# This is a locally sourced Imports file for local development.
# It can be imported by the psm1 in local development to add script level variables.
# It will merged in the build process. This is for local development only.

# region script variables
# $script:resourcePath = "$PSScriptRoot\Resources"

function Add-MDATPDeviceTag{
    Add-MDATPDeviceTag adds the specified Tag to the MDATP device
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    The value of the tag to be added
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
        Add-MDATPDeviceTag -DeviceName computer02 -Tag 'Testing' -verbose
        This command adds the tag 'testing' to the device 'computer02'
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 16.03.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Tag to be added to the device

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path "$PoshMTPconfigFilePath" -PathType Leaf ){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = "$ClientID"
            client_secret = "$ClientSecret"
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # MDATP API URI
        $MDATP_API_URI = ""

        # change the devicename to lowercase
        $DeviceName = $DeviceName.ToLower()

        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            if ($pscmdlet.ShouldProcess("$DeviceName", "Adding tag: $Tag")){
                    # Tag machine
                    $AddTag = @{"Value" = "$Tag"; "Action"= "Add"} | ConvertTo-Json
                    $Taguri = "$MachineAPI/$MDATPDeviceID/tags"
                    $response  =Invoke-WebRequest -Uri $Taguri -Headers $Headers -Method Post -Body $AddTag
                    # end tag machine
                    If ($response.StatusCode -eq 200){
                        Write-Verbose "Tag: $Tag was successfully added to device $DeviceName"
                        Write-Warning "Adding tag $Tag to device $DeviceName failed!"
                        Write-Error "StatusCode: $($response.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Added tag: $Tag"
        Write-Verbose "StatusCode: $($response.statuscode)"
        Write-Verbose "StatusDescription: $($response.StatusDescription)"

function Add-MDATPIndicator{
    Add-MDATPIndicator Submits or Updates new Indicator entity.
    .PARAMETER IndicatorValue
    Identity of the Indicator entity. Required
    .PARAMETER IndicatorType
    Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". Required
    .PARAMETER Action
    The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". Required
    .PARAMETER Application
    The application associated with the indicator. Optional
    .PARAMETER Title
    Indicator alert title. Required
    .PARAMETER Description
    Description of the indicator. Required
    .PARAMETER expirationTime
    The expiration time of the indicator. Optional
    .PARAMETER Severity
    The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". Optional
    .PARAMETER recommendedActions
    TI indicator alert recommended actions. Optional
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Add-MDATPIndicator -IndicatorValue "" -IndicatorType Url -Action Alert -Title "Sample URL detected" -Description "Access to the website detected" -severity High
    This command adds the URL indicator for
    Add-MDATPIndicator -IndicatorType DomainName -Action Alert -Title "somedomain domain detected" -Description "somedomain domain detected from custom indicator" -severity Informational
    This command ads the domain indicator for
    Add-MDATPIndicator -IndicatorValue "A4B52BBC94F10572296D3F8F4E25B39A1837D00F3036955C3761A9E7B2207A58" -IndicatorType FileSha256 -Action Alert -Title "Dummy File" -severity Informational -Description "dummy file detected"
    This command creates FileSha256 indicator
    Add-MDATPIndicator -IndicatorType IpAddress -IndicatorValue -Action Alert -Title "IP Address indicator" -Description "access detected" -severity Medium
    This command adds an IP indicator
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 05.05.2020
    Purpose/Change: Initial script development


        # The value of the indicator

        # The type of the indicator

        # The Action taken

        # associated application

        # Alert Title

        # Alert Description

        # Alert expirationTime

        # Alert Severity

        # Alert recommendedActions

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path "$PoshMTPconfigFilePath" -PathType Leaf ){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = "$ClientID"
            client_secret = "$ClientSecret"
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        $indicatorsuri = ""

        $AddIndicator = @{
            "indicatorValue"     = "$IndicatorValue";
            "indicatorType"      = "$IndicatorType";
            "action"             = "$Action";
            "application"        = "$Application";
            "title"              = "$Title";
            "description"        = "$Description";
            "expirationTime"     = "$expirationTime";
            "severity"           = "$severity";
            "recommendedActions" = "$recommendedActions"

        If ([string]::IsNullOrEmpty($application)){

        If ([string]::IsNullOrEmpty($recommendedActions)){

        If ([string]::IsNullOrEmpty($expirationTime)){

        $AddIndicator = $AddIndicator | ConvertTo-Json
        Write-Verbose "Request body: $AddIndicator"

        if ($pscmdlet.ShouldProcess("$IndicatorValue", "Adding Indicator: $IndicatorType")){
                $response = Invoke-WebRequest -Uri $indicatorsuri -Headers $Headers -Method Post -Body $AddIndicator
                If ($response.StatusCode -eq 200){
                    Write-Verbose "Indicator: $IndicatorType - $IndicatorValue was successfully added "
                    Write-Warning "Adding Indicator: $IndicatorType - $IndicatorValue failed "
                    Write-Error "StatusCode: $($response.StatusCode)"
                $ex = $_.Exception
                $errorResponse = $ex.Response.GetResponseStream()
                $reader = New-Object System.IO.StreamReader($errorResponse)
                $reader.BaseStream.Position = 0
                $responseBody = $reader.ReadToEnd();
                Write-Verbose "Response content:`n$responseBody"
                Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        Write-Verbose "IndicatorType: $IndicatorType"
        Write-Verbose "IndicatorValue: $IndicatorValue"
        Write-Verbose "Severity; $Severity"
        Write-Verbose "StatusCode: $($response.statuscode)"
        Write-Verbose "StatusDescription: $($response.StatusDescription)"

function Get-MDATPAlert{
    Get-MDATPAlert retrieves Microsoft Defender Advanced Threat Protection alerts exposed through the Microsoft Defender Advanced Threat Protection Alerts Rest API.
    .PARAMETER Severity
    Provides an option to filter the output by Severity. Low, Medium, High.
    .PARAMETER PastHours
    Provides an option to filter the results by past hours when the alert was created.
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    This command retrieves all alerts
    Get-MDATPAlert -PastHours 168 -Severity Informational
    This command retrieves all alerts from the past 7 days with severity level Informational
    Version: 1.1
    Author: Alex Verboon
    Creation Date: 10.04.2020
    Purpose/Change: update config.json

        # Alert Severity level
        [ValidateSet('High', 'Medium', 'Low','Informational')]

        # Show alerts from past n hours
        [ValidateSet('12', '24', '48','72','168','720')]

        # API Configuration file

        # Begin Get API Information

        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"

        # End Get API Information

        #WDATP Alerts - Europe
        $uri = ""
        Other regions
        For EU:
        For US:
        For UK:

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = "$ClientID"
            client_secret = "$ClientSecret"
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $Headers = @{ Authorization = "Bearer $($Response.access_token)"}

        # Define the time range
        If ($null -eq $PastHours){
            $PastHours = 24
            $dateTime = (Get-Date).ToUniversalTime().AddHours(-$PastHours).ToString("o")
            $body = @{sinceTimeUtc = $dateTime}

        # Retrieve MDATP alert data
            $output = @(Invoke-RestMethod -Uri $uri -Headers $Headers -Body $Body -Method Get -Verbose -ContentType application/json)
            $errorMessage = $_.Exception.Message
            Write-Error "Error retrieving MDATP alert data [$errorMessage]"

        # Handle the output
        If ([string]::IsNullOrEmpty($Severity)){
            $output | Where-Object {$_.Severity -eq "$Severity"}

function Get-MDATPCollectionPackageUri{
    Get-MDATPCollectionPackageUri retrieves the Investigation Collection Package download URI and optionally download the package
    Use the Get-MDATPDeviceActions cmdlet to retrieve the ActionID of the investigation package collection request.
    The Action ID of the investigation package collection request.
    .PARAMETER Download
    Downloads the investigation pacakge ZIP file into the users Downloads folder
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    $lastcollectionrequestid = Get-MDATPDeviceActions -DeviceName testclient6 -ActionType CollectInvestigationPackage | Select-Object -First 1
    Get-MDATPCollectionPackageUri -ActionID $
    This comand first retrieves the last collection package request ID and then retrieves the download URI
    $lastcollectionrequestid = Get-MDATPDeviceActions -DeviceName testclient6 -ActionType CollectInvestigationPackage | Select-Object -First 1
    Get-MDATPCollectionPackageUri -ActionID $ -Download
    This comand first retrieves the last collection package request ID and stores the investigation package into the users download folder
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 12.04.2020
    Purpose/Change: Initial script development

        # ActionID

        # API Configuration

        # Download switch

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri       = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID       = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret   = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"

        # MDATP API URI
        $MDATP_API_URI = ""

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # Define the request URI
        $MachineActionAPI = "$MDATP_API_URI/machineactions"
        $getPackageUri = "getPackageUri"
        $RequestURI = "$MachineActionAPI/$ActionID/$getPackageUri"
        Write-Verbose "Request URI: $($RequestURI)"

        # Let's get the Investigation Collection Package download URL
            $URIresponse = @(Invoke-RestMethod -Uri "$RequestURI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
            $ex = $_.Exception
            $errorResponse = $ex.Response.GetResponseStream()
            $reader = New-Object System.IO.StreamReader($errorResponse)
            $reader.BaseStream.Position = 0
            $responseBody = $reader.ReadToEnd();
            Write-Verbose "Response content:`n$responseBody"
            Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"

            $fileuri = $URIresponse.value
            $OutPutFile = "$ENV:USERPROFILE\Downloads\MDATP_InvestigationPackage_$($ActionID).zip"
                Invoke-WebRequest -UseBasicParsing -Uri $fileuri -OutFile "$OutPutFile"
                Write-Error "Investigation Package download failed"

function Get-MDATPDevice{
    Get-MDATPDevice retrieves MDATP device information
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    Lists machine actions for all managed devices
    .PARAMETER HealthStatus
    Filters the results by device heatlh.
    .PARAMETER RiskScore
    Filters the results by device risk score
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Get-MDATPDevice -all
    This command retrieves all MDATP devices
    Get-MDATPDevice -All -HealthStatus Inactive
    This command lists all inactive devices
    Get-MDATPDevice -All -RiskScore Medium
    This command lists all devices with a medium risk score
    Get-MDATPDevice -DeviceName Computer01
    This command retrieves device information for Computer01
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 14.04.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Switch to retrieve actions from all devices

        # The HealthStatus of the device

        # The device Risk Score

        # API Configuration

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings  = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri        = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID        = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret    = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"

        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        $DeviceUri = ""

            $HealthFilter = "healthStatus eq '$Healthstatus'"

            $RiskFilter = "riskscore eq '$RiskScore'"

        If ($HealthFilter -and $RiskFilter){
            $DeviceUri = $DeviceUri + "?`$filter=" + $HealthFilter + " and " + $RiskFilter
            $DeviceUri = $DeviceUri + "?`$filter=" + $HealthFilter
        ElseIf ($RiskFilter){
            $DeviceUri = $DeviceUri + "?`$filter="+$RiskFilter

        If ($PSBoundParameters.ContainsKey("DeviceName")){
            $DeviceUri = $DeviceUri +  "?`$filter=" + "ComputerDNSName eq '$DeviceName'"

        If ($PSBoundParameters.ContainsKey("DeviceID")){
            $DeviceUri = $DeviceUri +  "?`$filter=" + "id eq '$DeviceID'"

        Write-Verbose "API Request: $DeviceUri"
            $DeviceList = @(Invoke-RestMethod -Uri "$DeviceUri" -Headers $Headers -Method Get -Verbose -ContentType application/json)
            $errorMessage = $_.Exception.Message
            Write-Error "Error retrieving MDATP device data [$errorMessage]"

function Get-MDATPDeviceAction{
    Get-MDATPDeviceAction retrieves machine MDATP actions
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    Lists machine actions for all managed devices
    .PARAMETER Action Type
    Filters the results by the specified Action type. Possible values are: RunAntiVirusScan, Offboard,UnrestrictCodeExecution,RestrictCodeExecution,Unisolate,Isolate,CollectInvestigationPackage,RequestSample,StopAndQuarantineFile
    The machine action id
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
        Get-MDATPDeviceAction -DeviceName computer02
        This command retrieves the actions for device 'computer02'
        Get-MDATPDeviceAction -DeviceID 70077ccc272ab3baeb991c09442c5657d22bfc5c
        This command retrieves the actions for the device with the specified device id
        Get-MDATPDeviceAction -ActionType CollectInvestigationPackage
        This command retreives all machine actions with the specified action type
        Get-MDATPDeviceAction -All
        This command retrieves machine actions for all devices
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 12.04.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Switch to retrieve actions from all devices

        # MDATP Action id

        # Action Type

        # API Configuration

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"

        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"

        If ($DeviceName){
            $Machines = @()
            $DeviceName = $DeviceName.ToLower()
            $MachineAPI = "" + "?`$filter=" + "ComputerDNSName eq '$DeviceName'"
            $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json) | Select-Object -ExpandProperty Value
            $ActionDevice = @($Machines)

            If($ActionDevice.count -gt 1){
                Write-Error "There are multiple device records with this computername, please specify the MDATP device id"
                $ActionDevice | Select-Object computerDnsName, id
            Elseif($ActionDevice.count -eq 0){
                Write-Error "No device records found that match DeviceName $DeviceName"
            Elseif ($ActionDevice.count -eq 1){
                Write-Verbose "$($ActionDevice.CompueterDnsName) found with id $($"
                $DeviceID = $
                Write-Error "Something went wrong"

            $MachineAPI = "$DeviceID"
            $Machine = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
            If($Machine.Count -eq 1){
                $DeviceName = $Machine.ComputerDnsName
                Write-Error "No device records found that match DeviceID $DeviceID"

        # Get Machine Actions data
        $MachineActionsUri= ""
            $MachineActionsUri= ""
                $MachineActionsUri = $MachineActionsUri + "?`$filter="
                $MachineActionsUri = $MachineActionsUri + "machineId+eq+'$DeviceID'"

                    $MachineActionsUri = $MachineActionsUri + "and type+eq+'$ActionType'"
                    $MachineActionsUri = $MachineActionsUri + "?`$filter="
                    $MachineActionsUri = $MachineActionsUri + "type+eq+'$ActionType'"
            # Search by action ID
                $MachineActionsUri = $MachineActionsUri + "$id"

        # Retrieve MDATP machine actions data
            $output = @(Invoke-RestMethod -Uri $MachineActionsUri -Headers $Headers -Method Get -Verbose -ContentType application/json)
            $errorMessage = $_.Exception.Message
            Write-Error "Error retrieving MDATP machine actions data [$errorMessage]"

        # Handle the output

function Get-MDATPDeviceTag{
    Get-MDATPDeviceTag retrieves tags assigned on the specified device
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
        Get-MDATPDeviceTag -DeviceName computer02
        This command reads all the tags assigned to the device 'computer02'
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 16.03.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Switch to retrieve tags from all devices

        # API Configuration

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"

        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        $MDATP_API_URI = ""
        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)

        If ($DeviceName){
            # change the devicename to lowercase
            $DeviceName = $DeviceName.ToLower()
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})
            $ActionDevice = @($machines.value)

        If($ActionDevice.Count -gt 0 -and $All -eq $true){
            $Result = ForEach($device in $ActionDevice){
                    DeviceName  = $device.ComputerDnsName
                    id          = $
                    machineTags = $device.machineTags
        ElseIf($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $Result = [PSCustomObject]@{
                DeviceName  = $ActionDevice.ComputerDnsName
                id          = $
                machineTags = $ActionDevice.machineTags

function Get-MDATPIndicator{
    Get-MDATPIndicator retrieves Microsoft Defender Advanced Threat Protection custom indicators exposed
    through the Microsoft Defender Advanced Threat Protection indicators Rest API.
    .PARAMETER IndicatorType
    Filters the indicator by the specified IndicatorType. Possible values are: DomainName, Url, FileSha256,IpAddress,WebCategory
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    This command retrieves all TI indicators
    Get-MDATPIndicator -IndicatorType DomainName
    This command retrieves all DomainName TI indicators
        $indicators = Get-MDATPIndicator -MTPConfigFile "C:\Dev\Private\MSSecurityPowerShell\Config\PoshMTPconfigBaseVISION.json"
        $indicators | Where-Object {$_.Source -like "WindowsDefenderATPThreatIntelAPI"}
        This sample shows how to filter results by TI source
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 20.03.2020
    Purpose/Change: Initial script development

        # Indicator type

        # MDATP configfile

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
            $indicatorsuri = ""
            $indicators = @(Invoke-RestMethod -Uri $indicatorsuri -Headers $Headers -Body $Body -Method Get -Verbose -ContentType application/json)

            $errorMessage = $_.Exception.Message
            Write-Error "Error retrieving MDATP TI indicators data [$errorMessage]"

        If ($IndicatorType){
            $indicators.value | Where-Object {$_.IndicatorType -eq "$IndicatorType"}

function Get-MDATPInvestigation{
    Get-MDATPInvestigation retrieves Microsoft Defender ATP automated investigation information
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    The investigation id
    .PARAMETER State
    The current state of the investigation. Possible values are:
    Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    This command retrieves all investigations
    Get-MDATPInvestigation -DeviceName Computer01
    This command retrieves all investigations for Computer01
    Get-MDATPInvestigation -DeviceID 70077ccc272ab3baeb991c09442c5657d22bfc5c
    This command retrieves all investigations for the device with the specified
    device id.
    Get-MDATPInvestigation -State Running
    This command retireves all investigations with the state Running
    Get-MDATPInvestigation -Id 12
    This command retrieves investigation details for the investigation with id 12
    Get-MDATPInvestigation -DeviceName computer01 -State SuccessfullyRemediated
    This command retrieves all SuccessfullyRemediated investigations for device computer01
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 12.04.2020
    Purpose/Change: Initial script development

        # Switch to list all devices

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # MDATP investigation id

        # Investigation state
        [ValidateSet(  'Unknown','Terminated','SuccessfullyRemediated','Benign','Failed','PartiallyRemediated','Running','PendingApproval','PendingResource','PartiallyInvestigated','TerminatedByUser','TerminatedBySystem','Queued','InnerFailure','PreexistingAlert','UnsupportedOs','UnsupportedAlertType','SuppressedAlert')]

        # API Configuration file

        # Begin Get API access configuration
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings  = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri        = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID        = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret    = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"

        If ($DeviceName){
            $MachineAPI = ""
            $DeviceName = $DeviceName.ToLower()
            $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
            $ActionDevice = @($machines.value | Select-Object -Property *  | Where-Object {$_.computerDnsName -like "$DeviceName"})

            If($ActionDevice.count -gt 1){
                Write-Error "There are multiple device records with this computername, please specify the MDATP device id"
                $ActionDevice | Select-Object computerDnsName, id
            Elseif($ActionDevice.count -eq 0){
                Write-Error "No device records found that match DeviceName $DeviceName"
            Elseif ($ActionDevice.count -eq 1){
                Write-Verbose "$($ActionDevice.CompueterDnsName) found with id $($"
                $DeviceID = $

            $MachineAPI = "$DeviceID"
            $Machine = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
            If($Machine.Count -eq 1){
                $DeviceName = $Machine.ComputerDnsName
                Write-Error "No device records found that match DeviceID $DeviceID"

        # Get Investigation data
        $InvestigationUri= ""
            $InvestigationUri= ""
                $InvestigationUri = $InvestigationUri + "?`$filter="
                $InvestigationUri = $InvestigationUri + "machineId+eq+'$DeviceID'"

                    $InvestigationUri = $InvestigationUri + "and state+eq+'$State'"
                    $InvestigationUri = $InvestigationUri + "?`$filter="
                    $InvestigationUri = $InvestigationUri + "state+eq+'$State'"

            # Search by Investigation ID
                $InvestigationUri = $InvestigationUri + "$id"
        # Retrieve MDATP Investigations data
            $output = @(Invoke-RestMethod -Uri $InvestigationUri -Headers $Headers -Method Get -Verbose -ContentType application/json)
            $errorMessage = $_.Exception.Message
            Write-Error "Error retrieving MDATP inestigation data [$errorMessage]"

        # Handle the output

function Get-MDATPQuery{
    Get-MDATPQuery executes MDATP advanced hunting queries through the
    Microsoft Defender Advanced Threat Protection Alerts Rest API.
    1. You can only run a query on data from the last 30 days.
    2. The results will include a maximum of 100,000 rows.
    3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day.
    4. The maximal execution time of a single request is 10 minutes.
    .PARAMETER Schema
    The Schema to use for the query
    .PARAMETER DeviceName
    Computername of the device.If no DeviceName is provided all devices are querried
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Get-MDATPQuery -Schema DeviceLogonEvents -DeviceName TestClient4
    The above query retrieves all logon events for the specified device
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 17.02.2020
    Purpose/Change: Initial script development

        # The MDATP Schema to search for

        # Computername of the MDATP managed device

        # The Time Range
        [ValidateSet('1h', '12h', '1d','7d','30d')]

        # API Configuration

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri       = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID       = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret   = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        #WDATP API
        $uri = ""
        # Define devices to include in query
        if ($DeviceName){
            $DeviceName = $DeviceName.ToLower()
            $ExecQuery = "$Schema | where DeviceName == '$DeviceName'"
            $ExecQuery = "$Schema"
        $DeviceTarget = if([string]::IsNullOrEmpty($DeviceName)) {"All Devices"}Else {"$DeviceName"}

        If ($TimeRange){
            $ExecQuery = $ExecQuery + "|where Timestamp > ago($($TimeRange))"

            $body = ConvertTo-Json -InputObject @{ 'Query' = $ExecQuery}
            $webResponse = @(Invoke-WebRequest -Method Post -Uri $uri -Headers $headers -Body $body)
            $response =  $webResponse | ConvertFrom-Json
            $results = $response.Results
            $errorMessage = $_.Exception.Message
            Write-Error "Error running advanced hunting query [$errorMessage]"
        Write-Verbose "Schema: $Schema"
        Write-Verbose "Device: $DeviceTarget"
        Write-Verbose "Query: $ExecQuery"
        Write-Verbose "Retrieved $($results.count) records"

function Remove-MDATPDevice{
    Remove-MDATPDevice offboards a device from MDATP and adds a tag 'Offboarded' to the device.
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER OffboardReason
    Comment to be added to the offboard action, when no value is specified a default comment 'Offobard machine by automation' is added
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Remove-MDATPDevice -DeviceName Computer02
    This command offboards device Computer02 from MDATP
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 14.03.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Offboard reason
        [String]$OffboardReason = "Offobard machine by automation",

        # API Configuration

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings   = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri         = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID         = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret     = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # MDATP API URI
        $MDATP_API_URI = ""
        $OffboardingStatus = $false

        # change the devicename to lowercase
        $DeviceName = $DeviceName.ToLower()

        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            # set offboarding comment
            $OffboardReasonInput = @{"Comment" = "$OffboardReason"} | ConvertTo-Json
            if ($pscmdlet.ShouldProcess("$DeviceName", "offobarding device from MDATP")){
                $Offboarduri = "$MachineAPI/$MDATPDeviceID/offboard"
                    $OffboardAction  =Invoke-WebRequest -Uri $Offboarduri -Headers $Headers -Method Post -Body $OffboardReasonInput
                    If ($OffboardAction.StatusCode -eq 201){
                        Write-Verbose "Offboarding device $DeviceName completed successfully"
                        # Tag machine
                        $offboardTag = @{"Value" = "Offboarded"; "Action"= "Add"} | ConvertTo-Json
                        $Taguri = "$MachineAPI/$MDATPDeviceID/tags"
                        Invoke-WebRequest -Uri $Taguri -Headers $Headers -Method Post -Body $offboardTag
                        $OffboardingStatus = $true
                        # end tag machine
                        Write-Warning "Offboarding device $DeviceName failed!"
                        Write-Error "StatusCode: $($OffboardAction.StatusCode)"
                        $OffboardingStatus = $false
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Reason: $OffboardReason"
        Write-Verbose "Offboardingstatus: $OffboardingStatus"
        Write-Verbose "StatusCode: $($response.statuscode)"
        Write-Verbose "StatusDescription: $($response.StatusDescription)"

function Remove-MDATPDeviceTag{
    Remove-MDATPDeviceTag removes the specified Tag to the MDATP device.
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    The value of the tag to be removed
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Remove-MDATPDeviceTag -DeviceName computer02 -Tag 'Testing' -verbose
    This command removes the tag 'testing' from device 'computer02'
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 16.03.2020
    Purpose/Change: Initial script development


        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Tag to be removed from the device

        # API Configuration file
        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings     = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri           = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID           = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret       = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # MDATP API URI
        $MDATP_API_URI = ""

        # change the devicename to lowercase
        $DeviceName = $DeviceName.ToLower()

        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            if ($pscmdlet.ShouldProcess("$DeviceName", "Remvoing tag: $Tag")){
                    # Tag machine
                    $AddTag = @{"Value" = "$Tag"; "Action"= "Remove"} | ConvertTo-Json
                    $Taguri = "$MachineAPI/$MDATPDeviceID/tags"
                    $response  =Invoke-WebRequest -Uri $Taguri -Headers $Headers -Method Post -Body $AddTag
                    # end tag machine
                    If ($response.StatusCode -eq 200){
                        Write-Verbose "Tag: $Tag was successfully removed from device $DeviceName"
                        Write-Warning "Removing tag $Tag from device $DeviceName failed!"
                        Write-Error "StatusCode: $($response.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Removed tag: $Tag"
        Write-Verbose "StatusCode: $($response.statuscode)"
        Write-Verbose "StatusDescription: $($response.StatusDescription)"

function Remove-MDATPIndicator{
    .PARAMETER IndicatorID
    The unique custom indicator ID
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Remove-MDATPIndicator -IndicatorID 25
    This command removes the custom indicator with id 25
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 05.05.2020
    Purpose/Change: Initial script development

        # Unique custom indicator ID

        # API Configuration

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings   = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri         = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID         = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret     = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # MDATP API URI
            $indicatorsuri = ""
            $indicators = @(Invoke-RestMethod -Uri $indicatorsuri -Headers $Headers -Body $Body -Method Get -Verbose -ContentType application/json)
            $errorMessage = $_.Exception.Message
            Write-Error "Error retrieving MDATP TI indicators data [$errorMessage]"

        $IndicatorInfo = $indicators.value | Where-Object {$ -eq $IndicatorID}
        $RemoveIndicatorsuri = "$IndicatorID"

        if ($pscmdlet.ShouldProcess("$IndicatorID", "Remvoing Indicator - $($IndicatorInfo.IndicatorType) - $($IndicatorInfo.indicatorvalue)")){
                $response = Invoke-WebRequest -Uri $RemoveIndicatorsuri -Headers $Headers -Method Delete
                If ($response.StatusCode -eq 204){
                    Write-Verbose "Indicator: $IndicatorID - $($IndicatorInfo.IndicatorType) - $($IndicatorInfo.indicatorvalue) was successfully removed"
                    Write-Warning "Removing Indicator: $IndicatorID failed"
                    Write-Error "StatusCode: $($response.StatusCode)"
                $ex = $_.Exception
                $errorResponse = $ex.Response.GetResponseStream()
                $reader = New-Object System.IO.StreamReader($errorResponse)
                $reader.BaseStream.Position = 0
                $responseBody = $reader.ReadToEnd();
                Write-Verbose "Response content:`n$responseBody"
                Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
        Write-Verbose "IndicatorID: $IndicatorID"
        Write-Verbose "IndicatorType: $($IndicatorInfo.indicatorType)"
        Write-Verbose "Indicatorvalue: $($IndicatorInfo.indicatorValue)"
        Write-Verbose "StatusCode: $($response.statuscode)"
        Write-Verbose "StatusDescription: $($response.StatusDescription)"

function Start-MDATPAppRestriction{
    Start-MDATPAppRestriction restricts execution of all applications on the machine.
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER Comment
    Comment that is added to the request, if no comment is provided the default commment 'submitted by automation' is used.
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Start-MDATPAppRestriction -DeviceName computer02 -Comment "incident1973"
    This command restricts application execution on device computer02
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 12.04.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Comment for the request

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings  = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri        = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID        = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret    = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # MDATP API URI
        $MDATP_API_URI = ""

            $Comment = "submitted by automation"

        # change the devicename to lowercase
        $DeviceName = $DeviceName.ToLower()

        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $

            if ($pscmdlet.ShouldProcess("$DeviceName", "Start Isolation: $IsolationType")){
                    $AppRestrictionInput = @{"Comment" = "$Comment"} | ConvertTo-Json
                    $AppRestrictionUri = "$MachineAPI/$MDATPDeviceID/restrictCodeExecution "
                    $AppRestrictionResponse  =Invoke-WebRequest -Uri $AppRestrictionUri -Headers $Headers -Method Post -Body $AppRestrictionInput
                    If ($AppRestrictionResponse.StatusCode -eq 201){
                        $ActionID = $AppRestrictionResponse.content | ConvertFrom-Json | Select-Object -ExpandProperty id
                        Write-Verbose "App restriction was successfully initiated for device $DeviceName -ActionID: $ActionID"
                        $ActionID = "0000000-0000-0000-0000-000000000000"
                        Write-Warning "Initiating app restriction for device $DeviceName failed!"
                        Write-Error "StatusCode: $($AppRestrictionResponse.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
                    $ActionID = "0000000-0000-0000-0000-000000000000"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Comment: $Comment"
        Write-Verbose "ActionID: $($ActionID)"
        Write-Verbose "StatusCode: $($IsolateResponse.statuscode)"
        Write-Verbose "StatusDescription: $($IsolateResponse.StatusDescription)"

function Start-MDATPAVScan{
    Start-MDATPAVScan initiates an Antivirus scan on the specified device
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER Scantype
    The type of scan to perform, Full or Quick
    .PARAMETER Comment
    Comment that is added to the request, if no comment is provided the default commment 'submitted by automation' is used.
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Start-MDATPAVScan -DeviceName testclient6 -ScanType Quick -Comment "better check"
    This command starts a quck AV scan on device testclient6
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 17.03.2020
    Purpose/Change: Initial script development


        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # ScanType controls the type of scan to perform

        # Comment for the request

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"

        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # MDATP API URI
        $MDATP_API_URI = ""

            $Comment = "submitted by automation"

        $DeviceName = $DeviceName.ToLower()
        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            if ($pscmdlet.ShouldProcess("$DeviceName", "Start AV Scan: $ScanType")){
                    # DefineScanType
                    $ScanTypeInput = @{"ScanType" = "$ScanType"; "Comment"= "$Comment"} | ConvertTo-Json
                    $ScanUri = "$MachineAPI/$MDATPDeviceID/runAntiVirusScan"
                    $ScanResponse  =Invoke-WebRequest -Uri $ScanUri -Headers $Headers -Method Post -Body $ScanTypeInput
                    # end tag machine
                    If ($ScanResponse.StatusCode -eq 201){
                        $ActionID = $ScanResponse.content | ConvertFrom-Json | Select-Object -ExpandProperty id
                        Write-Verbose "$ScanType scan was successfully initiated for device $DeviceName"
                        $ActionID = "0000000-0000-0000-0000-000000000000"
                        Write-Warning "Initiating $ScanType scan for device $DeviceName failed!"
                        Write-Error "StatusCode: $($ScanResponse.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
                    $ActionID = "0000000-0000-0000-0000-000000000000"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "ScanType: $ScanType"
        Write-Verbose "Comment: $Comment"
        Write-Verbose "ActionID: $($ActionID)"
        Write-Verbose "StatusCode: $($ScanResponse.statuscode)"
        Write-Verbose "StatusDescription: $($ScanResponse.StatusDescription)"

function Start-MDATPInvestigation{
    Start-MDATPInvestigation initiates an automated investigation on the targeted device
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER Comment
    Comment that is added to the request, if no comment is provided the default commment 'submitted by automation' is used.
    Comment to associate with the action
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Start-MDATPInvestigation -DeviceName computer02 -Comment "incident1973"
    This command starts an automated investigation on device computer02
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 17.03.2020
    Purpose/Change: Initial script development


        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Comment for the request

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"

        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        # MDATP API URI
        $MDATP_API_URI = ""

            $Comment = "submitted by automation"

        $DeviceName = $DeviceName.ToLower()
        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            if ($pscmdlet.ShouldProcess("$DeviceName", "Start automated investigation")){
                    $InvestigationInput = @{"Comment" = "$Comment"} | ConvertTo-Json
                    $InvestigationUri = "$MachineAPI/$MDATPDeviceID/startInvestigation"
                    $InvestigationResponse = Invoke-WebRequest -Uri $InvestigationUri -Headers $Headers -Method Post -Body $InvestigationInput
                    If ($InvestigationResponse.StatusCode -eq 201){
                        $ActionID = $InvestigationResponse.content | ConvertFrom-Json | Select-Object -ExpandProperty id
                        Write-Verbose "An automated investigation was successfully initiated for device $DeviceName -ActionID: $ActionID"
                        $ActionID = "0000000-0000-0000-0000-000000000000"
                        Write-Warning "Initiating automated investigation for device $DeviceName failed!"
                        Write-Error "StatusCode: $($InvestigationResponse.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
                    $ActionID = "0000000-0000-0000-0000-000000000000"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Comment: $Comment"
        Write-Verbose "ActionID: $($ActionID)"
        Write-Verbose "StatusCode: $($InvestigationResponse.statuscode)"
        Write-Verbose "StatusDescription: $($InvestigationResponse.StatusDescription)"

function Start-MDATPInvestigationPackageCollection{
    Start-MDATPInvestigationPackageCollection initiates the collection of an investigation package
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER Comment
    Comment that is added to the request, if no comment is provided the default commment 'submitted by automation' is used.
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Start-MDATPInvestigationPackageCollection -DeviceName computer02
    This command starts the collection of the investigation package on device computer02
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 17.03.2020
    Purpose/Change: Initial script development


        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Comment for the request

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token

        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        $MDATP_API_URI = ""

            $Comment = "submitted by automation"
        $DeviceName = $DeviceName.ToLower()

        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            if ($pscmdlet.ShouldProcess("$DeviceName", "Start investigation package collection")){
                    Write-Verbose "Device: $DeviceName Id:$MDATPDeviceID"
                    $CollectInput = @{"Comment" = "$Comment"} | ConvertTo-Json
                    $CollectUri = "$MachineAPI/$MDATPDeviceID/collectInvestigationPackage"
                    $CollectResponse  =Invoke-WebRequest -Uri $CollectUri -Headers $Headers -Method Post -Body $CollectInput
                    # end tag machine
                    If ($CollectResponse.StatusCode -eq 201){
                        $ActionID = $CollectResponse.content | ConvertFrom-Json | Select-Object -ExpandProperty id
                        Write-Verbose "Investigation package collection was successfully initiated for device $DeviceName - ActionID: $ActionID"
                        $ActionID = "0000000-0000-0000-0000-000000000000"
                        Write-Warning "Initiating investigation pacakge collection for device $DeviceName failed!"
                        Write-Error "StatusCode: $($CollectResponse.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
                    $ActionID = "0000000-0000-0000-0000-000000000000"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Action: Collection Investigation Package"
        Write-Verbose "Comment: $Comment"
        Write-Verbose "ActionID: $($ActionID)"
        Write-Verbose "StatusCode: $($response.statuscode)"
        Write-Verbose "StatusDescription: $($CollectResponse.StatusDescription)"

function Start-MDATPIsolation{
    Start-MDATPIsolation initiates the isolation of the specified device from the network
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER IsolationType
    Type of the isolation. Allowed values are: 'Full' or 'Selective'.
    .PARAMETER Comment
    Comment that is added to the request, if no comment is provided the default commment 'submitted by automation' is used.
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Start-MDATPIsolation -DeviceName computer02 -IsolationType Full -Comment "incident1973"
    This command isolates device computer02 from the network
    Start-MDATPIsolation -DeviceName computer02 -IsolationType Selective -Comment "incident1973"
    This command isolates device computer02 from the network but allows communication through Outlook and Skype
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 12.04.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # IsolationType controls the type of isolation to perform

        # Comment for the request

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        $MDATP_API_URI = ""
            $Comment = "submitted by automation"
        $DeviceName = $DeviceName.ToLower()
        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            if ($pscmdlet.ShouldProcess("$DeviceName", "Start Isolation: $IsolationType")){
                    $IsolationTypeInput = @{"IsolationType" = "$IsolationType"; "Comment"= "$Comment"} | ConvertTo-Json
                    $IsolateUri = "$MachineAPI/$MDATPDeviceID/isolate"
                    $IsolateResponse  =Invoke-WebRequest -Uri $IsolateUri -Headers $Headers -Method Post -Body $IsolationTypeInput
                    If ($IsolateResponse.StatusCode -eq 201){
                        $ActionID = $IsolateResponse.content | ConvertFrom-Json | Select-Object -ExpandProperty id
                        Write-Verbose "$IsolationType isolation was successfully initiated for device $DeviceName -ActionID: $ActionID"
                        $ActionID = "0000000-0000-0000-0000-000000000000"
                        Write-Warning "Initiating $IsolationType isolation for device $DeviceName failed!"
                        Write-Error "StatusCode: $($IsolateResponse.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
                    $ActionID = "0000000-0000-0000-0000-000000000000"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "IsolationType: $IsolationType"
        Write-Verbose "Comment: $Comment"
        Write-Verbose "ActionID: $($ActionID)"
        Write-Verbose "StatusCode: $($IsolateResponse.statuscode)"
        Write-Verbose "StatusDescription: $($IsolateResponse.StatusDescription)"

function Stop-MDATPAppRestriction{
    Stop-MDATPAppRestriction removes app execution restrictions on the machine.
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER Comment
    Comment that is added to the request, if no comment is provided the default commment 'submitted by automation' is used.
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Stop-MDATPAppRestriction -DeviceName computer02 -Comment "incident1973"
    This command removes app execution restrictions from device computer02
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 12.04.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Comment for the request

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        $MDATP_API_URI = ""
            $Comment = "submitted by automation"
        $DeviceName = $DeviceName.ToLower()
        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $

            if ($pscmdlet.ShouldProcess("$DeviceName", "Start Isolation: $IsolationType")){
                    $UnAppRestrictionInput = @{"Comment" = "$Comment"} | ConvertTo-Json
                    $UnAppRestrictionUri = "$MachineAPI/$MDATPDeviceID/unrestrictCodeExecution "
                    $UnAppRestrictionResponse  =Invoke-WebRequest -Uri $UnAppRestrictionUri -Headers $Headers -Method Post -Body $UnAppRestrictionInput
                    If ($UnAppRestrictionResponse.StatusCode -eq 201){
                        $ActionID = $UnAppRestrictionResponse.content | ConvertFrom-Json | Select-Object -ExpandProperty id
                        Write-Verbose "Remove App restriction was successfully initiated for device $DeviceName -ActionID: $ActionID"
                        $ActionID = "0000000-0000-0000-0000-000000000000"
                        Write-Warning "Initiating app restriction for device $DeviceName failed!"
                        Write-Error "StatusCode: $($UnAppRestrictionResponse.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
                    $ActionID = "0000000-0000-0000-0000-000000000000"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Comment: $Comment"
        Write-Verbose "ActionID: $($ActionID)"
        Write-Verbose "StatusCode: $($IsolateResponse.statuscode)"
        Write-Verbose "StatusDescription: $($IsolateResponse.StatusDescription)"

function Stop-MDATPIsolation{
    Stop-MDATPIsolation removes network isolation for the specified device
    .PARAMETER DeviceName
    Computername of the device
    The unique device ID of the device
    .PARAMETER Comment
    Comment that is added to the request, if no comment is provided the default commment 'submitted by automation' is used.
    .PARAMETER MTPConfigFile
    The MTPConfigFile contains the API connection information, if not specified a default PoshMTPconfig.json is used that must be located in the module folder
    Stop-MDATPIsolation -DeviceName computer02 -Comment "incident1973"
    This command removes network isolation for device computer02
    Version: 1.0
    Author: Alex Verboon
    Creation Date: 12.04.2020
    Purpose/Change: Initial script development

        # Computername of the MDATP managed device

        # Unique device id of the MDATP managed device

        # Comment for the request

        # API Configuration file

        # Begin Get API Information
        If ($MTPConfigFile){
            $PoshMTPconfigFilePath = $MTPConfigFile
            Write-Verbose "MTP ConfigFile parameter: $PoshMTPconfigFilePath"
            # If no configfile is defined we use a defined lcoation .\Config\PoshMTPconfig.json
            $ConfigFileDir =  [IO.Directory]::GetParent($PSScriptRoot)
            $PoshMTPconfigFilePath = "$ConfigFileDir\" +  "PoshMTPconfig.json"
            Write-Verbose "MTP ConfigFile static: $PoshMTPconfigFilePath"

        Write-Verbose "Checking for $PoshMTPconfigFilePath"
        If (Test-Path -Path $PoshMTPconfigFilePath -PathType Leaf){
            $ConfigSettings = @(Get-Content -Path "$PoshMTPconfigFilePath" | ConvertFrom-Json)
            $OAuthUri = $ConfigSettings.API_MDATP.OAuthUri
            $ClientID = $ConfigSettings.API_MDATP.ClientID
            $ClientSecret = $ConfigSettings.API_MDATP.ClientSecret
            Write-Error "$PoshMTPconfigFilePath not found"
        # End Get API Information

        # Connect with MDATP API
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        $Body = @{
            resource      = ""
            client_id     = $ClientID
            client_secret = $ClientSecret
            grant_type    = 'client_credentials'
            redirectUri   = "https://localhost:8000"
        $Response = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body
        #$Authorization = Invoke-RestMethod -Method Post -Uri $OAuthUri -Body $Body -ContentType "application/x-www-form-urlencoded" -UseBasicParsing
        #$access_token = $Authorization.access_token
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $($Response.access_token)"
        $MDATP_API_URI = ""
            $Comment = "submitted by automation"
        $DeviceName = $DeviceName.ToLower()

        # Get the MDATP devices
        $MachineAPI = "$MDATP_API_URI/machines"
        $Machines = @(Invoke-RestMethod -Uri "$MachineAPI" -Headers $Headers -Method Get -Verbose -ContentType application/json)
        If ($DeviceName){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$_.computerDnsName -like "$DeviceName"})
        Elseif ($DeviceID){
            $ActionDevice = @($machines.value | Select-Object * | Where-Object {$ -like "$DeviceID"})

        If($ActionDevice.count -gt 1){
            Write-Warning "There are multiple device records with this computername, please specify the MDATP device id"
            $ActionDevice | Select-Object computerDnsName, id
        Elseif($ActionDevice.count -eq 0){
            Write-Warning "No device records found that match DeviceName $DeviceName"
        Elseif($ActionDevice.count -eq 1){
            $MDATPDeviceID = $
            if ($pscmdlet.ShouldProcess("$DeviceName", "Stop Isolation")){
                    $UnIsolationInput = @{"Comment" = "$Comment"} | ConvertTo-Json
                    $UnIsolateUri = "$MachineAPI/$MDATPDeviceID/unisolate "
                    $UnIsolateResponse  =Invoke-WebRequest -Uri $UnIsolateUri -Headers $Headers -Method Post -Body $UnIsolationInput
                    If ($UnIsolateResponse.StatusCode -eq 201){
                        $ActionID = $UnIsolateResponse.content | ConvertFrom-Json | Select-Object -ExpandProperty id
                        Write-Verbose "Remove isolation was successfully initiated for device $DeviceName -ActionID: $ActionID"
                        $ActionID = "0000000-0000-0000-0000-000000000000"
                        Write-Warning "Removing isolation for device $DeviceName failed!"
                        Write-Error "StatusCode: $($UnIsolateResponse.StatusCode)"
                    $ex = $_.Exception
                    $errorResponse = $ex.Response.GetResponseStream()
                    $reader = New-Object System.IO.StreamReader($errorResponse)
                    $reader.BaseStream.Position = 0
                    $responseBody = $reader.ReadToEnd();
                    Write-Verbose "Response content:`n$responseBody"
                    Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
                    $ActionID = "0000000-0000-0000-0000-000000000000"
        Write-Verbose "Device: $DeviceName"
        Write-Verbose "DeviceID: $MDATPDeviceID"
        Write-Verbose "Comment: $Comment"
        Write-Verbose "ActionID: $($ActionID)"
        Write-Verbose "StatusCode: $($UnIsolateResponse.statuscode)"
        Write-Verbose "StatusDescription: $($UnIsolateResponse.StatusDescription)"