Ben Alfasi 2019-08-22 17:01:43 +03:00
parent 39f8a7f3e6
commit eae1eee06d
7 changed files with 50 additions and 197 deletions


@ -14867,14 +14867,9 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md", "source_path": "windows/security/threat-protection/windows-defender-atp/api-power-bi.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token", "redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/api-power-bi",
"redirect_document_id": true "redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-user-token",
"redirect_document_id": true
}, },
{ {
"source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md", "source_path": "windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md",
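Review bot: The two legacy redirects for `run-advanced-query-sample-power-bi-app-token.md` and `run-advanced-query-sample-power-bi-user-token.md` appear to be dropped here rather than retargeted, so previously published links to those pages would stop resolving. The replacement entry uses `windows-defender-atp/api-power-bi.md` as its `source_path`, a path that, as far as this page shows, was never published. Keeping both old `source_path` values and pointing each `redirect_url` at `/windows/security/threat-protection/microsoft-defender-atp/api-power-bi` would preserve the links; the same likely applies to the `microsoft-defender-atp` copies of those two files, which this commit renames and deletes. The side of each line is inferred from the side-by-side rendering, so confirm against the raw diff.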


@ -418,15 +418,10 @@
####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md) ####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
##### [How to use APIs - Samples]() ##### [How to use APIs - Samples]()
###### [Advanced Hunting API]() ###### [Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md)
####### [Schedule advanced Hunting using Microsoft Flow](microsoft-defender-atp/run-advanced-query-sample-ms-flow.md) ###### [Power BI](microsoft-defender-atp/api-power-bi.md)
####### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md) ###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
####### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md) ###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
####### [Create custom Power BI reports](microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
###### [Multiple APIs]()
####### [PowerShell](microsoft-defender-atp/exposed-apis-full-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md) ###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Windows updates (KB) info]() #### [Windows updates (KB) info]()


@ -1,8 +1,8 @@
--- ---
title: Advanced Hunting API title: Power BI
ms.reviewer: ms.reviewer:
description: Use this API to run advanced queries description: Create custom reports using Power BI
keywords: apis, supported apis, advanced hunting, query keywords: apis, supported apis, Power BI, reports
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
@ -17,24 +17,17 @@ ms.collection: M365-security-compliance
ms.topic: article ms.topic: article
--- ---
# Create custom reports using Power BI (user authentication) # Create custom reports using Power BI
**Applies to:** **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](prerelease.md)] In this section you will learn create a Power BI report on top of the Microsoft Defender ATP APIs.
Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..)
In this section we share Power BI query sample to run a query using **user token**. ## Connect Power BI to Advanced Hunting API
If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
## Before you begin
You first need to [create an app](exposed-apis-create-app-nativeapp.md).
## Run a query
- Open Microsoft Power BI - Open Microsoft Power BI
@ -46,18 +39,15 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
![Image of open advanced editor](images/power-bi-open-advanced-editor.png) ![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
- Copy the below and paste it in the editor, after you update the values of Query - Copy the below and paste it in the editor:
``` ```
let let
AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
FormattedQuery= Uri.EscapeDataString(Query), Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
TypeMap = #table( TypeMap = #table(
{ "Type", "PowerBiType" }, { "Type", "PowerBiType" },
@ -88,12 +78,18 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
in Table in Table
``` ```
let
Query = "MachineACtions",
Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
in
Source
```
- Click **Done** - Click **Done**
![Image of create advanced query](images/power-bi-create-advanced-query.png)
- Click **Edit Credentials** - Click **Edit Credentials**
![Image of edit credentials](images/power-bi-edit-credentials.png) ![Image of edit credentials](images/power-bi-edit-credentials.png)
@ -108,13 +104,23 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png) ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png)
- View the results of your query - Now the results of your query will appear as table and you can start build visualizations on top of it!
![Image of query results](images/power-bi-query-results.png) - You can duplicate this table, rename it and edit the Advanced Hunting query inside to your custom data.
## Connect Power BI to OData APIs
- The only difference from the above example is the query inside the editor.
- Copy the below and paste it in the editor to pull all Machine Actions from your organization:
```
- You can do the same for Alerts and Machines.
- You also can use OData queries for filtering the results, see [Using OData Queries](exposed-apis-odata-samples.md)
## Related topic ## Related topic
- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md)
- [Microsoft Defender ATP APIs](apis-intro.md) - [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) - [Using OData Queries](exposed-apis-odata-samples.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
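Review bot: The OData sample on the new side sets `Query = "MachineACtions"`, which looks like a typo for `MachineActions` and may fail to resolve if the service treats entity-set names case-sensitively; the line should read `Query = "MachineActions",`. The new intro sentence also drops a word: `you will learn create` should be `you will learn how to create`. With the "Before you begin" prerequisite removed, the visible new text no longer says which account or permissions the reader needs at the **Edit Credentials** step. A one-line note on the required access would help readers grant the report only what it needs. The hunks elide surrounding context, so text outside them may already cover this.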

Binary file not shown.



@ -413,15 +413,10 @@
####### [Get user related machines](get-user-related-machines.md) ####### [Get user related machines](get-user-related-machines.md)
##### [How to use APIs - Samples]() ##### [How to use APIs - Samples]()
###### [Advanced Hunting API]() ###### [Microsoft Flow](run-advanced-query-sample-ms-flow.md)
####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) ###### [Power BI](api-power-bi.md)
####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
####### [Advanced Hunting using Python](run-advanced-query-sample-python.md) ###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
###### [Multiple APIs]()
####### [PowerShell](exposed-apis-full-sample-powershell.md)
###### [Using OData Queries](exposed-apis-odata-samples.md) ###### [Using OData Queries](exposed-apis-odata-samples.md)
#### [API for custom alerts]() #### [API for custom alerts]()


@ -202,7 +202,7 @@ In general, if you know of a specific threat name, CVE, or KB, you can identify
## Related topic ## Related topic
- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) - [Create custom Power BI reports](api-power-bi.md)


@ -1,138 +0,0 @@
---
title: Advanced Hunting API
ms.reviewer:
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Create custom reports using Power BI (app authentication)
Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
In this section we share Power BI query sample to run a query using **application token**.
If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial.
>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md).
## Run a query
- Open Microsoft Power BI
- Click **Get Data** > **Blank Query**
![Image of create blank query](images/power-bi-create-blank-query.png)
- Click **Advanced Editor**
![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query
```
let
TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
ResourceAppIdUrl = "https://api.securitycenter.windows.com",
OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
ClientId = Text.Combine({"client_id", AppId}, "="),
ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
AccessToken= AuthResponse[access_token],
Bearer = Text.Combine({"Bearer", AccessToken}, " "),
AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
Response = Json.Document(Web.Contents(
AdvancedHuntingUrl,
[
Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
Content=Json.FromValue([#"Query"=Query])
]
)),
TypeMap = #table(
{ "Type", "PowerBiType" },
{
{ "Double", Double.Type },
{ "Int64", Int64.Type },
{ "Int32", Int32.Type },
{ "Int16", Int16.Type },
{ "UInt64", Number.Type },
{ "UInt32", Number.Type },
{ "UInt16", Number.Type },
{ "Byte", Byte.Type },
{ "Single", Single.Type },
{ "Decimal", Decimal.Type },
{ "TimeSpan", Duration.Type },
{ "DateTime", DateTimeZone.Type },
{ "String", Text.Type },
{ "Boolean", Logical.Type },
{ "SByte", Logical.Type },
{ "Guid", Text.Type }
}),
Schema = Table.FromRecords(Response[Schema]),
TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
Results = Response[Results],
Rows = Table.FromRecords(Results, Schema[Name]),
Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in Table
```
- Click **Done**
![Image of create advanced query](images/power-bi-create-advanced-query.png)
- Click **Edit Credentials**
![Image of edit credentials](images/power-bi-edit-credentials.png)
- Select **Anonymous** and click **Connect**
![Image of set credentials](images/power-bi-set-credentials-anonymous.png)
- Repeat the previous step for the second URL
- Click **Continue**
![Image of edit data privacy](images/power-bi-edit-data-privacy.png)
- Select the privacy level you want and click **Save**
![Image of set data privacy](images/power-bi-set-data-privacy.png)
- View the results of your query
![Image of query results](images/power-bi-query-results.png)
## Related topic
- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md)
- [Microsoft Defender ATP APIs](apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)