0

I'm attempting to use this URI to find a specific machine ID so that we can then query for the most recent logged-on user. When I run this, I get an output of all the devices in Defender. I'm stuck and not sure where to go from here.

https://api.securitycenter.microsoft.com/api/machines?$filter=computerDnsName eq 'computer name goes here'

VLAZ
John418

3 Answers

0

To find the ID based on device name use this API call.

https://api.securitycenter.microsoft.com/api/machines?$filter=computerDnsName eq 'Device Name goes here'

Once you get the device name you can then do the logged on user look up using this.

https://api.securitycenter.microsoft.com/api/machines/id

John418
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 14 '22 at 21:29
0

The problem here is that the id you get for the machines from this api: https://api.securitycenter.microsoft.com/api/machines, cannot be used in the other api: https://api.securitycenter.microsoft.com/api/machines/{id}. So I think this is a valid question and I have not yet found a working solution.

In PowerShell this works:

$tenantId = '****' # Paste your directory (tenant) ID here
$clientId = '****' # Paste your application (client) ID here
$appSecret = '****' # Paste your application (client) secret here

$resourceAppIdUri = 'https://api.securitycenter.microsoft.com'
$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"
$authBody = [Ordered] @{
  resource = $resourceAppIdUri
  client_id = $clientId
  client_secret = $appSecret
  grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token

# Create the headers for the API request
$headers = @{
    "Authorization" = "Bearer $token"
    "Content-Type"  = "application/json"
}
$uri = "https://api.securitycenter.microsoft.com/api/machines?`$filter=computerDnsName eq 'name.domain.com'"
$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
$id = $response.value[0].id

And that will give you an id, say (005067aa02b68b884f2c2cf3ba2e678b8c717299), but not the id you want. There is no "machine id" returned and the "aadDeviceId" cannot be used, and it's also sometimes empty. The id listed as "Device id" in the Defender GUI is what you actually need for the second query. So this will return nothing:

$uri = "https://api.securitycenter.microsoft.com/api/machines/005067aa02b68b884f2c2cf3ba2e678b8c717299"
$response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get

If someone has a working example I would be very interested in seeing it and trying it myself. I have the same problem with this api: https://api.securitycenter.microsoft.com/api/machines/{id}/software. I don't know where to get the correct id, except copying it from the GUI. This seems like a bug in the API or I'm missing something obvious.

Jim Björklund
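
An added example, not part of any post above: it builds the `$filter` request so PowerShell cannot expand `$filter` as a variable (inside a double-quoted string, with strict mode off, an undefined `$filter` becomes an empty string and the request carries no filter, which would fit the unfiltered list described in the question; that this is the asker's cause is an assumption). The function names are hypothetical, `$headers` is the hashtable from the snippet in the answer above, and the `/api/machines/{id}/logonusers` endpoint and the `lastSeen` property come from Microsoft's API documentation rather than from this page.

```powershell
function New-MdeMachineFilterUri {
    param([Parameter(Mandatory)][string]$ComputerDnsName)
    # OData string literals escape a single quote by doubling it.
    $literal = $ComputerDnsName.Replace("'", "''")
    $expr    = "computerDnsName eq '$literal'"
    # Single-quoted prefix: '$filter' stays literal text in the query string.
    'https://api.securitycenter.microsoft.com/api/machines?$filter=' +
        [uri]::EscapeDataString($expr)
}

function Get-MdeLogonUsers {
    param(
        [Parameter(Mandatory)][string]$ComputerDnsName,
        [Parameter(Mandatory)][hashtable]$Headers
    )
    $uri      = New-MdeMachineFilterUri -ComputerDnsName $ComputerDnsName
    $response = Invoke-RestMethod -Uri $uri -Headers $Headers -Method Get
    $machines = @($response.value | Where-Object { $_ })

    if ($machines.Count -eq 0) {
        throw "No machine matches computerDnsName '$ComputerDnsName'."
    }
    if ($machines.Count -gt 1) {
        # Re-onboarded hosts can appear more than once; use the newest record.
        $machines = @($machines | Sort-Object { [datetime]$_.lastSeen } -Descending)
    }

    $id       = $machines[0].id
    $usersUri = "https://api.securitycenter.microsoft.com/api/machines/$id/logonusers"
    (Invoke-RestMethod -Uri $usersUri -Headers $Headers -Method Get).value
}

# Offline comparison with a constructed host name: print both URIs and compare
# the query key. The first string lets PowerShell expand $filter; the second
# keeps it literal and URL-encodes the expression.
$name  = 'host01.contoso.example'
$wrong = "https://api.securitycenter.microsoft.com/api/machines?$filter=computerDnsName eq '$name'"
$right = New-MdeMachineFilterUri -ComputerDnsName $name
$wrong
$right

# With a valid token in $headers (see the answer's snippet):
# Get-MdeLogonUsers -ComputerDnsName $name -Headers $headers
```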