Microsoft Defender for Endpoint APIs using PowerShell

Applies to:


Advanced hunting capabilities are not included in Defender for Business. See Compare Microsoft Defender for Business to Microsoft Defender for Endpoint Plans 1 and 2.

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:


Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Full scenario using multiple APIs from Microsoft Defender for Endpoint.

In this section, we share PowerShell samples to

  • Retrieve a token
  • Use token to retrieve the latest alerts in Microsoft Defender for Endpoint
  • For each alert, if the alert has medium or high priority and is still in progress, check how many times the device has connected to suspicious URL.

Prerequisite: You first need to create an app.

Preparation instructions

  • Open a PowerShell window.
  • If your policy does not allow you to run the PowerShell commands, you can run the below command:
    Set-ExecutionPolicy -ExecutionPolicy Bypass

For more information, see PowerShell documentation

Get token

Run the below:

  • $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)

  • $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Defender for Endpoint)

  • $appSecret: Secret of your Azure AD app

  • $suspiciousUrl: The URL

$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$suspiciousUrl = '' # Paste your own URL here

$resourceAppIdUri = ''
$oAuthUri = "$TenantId/oauth2/token"
$authBody = [Ordered] @{
    resource = "$resourceAppIdUri"
    client_id = "$appId"
    client_secret = "$appSecret"
    grant_type = 'client_credentials'
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$aadToken = $authResponse.access_token

#Get latest alert
$alertUrl = "`$top=10"
$headers = @{ 
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $aadToken" 
$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
$alerts =  ($alertResponse | ConvertFrom-Json).value

$machinesToInvestigate = New-Object System.Collections.ArrayList

Foreach($alert in $alerts)
    #echo $ $alert.machineId    $alert.severity $alert.status

    $isSevereAlert = $alert.severity -in 'Medium', 'High'
    $isOpenAlert = $alert.status -in 'InProgress', 'New'
    if($isOpenAlert -and $isSevereAlert)
        if (-not $machinesToInvestigate.Contains($alert.machineId))
            $machinesToInvestigate.Add($alert.machineId) > $null

$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')

$query = "NetworkCommunicationEvents
| where MachineId in ($commaSeparatedMachines)
| where RemoteUrl  == `"$suspiciousUrl`"
| summarize ConnectionsCount = count() by MachineId"

$queryUrl = ""

$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
$response =  ($queryResponse | ConvertFrom-Json).Results

See also