Thread Info
  • State Verified Answer
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 5042 views
  • Users 0 members are here
Options
Suggested

[Powershell] [API] Delete endpoint by api fails with "invalid Operation"

Arno van der Veen - IT's Secured

[Update: found workaround]]

I changed the script that it will produce a batch file with curl and execute this. result is that the endpoints are removed as wished.

[Edited due adding full script]]

Dear Community,

I run in an issue I do not understand.

I wrote a powershell script which should delete endpoints in a specific group.

Enabling/disabling tamper works (non-destructive script testing), but when I execute the delete, it always fails with 

Invoke-RestMethod : {
"error": "BadRequest",
"correlationId": "d8889e3a-5914-4d68-bb5a-2765467c17d7",
"requestId": "c78db0c0-6bf7-40e5-968b-510cd7cb1d6f"
}
At line:3 char:13
+ $response = Invoke-RestMethod 'api-eu02.central.sophos.com/en ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

The used command:

Invoke-RestMethod 'api-eu02.central.sophos.com/.../xxxxxx-xxx-45ed-9469-abe34def8ed9' -Method 'DELETE' -Headers $Headers

Anyone any idea? 

the api token role is superadmin, so this should not be an issue.

[script]

I would love to hear your thoughts.

Regards,

Arno



Update
[edited by: Arno van der Veen - IT's Secured at 7:38 PM (GMT -8) on 5 Mar 2022]
Parents Reply Children
  • 0 in reply to FormerMember

    Hi Richard,

    Other Api requests do work within the same script

    The header is combined by: 

    # SOPHOS API Headers:
$XDRAPIHeaders = @{
	"Authorization" = "Bearer $script:Token";
	"X-Tenant-ID" = "$script:ApiTenantId";
    "Content-Type" = "application/json";
}

    The part of authentication and header creation I got from here: https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/131161/using-powershell-to-extract-the-detections-information-from-the-datalake

        ###################################################################################################################################
    # Find machines in the assigned group
    ###################################################################################################################################
    Write-Host("`n=================================================================")
    Write-Host("[Sophos Central device removal] This script checks existing")
    Write-Host(" machines, enumerate them and removes them.")
    Write-Host("=================================================================")
   

    $Central_Cleanup = (Invoke-RestMethod -Method Get -Uri $script:ApiHost"/endpoint/v1/endpoints?groupNameContains=$($SophosDevicegroup)" -Headers $XDRAPIHeaders)
                


    
        $Central_Cleanup = (Invoke-RestMethod -Method Get -Uri $script:ApiHost"/endpoint/v1/endpoints?groupNameContains=$($SophosDevicegroup)" -Headers $XDRAPIHeaders -ErrorAction SilentlyContinue -ErrorVariable ScriptError)   
        

    
        # Display results in the console
        $Central_Cleanup.items | Format-Table -Property id, hostname, lastSeenAt, tamperProtectionEnabled


 
    ###################################################################################################################################
    # set or remove tamperprotection in the assigned group (enable = true; disable = false
    ###################################################################################################################################
      
      foreach ($id in $Central_Cleanup.items) { (Invoke-RestMethod -Method 'Post' -Uri $script:ApiHost"/endpoint/v1/endpoints/$($id.id)/tamper-protection" -Headers $XDRAPIHeaders -Body '{"enabled": false}' )    }

    ###################################################################################################################################
    # Delete machines in the assigned group
    ###################################################################################################################################

     foreach ($id in $Central_Cleanup.items)  {Invoke-RestMethod -Method Delete -Uri $script:ApiHost"/endpoint/v1/endpoints/$($id.id)"  -Headers $XDRAPIHeaders -debug -ErrorAction SilentlyContinue -ErrorVariable ScriptError} 

}

    I tried with the original API guide (https://developer.sophos.com/docs/endpoint-v1/1/routes/endpoints/%7BendpointId%7D/delete) syntax as well as the syntax offered by postman/sophos api (urn:uuid:[endpointID]). unfortunally no difference in outcome.

  • +1 in reply to Arno van der Veen - IT's Secured

    My workaround is to create a batchfile (by powershell) and remove the entries with curl commands

    $env:TOKEN=$script:Token
$env:sophosurl=$script:ApiHost
$env:sophosid=$script:ApiTenantId

     foreach ($id in $Central_Cleanup.items)  {write-output ' d:\curl\bin\curl.exe --request DELETE $script:ApiHost/endpoint/v1/endpoints/$($id.id) --header "X-Tenant-ID: %sophosid%" --header "Authorization: Bearer %token%" --header "Accept: application/json"' >> $scriptlocation\removesophos.cmd} 
     start-process "$scriptlocation\removesophos.cmd"
     Remove-Item $scriptlocation\removesophos.cmd
     $env:TOKEN=0
     $XDRAPIHeaders=0

Unfiltered HTML