alexverboon / psmdatp Goto Github PK

Add a function to set the device value
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/set-device-value?view=o365-worldwide

I have written an update to Add-MDATPIndicator to take into account the new API for passing a $True or $False to the generate alert flag. I have started to use the false setting for Informational level alerts. Let me know how you would like the code changes.

Hi,

How about I help with encryption of the conf json file ?

Possible options are ConvertTo-SecureString for the entire file, but then only the user that encrypted it can read it

or

Some sort of obfuscation to avoid plain text passwords.

Momchil

Describe the bug
When I used "Get-MDATPDevice " with "-DeviceName" parameter, but can't get the json format information. Only have the following information.

PS C:\> Get-MDATPDevice -DeviceName _hostname_
VERBOSE: GET https://api.securitycenter.windows.com/api/machines?$filter=ComputerDNSName eq '_hostname_' with 0-byte payload
VERBOSE: received 93-byte response of content type application/json; odata.metadata=minimal

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Go to Powershell
2. type "remove-MDATPDevice -DeviceName "Server of Choice"
3. See error

Expected behavior
Successfully remove "offboard" the server with a success message

Screenshots

Error is : Request to failed with HTTP Status BadRequest Bad Request
Write-Error, WriteErrorException

See Screenshot.

Get-MDATPAlert -Severity High
VERBOSE: GET with 0-byte payload
Get-MDATPAlert : Error retrieving MDATP alert data [The remote server returned an error: (403) Forbidden.]
At line:1 char:1

• Get-MDATPAlert -Severity High

•   + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-MDATPAlert
  

When running
Get-MDATPDevice -all it only retrieves 10.000 devices

It seems to be caused by the max page size being 10.000 as described in
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines?view=o365-worldwide

would be awesome if support for value tagging could be added to this module.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags?view=o365-worldwide

API call is documented here:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/set-device-value?view=o365-worldwide

Describe the bug
Using the Start-MDATPIsolation command with a specified DeviceID errors out when tryign to get a device name. This occurs with or without the -whatif switch.

MetadataError: C:\Users\(install location)\Documents\WindowsPowerShell\Modules\PSMDATP\1.0.0\PSMDATP.psm1:3225
Line |
3225 |          $DeviceName = $DeviceName.ToLower()
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The variable cannot be validated because the value  is not a valid value for the DeviceName variable.

VERBOSE: GET https://api.securitycenter.windows.com/api/machines with 0-byte payload
VERBOSE: received 4711333-byte response of content type application/json
VERBOSE: Content encoding: utf-8
What if: Performing the operation "Start Isolation: Full" on target "".

To Reprodce
Run a command like the below(occurs when not using -whatif switch):
Start-MDATPIsolation -DeviceID $ID -IsolationType Full -WhatIf

Desktop (please complete the following information):

• OS: Windows 10
• PSVersion 7.1.1

Additional context
Using version 1.0.0