Forum Discussion
autopoiesis
Jul 27, 2023 (Copper Contributor)
Hunting Queries: run via API?
Hi, We're using more and more Hunting queries for analysis and reporting, with on-prem scripts calling the Defender API, and processing/enriching results locally. I find that it's easiest to dev...
raphaelcustodiosoares
Aug 03, 2023 (Iron Contributor)
Hello, look at this website, maybe it can help you:
https://swimlane.com/blog/microsoft-defender-advanced-threat-protection-queries/
autopoiesis
Aug 04, 2023 (Copper Contributor)
Thank you for the response, but I think you missed that I was asking whether *named* queries (ie queries which are saved under Shared queries) can be run via API.
For example, if I create a long and complex query and save it under 'Shared queries' as 'Monthly-KPI_Top_CVEs', is it possible to simply run something like (pseudocode):
Invoke-WebRequest -Method POST -Body '{"Query":"Shared/Monthly-KPI_Top_CVEs"}' -ContentType 'application/json' -Uri https://api.securitycenter.microsoft.com/api/advancedqueries/run -Headers $headers
... and grab the json results exactly as I would if I had included the full KQL in the script itself?
Clearly, any queries saved under 'My queries' are viewable only to me and not usually via API, but any saved under 'Shared queries' should be.
This seems such an obvious (and useful) capability, but I've not seen it documented, or even asked about...
Cheers,
AP
[edits: clarity]
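An added example (not code from the thread or from Microsoft) showing the pattern most scripts end up with: the documented request body for the Advanced Hunting endpoint is a JSON object with a single Query field holding the KQL text, so the "named" query is kept as a local .kql file and loaded by name before the call. Assumptions: a folder of .kql files that mirrors the portal's 'Shared queries' (folder name and file layout are made up here), and a bearer token for an app registration with the AdvancedQuery.Read.All permission, obtained separately. The function name Invoke-NamedHuntingQuery is hypothetical.

```powershell
# Added example, not from the original post. Runs a locally stored, named
# hunting query through the Defender for Endpoint Advanced Hunting API.
# Assumptions: $QueryFolder holds one <name>.kql file per saved query (a
# local mirror of the portal's 'Shared queries'); $Token is an OAuth bearer
# token for an app registration that has AdvancedQuery.Read.All.
function Invoke-NamedHuntingQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$QueryName,   # e.g. 'Monthly-KPI_Top_CVEs'
        [Parameter(Mandatory)] [string]$Token,
        [string]$QueryFolder = (Join-Path $PSScriptRoot 'SharedQueries'),  # assumed layout
        [string]$ApiUri = 'https://api.securitycenter.microsoft.com/api/advancedqueries/run'
    )

    # Resolve the name to a local file; the API itself has no notion of saved queries.
    $queryPath = Join-Path $QueryFolder "$QueryName.kql"
    if (-not (Test-Path -Path $queryPath)) {
        throw "No saved query named '$QueryName' found in '$QueryFolder'."
    }
    $kql = Get-Content -Path $queryPath -Raw

    # The documented body is {"Query": "<KQL>"}; ConvertTo-Json escapes newlines
    # and quotes inside the KQL for us.
    $body    = @{ Query = $kql } | ConvertTo-Json -Compress
    $headers = @{ Authorization = "Bearer $Token" }

    # Invoke-RestMethod parses the JSON reply into an object with
    # Stats, Schema (column names/types) and Results (one object per row).
    $resp = Invoke-RestMethod -Method Post -Uri $ApiUri -Headers $headers `
        -ContentType 'application/json' -Body $body

    return $resp
}

# Usage: run the saved query and keep the rows for local enrichment/reporting.
# $token  = '<bearer token obtained via client credentials>'
# $result = Invoke-NamedHuntingQuery -QueryName 'Monthly-KPI_Top_CVEs' -Token $token
# $result.Schema  | Format-Table Name, Type
# $result.Results | Export-Csv -Path "Monthly-KPI_Top_CVEs-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Keeping the .kql files under version control gives the "shared" behaviour the post is after (one reviewed copy of each long query, referenced by name from every script) without depending on a capability the endpoint does not expose; the portal copy and the repo copy just have to be kept in sync by hand.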