Microsoft Security Response Center (MSRC): Query and Parse a REST API with PowerShell

I got a requirement to fetch the MSRC report. If you are new to the Microsoft Security Center API, like me, refer here. Generate an API key using your Microsoft ID.

The ask is very simple: retrieve a report that contains the following information:

  1. CVE Title.
  2. CVE Number.
  3. Published Date.
  4. Affected Products. (This gives the information we need.)

Indeed, the team came up with the MsrcSecurityUpdates PowerShell module, which is available in the gallery. But we don’t use that; our need is to fetch a report that matches the old MS vulnerability report format.

So the REST API is our friend, and the simple script below meets the need.

$monthofinterest = @('2017-Apr' , 
    '2017-May', 
    '2017-Jun', 
    '2017-Jul', 
    '2017-Aug', 
    '2017-Sep', 
    '2017-Oct', 
    '2017-Nov', 
    '2017-Dec', 
    '2018-Jan', 
    '2018-Feb', 
    '2018-Mar', 
    '2018-Apr', 
    '2018-May', 
    '2018-Jun', 
    '2018-Jul', 
    '2018-Aug', 
    '2018-Sep', 
    '2018-Oct', 
    '2018-Nov', 
    '2018-Dec', 
    '2019-Jan', 
    '2019-Feb', 
    '2019-Mar', 
    '2019-Apr', 
    '2019-May', 
    '2019-Jun', 
    '2019-Jul'  )
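# Accumulates the per-CVE detail objects across all months
$colls = @()
# Dot-sourcing the script block (". { process { } }") runs it in the current scope,
# so "$colls +=" below updates the variable declared above
$monthofinterest | . {
    process
    {
        # Monthly CVRF document from the MSRC API; replace <APIKey> with your own key
        $pcdReport = Invoke-RestMethod -Method Get -Uri "https://api.msrc.microsoft.com/cvrf/$($_)?api-version=2018" -Headers @{
            'api-key' = '<APIKey>'
        }
        # One request per CVE listed in that month's document
        $pcdReport.cvrfdoc.Vulnerability.cve | . {
            process
            {
                $results = Invoke-RestMethod -Uri "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/$($_)"
                # Echo each result to the console as progress
                $results
                $colls += $results
            }
        }
    }
}
# Keep the cve* properties and write one CSV row per affected product
$colls | 
Select-Object cve* -ExpandProperty affectedproducts | 
Export-Csv C:\Temp\MSRCRawReport.csv -NoTypeInformation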
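
The script above makes one request per CVE and stops recording nothing when a request fails, so a failed call leaves a silent gap in the vulnerability report. The following is an added example, not part of the original script: it retries each request, lists every month or CVE it could not fetch, builds the month IDs in code, and reads the key from the environment instead of the source file. The function names, the `MSRC_API_KEY` variable name and the stub data are assumptions made for illustration.

```powershell
function Get-MsrcMonthId {
    # Emit CVRF IDs ('2017-Apr', ...); invariant culture keeps month names English.
    param([datetime]$From, [datetime]$To)
    $m = [datetime]::new($From.Year, $From.Month, 1)
    while ($m -le $To) {
        $m.ToString('yyyy-MMM', [cultureinfo]::InvariantCulture)
        $m = $m.AddMonths(1)
    }
}
function Invoke-WithRetry {
    # Call $Fetch with $Uri up to $MaxTry times; emit nothing if every attempt fails.
    param([string]$Uri, [scriptblock]$Fetch, [int]$MaxTry = 3, [int]$DelaySeconds = 2)
    for ($attempt = 1; $attempt -le $MaxTry; $attempt++) {
        try { return (& $Fetch $Uri) }
        catch {
            Write-Warning "Attempt $attempt/$MaxTry failed for ${Uri}: $($_.Exception.Message)"
            if ($attempt -lt $MaxTry) { Start-Sleep -Seconds ($DelaySeconds * $attempt) }
        }
    }
}
function Get-MsrcCveDetail {
    # Return the CVE detail objects plus every month or CVE ID that could not be fetched.
    param([string[]]$Month, [scriptblock]$Fetch)
    $failed = [System.Collections.Generic.List[string]]::new()
    $details = foreach ($id in $Month) {
        $doc = Invoke-WithRetry -Uri "https://api.msrc.microsoft.com/cvrf/${id}?api-version=2018" -Fetch $Fetch
        if (-not $doc) { $failed.Add($id); continue }
        foreach ($cve in $doc.cvrfdoc.Vulnerability.cve) {
            $r = Invoke-WithRetry -Uri "https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/$cve" -Fetch $Fetch
            if ($r) { $r } else { $failed.Add($cve) }
        }
    }
    [pscustomobject]@{ Details = @($details); Failed = $failed }
}

# Live fetcher: the key comes from the environment (MSRC_API_KEY is an assumed
# name) and is attached only to requests for api.msrc.microsoft.com.
$live = { param($u)
    $h = if (([uri]$u).Host -eq 'api.msrc.microsoft.com') { @{ 'api-key' = $env:MSRC_API_KEY } } else { @{} }
    Invoke-RestMethod -Method Get -Uri $u -Headers $h }

# Constructed offline stub: one month, two placeholder CVEs, the second always fails.
$stub = { param($u)
    if ($u -like '*/cvrf/*') { return [xml]'<cvrfdoc><Vulnerability><CVE>CVE-0000-0001</CVE></Vulnerability><Vulnerability><CVE>CVE-0000-0002</CVE></Vulnerability></cvrfdoc>' }
    if ($u -like '*CVE-0000-0002') { throw 'simulated failure' }
    [pscustomobject]@{ cveNumber = 'CVE-0000-0001' } }   # constructed field name
$out = Get-MsrcCveDetail -Month (Get-MsrcMonthId -From '2019-07-01' -To '2019-07-01') -Fetch $stub
"fetched $($out.Details.Count), missing: $($out.Failed -join ', ')"
```

For a real run, pass `-Fetch $live` with the full date range and pipe `$out.Details` into the same `Select-Object` and `Export-Csv` step as the script above; a non-empty `$out.Failed` means the CSV is incomplete.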

Refer to this blog post if you need the data in a different format.
