Forum Discussion

dmarquesgn's avatar
dmarquesgn
Iron Contributor
Dec 13, 2022
Solved

Use Powershell to get data from Defender Advanced Hunting Queries

Hi, I have an advanced query on Defender to extract the number of vulnerabilities by it's severity type, which is this one: DeviceTvmSoftwareVulnerabilities | summarize count() by Vulnerabili...
Windows PowerShell
  • VasilMichev's avatar
    VasilMichev
    Dec 17, 2022
    403 is usually permissions - check the token as it's either expired or doesn't contain all relevant scopes.
  • dmarquesgn's avatar
    dmarquesgn
    Iron Contributor
    Dec 14, 2022

    VasilMichev 

    I'm having some issues on my tries to use the Microsoft Graph API query directly, which was my first attempt. So usually I call the request like this:

    $vulnResponse = Invoke-WebRequest -Method Get -Uri $vulnUrl -Headers $headers -ErrorAction Stop

    So, according to the documentation I have to build out a query like this:

    https://graph.microsoft.com/beta/security/runHuntingQuery { "query": "DeviceTvmSoftwareVulnerabilities | summarize count() by  VulnerabilitySeverityLevel" }"

    But when I run the web request I get a 401 (Unauthorized), which is strange, because on the permissions side I got the Ti.Read.All allowed, and also, if I run a query to the Microsoft Defender API (https://api-eu.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities?) I can run it without any permission issues.

    This is what I have configured on the API permissions:

    What am I missing here?

    Thanks

    • VasilMichev's avatar
      VasilMichev
      MVP
      Dec 14, 2022
      This is a Graph method, so you need to add the corresponding Graph permissions (ThreatHunting.Read.All) - you cannot just rely on exiting permissions for a different API.
      • dmarquesgn's avatar
        dmarquesgn
        Iron Contributor
        Dec 15, 2022

        VasilMichev 

        You're totally right. I misconfused Ti.Read.All with ThreatHuning.Read.All

        Now I've overcome the 401, but I get a 400 error. This is my actual code:

        $tenantId = 'redacted' ### Tenant ID
$appId = 'redacted' ### Paste your Application ID here
$appSecret = 'redacted' ### Paste your Application secret here

#$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$resourceAppIdUri = 'https://graph.microsoft.com'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$authBody = [Ordered] @{
     resource = "$resourceAppIdUri"
     client_id = "$appId"
     client_secret = "$appSecret"
     grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
#NOTE: This returns your access token, and below we pull out the token that will be used as the authorization token going forward. 
$token = $authResponse.access_token

$headers = @{ 
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $token" 
}

$vulnUrl = 'https://graph.microsoft.com/beta/security/runHuntingQuery { "query": "DeviceTvmSoftwareVulnerabilities | summarize count() by  VulnerabilitySeverityLevel" }'
$vulnResponse = Invoke-WebRequest -Method Post -Uri $vulnUrl -Headers $headers -ErrorAction Stop

        The error shown is this: 
        Invoke-WebRequest : The remote server returned an error: (400) Bad Request.

         

        Any idea of what might be doing wrong here? 

        Thanks

Resources