Microsoft Defender for Endpoint Data Extraction Guide (for SIM Template)

Microsoft Defender for Endpoint collects endpoint and application inventory data via the Defender sensor.
The relevant data sources for SIM import include:

• Devices (Machine Inventory) – Device name, OS, and onboarding status.

• Software Inventory – Installed software name, version, and vendor detected per device.

• Microsoft Defender for Endpoint REST API – Programmatic access to device and software inventory data.

Note: Software inventory visibility requires Device Inventory / Software Inventory to be enabled in Microsoft Defender for Endpoint.

Prerequisites

For Console (UI) Method

• Access to the Microsoft 365 Defender Portal (https://security.microsoft.com).

• Role with permission to view Endpoints and Software Inventory (e.g. Security Reader, Security Administrator).

• Devices onboarded and actively reporting to Microsoft Defender for Endpoint.

• Permission to export data from inventory views.

For API Method

• Azure AD application with API permissions for Microsoft Defender for Endpoint.

• Required permissions:

  • Machine.Read.All

  • Software.Read.All

• Client ID, Tenant ID, and Client Secret for OAuth2 authentication.

• A PowerShell or REST-capable environment (PowerShell, curl, Postman).

• Access to the Defender API endpoint (https://api.security.microsoft.com).

Recommended Query or Method

Two supported extraction methods are available.

Option 1: Microsoft 365 Defender Portal Export (UI)

This method is suitable for manual or ad-hoc exports.

Steps

1. Log in to the Microsoft 365 Defender Portal.

2. Navigate to Endpoints → Software inventory.

3. Apply filters as required (e.g. all devices, specific OS).

4. Ensure the following fields are visible:

   • Device name

   • Software name

   • Version

   • Vendor / Publisher

5. Click Export and choose CSV.

6. Save the file as MDE_SIM_Export.csv.

Tip: You can also export from Endpoints → Device inventory and include software-related fields in the export.

Option 2: Microsoft Defender for Endpoint API (Recommended for Automation)

For automated or large-scale exports, use the Defender for Endpoint REST API.

Step 1: Authenticate with OAuth2

# Microsoft Defender for Endpoint SIM Template Export Script
# Requires Azure AD App Registration with MDE permissions

$TenantId = "YOUR_TENANT_ID"
$ClientId = "YOUR_CLIENT_ID"
$ClientSecret = "YOUR_CLIENT_SECRET"
$ExportPath = "C:\Exports\MDE_SIM_Export.csv"

# Get OAuth2 token
$Body = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://api.security.microsoft.com/.default"
}

$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body $Body `
    -ContentType "application/x-www-form-urlencoded"

$AccessToken = $TokenResponse.access_token

Step 2: Retrieve Software Inventory

$Headers = @{
    "Authorization" = "Bearer $AccessToken"
    "Accept"        = "application/json"
}

# Retrieve software inventory
$Url = "https://api.security.microsoft.com/api/software"
$SoftwareResponse = Invoke-RestMethod -Uri $Url -Headers $Headers -Method Get

$ExportData = @()

foreach ($Software in $SoftwareResponse.value) {
    foreach ($Device in $Software.devices) {
        $ExportData += [PSCustomObject]@{
            "Device Name"        = $Device.deviceName
            "Software Name"      = $Software.name
            "Software Version"   = $Device.version
            "Software Publisher" = $Software.vendor
        }
    }
}

# Export to CSV
$ExportData | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8
Write-Host "Export complete: $ExportPath"

For large environments, handle pagination using the @odata.nextLink value returned by the API.

Exporting to CSV

• Console Method:
  Export directly from Endpoints → Software inventory as CSV.

• API Method:
  The PowerShell script generates MDE_SIM_Export.csv automatically.

Ensure the CSV includes the following headers: