From d59e0420a897f537aaf6ff0bb122985c5523b537 Mon Sep 17 00:00:00 2001 From: David Laufer Date: Sun, 29 Jul 2018 17:58:27 +0300 Subject: [PATCH] Fixes --- ...vanced-threat-protection-sample-ms-flow.md | 26 +++++++++---------- ...ced-threat-protection-sample-powershell.md | 12 ++++++--- 2 files changed, 21 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md index 6c598db614..cdb421726e 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md @@ -23,9 +23,7 @@ Schedule advanced query. ## Use case -You need to schedule an advanced query and use the result for follow up actions and processing. - -You can use [Microsoft Flow](https://flow.microsoft.com/) (or Logic Apps) for it! +If you need to schedule an advanced query and use the results for follow up actions and processing, you can use [Microsoft Flow](https://flow.microsoft.com/) (or Logic Apps) for it! ## Define a flow to run query and parse results 
@@ -59,24 +57,26 @@ You will find below a very basic flow example: ## Expand the flow to use the query results - The below section shows how to use the parsed results to insert them in SQL database. +The below section shows how to use the parsed results to insert them in SQL database. - This is an example only, you could perform on your results any other action supported by Microsoft Flow. +This is an example only, you could perform on your results any other action supported by Microsoft Flow. - - Add an 'Apply to each' action - - Select the Results json (which was an output of the last parse action) - - Add an 'Insert row' action – you will need to supply the connection details - - Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime. +- Add an 'Apply to each' action +- Select the Results json (which was an output of the last parse action) +- Add an 'Insert row' action – you will need to supply the connection details +- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime. - ![Image of insert into DB](images/ms-flow-insert-db.png) +![Image of insert into DB](images/ms-flow-insert-db.png) - The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table: +The output in the SQL DB is getting updates and can be used for correlation with other data sources. 
You can now read from your table: - ![Image of select from DB](images/ms-flow-read-db.png) +![Image of select from DB](images/ms-flow-read-db.png) + +## Full flow definition You can find below the full definition - ![Image of E2E flow](images/ms-flow-e2e.png) +![Image of E2E flow](images/ms-flow-e2e.png) ## Related topic - [Advanced Hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md index fd190ebf51..23236d1f8b 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md @@ -89,15 +89,19 @@ If you want to run complex queries (or multilines queries), save your query in a ## Work with query results -To work with the results you can, for instance, do the below +You can now use the query results. + +To output the results of the query in CSV format in file file1.csv do the below: ``` $results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv -$results | ConvertTo-Json | Set-Content "file1.json" ``` -- Line 1 outputs the results of the query in CSV format in file file1.csv -- Line 2 outputs the results of the query in JSON format in file file1.json​ +To output the results of the query in JSON format in file file1.json​ do the below: + +``` +$results | ConvertTo-Json | Set-Content "file1.json" +``` ## Related topic
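Review bot: In the first hunk of run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md (@@ -23,9 +23,7 @@), the merged sentence keeps "follow up actions" where the compound adjective should be hyphenated, and it still ends in an exclamation mark, which reads oddly in reference documentation. Suggest "If you need to schedule an advanced query and use the results for follow-up actions and processing, you can use [Microsoft Flow](https://flow.microsoft.com/) (or Logic Apps)." while this line is already being rewritten.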
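Review bot: In the second hunk of the ms-flow sample (@@ -59,24 +57,26 @@), the de-indented lines are re-added verbatim, so the wording problems in them survive: "insert them in SQL database" needs an article ("into a SQL database"), "define the mapping between the WD-ATP output to the SQL" should read "between the WD-ATP output and the SQL columns", and "The output in the SQL DB is getting updates" should be "The table in the SQL database is updated". Since the hunk also introduces a new "## Full flow definition" heading directly above the unchanged context line "You can find below the full definition", consider a blank line after the heading to match the spacing used by the other "##" headings in this file.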
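Review bot: In the hunk for run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md (@@ -89,15 +89,19 @@), the new sentence "To output the results of the query in JSON format in file file1.json​ do the below:" appears to carry over the stray invisible character that followed "file1.json" in the removed "- Line 2" bullet; it should be dropped rather than copied into the new line. The two code fences are also untagged and the two commands are inconsistent (unquoted file1.csv versus quoted "file1.json"); suggest tagging both fences as ```powershell and using the same quoting in both, e.g. `$results | ConvertTo-Csv -NoTypeInformation | Set-Content "file1.csv"`. Finally, "in file file1.csv do the below:" would read more naturally as "to the file file1.csv, run:".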