Microsoft Defender for Endpoint APIs using PowerShell

Artikel
04/24/2024

Applies to:

Important

Advanced hunting capabilities are not included in Defender for Business.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use server closer to your geo location:

api-us.securitycenter.microsoft.com
api-eu.securitycenter.microsoft.com
api-uk.securitycenter.microsoft.com
api-au.securitycenter.microsoft.com

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Full scenario using multiple APIs from Microsoft Defender for Endpoint.

In this section, we share PowerShell samples to

Retrieve a token
Use token to retrieve the latest alerts in Microsoft Defender for Endpoint
For each alert, if the alert has medium or high priority and is still in progress, check how many times the device has connected to suspicious URL.

Prerequisite: You first need to create an app.

Preparation instructions

Open a PowerShell window.
If your policy doesn't allow you to run the PowerShell commands, you can run the below command:
```
Set-ExecutionPolicy -ExecutionPolicy Bypass
```

For more information, see PowerShell documentation

Get token

Run the below:

$tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query is run on the data of this tenant)
$appId: ID of your Microsoft Entra app (the app must have 'Run advanced queries' permission to Defender for Endpoint)
$appSecret: Secret of your Microsoft Entra app
$suspiciousUrl: The URL

$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here

$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
$oAuthUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$aadToken = $authResponse.access_token


#Get latest alert
$alertUrl = "https://api.securitycenter.microsoft.com/api/alerts?`$top=10"
$headers = @{ 
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $aadToken" 
}
$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
$alerts =  ($alertResponse | ConvertFrom-Json).value

$machinesToInvestigate = New-Object System.Collections.ArrayList

Foreach($alert in $alerts)
{
    #echo $alert.id $alert.machineId    $alert.severity $alert.status

    $isSevereAlert = $alert.severity -in 'Medium', 'High'
    $isOpenAlert = $alert.status -in 'InProgress', 'New'
    if($isOpenAlert -and $isSevereAlert)
    {
        if (-not $machinesToInvestigate.Contains($alert.machineId))
        {
            $machinesToInvestigate.Add($alert.machineId) > $null
        }
    }
}

$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')

$query = "NetworkCommunicationEvents
| where MachineId in ($commaSeparatedMachines)
| where RemoteUrl  == `"$suspiciousUrl`"
| summarize ConnectionsCount = count() by MachineId"

$queryUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"

$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
$response =  ($queryResponse | ConvertFrom-Json).Results
$response

Microsoft Defender for Endpoint APIs using PowerShell

Preparation instructions

Get token

See also

Feedback

Feedback

Yderligere ressourcer