Retrieving Windows Defender ATP query API data with PowerShell

I am currently working on some automation around Windows Defender, so I started to look at the Windows Defender Advanced Threat Protection query API.

Note that this API is still in preview. I wrote two functions for this.

Connect-WindowsATP is used to get an access token. Note that you will first need to register an application in Azure Active Directory and grant it access to the Windows Defender ATP API; the resulting Application ID has to be included at the top of the script.

Get-WinATPData uses the access token to retrieve the data from the API.

You will also need the AzureAD PowerShell module installed. The script checks for its presence.
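The two steps above (get a token, then call the API with it) can also be done without the AzureAD module by using the OAuth2 client-credentials flow directly. The example below is added here and is not the post's Connect-WindowsATP / Get-WinATPData; it assumes the v1 token endpoint at login.microsoftonline.com with the resource https://api.securitycenter.windows.com, the advanced hunting endpoint /api/advancedqueries/run, and placeholder tenant, application ID and secret. The function names Connect-WdatpExample and Get-WdatpQueryExample are made up for this example, and the query string is illustrative only (table and column names depend on the schema version exposed by the API).

```powershell
# Added example: token acquisition and an advanced hunting query against the
# Windows Defender ATP API using the client-credentials flow.
# Assumptions (placeholders): TenantId, AppId and the secret below are not real;
# the secret is read from an environment variable so it never sits in the script.
param(
    [string]$TenantId  = 'contoso.onmicrosoft.com',                # placeholder
    [string]$AppId     = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$AppSecret = $env:WDATP_APP_SECRET                     # assumed env var
)

$script:WdatpResource = 'https://api.securitycenter.windows.com'  # assumed API resource
$script:WdatpToken    = $null

function Connect-WdatpExample {
    # Request an access token for the WDATP API resource (v1 endpoint, client credentials).
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$AppSecret
    )
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $AppSecret
        resource      = $script:WdatpResource
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'

    # Keep the expiry alongside the token so callers can refresh before it lapses
    # (the v1 endpoint returns expires_on as a Unix timestamp).
    $script:WdatpToken = [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresOn   = [DateTimeOffset]::FromUnixTimeSeconds([long]$resp.expires_on).UtcDateTime
    }
    return $script:WdatpToken
}

function Get-WdatpQueryExample {
    # Run an advanced hunting query and return the result rows.
    param([Parameter(Mandatory)][string]$Query)

    $now = (Get-Date).ToUniversalTime()
    if (-not $script:WdatpToken -or $script:WdatpToken.ExpiresOn -le $now.AddMinutes(1)) {
        throw 'No valid access token; call Connect-WdatpExample first.'
    }

    $headers = @{ Authorization = "Bearer $($script:WdatpToken.AccessToken)" }
    $payload = @{ Query = $Query } | ConvertTo-Json
    try {
        $result = Invoke-RestMethod -Method Post `
            -Uri "$($script:WdatpResource)/api/advancedqueries/run" `
            -Headers $headers -Body $payload -ContentType 'application/json'
    }
    catch {
        # Surface the API's JSON error body (bad query, missing permission, throttling)
        # instead of a bare web exception.
        $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "Advanced hunting request failed: $detail"
    }
    # The response carries Schema and Results; Results is the list of rows.
    return $result.Results
}

# Usage (illustrative query; adjust table/column names to the API's current schema):
if ($AppSecret) {
    Connect-WdatpExample -TenantId $TenantId -AppId $AppId -AppSecret $AppSecret | Out-Null
    Get-WdatpQueryExample -Query 'AlertEvents | take 10' | Format-Table -AutoSize
}
```

Because this is an application (not user) token, grant the registered app only the advanced hunting permission it needs on the Windows Defender ATP API, and keep the client secret in an environment variable or a credential store rather than in the script.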

Have fun querying the Windows Defender ATP query API
