after?
Thanks
- 403 is usually permissions - check the token as it's either expired or doesn't contain all relevant scopes.
8 Replies
- You can try the Start-MgSecurityHuntingQuery cmdlet from the Microsoft Graph SDK for PowerShell. Or better yet, run the underlying Graph API query directly: https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-beta&tabs=http
- dmarquesgn (Iron Contributor)
I'm having some issues on my tries to use the Microsoft Graph API query directly, which was my first attempt. So usually I call the request like this:
$vulnResponse = Invoke-WebRequest -Method Get -Uri $vulnUrl -Headers $headers -ErrorAction Stop
So, according to the documentation I have to build out a query like this:
https://graph.microsoft.com/beta/security/runHuntingQuery { "query": "DeviceTvmSoftwareVulnerabilities | summarize count() by VulnerabilitySeverityLevel" }
But when I run the web request I get a 401 (Unauthorized), which is strange, because on the permissions side I got the Ti.Read.All allowed, and also, if I run a query to the Microsoft Defender API (https://api-eu.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities?) I can run it without any permission issues.
This is what I have configured on the API permissions:
What am I missing here?
Thanks
- This is a Graph method, so you need to add the corresponding Graph permissions (ThreatHunting.Read.All) - you cannot just rely on existing permissions for a different API.
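
Pulling the thread's points together as an added example (not code posted by any participant): an app-only token requested for Graph, a pre-flight check that its `roles` claim carries ThreatHunting.Read.All and that it has not expired, then the hunting query sent as a POST. The environment variable names and the `Get-JwtClaims` helper are assumptions made for illustration; a delegated token would carry the permission in `scp` instead of `roles`.

```powershell
# Added example. Assumes an app registration with the Graph *application*
# permission ThreatHunting.Read.All (admin-consented). Env var names are made up.
$tenantId     = $env:GRAPH_TENANT_ID
$clientId     = $env:GRAPH_CLIENT_ID
$clientSecret = $env:GRAPH_CLIENT_SECRET

function Get-JwtClaims([string]$Jwt) {
    # Decode the payload segment of a JWT (no signature check) to inspect claims.
    $p = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $p = $p.PadRight($p.Length + (4 - $p.Length % 4) % 4, '=')
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)) | ConvertFrom-Json
}

# 1. Client-credentials token scoped to Graph, not to the Defender API resource.
$token = (Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }).access_token

# 2. Inspect the token first, so a 401/403 from Graph is explained up front.
$claims = Get-JwtClaims $token
if ($claims.roles -notcontains 'ThreatHunting.Read.All') {
    throw "Token for '$($claims.aud)' lacks ThreatHunting.Read.All; roles: $($claims.roles -join ', ')"
}
if ([DateTimeOffset]::FromUnixTimeSeconds($claims.exp) -le [DateTimeOffset]::UtcNow) {
    throw 'Token is expired.'
}

# 3. runHuntingQuery is a POST with the KQL carried in a JSON body.
$kql = @'
DeviceTvmSoftwareVulnerabilities
| summarize count() by VulnerabilitySeverityLevel
| order by VulnerabilitySeverityLevel
'@
$response = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/beta/security/runHuntingQuery' `
    -Headers @{ Authorization = "Bearer $token" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $kql } | ConvertTo-Json)

# 4. Each result row is keyed by column name; count() comes back as count_.
$bySeverity = @{}
foreach ($row in $response.results) { $bySeverity[$row.VulnerabilitySeverityLevel] = $row.count_ }
$bySeverity
```

The `$bySeverity` hashtable holds one entry per severity level, ready for whatever follow-up tasks the script needs.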