Jul 27 2023 01:50 AM
Hi,
We're using more and more Hunting queries for analysis and reporting, with on-prem scripts calling the Defender API, and processing/enriching results locally. I find that it's easiest to develop/tweak queries within the Portal, but it's tedious to maintain embedded query code within local scripts.
Can named queries saved within the Defender Portal (eg under 'Shared queries') be accessed remotely via API? Logically, they should be visible to any remote application with the appropriate API token, but I have not seen any documentation addressing this use case.
Cheers,
autopoiesis
Aug 02 2023 05:02 PM
Aug 04 2023 08:55 AM - edited Aug 04 2023 08:59 AM
Thank you for the response, but I think you missed that I was asking whether *named* queries (ie queries which are saved under Shared queries) can be run via API.
For example, if I create a long and complex query and save it under 'Shared queries' as 'Monthly-KPI_Top_CVEs' is it possible to simply run something like (pseudocode):
Invoke-WebRequest -Method POST -Body {"query=Shared/Monthly-KPI_Top_CVEs"} -Uri https://api.securitycenter.microsoft.com/api/advancedqueries/run -Headers <headers>
... and grab the json results exactly as I would if I had included the full KQL in the script itself?
Clearly, any queries saved under 'My queries' are viewable only to me and not usually via API, but any saved under 'Shared queries' should be.
This seems such an obvious (and useful) capability, but I've not seen it documented, or even asked about...
Cheers,
AP
[edits: clarity]