Using the API to upload offline scans to the EDR cloud
NAVIGATION > Admin > Users & Tokens > API Tokens
NAVIGATION > My Profile > API Tokens
SECURITY Datto EDR subscription with administrator or analyst-level platform access
SECURITY Service account or administrator-level rights on the target endpoint
If an endpoint cannot connect to the internet due to a network outage or because of security considerations, you can perform manual offline scans of the host and use the Import-ICSurvey function to upload the results to our analysis engine for review.
This article describes how to use the API to upload one or multiple offline survey files at a time. To learn how to perform an offline scan, refer to Scanning an offline endpoint.
Procedure
Before you can run HTTP requests against your EDR instance, you'll need to generate an API token for use with the EDR PowerShell module.
- If you are an EDR administrator, follow the Admin user steps in Generating Datto EDR API tokens to create the token. If you are an EDR analyst, follow the All other users steps.
- Give the token a name that identifies its function, such as "PowerShell API (JSMITH-PC)."
- Once you've generated the token, proceed to the next section of this article.
- On the endpoint from which you'd like to communicate with the API, launch an administrative instance of PowerShell.
  NOTE If you are a non-Windows user, you may be able to use PowerShell Core to complete these steps. Datto is unable to provide support for third-party applications.
- Install the PowerShell EDR module by running the following command.
  PS > Install-Module InfocyteHUNTAPI
- If you see the message, "You are installing the modules from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the Set-PSRepository cmdlet. Are you sure you want to install the modules from 'PSGallery'?" select [A] Yes to All.
- Register your Datto EDR instance with the API token. Doing so will store the token and server information in a global variable for use with API commands.
  Replace <instanceName> with the first part of your EDR instance's address. As an example, for the URL https://alpo1.infocyte.com, enter alpo1.
  Replace <token> with the PowerShell API token ID you generated for the endpoint.
- You'll see a message stating that your authorization token is being set for the specified URL.
  PS > Set-ICToken -Instance <instanceName> -Token <token> -save
- You're now ready to import your offline scans. To learn how to do so, proceed to the next section of this article.
You'll upload scans to your EDR instance by running special PowerShell commands. You can upload a single survey or an entire folder of surveys. The uploaded data may take several minutes to appear in EDR. By default, the information will upload to the offline scans location, but you can change the destination.
Single survey
To import a single survey result, run the following command. Replace <path to survey.json.gz> with the full path to the survey.
PS > Import-ICSurvey -Path <path to survey.json.gz>
EXAMPLE Import-ICSurvey -Path C:\Users\Administrator\Surveys\HostSurvey.json.gz
Multiple surveys
To import multiple surveys, run the following command. Replace <path to survey folder> with the full path to the directory where the surveys are stored on the endpoint.
PS > Get-ChildItem <path to survey folder> -filter *json.gz | Import-ICSurvey
EXAMPLE Get-ChildItem C:\Users\Administrator\Surveys\ -filter *json.gz | Import-ICSurvey
Changing the location
By default, the Import-ICSurvey command will load the survey results into the OfflineScans location. If you’d like to load the scans into an existing location, include the TargetGroupId value of your preferred group in your import command. Replace <id> with this value.
EXAMPLE Get-ChildItem C:\Users\Administrator\Surveys\ -filter *json.gz | Import-ICSurvey -TargetGroupId <id>
If you don't know the ID of your preferred location, you can obtain it by running the Get-ICTargetGroup command.
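The folder import and -TargetGroupId steps above, combined into one script as an added example (not Datto's own code): it checks that each survey file begins with the gzip magic bytes, records a SHA-256 manifest, and then uploads the file. The script parameters, the Test-GzipHeader helper and the upload-manifest.csv file name are assumptions made for illustration; Set-ICToken must already have been run in the session.

```powershell
# Added example: validate offline survey files, log their hashes, then upload.
# Assumes the InfocyteHUNTAPI module is installed and Set-ICToken has been run.
param(
    [Parameter(Mandatory)] [string] $SurveyFolder,  # folder holding the *.json.gz surveys
    [string] $TargetGroupId,                         # optional; omit to use OfflineScans
    # Hypothetical manifest file name, written next to the surveys.
    [string] $ManifestPath = (Join-Path $SurveyFolder 'upload-manifest.csv')
)

function Test-GzipHeader {
    param([string] $Path)
    # A gzip stream starts with the two magic bytes 0x1F 0x8B.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf  = New-Object byte[] 2
        $read = $stream.Read($buf, 0, 2)
        return ($read -eq 2 -and $buf[0] -eq 0x1F -and $buf[1] -eq 0x8B)
    } finally { $stream.Dispose() }
}

$surveys = Get-ChildItem -Path $SurveyFolder -Filter *json.gz -File
if (-not $surveys) { throw "No survey files found in $SurveyFolder" }

foreach ($file in $surveys) {
    # Skip files that were truncated in transit or are not surveys at all.
    if (-not (Test-GzipHeader -Path $file.FullName)) {
        Write-Warning "Skipping $($file.Name): missing gzip header"
        continue
    }

    # Record what is about to leave this machine, so the upload can be
    # matched later against the file collected from the offline host.
    [pscustomobject]@{
        File        = $file.Name
        Bytes       = $file.Length
        SHA256      = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        UploadedUtc = (Get-Date).ToUniversalTime().ToString('o')
    } | Export-Csv -Path $ManifestPath -Append -NoTypeInformation

    if ($TargetGroupId) {
        Import-ICSurvey -Path $file.FullName -TargetGroupId $TargetGroupId
    } else {
        Import-ICSurvey -Path $file.FullName
    }
}
```

Save the block as a .ps1 file and run it from the same administrative PowerShell session used for Set-ICToken, passing the survey folder as -SurveyFolder.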