PowerShell page

David Laufer 2018-07-29 16:26:04 +03:00
parent d202f19bf6
commit 97fde0fc12


@ -17,58 +17,85 @@ ms.date: 12/08/2017
Run advanced queries using PowerShell. Please read about [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) before. Run advanced queries using PowerShell. Please read about [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) before.
In this section we share PowerShell samples to retrieve a token and use it to run a query.
## Preparation Instructions ## Preparation Instructions
In this section you will find a PowerShell module that retrieves a token and uses it to run a query. You can download the module and use it to run your own query.
- Download and unzip 'AdvancedHunting' PowerShell module.
- Open a PowerShell window. - Open a PowerShell window.
- If your policy does not allow you to run the PowerShell commands, you can run the below command: - If your policy does not allow you to run the PowerShell commands, you can run the below command:
``` ```
Set-ExecutionPolicy -ExecutionPolicy Bypass Set-ExecutionPolicy -ExecutionPolicy Bypass
``` ```
>Please see PowerShell documentation for full understanding >For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
- Run
```
Import-Module <ModuleFolder>\AdvancedHunting.psd1
```
where <ModuleFolder> is the folder in which you extracted the zip. e.g., Import-Module 'D:\Dev\AAD Auth\AdvancedHunting.psd1'
## Get token ## Get token
- Run - Run
``` ```
$aadToken = Get-WdatpAppToken -Tid <tenantID> -AppId <applicationID> -AppSecret <applicationSecret> $tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '00000000-0000-0000-0000-000000000000' # Paste your own app ID here
$appSecret = '00000000-0000-0000-0000-000000000000' # Paste your own app secret here
$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$body = [Ordered] @{
resource = "$resourceAppIdUri"
client_id = "$appId"
client_secret = "$appSecret"
grant_type = 'client_credentials'
}
$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
$aadToken = $response.access_token
``` ```
where where
- <tenantID>: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
- <applicationID>: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
- <applicationSecret>: Secret of your AAD app - $appSecret: Secret of your AAD app
## Run query ## Run query
Run the below Run the below
``` ```
$response = Invoke-Query -AadToken $aadToken -Query "RegistryEvents | limit 10" $query = 'RegistryEvents | limit 10' # Paste your own query here
$response.results
$response.schema $queryServiceUri = "https://api.securitycenter.windows.com/advancedqueries/query"
$response.results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv $headers = @{
$response.results | ConvertTo-Json | Set-Content "file1.json" 'Content-Type' = 'application/json'
Accept = 'application/json'
Authorization = "Bearer $aadToken"
}
$body = ConvertTo-Json -InputObject $query
$webResponse = Invoke-WebRequest -Method Post -Uri $queryServiceUri -Headers $headers -Body $body -ErrorAction Stop
$response = $webResponse | ConvertFrom-Json
$results = $response.Results
$schema = $response.Schema
``` ```
- Line 2 and 3 will show you the results or the schema in the PowerShell window - $results contains the results of your query
- Line 4 outputs the results of the query in CSV format in file file1.csv - $schema contains the schema of the results of your query
- Line 5 outputs the results of the query in JSON format in file file1.json
If you want to run complex queries (or multilines queries), save your query in a file and run the below commands: ### Complex queries
>Replace C:\myQuery.txt with the path to your file.
If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
``` ```
$myQuery = [IO.File]::ReadAllText("C:\myQuery.txt"); $query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file
$queryResults = Invoke-Query -AadToken $aadToken -Query $myQuery
``` ```
## Work with query results
To work with the results you can, for instance, do the below
```
$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv
$results | ConvertTo-Json | Set-Content "file1.json"
```
- Line 1 outputs the results of the query in CSV format in file file1.csv
- Line 2 outputs the results of the query in JSON format in file file1.json
## Related topic ## Related topic
- [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) - [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md)
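Review bot: The `Set-ExecutionPolicy -ExecutionPolicy Bypass` line kept under Preparation Instructions changes the policy persistently for the default LocalMachine scope; since the reader only needs it for this session, suggest `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` so the relaxed policy ends with the window. In the Get token block the script now embeds `$appSecret = '...'` as a literal, so anyone who saves the snippet to disk or commits it leaks the client secret; consider prompting with `Read-Host -AsSecureString` or reading it from a secret store, and say so in the `where` list. Also in that block, `$oAuthUri` references `$TenantId` while the variable is declared as `$tenantId`; PowerShell resolves it because variable names are case-insensitive, but the spelling should match. In the Run query block, `ConvertTo-Json -InputObject $query` serializes the query as a bare JSON string rather than an object; please confirm this is the request shape the endpoint expects, and if it wants a named property, wrap it as `ConvertTo-Json -InputObject @{ Query = $query }`.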