[Powershell] [API] Delete endpoint by api fails with "invalid Operation"

[Update: found workaround]

I changed the script so that it produces a batch file with curl commands and executes it. The result is that the endpoints are removed as wished.

[Edited to add full script]

Dear Community,

I ran into an issue I do not understand.

I wrote a PowerShell script which should delete endpoints in a specific group.

Enabling/disabling tamper works (non-destructive script testing), but when I execute the delete, it always fails with 

Invoke-RestMethod : {
"error": "BadRequest",
"correlationId": "d8889e3a-5914-4d68-bb5a-2765467c17d7",
"requestId": "c78db0c0-6bf7-40e5-968b-510cd7cb1d6f"
}
At line:3 char:13
+ $response = Invoke-RestMethod 'api-eu02.central.sophos.com/en ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

The used command:

Invoke-RestMethod 'api-eu02.central.sophos.com/.../xxxxxx-xxx-45ed-9469-abe34def8ed9' -Method 'DELETE' -Headers $Headers

Anyone any idea? 

The API token role is superadmin, so this should not be an issue.

[script]

I would love to hear your thoughts.

Regards,

Arno



[edited by: Arno van der Veen - IT's Secured at 7:38 PM (GMT -8) on 5 Mar 2022]
  • What headers are you sending up? Do any other API requests work for you?

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Hi Richard,

    Other API requests do work within the same script.

    The header is built as follows:

    # SOPHOS API Headers:
    $XDRAPIHeaders = @{
        "Authorization" = "Bearer $script:Token";
        "X-Tenant-ID" = "$script:ApiTenantId";
        "Content-Type" = "application/json";
    }

    The part of authentication and header creation I got from here: https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/131161/using-powershell-to-extract-the-detections-information-from-the-datalake

    ###################################################################################################################################
    # Find machines in the assigned group
    ###################################################################################################################################
    Write-Host("`n=================================================================")
    Write-Host("[Sophos Central device removal] This script checks existing")
    Write-Host(" machines, enumerate them and removes them.")
    Write-Host("=================================================================")

    # Query all endpoints whose group name contains $SophosDevicegroup (one call; the original fragment issued it twice)
    $Central_Cleanup = (Invoke-RestMethod -Method Get -Uri $script:ApiHost"/endpoint/v1/endpoints?groupNameContains=$($SophosDevicegroup)" -Headers $XDRAPIHeaders -ErrorAction SilentlyContinue -ErrorVariable ScriptError)

    # Display results in the console
    $Central_Cleanup.items | Format-Table -Property id, hostname, lastSeenAt, tamperProtectionEnabled

    ###################################################################################################################################
    # Set or remove tamper protection in the assigned group (enable = true; disable = false)
    ###################################################################################################################################
    foreach ($id in $Central_Cleanup.items) {
        Invoke-RestMethod -Method 'Post' -Uri $script:ApiHost"/endpoint/v1/endpoints/$($id.id)/tamper-protection" -Headers $XDRAPIHeaders -Body '{"enabled": false}'
    }

    ###################################################################################################################################
    # Delete machines in the assigned group (this is the call that returns BadRequest)
    ###################################################################################################################################
    foreach ($id in $Central_Cleanup.items) {
        Invoke-RestMethod -Method Delete -Uri $script:ApiHost"/endpoint/v1/endpoints/$($id.id)" -Headers $XDRAPIHeaders -debug -ErrorAction SilentlyContinue -ErrorVariable ScriptError
    }

    I tried with the original API guide (https://developer.sophos.com/docs/endpoint-v1/1/routes/endpoints/%7BendpointId%7D/delete) syntax as well as the syntax offered by Postman/Sophos API (urn:uuid:[endpointID]). Unfortunately, no difference in outcome.

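  • My workaround is to create a batch file (via PowerShell) and remove the entries with curl commands.

    # Secrets go through the process environment, so they are never written into the batch file
    $env:TOKEN=$script:Token
    $env:sophosurl=$script:ApiHost
    $env:sophosid=$script:ApiTenantId

    foreach ($id in $Central_Cleanup.items) {
        # Double-quoted so PowerShell expands the host and $($id.id); %sophosid% and %token% are expanded by cmd.exe at run time
        "d:\curl\bin\curl.exe --request DELETE $($script:ApiHost)/endpoint/v1/endpoints/$($id.id) --header `"X-Tenant-ID: %sophosid%`" --header `"Authorization: Bearer %token%`" --header `"Accept: application/json`"" |
            Out-File -FilePath $scriptlocation\removesophos.cmd -Append -Encoding ascii   # ASCII so cmd.exe can parse the file
    }
    # -Wait so the batch file is not deleted while cmd.exe is still reading it
    Start-Process "$scriptlocation\removesophos.cmd" -Wait
    Remove-Item $scriptlocation\removesophos.cmd
    $env:TOKEN=0
    $XDRAPIHeaders=0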
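
The failing `Invoke-RestMethod` call in this thread sends `Content-Type: application/json` on a DELETE that has no body, while the working curl command sends `Accept: application/json` instead. The following is an added example, not part of the original posts and not Sophos code, that lets you test whether that header difference matters without writing a batch file; the function name `Remove-CentralEndpoint` and its parameters are hypothetical, and the header difference being the cause is an unverified assumption.

```powershell
# Added example, not from the original thread. Assumption under test: the
# body-less DELETE is rejected because of the Content-Type header.
function Remove-CentralEndpoint {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $ApiHost,
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('id')] [string] $EndpointId
    )
    begin {
        # Same Authorization and X-Tenant-ID values as $XDRAPIHeaders, but with
        # Accept instead of Content-Type, matching the curl command line.
        $headers = @{
            'Authorization' = "Bearer $Token"
            'X-Tenant-ID'   = $TenantId
            'Accept'        = 'application/json'
        }
    }
    process {
        $uri = "$ApiHost/endpoint/v1/endpoints/$EndpointId"
        # Deleting an endpoint is destructive: honour -WhatIf and -Confirm.
        if (-not $PSCmdlet.ShouldProcess($uri, 'DELETE')) { return }
        try {
            $null = Invoke-RestMethod -Method Delete -Uri $uri -Headers $headers -ErrorAction Stop
            [pscustomobject]@{ EndpointId = $EndpointId; Deleted = $true; Error = $null }
        }
        catch {
            # ErrorDetails.Message carries the JSON error body returned by the
            # API (error, correlationId, requestId) when one was sent.
            $detail = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
            [pscustomobject]@{ EndpointId = $EndpointId; Deleted = $false; Error = $detail }
        }
    }
}

# Dry run first: lists every URI that would be deleted without sending a request.
# $Central_Cleanup.items | Remove-CentralEndpoint -ApiHost $script:ApiHost `
#     -TenantId $script:ApiTenantId -Token $script:Token -WhatIf
```

Each result object records the endpoint id and any error body, so a failed delete keeps its `correlationId` for a support case instead of being hidden by `-ErrorAction SilentlyContinue`.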
