deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-24 11:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md
Ben Alfasi 68dd01b885 s
2019-03-13 16:39:46 +02:00

153 lines
4.8 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Advanced Hunting API
description: Use this API to run advanced queries
keywords: apis, supported apis, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 09/03/2018
---
# Advanced hunting API
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting).
## Limitations
1. You can only run a query on data from the last 30 days
2. The results will include a maximum of 10,000 rows
3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day)
4. The maximal execution time of a single request is 10 minutes.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | AdvancedQuery.Read.All | 'Run advanced queries'
Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have 'View Data' AD role
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
## HTTP request
```
POST https://api.securitycenter.windows.com/api/advancedqueries/run
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Query | Text | The query to run. **Required**.
## Response
If successful, this method returns 200 OK, and _QueryResponse_ object in the response body.
## Example
Request
Here is an example of the request.
>[!NOTE]
>For better performance, you can use server closer to your geo location:
> - api-us.securitycenter.windows.com
> - api-eu.securitycenter.windows.com
> - api-uk.securitycenter.windows.com
```
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Content-type: application/json
{
"Query":"ProcessCreationEvents
| where InitiatingProcessFileName =~ \"powershell.exe\"
| where ProcessCommandLine contains \"appdata\"
| project EventTime, FileName, InitiatingProcessFileName
| limit 2"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 200 OK
Content-Type: application/json
{
"Schema": [{
"Name": "EventTime",
"Type": "DateTime"
},
{
"Name": "FileName",
"Type": "String"
},
{
"Name": "InitiatingProcessFileName",
"Type": "String"
}],
"Results": [{
"EventTime": "2018-07-09T07:16:26.8017265",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe"
},
{
"EventTime": "2018-07-08T19:00:02.7798905",
"FileName": "gpresult.exe",
"InitiatingProcessFileName": "powershell.exe"
}]
}
```
## Troubleshoot issues
- Error: (403) Forbidden / (401) Unauthorized
If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission.
Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token.
If the 'roles' section in the token does not include the necessary permission:
- The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or,
- The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent).
## Related topic
- [Windows Defender ATP APIs](apis-intro.md)
- [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md)
- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)
Reference in New Issue View Git Blame Copy Permalink