David Laufer 2018-07-29 17:39:59 +03:00
parent 97fde0fc12
commit b4bf8944b6
3 changed files with 10 additions and 7 deletions

View File

@ -100,7 +100,7 @@
### [**Beta!** Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md) ### [**Beta!** Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md)
#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md) #### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md)
##### [Advanced Hunting](run-advanced-query-windows-defender-advanced-threat-protection.md) ##### [Advanced Hunting](run-advanced-query-windows-defender-advanced-threat-protection.md)
#### [Examples how to use APIs] #### How to use APIs - Samples
##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md) ##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md)
##### [Advanced Hunting using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md) ##### [Advanced Hunting using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md)
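Review bot: the new TOC node `#### How to use APIs - Samples` is a bare heading with no page target, which is the right fix for the old `[Examples how to use APIs]` entry whose square brackets had no link; for consistency with the surrounding entries ("Use Windows Defender ATP APIs", "Supported Windows Defender ATP APIs") consider a plainer title such as "API samples" and matching the capitalization of "Advanced Hunting" in the two child entries, where one reads "Schedule advanced Hunting".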

View File

@ -59,24 +59,24 @@ You will find below a very basic flow example:
## Expand the flow to use the query results ## Expand the flow to use the query results
The below section shows how to use the parsed results to insert them in SQL database. The below section shows how to use the parsed results to insert them in SQL database.
This is an example only, you could perform on your results any other action supported by Microsoft Flow. This is an example only, you could perform on your results any other action supported by Microsoft Flow.
- Add an 'Apply to each' action - Add an 'Apply to each' action
- Select the Results json (which was an output of the last parse action) - Select the Results json (which was an output of the last parse action)
- Add an 'Insert row' action you will need to supply the connection details - Add an 'Insert row' action you will need to supply the connection details
- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime. - Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime.
![Image of select from DB](images/ms-flow-insert-db.png) ![Image of insert into DB](images/ms-flow-insert-db.png)
The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table: The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table:
![Image of select from DB](images/ms-flow-read-db.png) ![Image of select from DB](images/ms-flow-read-db.png)
You can find below the full definition You can find below the full definition
![Image of select from DB](images/ms-flow-e2e.png) ![Image of E2E flow](images/ms-flow-e2e.png)
## Related topic ## Related topic
- [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) - [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md)
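Review bot: the alt-text fixes on the three images are correct (the insert and end-to-end screenshots were both labelled "select from DB"), but the surrounding context lines still read roughly: "insert them in SQL database" should be "insert them into a SQL database", the 'Insert row' bullet needs a separator ("Add an 'Insert row' action; you will need to supply the connection details"), and "The output in the SQL DB is getting updates" should be "The table in the SQL database is now updated". On the 'Insert row' bullet it is also worth adding that the connection should use a database account limited to INSERT on the target table, since the flow stores those credentials and only needs to write the hunting results.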

View File

@ -26,11 +26,13 @@ In this section we share PowerShell samples to retrieve a token and use it to ru
``` ```
Set-ExecutionPolicy -ExecutionPolicy Bypass Set-ExecutionPolicy -ExecutionPolicy Bypass
``` ```
>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) >For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token ## Get token
- Run - Run the below
``` ```
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here $tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '00000000-0000-0000-0000-000000000000' # Paste your own app ID here $appId = '00000000-0000-0000-0000-000000000000' # Paste your own app ID here
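Review bot: the unchanged context line `Set-ExecutionPolicy -ExecutionPolicy Bypass` relaxes the policy for the default scope, so it persists beyond the script and needs elevation; for a sample that only has to run one script, suggest `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` so the change is confined to the current session, and say so in the note that follows the block. The wording change "Run" to "Run the below" is fine, though "Run the following" matches the rest of the page.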
@ -48,6 +50,7 @@ $response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorActi
$aadToken = $response.access_token $aadToken = $response.access_token
``` ```
where where
- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
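Review bot: the `where` list explains `$tenantId` and `$appId` but not `$oAuthUri` or the `$body` passed to `Invoke-RestMethod` in the hunk header, and any app credential that `$body` carries should get its own bullet stating that it must not be hard-coded in the script. Also worth a sentence after `$aadToken = $response.access_token`: the variable now holds a bearer token for the tenant's data, so it should not be written to logs or transcripts.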