alexverboon / psmdatp Goto Github PK

I have written an update to Add-MDATPIndicator to take into account the new API for passing a $True or $False to the generate alert flag. I have started to use the false setting for Informational level alerts. Let me know how you would like the code changes.

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. Go to Powershell
2. type "remove-MDATPDevice -DeviceName "Server of Choice"
3. See error

Expected behavior
Successfully remove "offboard" the server with a success message

Screenshots

Error is : Request to failed with HTTP Status BadRequest Bad Request
Write-Error, WriteErrorException

See Screenshot.

Describe the bug
When I used "Get-MDATPDevice " with "-DeviceName" parameter, but can't get the json format information. Only have the following information.

PS C:\> Get-MDATPDevice -DeviceName _hostname_
VERBOSE: GET https://api.securitycenter.windows.com/api/machines?$filter=ComputerDNSName eq '_hostname_' with 0-byte payload
VERBOSE: received 93-byte response of content type application/json; odata.metadata=minimal

would be awesome if support for value tagging could be added to this module.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags?view=o365-worldwide

API call is documented here:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/set-device-value?view=o365-worldwide

Get-MDATPAlert -Severity High
VERBOSE: GET with 0-byte payload
Get-MDATPAlert : Error retrieving MDATP alert data [The remote server returned an error: (403) Forbidden.]
At line:1 char:1

• Get-MDATPAlert -Severity High

•   + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-MDATPAlert
  

Describe the bug
Using the Start-MDATPIsolation command with a specified DeviceID errors out when tryign to get a device name. This occurs with or without the -whatif switch.

MetadataError: C:\Users\(install location)\Documents\WindowsPowerShell\Modules\PSMDATP\1.0.0\PSMDATP.psm1:3225
Line |
3225 |          $DeviceName = $DeviceName.ToLower()
     |          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | The variable cannot be validated because the value  is not a valid value for the DeviceName variable.

VERBOSE: GET https://api.securitycenter.windows.com/api/machines with 0-byte payload
VERBOSE: received 4711333-byte response of content type application/json
VERBOSE: Content encoding: utf-8
What if: Performing the operation "Start Isolation: Full" on target "".

To Reprodce
Run a command like the below(occurs when not using -whatif switch):
Start-MDATPIsolation -DeviceID $ID -IsolationType Full -WhatIf

Desktop (please complete the following information):

• OS: Windows 10
• PSVersion 7.1.1

Additional context
Using version 1.0.0

When running
Get-MDATPDevice -all it only retrieves 10.000 devices

It seems to be caused by the max page size being 10.000 as described in
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-machines?view=o365-worldwide

Hi,

How about I help with encryption of the conf json file ?

Possible options are ConvertTo-SecureString for the entire file, but then only the user that encrypted it can read it

or

Some sort of obfuscation to avoid plain text passwords.

Momchil

Add a function to set the device value
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/set-device-value?view=o365-worldwide