Hunting Queries: run via API?

Hi,

We're using more and more Hunting queries for analysis and reporting, with on-prem scripts calling the Defender API, and processing/enriching results locally.  I find that it's easiest to develop/tweak queries within the Portal, but it's tedious to maintain embedded query code within local scripts.

Can named queries saved within the Defender Portal (e.g. under 'Shared queries') be accessed remotely via API?  Logically, they should be visible to any remote application with the appropriate API token, but I have not seen any documentation addressing this use case.

Cheers,

autopoiesis

2 Replies

Hi @raphaelcustodiosoares,

Thank you for the response, but I think you missed that I was asking whether *named* queries (i.e. queries which are saved under Shared queries) can be run via API.

For example, if I create a long and complex query and save it under 'Shared queries' as 'Monthly-KPI_Top_CVEs', is it possible to simply run something like (pseudocode):

Invoke-WebRequest -Method POST -Uri https://api.securitycenter.microsoft.com/api/advancedqueries/run -Headers <headers> -Body '{"Query": "Shared/Monthly-KPI_Top_CVEs"}'

... and grab the json results exactly as I would if I had included the full KQL in the script itself?

Clearly, any queries saved under 'My queries' are viewable only to me and not usually via API, but any saved under 'Shared queries' should be.

This seems such an obvious (and useful) capability, but I've not seen it documented, or even asked about...

Cheers,
AP

[edits: clarity]
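Added example (not code from the original posts, nor Microsoft's own sample): the documented advancedqueries/run endpoint takes the KQL text itself in the "Query" field of the JSON request body, so the script below addresses the maintenance problem raised in the first post differently from the pseudocode in the second post: each query is kept in its own .kql file next to the script, named after the saved query (e.g. Monthly-KPI_Top_CVEs.kql), so it can be pasted from the portal without editing the script. It assumes an Azure AD app registration with the AdvancedQuery.Read.All application permission; $TenantId, $ClientId, $ClientSecret, the queries directory and the function names are placeholders and assumptions, not anything the thread or the API defines.

```powershell
# Added example, not from the original post. Runs one named query from
# .\queries\<QueryName>.kql against the Defender for Endpoint Advanced
# Hunting API and writes the rows to CSV for local enrichment.
# Assumed prerequisites: an Azure AD app registration with the
# AdvancedQuery.Read.All application permission (admin-consented).
param(
    [Parameter(Mandatory)] [string] $TenantId,      # placeholder, supply your own
    [Parameter(Mandatory)] [string] $ClientId,      # placeholder, supply your own
    [Parameter(Mandatory)] [string] $ClientSecret,  # placeholder; prefer a vault/secret store
    [Parameter(Mandatory)] [string] $QueryName,     # e.g. Monthly-KPI_Top_CVEs
    [string] $QueryDir = './queries'                # one <name>.kql file per saved query
)

$ErrorActionPreference = 'Stop'
$Resource = 'https://api.securitycenter.microsoft.com'

function Get-DefenderToken {
    # Client-credentials grant against the tenant's v1.0 token endpoint.
    # Invoke-RestMethod form-encodes a hashtable body for POST.
    $body = @{
        resource      = $Resource
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $body
    return $resp.access_token
}

function Invoke-HuntingQuery {
    param([string] $Kql, [string] $Token)
    # The run endpoint expects {"Query": "<KQL text>"}; there is no field for a
    # saved-query name, which is why the query text is read from a file.
    $payload = @{ Query = $Kql } | ConvertTo-Json -Compress
    return Invoke-RestMethod -Method Post `
        -Uri "$Resource/api/advancedqueries/run" `
        -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType 'application/json' `
        -Body $payload
}

function ConvertFrom-HuntingResult {
    param($Result)
    # Response shape: {"Schema":[{"Name":..,"Type":..},...],"Results":[{...},...]}.
    # Emit one PSCustomObject per row with columns in schema order so the rows
    # pipe cleanly into Export-Csv or local enrichment steps.
    $columns = @($Result.Schema | ForEach-Object { $_.Name })
    foreach ($row in $Result.Results) {
        $obj = [ordered]@{}
        foreach ($c in $columns) { $obj[$c] = $row.$c }
        [PSCustomObject]$obj
    }
}

# --- main ---
$kqlPath = Join-Path $QueryDir "$QueryName.kql"
if (-not (Test-Path $kqlPath)) { throw "No saved query file at $kqlPath" }
$kql   = Get-Content -Path $kqlPath -Raw
$token = Get-DefenderToken
$rows  = @(ConvertFrom-HuntingResult (Invoke-HuntingQuery -Kql $kql -Token $token))
Write-Host ("{0}: {1} rows returned" -f $QueryName, $rows.Count)
$rows | Export-Csv -NoTypeInformation -Path (Join-Path $QueryDir "$QueryName.csv")
```

Usage: .\Run-HuntingQuery.ps1 -TenantId ... -ClientId ... -ClientSecret ... -QueryName Monthly-KPI_Top_CVEs. Two caveats worth building in for reporting scripts: the run endpoint is rate limited per minute and per hour and caps the number of rows it returns, so keep reporting queries time-bounded in the KQL (e.g. a Timestamp filter) rather than relying on the API to return everything; and because the query text comes from a file, treat that directory as code (source control, reviewed changes), since anyone who can edit it controls what the app's token is used to query.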