diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 37387715ac..bd3158924c 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -158,7 +158,7 @@ ###### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) ###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ###### [Advanced Hunting using Python](run-advanced-query-sample-python.md) -###### [Create custom Power BI reports](run-advanced-query-sample-power-bi.md) +###### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) ##### Multiple APIs ###### [PowerShell](exposed-apis-full-sample-powershell.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
index cc35edb442..3983803de5 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
@@ -20,8 +20,7 @@ Full scenario using multiple APIs from Windows Defender ATP. In this section we share PowerShell samples to - Retrieve a token - Use token to retrieve the latest alerts in Windows Defender ATP - - Run a query to retrieve command line of the process related to the alert, if the alert has medium priority and is still in progress - - Remediate the machine related to the alert if teh command line + - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. >**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).
@@ -42,22 +41,17 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass > - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) > - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) > - $appSecret: Secret of your AAD app - - -$tenantId = 'b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c' -$appId = 'c71cd133-0e50-4bd4-a1a8-ec14152af1c4' -$appSecret = '8zFkg61mDxH7DuMGFJHZd6CRr9J5HNMuJGIV6p0shMY=' - +> - $suspiciousUrl: The URL ``` $tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here $appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here $appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here +$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here $resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice' -$oAuthUri = "https://login.windows-ppe.net/$TenantId/oauth2/token" -# TODO!!!!!!!!! $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" $authBody = [Ordered] @{ resource = "$resourceAppIdUri" client_id = "$appId"
@@ -69,8 +63,7 @@ $aadToken = $authResponse.access_token #Get latest alert -$alertUrl = "https://wdatpapi-eus-stg.cloudapp.net/api/alerts?`$top=10" -# TODO!!!!!!!!! $alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10" +$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10" $headers = @{ 'Content-Type' = 'application/json' Accept = 'application/json'
@@ -83,7 +76,7 @@ $machinesToInvestigate = New-Object System.Collections.ArrayList Foreach($alert in $alerts) { - echo $alert.id $alert.machineId $alert.severity $alert.status + #echo $alert.id $alert.machineId $alert.severity $alert.status $isSevereAlert = $alert.severity -in 'Medium', 'High' $isOpenAlert = $alert.status -in 'InProgress', 'New'
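Review bot: The removed `$appSecret`, `$appId` and `$tenantId` literals in the first hunk look like live AAD app credentials rather than placeholders, and deleting them from the page does not revoke them — they remain in the repository history, so the client secret should be rotated (and the app registration reviewed) as a follow-up the commit does not cover. On the new side the parameter description `+> - $suspiciousUrl: The URL` is incomplete; suggest `> - $suspiciousUrl: URL whose connection count per machine the query reports (used in the RemoteUrl filter)`. In the third hunk the `#echo $alert.id ...` line is commented-out code; dropping it rather than commenting it out keeps the sample clean. The enclosing script continues outside these hunks.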
@@ -100,15 +93,15 @@ $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","') $query = "NetworkCommunicationEvents | where MachineId in ($commaSeparatedMachines) -| where RemoteUrl == `"www.bing.com`" +| where RemoteUrl == `"$suspiciousUrl`" | summarize ConnectionsCount = count() by MachineId" -$queryUrl = "https://wdatpapi-eus-stg.cloudapp.net/advancedqueries/query" -# TODO!!!!!!!!! $queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query" +$queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query" $queryBody = ConvertTo-Json -InputObject $query $queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop $response = ($queryResponse | ConvertFrom-Json).Results +$response ```
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md
deleted file mode 100644
index d3abe10318..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md
+++ /dev/null
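Review bot: `$suspiciousUrl` is spliced verbatim into the KQL text on the `+| where RemoteUrl == ...` line, so a value containing a double quote or backslash breaks the query or changes its filter; now that the sample takes it from a user-edited variable, escape it before interpolation, e.g. `$escapedUrl = $suspiciousUrl.Replace('\', '\\').Replace('"', '\"')` and use `$escapedUrl` in the `where` clause. The added `+$response` line emits the raw result set with no explanation; a comment such as `# Per-machine connection counts to the suspicious URL` would make the sample's output clear. The enclosing script starts outside the hunk.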
@@ -1,131 +0,0 @@ ---- -title: Advanced Hunting API -description: Use this API to run advanced queries -keywords: apis, supported apis, advanced hunting, query -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -ms.date: 30/07/2018 ---- - -# Create custom reports using Power BI - -Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. - -In this section we share Power BI query sample to run a query using application token. - ->**Prerequisite**: You first need to [create an app](exposed-apis-intro.md). - -## Run a query - -- Open Microsoft Power BI - -- Click **Get Data** > **Blank Query** - - ![Image of create blank query](images/power-bi-create-blank-query.png) - -- Click **Advanced Editor** - - ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) - -- Copy the below and paste it in the editor, after you update the values of _TenantId, _AppId, _AppSecret, _Query - - ``` - let - - TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here - AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here - AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here - Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here - - ResourceAppIdUrl = "https://securitycenter.onmicrosoft.com/windowsatpservice", - OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""), - - Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="), - ClientId = Text.Combine({"client_id", AppId}, "="), - ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="), - GrantType = Text.Combine({"grant_type", 
"client_credentials"}, "="), - - Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"), - - AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])), - AccessToken= AuthResponse[access_token], - Bearer = Text.Combine({"Bearer", AccessToken}, " "), - - AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query", - - Response = Json.Document(Web.Contents( - AdvancedHuntingUrl, - [ - Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer], - Content=Json.FromValue(Query) - ] - )), - - TypeMap = #table( - { "Type", "PowerBiType" }, - { - { "Double", Double.Type }, - { "Int64", Int64.Type }, - { "Int32", Int32.Type }, - { "Int16", Int16.Type }, - { "UInt64", Number.Type }, - { "UInt32", Number.Type }, - { "UInt16", Number.Type }, - { "Byte", Byte.Type }, - { "Single", Single.Type }, - { "Decimal", Decimal.Type }, - { "TimeSpan", Duration.Type }, - { "DateTime", DateTimeZone.Type }, - { "String", Text.Type }, - { "Boolean", Logical.Type }, - { "SByte", Logical.Type }, - { "Guid", Text.Type } - }), - - Schema = Table.FromRecords(Response[Schema]), - TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}), - Results = Response[Results], - Rows = Table.FromRecords(Results, Schema[Name]), - Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})) - - in Table - - ``` - -- Click **Done** - - ![Image of create advanced query](images/power-bi-create-advanced-query.png) - -- Click **Edit Credentials** - - ![Image of edit credentials](images/power-bi-edit-credentials.png) - -- Select **Anonymous** and click **Connect** - - ![Image of set credentials](images/power-bi-set-credentials.png) - -- Repeat the previous step for the second URL - -- Click **Continue** - - ![Image of edit data privacy](images/power-bi-edit-data-privacy.png) - -- Select the privacy level you want and click **Save** - - 
![Image of set data privacy](images/power-bi-set-data-privacy.png) - -- View the results of your query - - ![Image of query results](images/power-bi-query-results.png) - -## Related topic -- [Windows Defender ATP APIs](exposed-apis-intro.md) -- [Advanced Hunting API](run-advanced-query-api.md) -- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) -- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)