diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 5fca7a6375..3aabd75f2e 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -157,7 +157,7 @@ ##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) ##### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ##### [Advanced Hunting using Python](run-advanced-query-sample-python.md) -##### [Create custom Power BI reports](run-advanced-query-sample-power-bi.md) +##### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) ### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md index f3d72bd653..06c9891fa8 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md @@ -124,7 +124,7 @@ The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDire ``` const string authority = "https://login.windows.net"; - const string wdatpResourceId = "https://api.securitycenter.windows.com/"; + const string wdatpResourceId = "https://api.securitycenter.windows.com"; string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here 
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md index 20e0d808b8..8d0dee467f 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md @@ -152,7 +152,7 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! const string authority = "https://login.windows.net"; - const string wdatpResourceId = "https://api.securitycenter.windows.com/"; + const string wdatpResourceId = "https://api.securitycenter.windows.com"; AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); ClientCredential clientCredential = new ClientCredential(appId, appSecret); diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials.png rename to windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png new file mode 100644 index 0000000000..049d3ed6ee Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png differ 
diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png new file mode 100644 index 0000000000..054470d70e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index 05a565f9f6..8c862f8208 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -201,7 +201,7 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify ## Related topic -- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi.md) +- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md similarity index 91% rename from windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md rename to windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md index d3abe10318..390baca350 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md 
@@ -19,7 +19,9 @@ Run advanced queries and show results in Microsoft Power BI. Please read about [ In this section we share Power BI query sample to run a query using application token. ->**Prerequisite**: You first need to [create an app](exposed-apis-intro.md). +If you want to use user token instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial. + +>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp). ## Run a query @@ -33,7 +35,7 @@ In this section we share Power BI query sample to run a query using application ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) -- Copy the below and paste it in the editor, after you update the values of _TenantId, _AppId, _AppSecret, _Query +- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query ``` let @@ -108,7 +110,7 @@ In this section we share Power BI query sample to run a query using application - Select **Anonymous** and click **Connect** - ![Image of set credentials](images/power-bi-set-credentials.png) + ![Image of set credentials](images/power-bi-set-credentials-anonymous.png) - Repeat the previous step for the second URL @@ -125,6 +127,7 @@ In this section we share Power BI query sample to run a query using application ![Image of query results](images/power-bi-query-results.png) ## Related topic +- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md) - [Windows Defender ATP APIs](exposed-apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md new file mode 100644 index 0000000000..d4ceebb3fa --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md 
@@ -0,0 +1,112 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Create custom reports using Power BI
+
+Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
+
+In this section we share Power BI query sample to run a query using user token.
+
+If you want to use application token instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
+
+>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-nativeapp).
+
+## Run a query
+
+- Open Microsoft Power BI
+
+- Click **Get Data** > **Blank Query**
+
+ ![Image of create blank query](images/power-bi-create-blank-query.png)
+
+- Click **Advanced Editor**
+
+ ![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
+
+- Copy the below and paste it in the editor, after you update the values of Query
+
+ ```
+ let
+
+ Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query",
+
+ Response = Json.Document(Web.Contents(
+ AdvancedHuntingUrl,
+ [
+ Query=[#"queryText"=Query]
+ ]
+ )),
+
+ TypeMap = #table(
+ { "Type", "PowerBiType" },
+ {
+ { "Double", Double.Type },
+ { "Int64", Int64.Type },
+ { "Int32", Int32.Type },
+ { "Int16", Int16.Type },
+ { "UInt64", Number.Type },
+ { "UInt32", Number.Type },
+ { "UInt16", Number.Type },
+ { "Byte", Byte.Type },
+ { "Single", Single.Type },
+ { "Decimal", Decimal.Type },
+ { "TimeSpan", Duration.Type },
+ { "DateTime", DateTimeZone.Type },
+ { "String", Text.Type },
+ { "Boolean", Logical.Type },
+ { "SByte", Logical.Type },
+ { "Guid", Text.Type }
+ }),
+
+ Schema = Table.FromRecords(Response[Schema]),
+ TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
+ Results = Response[Results],
+ Rows = Table.FromRecords(Results, Schema[Name]),
+ Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
+
+ in Table
+
+ ```
+
+- Click **Done**
+
+ ![Image of create advanced query](images/power-bi-create-advanced-query.png)
+
+- Click **Edit Credentials**
+
+ ![Image of edit credentials](images/power-bi-edit-credentials.png)
+
+- Select **Organizational account** > **Sign in**
+
+ ![Image of set credentials](images/power-bi-set-credentials-organizational.png)
+
+- Enter your credentials and wait to be signed in
+
+- Click **Connect**
+
+ ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png)
+
+- View the results of your query
+
+ ![Image of query results](images/power-bi-query-results.png)
+
+## Related topic
+- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
+- [Windows Defender ATP APIs](exposed-apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)