deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 05:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
Joey Caparas 811d6a5607 replace code blocks!?
2017-04-04 11:23:32 -07:00

6.9 KiB
Raw Blame History

title, description, keywords, search.product, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, author, localizationpriority
title description keywords search.product ms.prod ms.mktglfcycl ms.sitesec ms.pagetype author localizationpriority
Python code examples for the custom threat intelligence API Use Python code to create custom threat intelligence using REST API. python, code examples, threat intelligence, custom threat intelligence, rest api, api eADQiWindows 10XVcnh w10 deploy library security mjcaparas high

Python code examples for the custom threat intelligence API

Applies to:

  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows Defender Advanced Threat Protection (Windows Defender ATP)

Before you begin

You must install the "requests" python library.

These code examples demonstrate the following tasks:

## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.

Replace the auth_url, client_id, and client_secret values with the ones you got from Preferences settings page in the portal:

import json
import requests
from pprint import pprint

auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"

payload = {"resource": "https://graph.windows.net",
           "client_id": client_id,
           "client_secret": client_secret,
           "grant_type": "client_credentials"}

response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]
## Step 2: Create request session object Add HTTP headers to the session object, including the Authorization header with the token that was obtained. 
with requests.Session() as session:
    session.headers = {
        'Authorization': 'Bearer {}'.format(token),
        'Content-Type': 'application/json',
        'Accept': 'application/json'}
## Step 3: Create calls to the custom threat intelligence API After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: 
    response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
    pprint(json.loads(response.text))

The response is empty on initial use of the API.

## Step 4: Create a new alert definition The following example demonstrates how you to create a new alert definition. 
    alert_definition = {"Name": "The alert's name",
                          "Severity": "Low",
                          "InternalDescription": "An internal description of the alert",
                          "Title": "The Title",
                          "UxDescription": "Description of the alerts",
                          "RecommendedAction": "The alert's recommended action",
                          "Category": "Trojan",
                          "Enabled": True}

      response = session.post(
          "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
          json=alert_definition)
## Step 5: Create a new indicator of compromise You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. 
    alert_definition_id = json.loads(response.text)["Id"]

      ioc = {'Type': "Sha1",
             'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
             'DetectionFunction': "Equals",
             'Enabled': True,
             "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}

      response = session.post(
          "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
          json=ioc)

Complete code

You can use the complete code to create calls to the API.

import json
import requests
from pprint import pprint

auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"

payload = {"resource": "https://graph.windows.net",
           "client_id": client_id,
           "client_secret": client_secret,
           "grant_type": "client_credentials"}

response = requests.post(auth_url, payload)
token = json.loads(response.text)["access_token"]

with requests.Session() as session:
    session.headers = {
        'Authorization': 'Bearer {}'.format(token),
        'Content-Type': 'application/json',
        'Accept': 'application/json'}

    response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
    pprint(json.loads(response.text))

    alert_definition = {"Name": "The alert's name",
                        "Severity": "Low",
                        "InternalDescription": "An internal description of the alert",
                        "Title": "The Title",
                        "UxDescription": "Description of the alerts",
                        "RecommendedAction": "The alert's recommended action",
                        "Category": "Trojan",
                        "Enabled": True}

    response = session.post(
        "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
        json=alert_definition)

    alert_definition_id = json.loads(response.text)["Id"]

    ioc = {'Type': "Sha1",
           'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
           'DetectionFunction': "Equals",
           'Enabled': True,
           "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}

    response = session.post(
        "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
        json=ioc)

    pprint(json.loads(response.text))

Related topics