deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 10:23:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

add code examples

Browse Source
This commit is contained in:
Joey Caparas
2017-03-14 14:47:16 -07:00
parent 92956721a0
commit 15f539cc49
1 changed files with 79 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md
View File

@ -21,15 +21,67 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Use this method in the Windows Defender ATP API to get alerts in JSON format.
Windows Defender ATP supports the OAuth 2.0 protocol to consume alerts from the portal.
In general, the OAuth 2.0 protocol supports four types of flows:
- Authorization grant flow
- Implicit flow
- Client credentials flow
- Resource owner flow
For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
Windows Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
The _Client credential flow_ uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
Use the following method in the Windows Defender ATP API to get alerts in JSON format.
## Before you begin
- Before calling the Windows Defender ATP endpoint to get alerts, you'll need to enable the threat intelligence application in Azure Active Directory. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). <br><br>
- Have the access token that you generated from the **SIEM integration** feature ready for use in the request header.
- Before calling the Windows Defender ATP endpoint to get alerts, you'll need to enable the threat intelligence application in Azure Active Directory (AAD). For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
- Application ID (unique to your application)
- App key, or secret (unique to your application)
- Your app's OAuth 2.0 token endpoint
- Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`.
## Get an access token
Before creating calls to the endpoint, you'll need to get an access token.
You'll use the access token to access the protected resource, which are alerts in Windows Defender ATP.
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
```syntax
POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
```
The response will include an access token and expiry information.
```json
{
"token type": "Bearer",
"expires in": "3599"
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
"resource": "https://WDATPAlertExport.Seville.onmicrosoft.com",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
```
You can now use the value in the *access_token* field in a request to the Windows Defender ATP API.
## Request
### Request syntax
With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append the access token to the Authorization header of each request.
### Request syntax
Method | Request URI
:---|:---|
GET| Use the URI applicable for your region. <br><br> **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` </br> **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
@ -104,6 +156,29 @@ Here is an example return value:
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
```
## Code examples
### Get access token
The following code example demonstrates how to obtain an access token and call the Windows Defender ATP API.
```syntax
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);
```
### Use token to connect to the alerts endpoint
```
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
string alertsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got alert list: {0}", alertsJson);
```
## Error codes
The Windows Defender ATP REST API returns the following error codes caused by an invalid request.