## Microsoft Defender for External Attack Surface Management (MDEASM) Python Jupyter Notebook
***
This is a sample notebook for querying your MDEASM inventory. A few prerequisites must be completed before you can use it properly:
1. You must complete an initial __[Discovery](https://learn.microsoft.com/en-us/azure/external-attack-surface-management/using-and-managing-discovery)__ in your MDEASM workspace to which you have, at a minimum, _read_ permissions
2. You will also need your _Subscription Id_, _Tenant Id_, _Resource Group Name_, _Workspace Name_, & the Azure _Region_ your workspace was initialized in
3. You must have a registered __[Service Principal](https://learn.microsoft.com/en-us/rest/api/defenderforeasm/authentication#client-service-principal)__ application that is properly configured to interact with our REST API
4. To create a bearer token with your _Service Principal_ you will need the app _Client Id_, _Client Secret_, & _Tenant Id_ 
5. A minimum of a 3.X Python installation with an installed Jupyter module OR and IDE such as VSCode with a Jupyter Notebook extension installed
***

> Note for simplicity's sake, we are putting the auth variables here in the notebook for demo purposes only. In reality, this should __never__ take place in a document/script you share with others, or publish online. Storage of clientIds and clientSecrets should always leverage a more secure solution such as Key Vaults or encrypted storage of some kind. If you share this notebook with others after usage, clear outputs of all cells and restart your kernel after you have deleted these sensetive variables from your code.

In [None]:
import requests, time, json, re

try:
    import mdeasm_creds
    clientId = mdeasm_creds.clientId
    clientSecret = mdeasm_creds.clientSecret
    tenantId = mdeasm_creds.tenantId
    subscriptionId = mdeasm_creds.subscriptionId
    resourceGroupName = mdeasm_creds.resourceGroupName
    resourceName = mdeasm_creds.resourceName
    region = mdeasm_creds.region
except ImportError:
    print("Please create a file called mdeasm_creds.py and add your credentials to it. Or enter in your credentials below.")

# Important variables to set
bearerToken = None # This will be set by the azure_auth() function otherwise enter the token as a string in side quotes ''
bearerTokenExpires = 0 # This will be set by the azure_auth() function otherwise enter the epoch time in seconds as an integer
## clientId = '' # ex. 'a8c5a9e0-0000-0000-0000-000000000000' => Application (client) ID - string [required]
## clientSecret = '' # ex. 'ABCDE~123456789abcdefg_9876543210~ZyXwVu' => Application (client) secret - string [required]
## tenantId = '' # ex. 'a8c5a9e0-0000-0000-0000-000000000000' => Directory (tenant) ID - string [required]
## subscriptionId = '' # ex. 'a8c5a9e0-0000-0000-0000-000000000000' => Subscription ID - string [required]
## resourceGroupName = '' # ex. 'myMDEASMAPItest-rg' => Resource group name - string [required]
## resourceName = '' # ex. 'myMDEASMworkspace' => Resource/Workspace name - string [required]
## region = '' # ex. 'eastus' => Region - string [required]
# Leave these variables unchanged until you need to change them
resource = 'https://easm.defender.microsoft.com/' # => API Resource - string [supplied]
apiVersion = '2022-11-01-preview' # => API Version - string [supplied]
maxpagesize = 25 # => Max page size - int [required]
mark = '*' # => Mark - string [optional]
postBody = '' # => Post body - JSON formatted string [optional]
# Utilitiy variables
uuidRegex = '[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
encodingRegex = "[\s\!\@\#\$\^\*\(\)\_\=\-\[\]\{\}\;\:\'\"\,\.\<\>\/\?\|\\\]"
whoisFilter = ['privacy', 'redacted', 'godaddy', 'private', 'protected', 'proxy', 'masking', 'privateregistration', 'safenames.net', 'domaincontrol.com', 'enom.com', 'verisign.com', 'domainhasexpired.com', 'ultradns.net', 'web.com', 'cscglobal.com', 'namecheap', 'hichina', 'amazon', 'google', 'ultrahost', 'aws', 'nsone.net', 'hugedomains', 'gdpr']
results = set({})
nextUrl = None
planeType = 'data' # => Plane type - string [required] - 'data' or 'control'
currentPlane = 'data'

# Function to take a filter and check if it is URL encoded, if not, then encode it
def check_url_encoding(filter):
    if filter != '' and re.search(encodingRegex, filter):
        query = requests.utils.quote(filter, safe='+')
    else:
        query = filter
    return query

# Helper Function to authenticate and obtain a bearer token to be run before every request
def azure_auth():
    # Check if required variables are set
    global bearerToken, bearerTokenExpires, planeType, currentPlane
    planeType = planeType.lower()
    if planeType == 'data':
        resource = 'scope=https%3A%2F%2Feasm.defender.microsoft.com%2F.default'
    elif planeType == 'control':
        resource = 'scope=https%3A%2F%2Fmanagement.azure.com%2F.default'
    else:
        print("Invalid plane type must be either 'data' or 'control'")
        return None

    if clientId == None or clientSecret == None or tenantId == None:
        print("Please provide a client ID, client secret, and tenant ID or if you acquired your bearer token via the CLI please enter it in the bearerToken and bearerTokenExpires parameters above.")
        return None
    # Check if bearer token is set and not expired, else return a new token
    if bearerToken == None or bearerToken == '' and bearerTokenExpires == 0 or time.time() > bearerTokenExpires or currentPlane != planeType or currentPlane == None:
        auth_url = f"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token"
        auth_payload=f'grant_type=client_credentials&client_id={clientId}&client_secret={clientSecret}&{resource}'
        auth_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        response = requests.request("POST", auth_url, headers=auth_headers, data=auth_payload)
        if response.status_code != 200:
            print("Error acquiring bearer token")
            print(response.text)
            return None
        else:
            bearerToken = json.loads(response.text)['access_token']
            bearerTokenExpires = time.time() + json.loads(response.text)['expires_in']
            currentPlane = planeType
    return bearerToken, bearerTokenExpires

# Make an initial request for a bearer token
azure_auth()
if bearerToken != None and bearerTokenExpires == 0 or time.time() > bearerTokenExpires:
    print("Error acquiring bearer token")
else:
    print("Bearer token acquired successfully")

### Assets - List

In [None]:
## Assets List returns##
def get_asset_list(query):
    ''' Assets List endpoint - takes a URL encoded query string '''
    check_url_encoding(query)
    global planeType
    planeType = 'data'
    azure_auth()
    nextUrl = None
    url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/assets?api-version={apiVersion}&maxpagesize={maxpagesize}&filter={query}&mark={mark}"

    payload={}
    headers = {
      'User-Agent': 'MDEASM Python Notebook',
      'Authorization': f'Bearer {bearerToken}'
    }
    

    response = requests.request("GET", url, headers=headers, data=payload)
    if response.status_code != 200:
        print("Error getting asset list")
        print(response.text)
        return None
    if len(response.text) == 0:
        print("No assets found matching your query")
        return None
    else:
        responsejson = json.loads(response.text)
        responseresults = responsejson['content']
        for i in responseresults:
            results.add(i['name'])
        if 'nextLink' in responsejson and nextUrl != responsejson['nextLink']:
            nextUrl = responsejson['nextLink']
        else:
            nextUrl = None
        #print(responsejson)
        
    while nextUrl:
        azure_auth()
        response = requests.request("GET", nextUrl, headers=headers, data=payload)
        responsejson = json.loads(response.text)
        responseresults = responsejson['content']
        for i in responseresults:
            results.add(i['name'])
        if 'nextLink' not in responsejson:
            nextUrl = None
        else:
            time.sleep(1)
            nextUrl = responsejson['nextLink']
        
    if len(results) == 0:
        print("No assets found matching your query")
    else:
        print("Number of results: " + str(len(results)))
    print(results)

In [None]:
query = 'state = confirmed AND kind in ("host","ipAddress") AND webComponentType = Server AND webComponentName ^=in ("Apache", "Microsoft IIS") AND cvss3BaseScore >= 7'
get_asset_list(query)

### Asset - Get

In [None]:
# Retrieves a single asset by assetId
def get_asset(assetId):
    ''' Asset Get endpoint - takes a UUID formatted AssetId '''
    if assetId!= None and re.search(uuidRegex, assetId) != None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/assets/{assetId}?api-version={apiVersion}"
        payload={}
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        response = requests.request("GET", url, headers=headers, data=payload)
        if response.status_code != 200:
            print("Error getting asset details")
            print(response.text)
            return None
        if len(response.text) == 0:
            print("No asset found matching your assetId")
            return None
        else:
            responsejson = json.loads(response.text)
            
            # simplified output of asset names, adjust to your needs
            print(responsejson)
    else:
        print("Please provide a valid assetId")

In [None]:
get_asset('a8c5a9e0-0000-0000-0000-000000000000')

### Assets - Update

In [None]:
# Update labels, state, or externalId for a set of assets returned by a query
def update_assets(query, postBody):
    ''' Function to access the Assets Update endpoint - requires a URL encoded query string 
    and a post body containing the asset properties to update 
    example post body: {"labels": {"Label1": True}, "state": "confirmed", "transfers":["sslCert"], "externalId": "123456"}
    accepted transfers values: contact, domain, ipBlock, host, page, sslCert, as, ipAddress'''
    check_url_encoding(query)
    global planeType
    planeType = 'data'
    azure_auth()
    url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/assets?filter={query}&api-version={apiVersion}"
    payload = json.loads(json.dumps(postBody))
    headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}',
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    }
    response = requests.request("POST", url, headers=headers, data=payload)
    if response.status_code != 200:
        print("Error updating assets related to supplied query")
        print(response.text)
        return None
    else:
        responsejson = json.loads(response.text)
        print(responsejson)

In [None]:
update_query = 'state = confirmed AND domain in ("contoso.com")'
update_body = '{"state":"dismissed","transfers":["sslCert"]}'
update_assets(update_query, update_body)

### Tasks - Get

In [None]:
# Retrieves a single task by taskId
def get_task(taskId):
    ''' Task Get endpoint - requires a UUID formatted TaskId '''
    if taskId!= None and re.search(uuidRegex, taskId) != None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/tasks/{taskId}?api-version={apiVersion}"
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        response = requests.request("GET", url, headers=headers)
        if response.status_code != 200:
            print("Error getting task details")
            print(response.text)
            return None
        if len(response.text) == 0:
            print("No task found matching your taskId")
            return None
        else:
            responsejson = json.loads(response.text)
            
            # simplified output of asset names, adjust to your needs
            print(responsejson)
    else:
        print("Please provide a valid taskId")

In [None]:
get_task('a8c5a9e0-0000-0000-0000-000000000000')

### Tasks - List

In [None]:
# Retrieves a list of tasks by workspace name
def get_task_list():
    ''' Tasks List endpoint - requires a valid resource name (the name of your workspace) '''
    global planeType
    planeType = 'data'
    azure_auth()
    url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/tasks?api-version={apiVersion}"
    headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
    }
    response = requests.request("GET", url, headers=headers)
    if response.status_code != 200:
        print("Error getting task list, check the resource name")
        print(response.text)
        return None
    if len(response.text) == 0:
        print("No tasks found matching your resource name")
        return None
    else:
        responsejson = json.loads(response.text)
        
        # simplified output of workspace tasks, adjust to your needs
        print(responsejson)

In [None]:
get_task_list()

### Tasks - Cancel

In [None]:
# Cancels a running task by taskId
def cancel_task(taskId):
    ''' Task Cancel endpoint - requires a UUID formatted TaskId '''
    if taskId!= None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/tasks/{taskId}:cancel?api-version={apiVersion}"
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        response = requests.request("POST", url, headers=headers)
        if response.status_code != 200:
            print("Error getting cancellation request details")
            print(response.text)
            return None
        if len(response.text) == 0:
            print("No task found matching your taskId")
            return None
        else:
            responsejson = json.loads(response.text)
            
            # simplified output of asset names, adjust to your needs
            print(responsejson)
    else:
        print("Please provide a valid taskId")

In [None]:
cancel_task('a8c5a9e0-0000-0000-0000-000000000000')

### Helper functions:
### Get Common Assets

In [None]:
# Function to gather all the common assets/attributes for a given query
# Change includeNS=True if you want to include nameservers
def get_common_assets(query, includeNS=False):
    check_url_encoding(query)
    global planeType, nextUrl
    planeType = 'data'
    azure_auth()
    nextUrl = None
    commonAssetsList = []
    
    def commonFunc(assetName, assetType):
        if any(assetName in x.values() for x in commonAssetsList):
            for i in commonAssetsList:
                if assetName == str(i['name']):
                    i['count'] += 1
        else:
            if len(assetName) > 0:
                if next((f for f in whoisFilter if f in assetName.lower()), None):
                    pass
                else:
                    commonAssetsList.append({"name": str(assetName), "assetType": assetType, "count": 1})

    url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/assets?api-version={apiVersion}&maxpagesize={maxpagesize}&filter={query}&mark={mark}"

    payload={}
    headers = {
      'User-Agent': 'MDEASM Python Notebook',
      'Authorization': f'Bearer {bearerToken}'
    }

    response = requests.request("GET", url, headers=headers, data=payload)
    if response.status_code != 200:
        print("Error getting asset list")
        print(response.text)
        return None
    if len(response.text) == 0:
        print("No assets found matching your query")
        return None
    else:
        responsejson = json.loads(response.text)
        responseresults = responsejson['content']   
        for i in responseresults:
            if i['kind'] == 'domain':
                if i['asset']['domain'] != None or i['asset']['domain'] != '':
                    commonFunc(str(i['asset']['domain']), 'domain')
                if 'adminContacts' in i['asset'].keys():
                    for x in i['asset']['adminContacts']:
                        if 'recent' in x.keys():
                            if x['recent']:
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')
                if 'adminNames' in i['asset'].keys():
                    for x in i['asset']['adminNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'adminPhones' in i['asset'].keys():
                    for x in i['asset']['adminPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'adminOrgs' in i['asset'].keys():
                    for x in i['asset']['adminOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')
                if 'registrantContacts' in i['asset'].keys():
                    for x in i['asset']['registrantContacts']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisContact')
                if 'registrantNames' in i['asset'].keys():
                    for x in i['asset']['registrantNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'registrantPhones' in i['asset'].keys():
                    for x in i['asset']['registrantPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'registrantOrgs' in i['asset'].keys():
                    for x in i['asset']['registrantOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')
                if includeNS == True and 'nameServers' in i['asset'].keys() and len(i['asset']['nameServers']) > 0:
                    for x in i['asset']['nameServers']:
                        if 'value' in x.keys() and 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(x['value'], 'nameServer')
            
            elif i['kind'] == 'host' or i['kind'] == 'page':
                if i['asset']['domain'] != None or i['asset']['domain'] != '':
                    commonFunc(str(i['asset']['domain']), 'domain')
                if 'domainAsset' in i['asset'].keys():
                    if 'adminContacts' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminContacts']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')

                    if 'adminNames' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminNames']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisName')

                    if 'adminPhones' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminPhones']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisPhone')

                    if 'adminOrgs' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminOrgs']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisOrg')

                    if 'registrantContacts' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantContacts']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')

                    if 'registrantNames' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantNames']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisName')

                    if 'registrantPhones' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantPhones']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisPhone')

                    if 'registrantOrgs' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantOrgs']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisOrg')
                if includeNS == True and 'domainAsset' in i['asset'].keys():
                    if 'nameServers' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['nameServers']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(x['value'], 'nameServer')    
            
            elif i['kind'] == 'ipAddress':
                    if 'ipBlocks' in ['asset'].keys():
                        for x in i['asset']['ipBlocks']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['ipBlock']), 'ipBlock')
                    if 'asns' in ['asset'].keys():
                        for x in i['asset']['asns']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']))
            
            elif i['kind'] == 'ipBlock':
                if 'netNames' in i['asset'].keys():
                    for x in i['asset']['netNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'netName')
                if 'adminContacts' in i['asset'].keys():
                    for x in i['asset']['adminContacts']:
                        if 'recent' in x.keys():
                            if x['recent']:
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')
                if 'adminNames' in i['asset'].keys():
                    for x in i['asset']['adminNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'adminPhones' in i['asset'].keys():
                    for x in i['asset']['adminPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'adminOrgs' in i['asset'].keys():
                    for x in i['asset']['adminOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')
                if 'technicalContacts' in i['asset'].keys():
                    for x in i['asset']['technicalContacts']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisContact')
                if 'technicalNames' in i['asset'].keys():
                    for x in i['asset']['technicalNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'technicalPhones' in i['asset'].keys():
                    for x in i['asset']['technicalPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'technicalOrgs' in i['asset'].keys():
                    for x in i['asset']['technicalOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')

        if 'nextLink' in responsejson and nextUrl != responsejson['nextLink']:
            nextUrl = responsejson['nextLink']
        else:
            nextUrl = None
        
    while nextUrl:
        azure_auth()
        time.sleep(1)
        response = requests.request("GET", nextUrl, headers=headers, data=payload)
        responsejson = json.loads(response.text)
        responseresults = responsejson['content']
        for i in responseresults:
            if i['kind'] == 'domain':
                if i['asset']['domain'] != None or i['asset']['domain'] != '':
                    commonFunc(str(i['asset']['domain']), 'domain')
                if 'adminContacts' in i['asset'].keys():
                    for x in i['asset']['adminContacts']:
                        if 'recent' in x.keys():
                            if x['recent']:
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')
                if 'adminNames' in i['asset'].keys():
                    for x in i['asset']['adminNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'adminPhones' in i['asset'].keys():
                    for x in i['asset']['adminPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'adminOrgs' in i['asset'].keys():
                    for x in i['asset']['adminOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')
                if 'registrantContacts' in i['asset'].keys():
                    for x in i['asset']['registrantContacts']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisContact')
                if 'registrantNames' in i['asset'].keys():
                    for x in i['asset']['registrantNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'registrantPhones' in i['asset'].keys():
                    for x in i['asset']['registrantPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'registrantOrgs' in i['asset'].keys():
                    for x in i['asset']['registrantOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')
                if includeNS == True and 'nameServers' in i['asset'].keys() and len(i['asset']['nameServers']) > 0:
                    for x in i['asset']['nameServers']:
                        if 'value' in x.keys() and 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(x['value'], 'nameServer')
            
            elif i['kind'] == 'host' or i['kind'] == 'page':
                if i['asset']['domain'] != None or i['asset']['domain'] != '':
                    commonFunc(str(i['asset']['domain']), 'domain')
                if 'domainAsset' in i['asset'].keys():
                    if 'adminContacts' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminContacts']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')

                    if 'adminNames' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminNames']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisName')

                    if 'adminPhones' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminPhones']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisPhone')

                    if 'adminOrgs' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['adminOrgs']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisOrg')

                    if 'registrantContacts' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantContacts']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')

                    if 'registrantNames' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantNames']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisName')

                    if 'registrantPhones' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantPhones']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisPhone')

                    if 'registrantOrgs' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['registrantOrgs']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisOrg')
                if includeNS == True and 'domainAsset' in i['asset'].keys():
                    if 'nameServers' in i['asset']['domainAsset'].keys():
                        for x in i['asset']['domainAsset']['nameServers']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(x['value'], 'nameServer')    
            
            elif i['kind'] == 'ipAddress':
                    if 'ipBlocks' in ['asset'].keys():
                        for x in i['asset']['ipBlocks']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['ipBlock']), 'ipBlock')
                    if 'asns' in ['asset'].keys():
                        for x in i['asset']['asns']:
                            if 'recent' in x.keys():
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']))
            
            elif i['kind'] == 'ipBlock':
                if 'netNames' in i['asset'].keys():
                    for x in i['asset']['netNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'netName')
                if 'adminContacts' in i['asset'].keys():
                    for x in i['asset']['adminContacts']:
                        if 'recent' in x.keys():
                            if x['recent']:
                                if x['recent'] == True and x['value'] != None or x['value'] != '':
                                    commonFunc(str(x['value']), 'whoisContact')
                if 'adminNames' in i['asset'].keys():
                    for x in i['asset']['adminNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'adminPhones' in i['asset'].keys():
                    for x in i['asset']['adminPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'adminOrgs' in i['asset'].keys():
                    for x in i['asset']['adminOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')
                if 'technicalContacts' in i['asset'].keys():
                    for x in i['asset']['technicalContacts']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisContact')
                if 'technicalNames' in i['asset'].keys():
                    for x in i['asset']['technicalNames']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisName')
                if 'technicalPhones' in i['asset'].keys():
                    for x in i['asset']['technicalPhones']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisPhone')
                if 'technicalOrgs' in i['asset'].keys():
                    for x in i['asset']['technicalOrgs']:
                        if 'recent' in x.keys():
                            if x['recent'] == True and x['value'] != None or x['value'] != '':
                                commonFunc(str(x['value']), 'whoisOrg')

        if 'nextLink' not in responsejson:
            nextUrl = None
        else:
            nextUrl = responsejson['nextLink']
    commonAssetsList = sorted(commonAssetsList, key=lambda k: k['count'], reverse=True)
    for i in commonAssetsList:
        print(str(i))

In [None]:
query = 'state = confirmed AND kind in ("domain")'
get_common_assets(query)

### Discovery Group - Get

In [None]:
# Retrieves a discovery group with a groupName
def get_disco_group(groupName):
    ''' Discovery Group Get endpoint - takes a string formatted discovery group name '''
    if groupName != None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/discoGroups/{groupName}?api-version={apiVersion}"
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        response = requests.request("GET", url, headers=headers)
        if response.status_code != 200:
            print("Error getting asset details")
            print(response.text)
            return None
        if len(response.text) == 0:
            print(f"No discovery group found matching {groupName}")
            return None
        else:
            responsejson = json.loads(response.text)
            
            # simplified output of asset names, adjust to your needs
            print(responsejson)
    else:
        print("Please provide a valid groupName")

In [None]:
get_disco_group('myDiscoGroupName')

### Discovery Groups - List

In [None]:
# Retrieves a list of discovery groups
def get_disco_groups_list(filter=None):
    ''' Discovery Group Get List endpoint '''
    global planeType
    planeType = 'data'
    azure_auth()
    url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/discoGroups?api-version={apiVersion}"
    headers = {
    'User-Agent': 'MDEASM Python Notebook',
    'Authorization': f'Bearer {bearerToken}'
    }
    if filter != None:
        url = url + f"&filter={filter}"
    response = requests.request("GET", url, headers=headers)
    if response.status_code != 200:
        print("Error getting discovery groups")
        print(response.text)
        return None
    if len(response.text) == 0:
        print("No discovery groups found")
        return None
    else:
        responsejson = json.loads(response.text)
        
        # simplified output of asset names, adjust to your needs
        print(responsejson)


In [None]:
get_disco_groups_list()

### Discovery Groups - List Runs

In [None]:
# Retrieve a collection of discovery run results for a discovery group with a given groupName.
def get_disco_group_runs(groupName, filter=None, skip=None):
    ''' Discovery Group Get Runs endpoint '''
    if groupName != None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/discoGroups/{groupName}?api-version={apiVersion}"
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        if filter != None:
            url = url + f"&filter={filter}"
        if skip != None:
            url = url + f"&skip={skip}"
        response = requests.request("GET", url, headers=headers)
        if response.status_code != 200:
            print(f"Error getting discovery group {groupName}")
            print(response.text)
            return None
        if len(response.text) == 0:
            print(f"No discovery group found matching: {groupName}")
            return None
        else:
            responsejson = json.loads(response.text)
            
            # simplified output of asset names, adjust to your needs
            print(responsejson)
    else:
        print("Please provide a valid groupName")

In [None]:
get_disco_group_runs('myDiscoGroupName')

### Discovery Group - Delete

In [None]:
# Delete a discovery group with a given groupName.
def delete_disco_group(groupName):
    ''' Discovery Group Delete endpoint '''
    if groupName != None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/discoGroups/{groupName}?api-version={apiVersion}"
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        response = requests.request("DELETE", url, headers=headers)
        if response.status_code != 200:
            print(f"Error deleting discovery group {groupName}")
            print(response.text)
            return None
        if len(response.text) == 0:
            print(f"No discovery group found matching: {groupName}")
            return None
        else:
            responsejson = json.loads(response.text)
            
            # simplified output of asset names, adjust to your needs
            print(responsejson)
    else:
        print("Please provide a valid groupName")

In [None]:
delete_disco_group('myDiscoGroupName')

### Discovery Group - Run

In [None]:
# Run a discovery group with a given groupName.
def run_disco_group(groupName):
    ''' Discovery Group Run endpoint '''
    if groupName != None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/discoGroups/{groupName}:run?api-version={apiVersion}"
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        response = requests.request("POST", url, headers=headers)
        if response.status_code != 200 and response.status_code != 202 and response.status_code != 204:
            print(f"Error running discovery group {groupName}: response code {response.status_code}")
            print(response.text)
            return None
        else:
            print(f"Discovery group {groupName} run successfully")
    else:
        print("Please provide a valid groupName")

In [None]:
run_disco_group('myDiscoGroupName')

### Discovery Group - Create

In [None]:
# Create a discovery group with a given groupName.
def create_disco_group(groupName, requestBody):
    ''' Discovery Group Run endpoint '''
    if groupName != None:
        global planeType
        planeType = 'data'
        azure_auth()
        url = f"https://{region}.easm.defender.microsoft.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/workspaces/{resourceName}/discoGroups/{groupName}?api-version={apiVersion}"
        requestBody = json.loads(json.dumps(requestBody))
        headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
        }
        response = requests.request("PUT", url, headers=headers, body=requestBody)
        if response.status_code != 200:
            print(f"Error creating discovery group {groupName}")
            print(response.text)
            return None
        else:
            responsejson = json.loads(response.text)
            
            # simplified output of asset names, adjust to your needs
            print(responsejson)
    else:
        print("Please provide a valid groupName and the requestBody parameters")

In [None]:
requestBody = '{"description":"myDiscoGroupDescription", "displayName":"myDiscoGroupDisplayName", "frequencyMilliseconds":604800000, "tier":"advanced", , seeds: [{name: "thisisatest.microsoft.com", kind: "host"} {name: "hotels.contoso.com", kind: "host"}]}'
create_disco_group('myDiscoGroupName')

### Control Plane Endpoints
### Labels - Create And Update

In [None]:
# Labels Create And Update endpoint - requires a URL encoded query string
#   and a post body containing the label properties to create or update 
#   example labelBody: '{"properties": {"color": "red", "displayName": "This is a test label - #1"}}'

def create_labels(labelName, labelBody):
    ''' Labels Create And Update endpoint - requires a URL encoded query string 
    and a post body containing the label properties to create or update 
    example labelBody: {"properties": {"color": "red", "displayName": "This is a test label - #1"}} '''
    global planeType
    planeType = 'control'
    azure_auth()
    url = f"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Easm/workspaces/{resourceName}/labels/{labelName}?api-version=2022-04-01-preview"
    payload = json.loads(json.dumps(labelBody))
    headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}',
        'Content-Type': 'application/json',
        'Accept': 'application/json'
    }
    response = requests.request("PUT", url, headers=headers, data=payload)
    if response.status_code != 200:
        print(f"Error creating label. Response code: {response.status_code}")
        print(response.text)
        return None
    else:
        responsejson = json.loads(response.text)
        print(responsejson)

In [None]:
create_labels('TestLabel1', '{"properties": {"color": "red", "displayName": "This is a test label - #1"}}')

### Labels - List By Workspace

In [None]:
# Returns a list of labels in a workspace
def list_labels():
    ''' Returns a list of labels in a workspace '''
    url = f"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Easm/workspaces/{resourceName}/labels?api-version=2022-04-01-preview"
    global planeType
    planeType = 'control'
    azure_auth()
    headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
    }
    response = requests.request("GET", url, headers=headers)
    if response.status_code != 200:
        print("Error getting labels list, check the resource name")
        print(response.text)
        return None
    else:
        responsejson = json.loads(response.text)
        print(responsejson)

In [None]:
list_labels()

### Labels - Get

In [None]:
# Returns a label in a workspace
def get_label(labelName):
    ''' Returns a label in a workspace '''
    labelName = labelName.replace(' ', '')
    global planeType
    planeType = 'control'
    azure_auth()
    url = f"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Easm/workspaces/{resourceName}/labels/{labelName}?api-version=2022-04-01-preview"
    headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
    }
    response = requests.request("GET", url, headers=headers)
    if response.status_code != 200:
        print("Error getting labels list, check the resource name")
        print(response.text)
        return None
    else:
        responsejson = json.loads(response.text)
        print(responsejson)

In [None]:
get_label('TestLabel1')

### Labels - Delete

In [None]:
# Deletes a label in a workspace
def delete_label(labelName):
    ''' Deletes a label in a workspace '''
    labelName = labelName.replace(' ', '')
    global planeType
    planeType = 'control'
    azure_auth()
    url = f"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Easm/workspaces/{resourceName}/labels/{labelName}?api-version=2022-04-01-preview"
    headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}'
    }
    response = requests.request("DELETE", url, headers=headers)
    #responsejson = json.loads(response.text)
    print(response)

In [None]:
delete_label('TestLabel1')

### Labels - Update

In [None]:
# Labels Update endpoint - requires a URL encoded query string
#   and a post body containing the label properties to update 
#   example labelBody: '{"properties": {"color": "blue", "displayName": "This is a test label - #2"}}'

def update_labels(labelName, labelBody):
    ''' Labels Update endpoint - requires a URL encoded query string 
    and a post body containing the label properties to update 
    example labelBody: {"properties": {"color": "blue", "displayName": "This is a test label - #2"}} '''
    labelName = labelName.replace(' ', '')
    global planeType
    planeType = 'control'
    azure_auth()
    url = f"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Easm/workspaces/{resourceName}/labels/{labelName}?api-version=2022-04-01-preview"
    payload = json.loads(json.dumps(labelBody))
    headers = {
        'User-Agent': 'MDEASM Python Notebook',
        'Authorization': f'Bearer {bearerToken}',
        'Content-Type': 'application/json'
    }
    response = requests.request("PATCH", url, headers=headers, data=payload)
    if response.status_code != 200:
        print("Error creating label")
        print(response.text)
        return None
    else:
        responsejson = json.loads(response.text)
        print(responsejson)

In [None]:
update_labels('TestLabel1', '{"properties": {"color": "blue", "displayName": "This is a test label - #2"}}')