Merged PR 10826: Add sample for Power BI custom reports using Advanced Hunting API

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -157,6 +157,7 @@
 ##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
 ##### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
 ##### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+##### [Create custom Power BI reports](run-advanced-query-sample-power-bi.md)
 
 
 ### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md

@@ -74,9 +74,12 @@ This page explains how to create an app, get an access token to Windows Defender
 
     ![Image of select permissions](images/webapp-select-permission.png)
 
-	- In order to send telemetry events to WDATP, check 'Write timeline events' permission
-	- In order to send TI events to WDATP, check 'Read and write IOCs belonging to the app' permission
-	- In order to run advanced queries in WDATP, check 'Run advanced queries' permission
+	For instance,
+
+	- In order to [run advanced queries](run-advanced-query-api.md), check 'Run advanced queries' permission
+	- In order to [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), check 'Isolate machine' permission
+
+	To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
 
 7. Click **Done**
 

windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md

@@ -200,5 +200,10 @@ There are a couple of tabs on the report that's generated:
 In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention.
 
 
+## Related topic
+- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi.md)
+
+
+
 
 

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md

@@ -0,0 +1,131 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using application token.
+
+>**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+    ![Image of create blank query](images/power-bi-create-blank-query.png)
+
+- Click **Advanced Editor**
+
+    ![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
+
+- Copy the below and paste it in the editor, after you update the values of _TenantId, _AppId, _AppSecret, _Query
+
+	```
+	let 
+
+		TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
+		AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
+		AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
+		Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
+    
+		ResourceAppIdUrl = "https://securitycenter.onmicrosoft.com/windowsatpservice",
+		OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
+
+		Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
+		ClientId = Text.Combine({"client_id", AppId}, "="),
+		ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
+		GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
+	
+		Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
+
+		AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
+		AccessToken= AuthResponse[access_token],
+		Bearer = Text.Combine({"Bearer", AccessToken}, " "),
+    
+		AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query",
+    
+		Response = Json.Document(Web.Contents(
+			AdvancedHuntingUrl, 
+			[
+				Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
+				Content=Json.FromValue(Query)
+			]
+		)),
+
+		TypeMap = #table(
+			{ "Type", "PowerBiType" },
+			{
+				{ "Double",   Double.Type },
+				{ "Int64",    Int64.Type },
+				{ "Int32",    Int32.Type },
+				{ "Int16",    Int16.Type },
+				{ "UInt64",   Number.Type },
+				{ "UInt32",   Number.Type },
+				{ "UInt16",   Number.Type },
+				{ "Byte",     Byte.Type },
+				{ "Single",   Single.Type },
+				{ "Decimal",  Decimal.Type },
+				{ "TimeSpan", Duration.Type },
+				{ "DateTime", DateTimeZone.Type },
+				{ "String",   Text.Type },
+				{ "Boolean",  Logical.Type },
+				{ "SByte",    Logical.Type },
+				{ "Guid",     Text.Type }
+			}),
+
+		Schema = Table.FromRecords(Response[Schema]),
+		TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+		Results = Response[Results],
+		Rows = Table.FromRecords(Results, Schema[Name]),
+		Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+        
+	in Table
+
+	```
+
+- Click **Done**
+
+    ![Image of create advanced query](images/power-bi-create-advanced-query.png)
+
+- Click **Edit Credentials**
+
+    ![Image of edit credentials](images/power-bi-edit-credentials.png)
+
+- Select **Anonymous** and click **Connect**
+
+    ![Image of set credentials](images/power-bi-set-credentials.png)
+
+- Repeat the previous step for the second URL
+
+- Click **Continue**
+
+    ![Image of edit data privacy](images/power-bi-edit-data-privacy.png)
+
+- Select the privacy level you want and click **Save**
+
+    ![Image of set data privacy](images/power-bi-set-data-privacy.png)
+
+- View the results of your query
+
+    ![Image of query results](images/power-bi-query-results.png)
+
+## Related topic
+- [Windows Defender ATP APIs](exposed-apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)