From b4bf8944b6f30d28fa7b02530c9ffcb6dd0fb8e3 Mon Sep 17 00:00:00 2001 From: David Laufer Date: Sun, 29 Jul 2018 17:39:59 +0300 Subject: [PATCH] Fixes --- .../threat-protection/windows-defender-atp/TOC.md | 2 +- ...fender-advanced-threat-protection-sample-ms-flow.md | 10 +++++----- ...der-advanced-threat-protection-sample-powershell.md | 5 ++++- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 2cbcc1047c..5231c2461b 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -100,7 +100,7 @@ ### [**Beta!** Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md) #### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md) ##### [Advanced Hunting](run-advanced-query-windows-defender-advanced-threat-protection.md) -#### [Examples how to use APIs] +#### How to use APIs - Samples ##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md) ##### [Advanced Hunting using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md index 7ca777cbc5..6c598db614 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md 
@@ -59,24 +59,24 @@ You will find below a very basic flow example: ## Expand the flow to use the query results -The below section shows how to use the parsed results to insert them in SQL database. + The below section shows how to use the parsed results to insert them in SQL database. -This is an example only, you could perform on your results any other action supported by Microsoft Flow. + This is an example only, you could perform on your results any other action supported by Microsoft Flow. - Add an 'Apply to each' action - Select the Results json (which was an output of the last parse action) - Add an 'Insert row' action – you will need to supply the connection details - Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime. - ![Image of select from DB](images/ms-flow-insert-db.png) + ![Image of insert into DB](images/ms-flow-insert-db.png) -The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table: + The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table: ![Image of select from DB](images/ms-flow-read-db.png) You can find below the full definition - ![Image of select from DB](images/ms-flow-e2e.png) + ![Image of E2E flow](images/ms-flow-e2e.png) ## Related topic - [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md index 4a68c2a45c..fd190ebf51 100644 
--- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md @@ -26,11 +26,13 @@ In this section we share PowerShell samples to retrieve a token and use it to ru ``` Set-ExecutionPolicy -ExecutionPolicy Bypass ``` + >For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) ## Get token -- Run +- Run the below + ``` $tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here $appId = '00000000-0000-0000-0000-000000000000' # Paste your own app ID here @@ -48,6 +50,7 @@ $response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorActi $aadToken = $response.access_token ``` + where - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
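Review bot: in the TOC.md hunk, `+#### How to use APIs - Samples` becomes the only fourth-level entry in that block with no link target, while its siblings (`Supported Windows Defender ATP APIs`, `Advanced Hunting`) are links. Removing the brackets from `[Examples how to use APIs]` does fix a label that looked like a link but pointed nowhere, so a plain grouping heading is reasonable here; the " - Samples" suffix, however, breaks the sentence-case phrasing of the neighbouring entries. Suggest `#### API usage samples` or `#### Use the APIs - samples`, matching the case used elsewhere in the TOC.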
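Review bot: three of the five replaced lines in the ms-flow.md hunk (`+ The below section shows...`, `+ This is an example only...`, `+ The output in the SQL DB...`) differ from their `-` counterparts only by a newly prepended space; that indentation is not needed for rendering and leaves these paragraphs inconsistent with the unchanged `You can find below the full definition` line, so either drop it or apply it uniformly. Since the lines are being touched anyway, tighten the wording: `insert them into a SQL database`; `This is an example only; you could perform any other action supported by Microsoft Flow on your results`; and `The output in the SQL DB is getting updates` reads better as `The SQL table is updated`. The alt-text corrections (`Image of insert into DB`, `Image of E2E flow`) are right and leave `Image of select from DB` only on ms-flow-read-db.png, where it is accurate. On the step `Add an 'Insert row' action – you will need to supply the connection details`, one sentence recommending a SQL login limited to INSERT on the target table would keep readers from binding the flow to a privileged database connection.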
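Review bot: the added `>For more details, refer to [PowerShell documentation](...)` line in the first powershell.md hunk sits directly under `Set-ExecutionPolicy -ExecutionPolicy Bypass`, and the detail readers most need from that documentation is that the command as written, with no `-Scope`, changes the LocalMachine policy persistently and needs an elevated shell. Suggest stating that in the text and showing `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process`, so the relaxation applies only to the session that runs the sample and is gone when the window closes. Also, `- Run the below` is a fragment; `- Run the following:` reads better ahead of the code block.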
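Review bot: the standalone `where` added in the second powershell.md hunk reads as a sentence fragment between the closing ``` fence and the variable list; `Where:` or `The variables used above are:` would be a proper lead-in. In the `$appId` item, `the app must have 'Run advanced queries' permission to WDATP` would be stronger with a clause noting that this is the only WDATP permission the sample requires, so readers do not grant the app more API permissions than the hunting query needs. The `$tenantId` parenthetical `(i.e., the query will be run on the data of this tenant)` can be shortened to `(the query runs against this tenant's data)`.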