WDATP API - Fixes

2025-05-16 15:27:22 +00:00 · 2018-09-02 09:15:49 +03:00 · 2018-09-02 09:15:49 +03:00 · fb97663537
commit fb97663537
parent 65eee82dc3
3 changed files with 10 additions and 148 deletions
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@ -158,7 +158,7 @@
 ###### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
 ###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
 ###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
-###### [Create custom Power BI reports](run-advanced-query-sample-power-bi.md)
+###### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
 ##### Multiple APIs
 ###### [PowerShell](exposed-apis-full-sample-powershell.md)

--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
@ -20,8 +20,7 @@ Full scenario using multiple APIs from Windows Defender ATP.
 In this section we share PowerShell samples to 
 - Retrieve a token 
 - Use token to retrieve the latest alerts in Windows Defender ATP
- - Run a query to retrieve command line of the process related to the alert, if the alert has medium priority and is still in progress
- - Remediate the machine related to the alert if teh command line
+ - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.

 >**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).

@ -42,22 +41,17 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass
 > - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
 > - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
 > - $appSecret: Secret of your AAD app
-
-
-$tenantId = 'b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c'
-$appId = 'c71cd133-0e50-4bd4-a1a8-ec14152af1c4'
-$appSecret = '8zFkg61mDxH7DuMGFJHZd6CRr9J5HNMuJGIV6p0shMY='
-
+> - $suspiciousUrl: The URL


 ```
 $tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
 $appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
 $appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here

 $resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
-$oAuthUri = "https://login.windows-ppe.net/$TenantId/oauth2/token"
-# TODO!!!!!!!!! $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
 $authBody = [Ordered] @{
 	resource = "$resourceAppIdUri"
 	client_id = "$appId"
@ -69,8 +63,7 @@ $aadToken = $authResponse.access_token


 #Get latest alert
-$alertUrl = "https://wdatpapi-eus-stg.cloudapp.net/api/alerts?`$top=10"
-# TODO!!!!!!!!! $alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
+$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
 $headers = @{ 
 	'Content-Type' = 'application/json'
 	Accept = 'application/json'
@ -83,7 +76,7 @@ $machinesToInvestigate = New-Object System.Collections.ArrayList

 Foreach($alert in $alerts)
 {
-	echo $alert.id	$alert.machineId	$alert.severity	$alert.status
+	#echo $alert.id	$alert.machineId	$alert.severity	$alert.status

 	$isSevereAlert = $alert.severity -in 'Medium', 'High'
 	$isOpenAlert = $alert.status -in 'InProgress', 'New'
@ -100,15 +93,15 @@ $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')

 $query = "NetworkCommunicationEvents
 | where MachineId in ($commaSeparatedMachines)
-| where RemoteUrl  == `"www.bing.com`"
+| where RemoteUrl  == `"$suspiciousUrl`"
 | summarize ConnectionsCount = count() by MachineId"

-$queryUrl = "https://wdatpapi-eus-stg.cloudapp.net/advancedqueries/query"
-# TODO!!!!!!!!! $queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query"
+$queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query"

 $queryBody = ConvertTo-Json -InputObject $query
 $queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
 $response =  ($queryResponse | ConvertFrom-Json).Results
+$response

 ```

--- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md
@ -1,131 +0,0 @@
---
-title: Advanced Hunting API
-description: Use this API to run advanced queries
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 30/07/2018
---
-
-# Create custom reports using Power BI
-
-Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
-
-In this section we share Power BI query sample to run a query using application token.
-
->**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).
-
-## Run a query
-
- Open Microsoft Power BI
-
- Click **Get Data** > **Blank Query**
-
-    ![Image of create blank query](images/power-bi-create-blank-query.png)
-
- Click **Advanced Editor**
-
-    ![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
-
- Copy the below and paste it in the editor, after you update the values of _TenantId, _AppId, _AppSecret, _Query
-
-	```
-	let 
-
-		TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
-		AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
-		AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
-		Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
-    
-		ResourceAppIdUrl = "https://securitycenter.onmicrosoft.com/windowsatpservice",
-		OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
-
-		Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
-		ClientId = Text.Combine({"client_id", AppId}, "="),
-		ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
-		GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
-	
-		Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
-
-		AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
-		AccessToken= AuthResponse[access_token],
-		Bearer = Text.Combine({"Bearer", AccessToken}, " "),
-    
-		AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query",
-    
-		Response = Json.Document(Web.Contents(
-			AdvancedHuntingUrl, 
-			[
-				Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
-				Content=Json.FromValue(Query)
-			]
-		)),
-
-		TypeMap = #table(
-			{ "Type", "PowerBiType" },
-			{
-				{ "Double",   Double.Type },
-				{ "Int64",    Int64.Type },
-				{ "Int32",    Int32.Type },
-				{ "Int16",    Int16.Type },
-				{ "UInt64",   Number.Type },
-				{ "UInt32",   Number.Type },
-				{ "UInt16",   Number.Type },
-				{ "Byte",     Byte.Type },
-				{ "Single",   Single.Type },
-				{ "Decimal",  Decimal.Type },
-				{ "TimeSpan", Duration.Type },
-				{ "DateTime", DateTimeZone.Type },
-				{ "String",   Text.Type },
-				{ "Boolean",  Logical.Type },
-				{ "SByte",    Logical.Type },
-				{ "Guid",     Text.Type }
-			}),
-
-		Schema = Table.FromRecords(Response[Schema]),
-		TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
-		Results = Response[Results],
-		Rows = Table.FromRecords(Results, Schema[Name]),
-		Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
-        
-	in Table
-
-	```
-
- Click **Done**
-
-    ![Image of create advanced query](images/power-bi-create-advanced-query.png)
-
- Click **Edit Credentials**
-
-    ![Image of edit credentials](images/power-bi-edit-credentials.png)
-
- Select **Anonymous** and click **Connect**
-
-    ![Image of set credentials](images/power-bi-set-credentials.png)
-
- Repeat the previous step for the second URL
-
- Click **Continue**
-
-    ![Image of edit data privacy](images/power-bi-edit-data-privacy.png)
-
- Select the privacy level you want and click **Save**
-
-    ![Image of set data privacy](images/power-bi-set-data-privacy.png)
-
- View the results of your query
-
-    ![Image of query results](images/power-bi-query-results.png)
-
-## Related topic
- [Windows Defender ATP APIs](exposed-apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)