# MDATP - Use query from Github Repository


## Replace the variables below with the values for your environment

In [40]:
############ Credentials used to authenticate against Azure AD for the MDATP API ############
## Fill these in for your own tenant and app registration. Keep real values out of source
## control and out of saved notebook output; the next cell loads the same fields from an
## encrypted credential file, so this cell only needs real values when (re)creating that file.
## NOTE(review): the keys below match what the authentication cell reads
## (tenantId, client_id, client_secret) — keep the key names unchanged.
$credentials = @{
    client_secret = "x~xxxxxxx~xxxxx~xxxxxxxxx-xxx"     ## Application (client) secret
    client_id     = "ae4fa870-23af-4ae5-a6ed-xxxxx"     ## Application (client) ID
    tenantId      = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"   ## AAD tenant ID
    tenantDomain  = "domain.com"                        ## AAD tenant domain
}

## Import required modules and credentials 

In [1]:
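$modules = @('pp-core','graph') ## Custom modules to import: credential storage (pp-core) and auth/query helpers (graph)
$credentialPath = "~/.credentials/graph.credential" ## Where the stored credentials live
## NOTE(review): this file holds the app secret. Judging by the Get-*UsingMasterPassword
## commands listed below it is encrypted with a master password, but still keep it readable
## only by your own account and out of source control.

################## Import Graph Authentication Module #############################
ForEach ($module in $modules) {
    ## -ErrorAction Stop: a missing module path is only a non-terminating error by default,
    ## so the loop used to carry on and Get-StoredCredentials below then failed with a
    ## confusing "command not found" instead of pointing at the real cause.
    Import-Module "~/Notebooks/Powershell-Playground/PowerShell/custom-modules/$module" -Force -ErrorAction Stop
    Get-Command -Module "$module"   ## list the commands this module exposes
}

## Load the saved credentials; this appears to prompt for the master password
## (the masked input shown in the output below). Overrides the placeholder hashtable above.
$credentials = Get-StoredCredentials -credentialPath $credentialPath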


CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-DecryptedStringUsingMasterPassword             0.0        pp-core
Function        Get-EncryptedStringUsingMasterPassword             0.0        pp-core
Function        Get-HashOfString                                   0.0        pp-core
Function        Get-MasterPassword                                 0.0        pp-core
Function        Get-StoredCredentials                              0.0        pp-core
Function        Invoke-CheckCredentials                            0.0        pp-core
Function        New-StoreCredentials                               0.0        pp-core
Function        Get-MSGraphAuthToken                               0.0        graph
Function        Invoke-GraphAuthentication                         0.0        graph
Function        Invoke-MSGraphQuery                        

 ·········





## Authenticate against Azure AD and get an access token for the MDATP API resource

In [2]:
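## Build the client-credentials token request and fetch a token for the MDATP API.
$authParams = @{
    tenantId      = $credentials.tenantId
    client_id     = $credentials.client_id
    client_secret = $credentials.client_secret
    resource      = "https://api.securitycenter.windows.com"    ## Don't change: this is the MDATP REST API resource we query
    grant_type    = "client_credentials"  ## Authenticates as the app registration (ID + secret), not as a user
}

## Echo the parameters with the secret masked. The previous `; $authParams` dumped the
## hashtable verbatim, which wrote the client secret into the saved notebook output.
$shownParams = $authParams.Clone()
$shownParams.client_secret = '<redacted>'
$shownParams

$tokenResponse = Invoke-GraphAuthentication -authParams $authParams

## Fail here, loudly, if no token came back: otherwise the query cell sends
## "Authorization: Bearer " (empty) and gets a 401 that is much harder to trace to this step.
if (-not $tokenResponse.access_token) {
    throw "No access_token in the response - check tenantId/client_id/client_secret and the app's MDATP API permissions."
}

## Show the response without the bearer token itself (same reason as above).
## Assumes the helper returns the token endpoint's JSON as an object, as the output below suggests.
$tokenResponse | Select-Object -Property * -ExcludeProperty access_token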


Name                           Value
----                           -----
client_id                      ae4fa870-23af-4ae5-a6ed-5ab1811858c7
tenantId                       de40cf7e-ad5f-4245-a317-14be39cbb0ef
resource                       https://api.securitycenter.windows.com
client_secret                  5~Q5En6ecx9d~ZtuqPf~YRBLw5S858-7WS
grant_type                     client_credentials
[92m
Authentication Parameters detected[0m
Personal Access Token (PAT) grant_type

----------------------------------------------------------------------------
Authentiating with Microsoft Graph API using a Personal Access Token (PAT)
[37mhttps://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app[0m
----------------------------------------------------------------------------
Requesting Token at https://login.microsoftonline.com/de40cf7e-ad5f-4245-a317-14be39cbb0ef/oauth2/token
[92m

Received Token![0m
[92mConnected and Access Token received and will expire [0m

token_type 

## Pull raw query from Github
Be sure to use the <font color=Green><b>RAW content</b></font> URL and not the GitHub page link for the source

In [3]:
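## Branch or commit to pull the query from. 'master' tracks whatever is current; pin a commit
## SHA here instead if you want the query you run to be reproducible and tamper-evident.
$gitRef = 'master'
$rawGithubLink = "https://raw.githubusercontent.com/microsoft/Microsoft-threat-protection-Hunting-Queries/$gitRef/Discovery/URL%20Detection.txt"

## Fetch the raw query text; fail the cell on any HTTP error rather than printing nothing.
$Response = Invoke-WebRequest -Method GET -URI $rawGithubLink -ErrorAction Stop

## Read the query before pasting it into the next cell: it comes from a third-party repository
## and will run with this app registration's MDATP permissions.
$Response.Content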



// This query finds network communication to specific URL
// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a "whole term" and runs faster.
// Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com"
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents  
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc



## Put your Hunting Query here

In [4]:
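## Paste your query between the @' and '@ lines (the closing '@ must start at column 0).
## A single-quoted here-string is used on purpose: an expandable @"..."@ would let PowerShell
## interpolate `$` tokens that are legitimate KQL (e.g. $left/$right in a join) or a stray $(...).
$Query = @'
// This query finds network communication to specific URL
// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a "whole term" and runs faster.
// Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com"
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents  
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc
'@

## The advanced-hunting endpoint expects {"Query": "<kql>"}; ConvertTo-Json does the quoting
## and newline escaping, so never build this string by hand.
$body = @{ Query = $Query } | ConvertTo-Json

Write-Host -ForegroundColor Yellow "`nQuery"; $Query
Write-Host -ForegroundColor Yellow "JSON"; $body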

[93m
Query[0m
// This query finds network communication to specific URL
// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a "whole term" and runs faster.
// Example: RemoteUrl has "microsoft" matches "www.microsoft.com" but not "microsoftonline.com"
let partialRemoteUrlToDetect = "microsoft.com"; // Change this to a URL you'd like to find machines connecting to
DeviceNetworkEvents  
| where Timestamp > ago(7d)
and RemoteUrl has partialRemoteUrlToDetect // Can be changed to "contains" operator as explained above
| project Timestamp, DeviceName, DeviceId, ReportId
| top 100 by Timestamp desc
[93mJSON[0m
{
  "Query": "// This query finds network communication to specific URL\n// Please note that in line #7 it filters RemoteUrl using has operator, which looks for a \"whole term\" and runs faster.\n// Example: RemoteUrl has \"microsoft\" matches \"www.microsoft.com\" but not \"microsoftonline.com\"\nlet partialRemoteUrlToDetect = \"microsoft.com\"; 

## Query the MDATP API and show the report schema

In [5]:
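$URI = "https://api.securitycenter.windows.com/api/advancedqueries/run"

## Don't send an empty bearer: the 401 in the saved output below came from exactly that
## ($tokenResponse.access_token was empty), and it is far easier to diagnose here.
if (-not $tokenResponse.access_token) {
    throw "No access token - re-run the authentication cell before querying."
}

$authHeader = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $($tokenResponse.access_token)"
}

## Show the headers with the token masked; printing $authHeader as-is would write a live
## bearer token into the notebook output, which is saved to disk and often committed.
$shownHeader = $authHeader.Clone()
$shownHeader.Authorization = 'Bearer <redacted>'
$shownHeader

## Run the hunting query; -ErrorAction Stop turns HTTP errors into a terminating error.
$Result = Invoke-RestMethod -Method POST -Uri $URI -Headers $authHeader -Body $body -ErrorAction Stop
$Result.Schema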


Name                           Value
----                           -----
Accept                         application/json
Content-Type                   application/json
Authorization                  Bearer 
[91mInvoke-RestMethod: 
[96mLine |
[96m   7 | [0m $Result = ([96mInvoke-RestMethod -Method POST -Uri $URI -Headers $authHea[0m …
[96m     | [91m            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[91m[96m     | [91mResponse status code does not indicate success: 401 (Unauthorized).[0m



## Parse report

In [22]:
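## Columns to show from the result set. The query in the cell above only projects
## Timestamp, DeviceName, DeviceId and ReportId, so ActionType and RemoteIP come back blank
## (as in the saved output below) unless you add them to the query's `| project` line.
$includeColumns = @('Timestamp','DeviceName','ActionType','RemoteIP')

## Warn about requested columns the result rows don't actually carry, instead of silently
## rendering empty cells.
$firstRow = $Result.Results | Select-Object -First 1
if ($firstRow) {
    $present = $firstRow.PSObject.Properties.Name
    $missing = @($includeColumns | Where-Object { $_ -notin $present })
    if ($missing.Count) {
        Write-Warning "Column(s) not in the result set - add them to the query's project clause: $($missing -join ', ')"
    }
}

$Result.Results | Select-Object -Property $includeColumns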


Timestamp             DeviceName        ActionType RemoteIP
---------             ----------        ---------- --------
6/16/2020 2:13:41 AM  jingtoso-desktop1            
6/16/2020 2:12:11 AM  win10-oobe-test              
6/16/2020 2:06:25 AM  jingtoso-desktop1            
6/16/2020 2:06:24 AM  jingtoso-desktop1            
6/16/2020 2:06:19 AM  jingtoso-desktop1            
6/16/2020 2:03:16 AM  jingtoso-desktop1            
6/16/2020 2:03:15 AM  jingtoso-desktop1            
6/16/2020 2:02:54 AM  jingtoso-desktop1            
6/16/2020 2:01:16 AM  win10-oobe-test              
6/16/2020 2:00:07 AM  win10-oobe-test              
6/16/2020 1:55:00 AM  jingtoso-desktop1            
6/16/2020 1:53:00 AM  jingtoso-desktop1            
6/16/2020 1:42:12 AM  win10-oobe-test              
6/16/2020 1:40:20 AM  jingtoso-desktop1            
6/16/2020 1:16:01 AM  win10-oobe-test              
6/16/2020 12:48:07 AM jing-lab                     
6/16/2020 12:12:11 AM win10-oobe-test          