deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/microsoft-defender-atp/powershell-example-code.md
Daniel Simpson 9efe39d7be fixing URL for eval link
2019-09-20 11:18:00 -07:00

6.4 KiB
Raw Blame History

title, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic
title description keywords search.product search.appverid ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.author author ms.localizationpriority manager audience ms.collection ms.topic
PowerShell code examples for the custom threat intelligence API Use PowerShell code to create custom threat intelligence using REST API. powershell, code examples, threat intelligence, custom threat intelligence, rest api, api eADQiWindows 10XVcnh met150 w10 deploy library security macapara mjcaparas medium dansimp ITPro M365-security-compliance article

PowerShell code examples for the custom threat intelligence API (Deprecated)

Applies to:

This article provides PowerShell code examples for using the custom threat intelligence API.

These code examples demonstrate the following tasks:

## Step 1: Obtain an Azure AD access token The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.

Replace the authUrl, clientid, and clientSecret values with the ones you got from Settings page in the portal:

$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'

$tokenPayload = @{
    "resource"='https://graph.windows.net'
    "client_id" = $clientId
    "client_secret" = $clientSecret
    "grant_type"='client_credentials'}

$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
## Step 2: Create headers used for the requests with the API Use the following code to create the headers used for the requests with the API: 
$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
    "Authorization"="Bearer {0}" -f $token }

$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
## Step 3: Create calls to the custom threat intelligence API After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities: 
$alertDefinitions =
    (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value

The response is empty on initial use of the API.

## Step 4: Create a new alert definition The following example demonstrates how you to create a new alert definition. 
$alertDefinitionPayload = @{
    "Name"= "The alert's name"
    "Severity"= "Low"
    "InternalDescription"= "An internal description of the Alert"
    "Title"= "The Title"
    "UxDescription"= "Description of the alerts"
    "RecommendedAction"= "The alert's recommended action"
    "Category"= "Trojan"
    "Enabled"= "true"}

$alertDefinition =
    Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
        -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
## Step 5: Create a new indicator of compromise You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise. 
$iocPayload = @{
    "Type"="Sha1"
    "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
    "DetectionFunction"="Equals"
    "Enabled"="true"
    "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }


$ioc =
    Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
         -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)

Complete code

You can use the complete code to create calls to the API.

$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'

$tokenPayload = @{
    "resource"='https://graph.windows.net'
    "client_id" = $clientId
    "client_secret" = $clientSecret
    "grant_type"='client_credentials'}

$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token

$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
    "Authorization"="Bearer {0}" -f $token }

$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"

$alertDefinitions =
    (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value

$alertDefinitionPayload = @{
    "Name"= "The alert's name"
    "Severity"= "Low"
    "InternalDescription"= "An internal description of the Alert"
    "Title"= "The Title"
    "UxDescription"= "Description of the alerts"
    "RecommendedAction"= "The alert's recommended action"
    "Category"= "Trojan"
    "Enabled"= "true"}

$alertDefinition =
    Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
        -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)

$alertDefinitionId = $alertDefinition.Id

$iocPayload = @{
    "Type"="Sha1"
    "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
    "DetectionFunction"="Equals"
    "Enabled"="true"
    "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }


$ioc =
    Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
         -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)

Want to experience Microsoft Defender ATP? Sign up for a free trial.

Related topics