Merged PR 12321: [WDATP] Update advanced hunting URL

windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md

@@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 
 ## HTTP request
 ```
-POST /api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
 ```
 
 ## Request headers

windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md

@@ -101,7 +101,7 @@ $query = "NetworkCommunicationEvents
 | where RemoteUrl  == `"$suspiciousUrl`"
 | summarize ConnectionsCount = count() by MachineId"
 
-$queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query"
+$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"
 
 $queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
 $queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop

windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md

@@ -23,7 +23,7 @@ ms.date: 12/08/2017
 
 Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
 Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
-The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore" and "RbacGroupId"
+The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
 
 ## Permissions
 

windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md

@@ -46,7 +46,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
 
 ## HTTP request
 ```
-POST /advancedqueries/query
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
 ```
 
 ## Request headers
@@ -80,7 +80,7 @@ Here is an example of the request.
 > - api-uk.securitycenter.windows.com
 
 ```
-POST https://api.securitycenter.windows.com/advancedqueries/query
+POST https://api.securitycenter.windows.com/api/advancedqueries/run
 Content-type: application/json
 {
 	"Query":"ProcessCreationEvents  

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md

@@ -40,15 +40,15 @@ Use the following basic flow as an example.
 	![Image of MsFlow choose an action](images/ms-flow-choose-action.png)
 
 	- Set method to be POST
-	- Uri is https://api.securitycenter.windows.com/advancedqueries/query or one of the region specific locations
-		- US: https://api-us.securitycenter.windows.com/advancedqueries/query
-		- Europe: https://api-eu.securitycenter.windows.com/advancedqueries/query
-		- United Kingdom: https://api-uk.securitycenter.windows.com/advancedqueries/query
+	- Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations
+		- US: https://api-us.securitycenter.windows.com/api/advancedqueries/run
+		- Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run
+		- United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run
 	- Add the Header: Content-Type              application/json
 	- In the body write your query surrounded by single quotation mark (')
 	- In the Advanced options select Authentication to be Active Directory OAuth
 	- Set the Tenant with proper AAD Tenant Id
-	- Audience is https://securitycenter.onmicrosoft.com/windowsatpservice
+	- Audience is https://api.securitycenter.windows.com
 	- Client ID is your application ID
 	- Credential Type should be Secret
 	- Secret is the application secret generated in the Azure Active directory.

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md

@@ -59,7 +59,7 @@ If you want to use **user token** instead please refer to [this](run-advanced-qu
 		AccessToken= AuthResponse[access_token],
 		Bearer = Text.Combine({"Bearer", AccessToken}, " "),
     
-		AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query",
+		AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
     
 		Response = Json.Document(Web.Contents(
 			AdvancedHuntingUrl, 

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md

@@ -48,7 +48,7 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
 
 		Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
     
-		AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query",
+		AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
     
 		Response = Json.Document(Web.Contents(
 			AdvancedHuntingUrl, 

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md

@@ -71,7 +71,7 @@ Run the following query:
 ```
 $query = 'RegistryEvents | limit 10' # Paste your own query here
 
-$url = "https://api.securitycenter.windows.com/advancedqueries/query"
+$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
 $headers = @{ 
 	'Content-Type' = 'application/json'
 	Accept = 'application/json'

windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md

@@ -71,7 +71,7 @@ where
 ```
 query = 'RegistryEvents | limit 10' # Paste your own query here
 
-url = "https://api.securitycenter.windows.com/advancedqueries/query"
+url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
 headers = { 
 	'Content-Type' : 'application/json',
 	'Accept' : 'application/json',