From 3325a4ea9ea5cb0ead75e3eb4d80ce30e922f79e Mon Sep 17 00:00:00 2001
From: lomayor
Date: Fri, 13 Dec 2019 17:31:13 -0800
Subject: [PATCH] Undo changes to API topics

---
 .../exposed-apis-full-sample-powershell.md | 4 ++--
 .../microsoft-defender-atp/run-advanced-query-api.md | 2 +-
 .../run-advanced-query-sample-powershell.md | 2 +-
 .../run-advanced-query-sample-python.md | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
index e66b4eade4..6314bce713 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
@@ -32,7 +32,7 @@ In this section we share PowerShell samples to
 >**Prerequisite**: You first need to [create an app](apis-intro.md).
-## Preparation Instructions
+## Preparation instructions
 - Open a PowerShell window.
 - If your policy does not allow you to run the PowerShell commands, you can run the below command:
@@ -99,7 +99,7 @@ Foreach($alert in $alerts)
 $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
-$query = "DeviceNetworkEvents
+$query = "NetworkCommunicationEvents
 | where MachineId in ($commaSeparatedMachines)
 | where RemoteUrl == `"$suspiciousUrl`"
 | summarize ConnectionsCount = count() by MachineId"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index bece592d00..8dc833cda8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -81,7 +81,7 @@ Here is an example of the request.
 POST https://api.securitycenter.windows.com/api/advancedqueries/run
 Content-type: application/json
 {
- "Query":"DeviceProcessEvents
+ "Query":"ProcessCreationEvents
 | where InitiatingProcessFileName =~ \"powershell.exe\"
 | where ProcessCommandLine contains \"appdata\"
 | project EventTime, FileName, InitiatingProcessFileName
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
index 15aded57d0..e33a799eb0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
@@ -70,7 +70,7 @@ where
 Run the following query:
 ```
-$query = 'DeviceRegistryEvents | limit 10' # Paste your own query here
+$query = 'RegistryEvents | limit 10' # Paste your own query here
 $url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
 $headers = @{
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
index 6c4831e501..f8b07f534c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
@@ -73,7 +73,7 @@ where
 Run the following query:
 ```
-query = 'DeviceRegistryEvents | limit 10' # Paste your own query here
+query = 'RegistryEvents | limit 10' # Paste your own query here
 url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
 headers = {