Planet-9

Reputation: 37

Problem with returning only subset of machines from Microsoft Defender ATP through API call using filter

I'm trying to get a subset of machines from Microsoft Defender ATP through API calls using OData $filter queries, following Microsoft's instructions (https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples), but regardless of what I do, I'm getting the same full set of machines, which is limited to 10,000.

So, for some reason, my code below is not working as it should. What am I doing wrong? Also, how do I get more than 10,000 machines?

I removed tenantId, appId, and appSecret variables from the code below.

UPDATE: I noticed that when I check the value of the $machinesUrl2 variable in the PowerShell ISE after running the script, it shows that "$filter" is missing from the URI. The following is the output of the variable $machinesUrl2:

https://api.securitycenter.windows.com/api/machines?=healthStatus+eq+'Inactive'

What is causing "$filter" to be dropped? Is this normal behavior?

Thanks,

# App-only (client credentials) token request against the Defender ATP resource.
# $TenantId, $appId and $appSecret were removed from this post.
$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$aadToken = $authResponse.access_token

# Double-quoted string: PowerShell expands $filter as a variable here,
# which is why the UPDATE above shows "?=healthStatus+eq+'Inactive'".
$machinesUrl2 =  "https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+eq+'Inactive'"

$headers = @{ 
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $aadToken"
}

# Returns the whole (capped) machine list instead of the filtered subset.
$machinesResponse = Invoke-WebRequest -Method Get -Uri $machinesUrl2 -Headers $headers -ErrorAction Stop
$machines =  ($machinesResponse | ConvertFrom-Json).value

Upvotes: 0

Views: 1221

Answers (1)

Planet-9

Reputation: 37

I found the answer while trying to figure out why the $filter was getting dropped from the query string.

It needed to have a back-tick character (`) added in front of the "$filter".

https://api.securitycenter.windows.com/api/machines?`$filter=healthStatus+eq+'Inactive'

After adding this character to the query string, the code on this Microsoft documentation started to work.

Upvotes: 0
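The root cause of the dropped "$filter" is PowerShell string expansion: inside a double-quoted string, $filter refers to a variable named filter, which is unset in the session, so it expands to nothing. The following is an added example, not code from the question or the answer above, that shows the three ways of writing the URL side by side and wraps the request in a helper that builds the query string without relying on escaping by hand. The $top/$skip paging loop is an assumption based on the OData parameters Microsoft documents for this endpoint; check it against the current API reference before relying on it for tenants with more than 10,000 machines.

```powershell
# Added example (not part of the original post). Demonstrates why "$filter"
# vanished from the URI and how to build the query string safely.

function Show-InterpolationPitfall {
    # $filter is deliberately left unset, as it was in the question.
    $broken   = "https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+eq+'Inactive'"
    # Backtick stops expansion of just that one $ (the fix from the answer).
    $backtick = "https://api.securitycenter.windows.com/api/machines?`$filter=healthStatus+eq+'Inactive'"
    # Single quotes never expand anything; a literal ' is written as ''.
    $single   = 'https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+eq+''Inactive'''
    [pscustomobject]@{ Broken = $broken; Backtick = $backtick; SingleQuoted = $single }
}

function New-MdatpMachinesUri {
    param(
        [Parameter(Mandatory)][string]$Filter,   # OData expression, e.g. healthStatus eq 'Inactive'
        [int]$Top  = 10000,
        [int]$Skip = 0
    )
    $base = 'https://api.securitycenter.windows.com/api/machines'
    # Single-quoted fragments keep $filter/$top/$skip literal; the filter value is
    # URL-encoded so spaces and quotes cannot break the query string.
    $query = '$filter=' + [System.Uri]::EscapeDataString($Filter) +
             '&$top='   + $Top +
             '&$skip='  + $Skip
    return ('{0}?{1}' -f $base, $query)
}

function Get-MdatpMachines {
    param(
        [Parameter(Mandatory)][string]$AccessToken,   # bearer token from the client_credentials flow
        [Parameter(Mandatory)][string]$Filter,
        [int]$PageSize = 10000
    )
    $headers = @{ Accept = 'application/json'; Authorization = "Bearer $AccessToken" }
    $all  = New-Object System.Collections.Generic.List[object]
    $skip = 0
    do {
        $uri = New-MdatpMachinesUri -Filter $Filter -Top $PageSize -Skip $skip
        Write-Verbose "GET $uri"   # print the URI before sending: this is where "$filter" went missing
        $page = @((Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop).value)
        foreach ($m in $page) { $all.Add($m) }
        $skip += $PageSize
    } while ($page.Count -eq $PageSize)   # a short page means we have reached the end
    return $all
}

# Usage (token retrieval as in the question; never hardcode the client secret):
#   Show-InterpolationPitfall | Format-List
#   $inactive = Get-MdatpMachines -AccessToken $aadToken -Filter "healthStatus eq 'Inactive'" -Verbose
#   $inactive.Count
```

Two practitioner checks: Show-InterpolationPitfall makes the bug visible without any API call, because the Broken property comes back as "...machines?=healthStatus+eq+'Inactive'" while the other two keep "$filter". And running the script under Set-StrictMode -Version 2 or later turns the silent expansion of an uninitialized variable inside a string into a hard error, so the problem surfaces at the failing line instead of as an unexpectedly large result set.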
