Nóta
Aðgangur að þessari síðu krefst heimildar. Þú getur prófað aðskrá þig inn eða breyta skráasöfnum.
Aðgangur að þessari síðu krefst heimildar. Þú getur prófað að breyta skráasöfnum.
Note
If you're a US Government customer, use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, instead of using api.security.microsoft.com, use a server closer to your geolocation:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
- ina.api.security.microsoft.com
- aea.api.security.microsoft.com
Run advanced queries using Python, see Advanced Hunting API.
In this section, we share Python samples to retrieve a token and use it to run a query.
Prerequisite: You first need to create an app.
Get token
- Run the following commands:
import json
import urllib.request
import urllib.parse
tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
url = "https://login.microsoftonline.com/%s/oauth2/token" % (tenantId)
resourceAppIdUri = 'https://api.security.microsoft.com'
body = {
'resource' : resourceAppIdUri,
'client_id' : appId,
'client_secret' : appSecret,
'grant_type' : 'client_credentials'
}
data = urllib.parse.urlencode(body).encode("utf-8")
req = urllib.request.Request(url, data)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"]
Where:
tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query is run on the data of this tenant)appId: ID of your Microsoft Entra app (the app must have 'Run advanced queries' permission to Microsoft Defender for Endpoint)appSecret: Secret of your Microsoft Entra app
Run query
Run the following query:
query = 'DeviceRegistryEvents | limit 10' # Paste your own query here
url = "https://api.security.microsoft.com/api/advancedqueries/run"
headers = {
'Content-Type' : 'application/json',
'Accept' : 'application/json',
'Authorization' : "Bearer " + aadToken
}
data = json.dumps({ 'Query' : query }).encode("utf-8")
req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]
results = jsonResponse["Results"]
- schema contains the schema of the results of your query
- results contain the results of your query
Complex queries
If you want to run complex queries (or multiline queries), save your query in a file and, instead of the first line in the previous example, run the following command:
queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
query = queryFile.read()
queryFile.close()
Work with query results
You can now use the query results.
To iterate over the results, use the following command:
for result in results:
print(result) # Prints the whole result
print(result["EventTime"]) # Prints only the property 'EventTime' from the result
To output the results of the query in CSV format in file file1.csv, use the following command:
import csv
outputFile = open("D:\\Temp\\file1.csv", 'w')
output = csv.writer(outputFile)
output.writerow(results[0].keys())
for result in results:
output.writerow(result.values())
outputFile.close()
To output the results of the query in JSON format in file file1.json, use the following command:
outputFile = open("D:\\Temp\\file1.json", 'w')
json.dump(results, outputFile)
outputFile.close()
Related articles
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.