# Rest API - Advanced Hunting Query

<table align="left">
  <tr>
    <th>Type</th>
      <th>Title</th>
    <th>Description</th>
  </tr>
  <tr>
      <td>Documentation</td>
    <td><b><a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api">Advanced Hunting API</a></b></td>
    <td>This is the documentation that describes which permissions are required and gives request examples you can use to query the MDATP API.</td>
  </tr>
</table>

## Pre-requisite

### Configure your tenant info here

In [None]:
$config = @{
    tenantID = "xxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxx"          ## Azure AD Tenant ID
    appID = "xxxxxx-23af-4ae5-a6ed-xxxxxx"                   ## Usually known as Client ID or Application ID
    appSecret = "W_xxxxxxxxxxxxxxxxxx.xxxxxxxxx"             ## This is the secretKey. Important only authorized users have this 
    resourceURI = "https://api.securitycenter.windows.com"   ## This is the resource endpoint for MDATP
}

### (Optional) Store credentials in local storage to recall in future
If you want to store your credentials locally, here is an example. Otherwise just specify the credentials in the configuration above and skip this step.

In [None]:
## Checks whether the credential file exists; if it does not, export the $config hashtable from the step above.
$storagePath = ".\MDATP.credential"

## Note: Export-CliXml only encrypts SecureString values (DPAPI, current user). A plain-string appSecret
## is written to disk unencrypted, so protect the file accordingly or store the secret as a SecureString.
if (Test-Path -Path $storagePath) {
    ## Import the stored credential file; this replaces the $config from step 1.1
    $config = Import-CliXml -Path $storagePath
    Write-Host -ForegroundColor Green "`nCredential file loaded from $($storagePath)"
} else {
    $config | Export-CliXml -Path $storagePath
    Write-Host -ForegroundColor Green "`nStored new credentials in $($storagePath)"
}

### Grabs Access Token using credential file to query the MDATP API

In [None]:
## Create header and endpoint URI
$oAuthUri = "https://login.windows.net/$($config.tenantID)/oauth2/token"
$authBody = [Ordered] @{ 
    resource = $config.resourceURI
    client_id = $config.appID
    client_secret = $config.appSecret
    grant_type = 'client_credentials'
}

## Call MDATP Rest API and grab access token using config credentials
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
if ($token) {
    Write-Host -ForegroundColor Green "`nToken received`n"
} else {
    throw "No access_token in the response from $oAuthUri"
}
$token

### Put your Hunting Query here

In [None]:
## Enter your query here
$Query = "
DeviceNetworkEvents 
| where InitiatingProcessFileName =~ 'powershell.exe'
| limit 10
"

## This is the query converted to JSON format
$body = @{Query = $Query} | ConvertTo-JSON
Write-Host -ForegroundColor Yellow "`nQuery"; $Query
Write-Host -ForegroundColor Yellow "JSON"; $body

## Query the MDATP API

### Query the MDATP API and grab the report (results and schema)

In [None]:
$URI = "https://api.securitycenter.windows.com/api/advancedqueries/run"   ## This is the URL to query with the access token.
$header = @{                                                              ## This is the header
    'Content-Type' = 'application/json'
    Accept = 'application/json'
    Authorization = "Bearer $token" }

$Result = (Invoke-RestMethod -Method POST -Uri $URI -Headers $header -body $body -ErrorAction Stop)
$Result

### Parse report

In [None]:
$includeColumns = @('Timestamp','DeviceName','ActionType','RemoteIP')
$Result.Results | Select-Object -Property $includeColumns
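The token, query and parse steps above combined into one reusable function. This is an added example, not code from the original notebook: it assumes the documented response shape (`Schema` as a list of `{Name, Type}` entries plus `Results`), Windows PowerShell 5.1 for the `$_.Exception.Response` error handling, and that the API answers HTTP 429 when the call rate limit is exceeded.

```powershell
function Invoke-MdatpHuntingQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [Parameter(Mandatory)] [string] $Token,     # access token from the OAuth step above
        [string] $Uri = "https://api.securitycenter.windows.com/api/advancedqueries/run",
        [int] $MaxRetries = 3,
        [int] $RetryWaitSeconds = 60                 # assumed back-off for a throttled (429) call
    )
    $header = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $Token"
    }
    $body = @{ Query = $Query } | ConvertTo-Json

    $response = $null
    for ($attempt = 1; $attempt -le $MaxRetries; $attempt++) {
        try {
            $response = Invoke-RestMethod -Method Post -Uri $Uri -Headers $header -Body $body -ErrorAction Stop
            break
        } catch {
            # Assumption: Windows PowerShell 5.1, where Response is an HttpWebResponse
            $resp   = $_.Exception.Response
            $status = if ($resp) { [int]$resp.StatusCode } else { 0 }
            if ($status -eq 429 -and $attempt -lt $MaxRetries) {
                Write-Warning "Throttled (HTTP 429); retrying in $RetryWaitSeconds seconds (attempt $attempt of $MaxRetries)"
                Start-Sleep -Seconds $RetryWaitSeconds
            } else {
                throw   # any other failure (401 expired token, 400 bad KQL, ...) is surfaced to the caller
            }
        }
    }
    if (-not $response) { throw "No response after $MaxRetries attempts" }

    # Use the schema the API returns to build typed objects instead of hard-coding column names
    foreach ($row in $response.Results) {
        $obj = [ordered]@{}
        foreach ($col in $response.Schema) {
            $value = $row.($col.Name)
            if ($col.Type -eq 'DateTime' -and $value) { $value = [datetime]$value }
            $obj[$col.Name] = $value
        }
        [pscustomobject]$obj
    }
}

# Usage with the $token and $Query from the cells above
$rows = Invoke-MdatpHuntingQuery -Query $Query -Token $token
$rows | Select-Object -Property Timestamp, DeviceName, ActionType, RemoteIP | Format-Table -AutoSize
```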