replace code blocks!?

This commit is contained in:
Joey Caparas
2017-04-04 11:23:32 -07:00
parent 5f28ca87fa
commit 811d6a5607
3 changed files with 281 additions and 13 deletions

View File

@ -45,7 +45,71 @@ This step will guide you in creating an alert definition and an IOC for a malici
NOTE:<br>
Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application.
[!code[ExampleScript](./code/example-script.ps1#L1-L60)]
```
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
Try
{
$tokenPayload = @{
"resource" = 'https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
"Fetching an access token"
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
"Token fetched successfully"
$headers = @{
"Content-Type" = "application/json"
"Accept" = "application/json"
"Authorization" = "Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitionPayload = @{
"Name" = "Test Alert"
"Severity" = "Medium"
"InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
"Title" = "Test alert."
"UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
"RecommendedAction" = "No recommended action for this test alert."
"Category" = "SuspiciousNetworkTraffic"
"Enabled" = "true"}
"Creating an Alert Definition"
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
"Alert Definition created successfully"
$alertDefinitionId = $alertDefinition.Id
$iocPayload = @{
"Type"="IpAddress"
"Value"="52.184.197.12"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
"Creating an Indicator of Compromise"
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
"Indicator of Compromise created successfully"
"All done!"
}
Catch
{
'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message
}
```
3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.
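Review bot: the `[!code[ExampleScript](./code/example-script.ps1#L1-L60)]` include directive is still on the line directly above the new fence, so the script either renders twice (if the build expands the directive) or the directive shows up as literal text (if it does not); since this commit inlines the script, the directive should go. Two smaller points in the same hunk: the fence is untagged, while the PowerShell topic in this commit tags its fences ```powershell, so tag it the same way for highlighting; and because the fence is not indented under list item 2, some renderers will break the numbered list before the "3. Run the script" item that follows it.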

View File

@ -36,19 +36,43 @@ The following example demonstrates how to obtain an Azure AD access token that y
Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
[!code[CustomTIAPI](./code/example.ps1#L1-L14)]
```powershell
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
$tokenPayload = @{
"resource"='https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
```
<span id="header" />
## Step 2: Create headers used for the requests with the API
Use the following code to create the headers used for the requests with the API:
[!code[CustomTIAPI](./code/example.ps1#L16-L19)]
```powershell
$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
```
<span id="calls" />
## Step 3: Create calls to the custom threat intelligence API
After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
[!code[CustomTIAPI](./code/example.ps1#L21-L24)]
```powershell
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
```
The response is empty on initial use of the API.
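Review bot: the Step 1 prose tells the reader to replace the *clientid* value, but the variable in the block is `$clientId`; the names should match so a reader searching the script finds it. The three `[!code[CustomTIAPI](./code/example.ps1#...)]` include lines are also still present above each new fence, so each block would render twice if the directive is processed; with the code now inlined they can be removed.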
@ -56,18 +80,96 @@ The response is empty on initial use of the API.
## Step 4: Create a new alert definition
The following example demonstrates how you to create a new alert definition.
[!code[CustomTIAPI](./code/example.ps1#L26-L39)]
```powershell
$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= "true"}
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
```
<span id="ioc" />
## Step 5: Create a new indicator of compromise
You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
[!code[CustomTIAPI](./code/example.ps1#L43-L53)]
```powershell
$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
```
## Complete code
You can use the complete code to create calls to the API.
[!code[CustomTIAPI](./code/example.ps1#L1-L53)]
```powershell
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
$tokenPayload = @{
"resource"='https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
$headers = @{
"Content-Type"="application/json"
"Accept"="application/json"
"Authorization"="Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
$alertDefinitionPayload = @{
"Name"= "The alert's name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= "true"}
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
$alertDefinitionId = $alertDefinition.Id
$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
```
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
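Review bot: the Step 5 block uses `$alertDefinitionId` in the `"AlertDefinition@odata.bind"` value but never assigns it; only the "Complete code" block has the `$alertDefinitionId = $alertDefinition.Id` line. A reader working through the steps in order will bind the IOC to an empty reference (`AlertDefinitions()`), since `-f` with an undefined variable yields an empty string. Add that assignment line to the Step 5 block (or to the end of Step 4, which is where the prose says the ID is obtained). Also, "demonstrates how you to create" in the Step 4 intro should read "demonstrates how to create".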

View File

@ -38,20 +38,45 @@ The following example demonstrates how to obtain an Azure AD access token that y
Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
[!code[CustomTIAPI](./code/example.py#L1-L17)]
```
import json
import requests
from pprint import pprint
auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials"}
response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]
```
<span id="session-object" />
## Step 2: Create request session object
Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
[!code[CustomTIAPI](./code/example.py#L19-L23)]
```
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
'Content-Type': 'application/json',
'Accept': 'application/json'}
```
<span id="calls" />
## Step 3: Create calls to the custom threat intelligence API
After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
[!code[CustomTIAPI](./code/example.py#L25-L26)]
```
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
```
The response is empty on initial use of the API.
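Review bot: the token request in Step 1 is parsed with `json.loads(response.text)["access_token"]` without checking the HTTP status, so a rejected client secret or wrong authorization URL surfaces as a `KeyError` on "access_token" rather than as an HTTP error; a `response.raise_for_status()` before the parse would make the failure obvious, and `response.json()` is the idiomatic way to decode the body. Two presentation points: the fences in this hunk carry no language tag, so tag them ```python as the PowerShell topic does with ```powershell; and the calls in Step 3 onward rely on the `session` created by `with requests.Session() as session:` in Step 2, so they must stay indented inside that block in the committed file, which this view does not make visible.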
@ -59,18 +84,95 @@ The response is empty on initial use of the API.
## Step 4: Create a new alert definition
The following example demonstrates how you to create a new alert definition.
[!code[CustomTIAPI](./code/example.py#L28-L39)]
```
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
"Title": "The Title",
"UxDescription": "Description of the alerts",
"RecommendedAction": "The alert's recommended action",
"Category": "Trojan",
"Enabled": True}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
json=alert_definition)
```
<span id="ioc" />
## Step 5: Create a new indicator of compromise
You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
[!code[CustomTIAPI](./code/example.py#L41-L51)]
```
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
'DetectionFunction': "Equals",
'Enabled': True,
"AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
json=ioc)
```
## Complete code
You can use the complete code to create calls to the API.
[!code[CustomTIAPI](./code/example.py#L1-L53)]
```syntax
import json
import requests
from pprint import pprint
auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials"}
response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
'Content-Type': 'application/json',
'Accept': 'application/json'}
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
"Title": "The Title",
"UxDescription": "Description of the alerts",
"RecommendedAction": "The alert's recommended action",
"Category": "Trojan",
"Enabled": True}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
json=alert_definition)
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
'DetectionFunction': "Equals",
'Enabled': True,
"AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
json=ioc)
pprint(json.loads(response.text))
```
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
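Review bot: the "Complete code" fence is tagged ```syntax, which is not a language identifier and will not highlight; it should be ```python, consistent with the step blocks above it. The Step 4 intro also has the "demonstrates how you to create" typo. Finally, the complete block reads `json.loads(response.text)["Id"]` straight after the alert-definition POST without checking the status, so a failed create produces a confusing `KeyError` instead of an HTTP error; a `response.raise_for_status()` there, and the trailing `pprint(json.loads(response.text))` that only the complete block has, should be mirrored in the Step 5 block so the two stay in step.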