diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index d3069c4d21..0639090a11 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -14867,14 +14867,9 @@ "redirect_document_id": true }, { -"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token", -"redirect_document_id": true -}, -{ -"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md", -"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token", -"redirect_document_id": true + "source_path": "windows/security/threat-protection/windows-defender-atp/api-power-bi.md", + "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi", + "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md", diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 5f3fdf726a..84208d8683 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -418,15 +418,10 @@ ####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md) ##### [How to use APIs - Samples]() -###### [Advanced Hunting API]() -####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md) -####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) -####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md) -####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md) - -###### [Multiple APIs]() -####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md) - +###### [Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md) +###### [Power BI](microsoft-defender-atp/api-power-bi.md) +###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md) +###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) #### [Windows updates (KB) info]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md similarity index 51% rename from windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md rename to windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index c292829e80..811a9cae2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -1,8 +1,8 @@ --- -title: Advanced Hunting API +title: Power BI ms.reviewer: -description: Use this API to run advanced queries -keywords: apis, supported apis, advanced hunting, query +description: Create custom reports using Power BI +keywords: apis, supported apis, Power BI, reports search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -17,24 +17,17 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create custom reports using Power BI (user authentication) +# Create custom reports using Power BI -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -[!include[Prerelease information](prerelease.md)] +In this section you will learn create a Power BI report on top of the Microsoft Defender ATP APIs. -Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. +The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..) -In this section we share Power BI query sample to run a query using **user token**. - -If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial. - -## Before you begin -You first need to [create an app](exposed-apis-create-app-nativeapp.md). - -## Run a query +## Connect Power BI to Advanced Hunting API - Open Microsoft Power BI @@ -46,18 +39,15 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) -- Copy the below and paste it in the editor, after you update the values of Query +- Copy the below and paste it in the editor: - ``` +``` let + AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'", - Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", + HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries", - FormattedQuery= Uri.EscapeDataString(Query), - - AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery, - - Response = Json.Document(Web.Contents(AdvancedHuntingUrl)), + Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])), TypeMap = #table( { "Type", "PowerBiType" }, @@ -88,12 +78,18 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). in Table - ``` +``` + let + + Query = "MachineACtions", + + Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true]) + in + Source +``` - Click **Done** - ![Image of create advanced query](images/power-bi-create-advanced-query.png) - - Click **Edit Credentials** ![Image of edit credentials](images/power-bi-edit-credentials.png) @@ -108,13 +104,23 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png) -- View the results of your query +- Now the results of your query will appear as table and you can start build visualizations on top of it! - ![Image of query results](images/power-bi-query-results.png) +- You can duplicate this table, rename it and edit the Advanced Hunting query inside to your custom data. + +## Connect Power BI to OData APIs + +- The only difference from the above example is the query inside the editor. + +- Copy the below and paste it in the editor to pull all Machine Actions from your organization: + +``` + +- You can do the same for Alerts and Machines. + +- You also can use OData queries for filtering the results, see [Using OData Queries](exposed-apis-odata-samples.md) ## Related topic -- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md) - [Microsoft Defender ATP APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) +- [Using OData Queries](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png deleted file mode 100644 index b94ee3a009..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/power-bi-query-results.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index 48dac8442f..6a33e88ccf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -413,15 +413,10 @@ ####### [Get user related machines](get-user-related-machines.md) ##### [How to use APIs - Samples]() -###### [Advanced Hunting API]() -####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) -####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -####### [Advanced Hunting using Python](run-advanced-query-sample-python.md) -####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) - -###### [Multiple APIs]() -####### [PowerShell](exposed-apis-full-sample-powershell.md) - +###### [Microsoft Flow](run-advanced-query-sample-ms-flow.md) +###### [Power BI](api-power-bi.md) +###### [Advanced Hunting using Python](run-advanced-query-sample-python.md) +###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ###### [Using OData Queries](exposed-apis-odata-samples.md) #### [API for custom alerts]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index ea8a219a7d..8a85c8796f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -202,7 +202,7 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify ## Related topic -- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) +- [Create custom Power BI reports](api-power-bi.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md deleted file mode 100644 index 9febf311eb..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md +++ /dev/null @@ -1,138 +0,0 @@ ---- -title: Advanced Hunting API -ms.reviewer: -description: Use this API to run advanced queries -keywords: apis, supported apis, advanced hunting, query -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Create custom reports using Power BI (app authentication) - -Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. - -In this section we share Power BI query sample to run a query using **application token**. - -If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial. - ->**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md). - -## Run a query - -- Open Microsoft Power BI - -- Click **Get Data** > **Blank Query** - - ![Image of create blank query](images/power-bi-create-blank-query.png) - -- Click **Advanced Editor** - - ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) - -- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query - - ``` - let - - TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here - AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here - AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here - Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here - - ResourceAppIdUrl = "https://api.securitycenter.windows.com", - OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""), - - Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="), - ClientId = Text.Combine({"client_id", AppId}, "="), - ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="), - GrantType = Text.Combine({"grant_type", "client_credentials"}, "="), - - Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"), - - AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])), - AccessToken= AuthResponse[access_token], - Bearer = Text.Combine({"Bearer", AccessToken}, " "), - - AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run", - - Response = Json.Document(Web.Contents( - AdvancedHuntingUrl, - [ - Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer], - Content=Json.FromValue([#"Query"=Query]) - ] - )), - - TypeMap = #table( - { "Type", "PowerBiType" }, - { - { "Double", Double.Type }, - { "Int64", Int64.Type }, - { "Int32", Int32.Type }, - { "Int16", Int16.Type }, - { "UInt64", Number.Type }, - { "UInt32", Number.Type }, - { "UInt16", Number.Type }, - { "Byte", Byte.Type }, - { "Single", Single.Type }, - { "Decimal", Decimal.Type }, - { "TimeSpan", Duration.Type }, - { "DateTime", DateTimeZone.Type }, - { "String", Text.Type }, - { "Boolean", Logical.Type }, - { "SByte", Logical.Type }, - { "Guid", Text.Type } - }), - - Schema = Table.FromRecords(Response[Schema]), - TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}), - Results = Response[Results], - Rows = Table.FromRecords(Results, Schema[Name]), - Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})) - - in Table - - ``` - -- Click **Done** - - ![Image of create advanced query](images/power-bi-create-advanced-query.png) - -- Click **Edit Credentials** - - ![Image of edit credentials](images/power-bi-edit-credentials.png) - -- Select **Anonymous** and click **Connect** - - ![Image of set credentials](images/power-bi-set-credentials-anonymous.png) - -- Repeat the previous step for the second URL - -- Click **Continue** - - ![Image of edit data privacy](images/power-bi-edit-data-privacy.png) - -- Select the privacy level you want and click **Save** - - ![Image of set data privacy](images/power-bi-set-data-privacy.png) - -- View the results of your query - - ![Image of query results](images/power-bi-query-results.png) - -## Related topic -- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md) -- [Microsoft Defender ATP APIs](apis-intro.md) -- [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)