deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 23:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

WDATP API - Fixes

Browse Source
This commit is contained in:
David Laufer 2018-09-02 09:15:49 +03:00
parent 65eee82dc3
commit fb97663537
3 changed files with 10 additions and 148 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -158,7 +158,7 @@
###### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) ###### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) ###### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
###### [Advanced Hunting using Python](run-advanced-query-sample-python.md) ###### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
###### [Create custom Power BI reports](run-advanced-query-sample-power-bi.md) ###### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
##### Multiple APIs ##### Multiple APIs
###### [PowerShell](exposed-apis-full-sample-powershell.md) ###### [PowerShell](exposed-apis-full-sample-powershell.md)

25
windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md
View File

@ -20,8 +20,7 @@ Full scenario using multiple APIs from Windows Defender ATP.
In this section we share PowerShell samples to In this section we share PowerShell samples to
- Retrieve a token - Retrieve a token
- Use token to retrieve the latest alerts in Windows Defender ATP - Use token to retrieve the latest alerts in Windows Defender ATP
- Run a query to retrieve command line of the process related to the alert, if the alert has medium priority and is still in progress - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
- Remediate the machine related to the alert if teh command line
>**Prerequisite**: You first need to [create an app](exposed-apis-intro.md). >**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).
@ -42,22 +41,17 @@ Set-ExecutionPolicy -ExecutionPolicy Bypass
> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) > - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) > - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
> - $appSecret: Secret of your AAD app > - $appSecret: Secret of your AAD app
> - $suspiciousUrl: The URL
$tenantId = 'b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c'
$appId = 'c71cd133-0e50-4bd4-a1a8-ec14152af1c4'
$appSecret = '8zFkg61mDxH7DuMGFJHZd6CRr9J5HNMuJGIV6p0shMY='
``` ```
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here $tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here $appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here $appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here
$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice' $resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
$oAuthUri = "https://login.windows-ppe.net/$TenantId/oauth2/token" $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
# TODO!!!!!!!!! $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$authBody = [Ordered] @{ $authBody = [Ordered] @{
resource = "$resourceAppIdUri" resource = "$resourceAppIdUri"
client_id = "$appId" client_id = "$appId"
@ -69,8 +63,7 @@ $aadToken = $authResponse.access_token
#Get latest alert #Get latest alert
$alertUrl = "https://wdatpapi-eus-stg.cloudapp.net/api/alerts?`$top=10" $alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
# TODO!!!!!!!!! $alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
$headers = @{ $headers = @{
'Content-Type' = 'application/json' 'Content-Type' = 'application/json'
Accept = 'application/json' Accept = 'application/json'
@ -83,7 +76,7 @@ $machinesToInvestigate = New-Object System.Collections.ArrayList
Foreach($alert in $alerts) Foreach($alert in $alerts)
{ {
echo $alert.id $alert.machineId $alert.severity $alert.status #echo $alert.id $alert.machineId $alert.severity $alert.status
$isSevereAlert = $alert.severity -in 'Medium', 'High' $isSevereAlert = $alert.severity -in 'Medium', 'High'
$isOpenAlert = $alert.status -in 'InProgress', 'New' $isOpenAlert = $alert.status -in 'InProgress', 'New'
@ -100,15 +93,15 @@ $commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
$query = "NetworkCommunicationEvents $query = "NetworkCommunicationEvents
| where MachineId in ($commaSeparatedMachines) | where MachineId in ($commaSeparatedMachines)
| where RemoteUrl == `"www.bing.com`" | where RemoteUrl == `"$suspiciousUrl`"
| summarize ConnectionsCount = count() by MachineId" | summarize ConnectionsCount = count() by MachineId"
$queryUrl = "https://wdatpapi-eus-stg.cloudapp.net/advancedqueries/query" $queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query"
# TODO!!!!!!!!! $queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query"
$queryBody = ConvertTo-Json -InputObject $query $queryBody = ConvertTo-Json -InputObject $query
$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop $queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
$response = ($queryResponse | ConvertFrom-Json).Results $response = ($queryResponse | ConvertFrom-Json).Results
$response
``` ```

131
windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi.md
View File

@ -1,131 +0,0 @@
---
title: Advanced Hunting API
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 30/07/2018
---
# Create custom reports using Power BI
Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
In this section we share Power BI query sample to run a query using application token.
>**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).
## Run a query
- Open Microsoft Power BI
- Click **Get Data** > **Blank Query**
![Image of create blank query](images/power-bi-create-blank-query.png)
- Click **Advanced Editor**
![Image of open advanced editor](images/power-bi-open-advanced-editor.png)
- Copy the below and paste it in the editor, after you update the values of _TenantId, _AppId, _AppSecret, _Query
```
let
TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here
AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here
AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here
Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here
ResourceAppIdUrl = "https://securitycenter.onmicrosoft.com/windowsatpservice",
OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""),
Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="),
ClientId = Text.Combine({"client_id", AppId}, "="),
ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="),
GrantType = Text.Combine({"grant_type", "client_credentials"}, "="),
Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"),
AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])),
AccessToken= AuthResponse[access_token],
Bearer = Text.Combine({"Bearer", AccessToken}, " "),
AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query",
Response = Json.Document(Web.Contents(
AdvancedHuntingUrl,
[
Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer],
Content=Json.FromValue(Query)
]
)),
TypeMap = #table(
{ "Type", "PowerBiType" },
{
{ "Double", Double.Type },
{ "Int64", Int64.Type },
{ "Int32", Int32.Type },
{ "Int16", Int16.Type },
{ "UInt64", Number.Type },
{ "UInt32", Number.Type },
{ "UInt16", Number.Type },
{ "Byte", Byte.Type },
{ "Single", Single.Type },
{ "Decimal", Decimal.Type },
{ "TimeSpan", Duration.Type },
{ "DateTime", DateTimeZone.Type },
{ "String", Text.Type },
{ "Boolean", Logical.Type },
{ "SByte", Logical.Type },
{ "Guid", Text.Type }
}),
Schema = Table.FromRecords(Response[Schema]),
TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
Results = Response[Results],
Rows = Table.FromRecords(Results, Schema[Name]),
Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
in Table
```
- Click **Done**
![Image of create advanced query](images/power-bi-create-advanced-query.png)
- Click **Edit Credentials**
![Image of edit credentials](images/power-bi-edit-credentials.png)
- Select **Anonymous** and click **Connect**
![Image of set credentials](images/power-bi-set-credentials.png)
- Repeat the previous step for the second URL
- Click **Continue**
![Image of edit data privacy](images/power-bi-edit-data-privacy.png)
- Select the privacy level you want and click **Save**
![Image of set data privacy](images/power-bi-set-data-privacy.png)
- View the results of your query
![Image of query results](images/power-bi-query-results.png)
## Related topic
- [Windows Defender ATP APIs](exposed-apis-intro.md)
- [Advanced Hunting API](run-advanced-query-api.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)