deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 11:23:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

add sample python code update python topic

Browse Source
This commit is contained in:
jcaparas
2017-03-02 20:47:34 -08:00
parent 8bf1e05b7f
commit ede9d961e6
2 changed files with 78 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
windows/keep-secure/code/exampe.py Normal file
View File

@ -0,0 +1,53 @@
import json
import requests
from pprint import pprint
tenant_id="{your tenant ID}"
client_id="{your client ID}"
client_secret="{your client secret}"
auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id)
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials"}
response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
'Content-Type': 'application/json',
'Accept': 'application/json'}
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
alert_definition = {"Name": "The alert's name",
"Severity": "Low",
"InternalDescription": "An internal description of the alert",
"Title": "The Title",
"UxDescription": "Description of the alerts",
"RecommendedAction": "The alert's recommended action",
"Category": "Trojan",
"Enabled": True}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
json=alert_definition)
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
'DetectionFunction': "Equals",
'Enabled': True,
"AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
json=ioc)
pprint(json.loads(response.text))

97
windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
View File

@ -27,95 +27,48 @@ localizationpriority: high
You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library. You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
These code examples demonstrate the following tasks: These code examples demonstrate the following tasks:
- [Obtain an Azure AD access token](#obtain-an-azure-ad-access-token) - [Obtain an Azure AD access token](#token)
- [Create request session object](#create-a-request's-session-object) - [Create request session object](#session-object)
- [Create calls to the custom threat intelligence API](#create-calls-to-the-custom-threat-intelligence-api) - [Create calls to the custom threat intelligence API](#calls)
- [Create a new alert definition](#create-a-new-alert-definition) - [Create a new alert definition](#alert-definition)
- [Create a new indicator of compromise](#create-a-new-indicator-of-compromise) - [Create a new indicator of compromise](#ioc)
## Obtain an Azure AD access token <span id="token" />
## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token. The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal: Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
``` [!code[CustomTIAPI](./code/example.py1#L1-L17)]
import json
import requests
from pprint import pprint
tenant_id="{your tenant ID}"
client_id="{your client ID"
client_secret="{your client secret}"
full_auth_url = r"https://login.windows.net/{0}/oauth2/token".format(tenant_id)
payload = {"resource": "https://graph.windows.net",
"client_id": client_id,
"client_secret": client_secret,
"grant_type": "client_credentials"}
response = requests.post(full_auth_url, payload) <span id="session-object" />
token = json.loads(response.text)["access_token"] ## Step 2: Create request session object
```
## Create request session object
Add HTTP headers to the session object, including the Authorization header with the token that was obtained. Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
``` [!code[CustomTIAPI](./code/example.py1#L19-L23)]
with requests.Session() as session:
session.headers = {
'Authorization': 'Bearer {}'.format(token),
'Content-Type': 'application/json',
'Accept': 'application/json'}
```
## Create calls to the custom threat intelligence API <span id="calls" />
The following example shows how to view all of the alert definition entities by creating a call to the API. ## Step 3: Create calls to the custom threat intelligence API
After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
>[!NOTE] [!code[CustomTIAPI](./code/example.py1#L25-L26)]
> All code is still within the ```with``` statement with the same indention level.
```json
response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
pprint(json.loads(response.text))
```
If this is the first time to use the API, the response is empty. If this is the first time to use the API, the response is empty.
## Create a new alert definition <span id="alert-definition" />
## Step 4: Create a new alert definition
The following example shows how to create a new alert definition. The following example shows how to create a new alert definition.
``` [!code[CustomTIAPI](./code/example.py1#L28-L39)]
alert_definition = {"Name": "The Alert's Name", <span id="ioc" />
"Severity": "Low", ## Step 5: Create a new indicator of compromise
"InternalDescription": "An internal description of the Alert", You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
"Title": "The Title",
"UxDescription": "Description of the alerts",
"RecommendedAction": "The alert's recommended action",
"Category": "Trojan",
"Enabled": True}
response = session.post( [!code[CustomTIAPI](./code/example.py1#L41-L51)]
"https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
json=alert_definition)
```
## Create a new indicator of compromise ## Complete code
The following example shows how to use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. You can use the complete code to create calls to the API.
``` [!code[CustomTIAPI](./code/example.py1#L1-L51)]
alert_definition_id = json.loads(response.text)["Id"]
ioc = {'Type': "Sha1",
'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
'DetectionFunction': "Equals",
'Enabled': True,
"AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
response = session.post(
"https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
json=ioc)
```