I am currently working on some automation around Windows Defender, so started to look at the Windows Defender Advanced Threat Protection query API.

Note that this API is still in preview. I wrote two functions for this.

Connect-WindowsATP is used to get an access token. Note that you will first need to register an application for the API in Azure Active Directory so that you get an Application ID, which you have to include at the top of the script.

Get-WinATPData uses the access token to retrieve the data from the API.

You will also need the AzureAD PowerShell module installed. The script checks for its presence.

Have fun querying the Windows Defender ATP query API.
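The two steps described above (get a token, then query the API) as an added example; this is not the author's script and, instead of the AzureAD module, it uses the plain OAuth2 client-credentials flow via Invoke-RestMethod. It assumes an Azure AD app registration with the AdvancedQuery.Read.All application permission, the documented token and advanced-hunting endpoints, the preview-era table and column names in the hunting query, and placeholder tenant, application and secret values you must replace.

```powershell
# Added example (not the author's script): acquire a token for the Windows Defender ATP
# API with the OAuth2 client-credentials flow, then run an advanced-hunting query.
# Assumes an Azure AD app registration granted AdvancedQuery.Read.All (admin-consented).
# The three values below are placeholders and must be replaced.
$TenantId     = '<your-tenant-id>'
$ClientId     = '<your-application-id>'
$ClientSecret = '<your-client-secret>'

function Get-WinATPToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)

    # Request a token scoped to the WDATP API resource (form-encoded POST)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://api.securitycenter.windows.com'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
        -Body $body -ContentType 'application/x-www-form-urlencoded'
    return $resp.access_token
}

function Invoke-WinATPHunt {
    param([string]$Token, [string]$Query)

    # Bearer token goes in the Authorization header; the KQL query is the JSON body
    $headers = @{
        Authorization  = "Bearer $Token"
        'Content-Type' = 'application/json'
    }
    $payload = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post `
        -Uri 'https://api.securitycenter.windows.com/api/advancedqueries/run' `
        -Headers $headers -Body $payload
    return $resp.Results
}

# Constructed detection query (preview-era schema names): hosts running encoded PowerShell in the last day
$kql = @'
ProcessCreationEvents
| where EventTime > ago(1d)
| where FileName =~ "powershell.exe" and ProcessCommandLine has "-enc"
| summarize Count = count() by ComputerName
| top 20 by Count
'@

$token   = Get-WinATPToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $ClientSecret
$results = Invoke-WinATPHunt -Token $token -Query $kql
$results | Format-Table -AutoSize
```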

  1. Thanks for writing this, Alex. Do you have an updated one? I don’t think the AzureAD module is still a thing – so it fails to run and fails to download those modules.

