add codes

jcaparas 2017-03-02 19:33:28 -08:00
parent faf6603200
commit 953d497b7f


@ -37,60 +37,27 @@ The following example demonstrates how to obtain an Azure AD access token that y
Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
[!code[CustomTIAPI](./code/example.ps1#L1-L14)] [!code[-powershell][CustomTIAPI](./code/example.ps1#L1-L14)]
## Create headers ## Create headers
The following example demonstrates how to create headers used for the requests with the API. The following example demonstrates how to create headers used for the requests with the API.
``` [!code[-powershell][CustomTIAPI](./code/example.ps1#L16-L19)]
$headers = @{}
$headers.Add("Content-Type", "application/json")
$headers.Add("Accept", "application/json")
$headers.Add("Authorization", "Bearer {0}" -f $token)
```
## Create calls to the custom threat intelligence API ## Create calls to the custom threat intelligence API
The following example demonstrates how to view all alert definition entities by creating a call to the API. The following example demonstrates how to view all alert definition entities by creating a call to the API.
``` [!code[-powershell][CustomTIAPI](./code/example.ps1#L21-L24)]
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitions =
(Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
```
If this is the first time to use the API, the response is empty. If this is the first time to use the API, the response is empty.
## Create a new alert definition ## Create a new alert definition
The following example shows how to create a new alert definition. The following example shows how to create a new alert definition.
``` [!code[-powershell][CustomTIAPI](./code/example.ps1#L26-L39)]
$alertDefinitionPayload = @{
"Name"= "The Alert's Name"
"Severity"= "Low"
"InternalDescription"= "An internal description of the Alert"
"Title"= "The Title"
"UxDescription"= "Description of the alerts"
"RecommendedAction"= "The alert's recommended action"
"Category"= "Trojan"
"Enabled"= "true"}
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
```
## Create a new indicator of compromise ## Create a new indicator of compromise
The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
``` [!code[-powershell][CustomTIAPI](./code/example.ps1#L43-L53)]
$iocPayload = @{
"Type"="Sha1"
"Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
$ioc = Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
```
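Review bot: The new include lines are written as `[!code[-powershell][CustomTIAPI](./code/example.ps1#L16-L19)]`, with the language in its own bracket pair, which is not the DocFX snippet form; the language belongs on the keyword, as in `[!code-powershell[CustomTIAPI](./code/example.ps1#L16-L19)]`, so as written these five includes are likely to render as literal text instead of the PowerShell that the removed fences showed. Two further points on the ranges: the includes jump from `#L26-L39` to `#L43-L53`, so lines 40-42 of example.ps1 are never shown, and the removed IoC snippet used `$alertDefinitionId`, which the removed alert definition snippet never assigned (it only set `$alertDefinition`); please confirm that the assignment is inside one of the included ranges so readers can see where the ID comes from. Hard-coded line ranges will also drift silently when example.ps1 is edited, so consider named snippet regions in the script if the toolchain supports them, and give the commit a message more descriptive than "add codes".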