Using PowerShell to Query ABR

Introduction

The Admin By Request API allows you to get the necessary data into your preferred SIEM system. This blog covers how to test functionality and get data from Admin By Request using Windows PowerShell.

In order to use Invoke-RestMethods cmdlets used during this task, you need to be running Windows PowerShell version 3.0 or higher.

Procedure

There are five tasks involved:

Enable and Copy API Key
1. In the Admin By Request portal, navigate to menu Settings > Tenant Settings > API Keys > API KEYS:
2. If there is no key available, click button Add New. If there is a key available, select Click to show for the relevant key, followed by Copy to clipboard.
3. Paste the API Key into notepad (or similar) to be retrieved later, so that it is not overwritten in the next step.
Copy Required URLs from Resources
This task locates and copies two URLs used to make queries in subsequent tasks.
NOTE
- For this example, we want to return the current inventory and the latest auditlog data.
- The full URL depends on your data center. This example uses dc1api (https://dc1api.adminbyrequest.com in the URL). You might see a different data center in your full URL (e.g. dc2api).
Primary method

This method requires JavaScript to be enabled on your endpoint.
1. Copy Inventory URL
  
  In the portal, go to page Inventory API.
  
  From the list of resources, click to copy the inventory URL:
  
  You might need to select and copy rather than simply clicking the URL.
  
  Paste the inventory URL into notepad (or similar) to be retrieved later, so that it is not overwritten in the next step.
2. Copy Auditlog URL
  
  In the portal, go to page Auditlog API.
  
  From the list of resources, click to copy the auditlog URL:
  
  You might need to select and copy rather than simply clicking the URL.
  
  Paste the auditlog URL into notepad (or similar) to be retrieved later, so that it is not overwritten in the next step.
Alternative method

This works whether JavaScript is enabled or not. Confirm your data center as described below, then append /inventory and /auditlog respectively at steps 1 and 2 above.

To determine your data center, go to page Tenant Settings > API Keys in the portal and check which API prefix is shown under About API Keys. The data center (which is also the API prefix) will be one of the following:
- https://dc1api.adminbyrequest.com (Europe - Netherlands)
- https://dc2api.adminbyrequest.com (USA)
- https://dc3api.adminbyrequest.com (UK)
- https://dc4api.adminbyrequest.com (Europe - Germany)
- https://dc6api.adminbyrequest.com (Asia)
Make a note of your prefix - among other things, this is the domain used when an API Key is created.
Start PowerShell and Declare API Key
If you want to run the code within this blog as a script, you might need to change the default execution policy in PowerShell to bypass or unrestricted using the following line of code:
```
set-executionpolicy bypass -scope process
```
An explanation of why this is required is outside the scope of this blog - refer to PowerShell's Execution Policy for more information.
1. Launch Windows PowerShell and declare the API Key by copying and pasting the following line of code into the window:
```
$apikey = '<your-api-key>'
```
2. Replace <your-api-key> in this line of code with the API Key you copied in Enable and Copy API Key.
3. Press Enter:
Define General Variables
This task defines several variables to make the code easier to work with.
Get Data
1. Get Inventory Data
  1. Copy and paste the following line of code into the PowerShell window:
    
    Invoke-Restmethod -uri $inventory -header $header -Method GET
2. Get Auditlog Data
  1. Copy and paste the following line of code into the PowerShell window:
    
    Invoke-Restmethod -uri $auditlog -header $header -Method GET
To output the data to a TXT or CSV file for further aggregation, simply add >> filename to the end of the command.

For example:
```
Invoke-Restmethod -uri $auditlog -header $header -Method GET >> auditlog.txt
```