# MDATP - Use query from Github Repository

## Import Credential from graph.credential file

In [11]:
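# Load the app credential (tenantID, appID, appSecret) that a setup step saved
# with Export-CliXml. Note that Export-CliXml only protects SecureString /
# PSCredential members (DPAPI, bound to the exporting user on Windows); a plain
# string appSecret is stored in clear text, so keep this file out of source
# control and restrict its ACL to the user running the notebook.
# Fail fast when the file is missing or empty. The original branch re-exported
# an empty $config back to disk, which would clobber the file instead of
# reporting the problem.
$storagePath = ".\Credentials\graph.credential"
if (-not (Test-Path -Path $storagePath -PathType Leaf)) {
    throw "Credential file not found: $storagePath"
}
$config = Import-CliXml -Path $storagePath -ErrorAction Stop
if (-not $config) {
    throw "Credential file $storagePath is empty or could not be deserialized"
}
Write-Host -ForegroundColor Green "`nCredential file loaded from $($storagePath)"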

Credential file loaded from .\Credentials\graph.credential


## Grab an access token for the MDATP API (app-only, client-credentials flow)

In [23]:
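# Acquire an OAuth2 access token for the MDATP API using the client-credentials
# grant (application identity, no user context). $config (tenantID, appID,
# appSecret) comes from the credential cell above. The secret is sent only in
# the POST body over TLS to the tenant's token endpoint.
$resourceURI = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$($config.tenantID)/oauth2/token"
$authBody = [Ordered] @{
    resource      = $resourceURI
    client_id     = $config.appID
    client_secret = $config.appSecret
    grant_type    = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
if (-not $token) {
    throw "Token endpoint returned no access_token for tenant $($config.tenantID)"
}
# Do NOT echo $token. The bearer token is a live credential for the tenant's
# MDATP data and notebook output is persisted (and frequently committed or
# shared). Confirm success without printing anything sensitive.
Write-Host -ForegroundColor Green "Token received"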

Token received
(access token redacted: a bearer token must never be left in saved notebook output)

## Pull raw query from Github
Be sure to provide the <font color=Green><b>RAW content</b></font> URL (raw.githubusercontent.com) and not the GitHub page link of the source. The query fetched here is sent verbatim to the hunting API, so review it before running it.

In [24]:
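# Fetch the hunting query text from GitHub. The text is later sent verbatim to
# the Advanced Hunting API and executed against this tenant's data, so treat
# the URL as part of your supply chain: the "master" path segment is a mutable
# branch, so once you have reviewed a query, reference the commit SHA instead
# (raw.githubusercontent.com/<org>/<repo>/<sha>/<path>) and read the returned
# content before pasting it into the query cell. This must be the raw URL, not
# the github.com page link.
$rawGithubLink = "https://raw.githubusercontent.com/microsoft/Microsoft-threat-protection-Hunting-Queries/master/Discovery/URL%20Detection.txt"
# -UseBasicParsing avoids the Internet Explorer DOM parser on Windows PowerShell
# 5.x (no IE first-run dependency); -ErrorAction Stop turns an HTTP error into a
# terminating error instead of leaving $Response empty.
$Response = Invoke-WebRequest -Method GET -Uri $rawGithubLink -UseBasicParsing -ErrorAction Stop
$Response.Content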



// This query finds network communication to specific URL
// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a "whole term" and runs faster.
// Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com"
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents  
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc



## Put your Hunting Query here

In [20]:
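## Paste your KQL between the @" and "@ here-string markers. The closing "@
## must be at the very start of its own line or PowerShell keeps reading the
## here-string.
$Query = @"
// This query finds network communication to specific URL
// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a "whole term" and runs faster.
// Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com"
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents  
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc
"@

# Request body for the advanced hunting endpoint: {"Query": "<kql>"}.
# ConvertTo-Json escapes the embedded quotes and newlines, so the multi-line
# KQL travels as a single JSON string.
$body = @{ Query = $Query } | ConvertTo-Json

Write-Host -ForegroundColor Yellow "`nQuery"; $Query
Write-Host -ForegroundColor Yellow "JSON"; $body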

Query
// This query finds network communication to specific URL
// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a "whole term" and runs faster.
// Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com"
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents  
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc
JSON
{
  "Query": "// This query finds network communication to specific URL\n// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a \"whole term\" and runs faster.\n// Example: RemoteUrl has \"microsoft\" matches \"www.microsoft.com\" but not \"microsoftonline.com\"\nlet partialRemoteUrlToDetect = \"microsoft.com\"; 

## Run the query against the MDATP API and grab the result schema

In [21]:
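# Run the query against the Advanced Hunting endpoint with the bearer token
# from the token cell. The header hashtable is intentionally NOT printed: it
# carries the live access token, and notebook output is persisted. -ErrorAction
# Stop makes an HTTP failure (401/403/429/5xx) a terminating error instead of
# leaving $Result empty.
$URI = "https://api.securitycenter.windows.com/api/advancedqueries/run"
$authHeader = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}
$Result = Invoke-RestMethod -Method POST -Uri $URI -Headers $authHeader -Body $body -ErrorAction Stop
# Show the returned column names/types so the parsing cell can pick columns
# that actually exist in this query's output.
$Result.Schema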


Name                           Value
----                           -----
Accept                         application/json
Content-Type                   application/json
Authorization                  Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlNzWnNCTmhaY0Yz…

Name : Timestamp
Type : DateTime


Name : DeviceName
Type : String


Name : DeviceId
Type : String


Name : ReportId
Type : Int64




## Parse report

In [22]:
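# Columns we want in the report. The query above only projects Timestamp,
# DeviceName, DeviceId and ReportId, so ActionType and RemoteIP come back as
# empty columns: Select-Object silently yields $null for a property the object
# does not have. Intersect the wish list with the schema the API returned and
# warn about anything missing instead of printing blank columns.
$includeColumns = @('Timestamp','DeviceName','ActionType','RemoteIP')
$available = @($Result.Schema | ForEach-Object { $_.Name })
$missing = @($includeColumns | Where-Object { $_ -notin $available })
if ($missing.Count -gt 0) {
    Write-Warning "Not in the query output (add them to the KQL 'project' clause): $($missing -join ', ')"
}
$selected = @($includeColumns | Where-Object { $_ -in $available })
$Result.Results | Select-Object -Property $selected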


Timestamp             DeviceName        ActionType RemoteIP
---------             ----------        ---------- --------
6/16/2020 2:13:41 AM  jingtoso-desktop1            
6/16/2020 2:12:11 AM  win10-oobe-test              
6/16/2020 2:06:25 AM  jingtoso-desktop1            
6/16/2020 2:06:24 AM  jingtoso-desktop1            
6/16/2020 2:06:19 AM  jingtoso-desktop1            
6/16/2020 2:03:16 AM  jingtoso-desktop1            
6/16/2020 2:03:15 AM  jingtoso-desktop1            
6/16/2020 2:02:54 AM  jingtoso-desktop1            
6/16/2020 2:01:16 AM  win10-oobe-test              
6/16/2020 2:00:07 AM  win10-oobe-test              
6/16/2020 1:55:00 AM  jingtoso-desktop1            
6/16/2020 1:53:00 AM  jingtoso-desktop1            
6/16/2020 1:42:12 AM  win10-oobe-test              
6/16/2020 1:40:20 AM  jingtoso-desktop1            
6/16/2020 1:16:01 AM  win10-oobe-test              
6/16/2020 12:48:07 AM jing-lab                     
6/16/2020 12:12:11 AM win10-oobe-test          