[Update: found workaround]
I changed the script so that it produces a batch file with curl and executes it. The result is that the endpoints are removed as wished.
[Edited to add the full script]
Dear Community,
I ran into an issue I do not understand.
I wrote a PowerShell script which should delete endpoints in a specific group.
Enabling/disabling tamper works (non-destructive script testing), but when I execute the delete, it always fails with
Invoke-RestMethod : {
"error": "BadRequest",
"correlationId": "d8889e3a-5914-4d68-bb5a-2765467c17d7",
"requestId": "c78db0c0-6bf7-40e5-968b-510cd7cb1d6f"
}
At line:3 char:13
+ $response = Invoke-RestMethod 'api-eu02.central.sophos.com/en ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
The command used:
Invoke-RestMethod 'api-eu02.central.sophos.com/.../xxxxxx-xxx-45ed-9469-abe34def8ed9' -Method 'DELETE' -Headers $Headers
Does anyone have any idea?
The API token role is superadmin, so this should not be an issue.
[script]
I would love to hear your thoughts.
Regards,
Arno
What headers are you sending up? Do any other API requests work for you?
RichardP
Program Manager, Support Readiness | CISSP | Sophos Technical Support
Hi Richard,
Other API requests do work within the same script.
The header is combined by:
# SOPHOS API Headers:
$XDRAPIHeaders = @{
    "Authorization" = "Bearer $script:Token";
    "X-Tenant-ID" = "$script:ApiTenantId";
    "Content-Type" = "application/json";
}
The part of authentication and header creation I got from here: https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/131161/using-powershell-to-extract-the-detections-information-from-the-datalake
###################################################################################################################################
# Find machines in the assigned group
###################################################################################################################################
Write-Host("`n=================================================================")
Write-Host("[Sophos Central device removal] This script checks existing")
Write-Host(" machines, enumerate them and removes them.")
Write-Host("=================================================================")
# Query the endpoints once, keeping any error in $ScriptError
$Central_Cleanup = (Invoke-RestMethod -Method Get -Uri "$($script:ApiHost)/endpoint/v1/endpoints?groupNameContains=$($SophosDevicegroup)" -Headers $XDRAPIHeaders -ErrorAction SilentlyContinue -ErrorVariable ScriptError)
# Display results in the console
$Central_Cleanup.items | Format-Table -Property id, hostname, lastSeenAt, tamperProtectionEnabled
###################################################################################################################################
# Set or remove tamper protection in the assigned group (enable = true; disable = false)
###################################################################################################################################
foreach ($id in $Central_Cleanup.items) {
    (Invoke-RestMethod -Method 'Post' -Uri "$($script:ApiHost)/endpoint/v1/endpoints/$($id.id)/tamper-protection" -Headers $XDRAPIHeaders -Body '{"enabled": false}')
}
###################################################################################################################################
# Delete machines in the assigned group (this is the call that returns BadRequest)
###################################################################################################################################
foreach ($id in $Central_Cleanup.items) {
    Invoke-RestMethod -Method Delete -Uri "$($script:ApiHost)/endpoint/v1/endpoints/$($id.id)" -Headers $XDRAPIHeaders -Debug -ErrorAction SilentlyContinue -ErrorVariable ScriptError
}
I tried the original API guide (https://developer.sophos.com/docs/endpoint-v1/1/routes/endpoints/%7BendpointId%7D/delete) syntax as well as the syntax offered by Postman/Sophos API (urn:uuid:[endpointID]). Unfortunately, no difference in outcome.
My workaround is to create a batch file (from PowerShell) and remove the entries with curl commands:
# Hand the token, API host and tenant ID to the batch file through environment variables
$env:TOKEN = $script:Token
$env:sophosurl = $script:ApiHost
$env:sophosid = $script:ApiTenantId
foreach ($id in $Central_Cleanup.items) {
    # Double-quoted so the host and endpoint ID expand; %...% is resolved by cmd.exe at run time.
    # ASCII encoding so cmd.exe can read the file.
    "d:\curl\bin\curl.exe --request DELETE $($script:ApiHost)/endpoint/v1/endpoints/$($id.id) --header `"X-Tenant-ID: %sophosid%`" --header `"Authorization: Bearer %token%`" --header `"Accept: application/json`"" |
        Out-File -FilePath "$scriptlocation\removesophos.cmd" -Append -Encoding ascii
}
# Wait for the batch file to finish before deleting it
Start-Process "$scriptlocation\removesophos.cmd" -Wait
Remove-Item "$scriptlocation\removesophos.cmd"
# Overwrite the token and headers once the run is done
$env:TOKEN = 0
$XDRAPIHeaders = 0
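Added example, not part of the original posts: a PowerShell helper that issues the DELETE with the same three headers the working curl call sends, without writing the request to a batch file, and records the HTTP status, correlationId and requestId when the API refuses. That leaving out Content-Type is what makes the difference is an assumption the thread does not confirm; Remove-CentralEndpoint and $deleteHeaders are hypothetical names, and $script:ApiHost, $script:Token, $script:ApiTenantId and $Central_Cleanup are assumed to be populated as in the script above.

```powershell
# Added example, not code from the thread. Remove-CentralEndpoint is a hypothetical helper.
function Remove-CentralEndpoint {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $ApiHost,
        [Parameter(Mandatory)] [string]    $EndpointId,
        [Parameter(Mandatory)] [hashtable] $Headers
    )
    $uri    = "$ApiHost/endpoint/v1/endpoints/$EndpointId"
    $result = [ordered]@{ Id = $EndpointId; Deleted = $false; Status = $null
                          Error = $null; CorrelationId = $null; RequestId = $null }
    # -WhatIf stops here, so the run can be rehearsed without deleting anything
    if (-not $PSCmdlet.ShouldProcess($uri, 'DELETE')) { return [pscustomobject]$result }
    try {
        Invoke-RestMethod -Method Delete -Uri $uri -Headers $Headers -ErrorAction Stop | Out-Null
        $result.Deleted = $true
    }
    catch {
        $err = $_   # keep the outer error record; the nested try/catch below rebinds $_
        if ($err.Exception.Response) { $result.Status = [int]$err.Exception.Response.StatusCode }
        # ErrorDetails.Message holds the JSON error body that the console output shows
        $body = $null
        if ($err.ErrorDetails) {
            try { $body = $err.ErrorDetails.Message | ConvertFrom-Json } catch { $body = $null }
        }
        if ($body) {
            $result.Error         = $body.error
            $result.CorrelationId = $body.correlationId
            $result.RequestId     = $body.requestId
        } else {
            $result.Error = $err.Exception.Message
        }
    }
    [pscustomobject]$result
}

# Same headers as the curl workaround: Accept instead of Content-Type (assumption, see lead-in)
$deleteHeaders = @{
    'Authorization' = "Bearer $script:Token"
    'X-Tenant-ID'   = "$script:ApiTenantId"
    'Accept'        = 'application/json'
}
# Dry run first; drop -WhatIf to send the DELETE requests
$Central_Cleanup.items |
    ForEach-Object { Remove-CentralEndpoint -ApiHost $script:ApiHost -EndpointId $_.id -Headers $deleteHeaders -WhatIf } |
    Format-Table Id, Deleted, Status, Error, CorrelationId, RequestId
```

The CorrelationId and RequestId columns are the values support would ask for if the request is still rejected.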