Advanced Hunting using Python
2020/11/13
Important
Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.
Applies to:
This page shows how to run advanced hunting queries from Python. For the REST endpoint itself, see Advanced Hunting API.
In this section, we share Python samples that retrieve a token and then use it to run a query.
Prerequisite: you first need to create an app (an Azure AD application registration that has been granted the 'Run advanced queries' permission).
Get token
Run the following commands:
import json
import urllib.request
import urllib.parse

tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here (in real scripts load it from an environment variable or a secret store, never from source control)

url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
resourceAppIdUri = 'https://api.securitycenter.windows.com'

# OAuth 2.0 client-credentials grant: the app authenticates with its own secret, no user signs in
body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'
}

data = urllib.parse.urlencode(body).encode("utf-8")   # form-encoded POST body
req = urllib.request.Request(url, data)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"]   # bearer token; it expires, so re-run this step when the API returns 401
where
tenantId: ID of the tenant on whose behalf you want to run the query (that is, the query runs against that tenant's data)
appId: ID of your Azure AD app (the app must have the 'Run advanced queries' permission to Microsoft Defender for Endpoint)
appSecret: secret of your Azure AD app (treat it like a password: anyone holding it can run queries against your tenant's data)
Run query
Run the following commands:
query = 'RegistryEvents | limit 10' # Paste your own query here
url = "https://api.securitycenter.windows.com/api/advancedqueries/run"

headers = {
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken   # token obtained in the previous step
}

data = json.dumps({ 'Query' : query }).encode("utf-8")   # the API expects a JSON body with a single 'Query' property
req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]
results = jsonResponse["Results"]
schema describes the columns of the result set returned by your query
results contains the rows returned by your query (one dictionary per row)
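The two steps above (get a token, run a query) combined into one small client, as an added example that is not part of the original page and not one of Microsoft's SDKs. It keeps the page's endpoints and request shapes, but reads the credentials from environment variables instead of hardcoding the secret, reuses the token until shortly before its expiry, and turns the JSON error body of an HTTP failure (an invalid secret, a KQL syntax error) into a readable exception. The transport is injectable, so the demo at the bottom runs offline against constructed responses; the MDE_* variable names, the fake opener's canned responses and its "s3cret" value are assumptions of this example.

```python
import io
import json
import os
import time
import urllib.error
import urllib.parse
import urllib.request

# Endpoints and request shapes are the ones used in the samples above.
TOKEN_URL = "https://login.windows.net/%s/oauth2/token"
RESOURCE_APP_ID_URI = "https://api.securitycenter.windows.com"
QUERY_URL = "https://api.securitycenter.windows.com/api/advancedqueries/run"


class HuntingClient:
    """Minimal Advanced Hunting client (illustrative, not an official SDK).
    `opener` is any callable with urllib.request.urlopen's signature; the default
    talks to the real endpoints, the fake further down is injected for offline use.
    """
    def __init__(self, tenant_id, app_id, app_secret, opener=urllib.request.urlopen):
        self.tenant_id, self.app_id, self.app_secret = tenant_id, app_id, app_secret
        self.opener = opener
        self._token, self._expires_at = None, 0.0

    @classmethod
    def from_env(cls, **kwargs):
        # Read the credentials from the environment instead of pasting the secret
        # into the script (variable names are an assumption of this example).
        names = ("MDE_TENANT_ID", "MDE_APP_ID", "MDE_APP_SECRET")
        missing = [n for n in names if not os.environ.get(n)]
        if missing:
            raise RuntimeError("missing environment variables: " + ", ".join(missing))
        return cls(*(os.environ[n] for n in names), **kwargs)

    def _post_json(self, url, data, headers):
        req = urllib.request.Request(url, data, headers)
        try:
            with self.opener(req) as resp:
                return json.loads(resp.read().decode("utf-8"))
        except urllib.error.HTTPError as err:
            # AAD and the hunting API both return a JSON error body (invalid client
            # secret, KQL syntax error, ...); surface it instead of a bare status code.
            detail = err.read().decode("utf-8", "replace")[:500]
            raise RuntimeError("HTTP %d from %s: %s" % (err.code, url, detail)) from None

    def token(self, now=time.time):
        # Reuse the cached token until 60 s before it expires (expires_in is in seconds).
        if self._token and now() < self._expires_at - 60:
            return self._token
        form = urllib.parse.urlencode({
            "resource": RESOURCE_APP_ID_URI,
            "client_id": self.app_id,
            "client_secret": self.app_secret,
            "grant_type": "client_credentials",
        }).encode("utf-8")
        reply = self._post_json(TOKEN_URL % self.tenant_id, form,
                                {"Content-Type": "application/x-www-form-urlencoded"})
        self._token = reply["access_token"]
        self._expires_at = now() + int(reply.get("expires_in", 3600))
        return self._token

    def run(self, query):
        headers = {"Content-Type": "application/json", "Accept": "application/json",
                   "Authorization": "Bearer " + self.token()}
        reply = self._post_json(QUERY_URL, json.dumps({"Query": query}).encode("utf-8"), headers)
        return reply["Schema"], reply["Results"]


# Offline stand-in for urlopen: constructed canned responses, no network access.
class _FakeResponse:
    def __init__(self, payload):
        self._body = json.dumps(payload).encode("utf-8")
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def make_fake_opener(log):
    """Opener that records every request in `log` and answers like the two endpoints."""
    def opener(req):
        log.append(req)
        if req.full_url.endswith("/oauth2/token"):
            form = dict(urllib.parse.parse_qsl(req.data.decode("utf-8")))
            if form.get("client_secret") != "s3cret":  # the fake's assumed "valid" secret
                raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized", {},
                                             io.BytesIO(b'{"error":"invalid_client"}'))
            return _FakeResponse({"access_token": "tok-1", "expires_in": "3599"})
        return _FakeResponse({"Schema": [{"Name": "EventTime", "Type": "DateTime"}],
                              "Results": [{"EventTime": "2020-11-13T08:15:02Z"}]})
    return opener


def demo(secret="s3cret"):
    """Two queries through the fake; returns (rows, token requests made, last Authorization header)."""
    log = []
    client = HuntingClient("tenant-id", "app-id", secret, opener=make_fake_opener(log))
    _, rows = client.run("RegistryEvents | limit 10")
    client.run("RegistryEvents\n| where RegistryKey has 'Run'\n| limit 10")  # multi-line KQL works too
    token_requests = sum(1 for r in log if r.full_url.endswith("/oauth2/token"))
    return rows, token_requests, log[-1].get_header("Authorization")
```

Against the real service you would construct the client with HuntingClient.from_env() and leave the default opener in place; the fake exists only so the token caching and error handling can be exercised without a tenant. Note that the error path truncates the response body before putting it in the exception, so a verbose API error cannot flood your logs.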
Complex queries
If you want to run complex (or multi-line) queries, save the query in a file and, instead of the first line of the sample above (the query = ... assignment), run the following:
queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
query = queryFile.read()   # the whole file, line breaks included, is sent as the KQL query
queryFile.close()
Work with query results
You can now use the query results.
To iterate over the results, do the following:
for result in results:
    print(result) # Prints the whole result
    print(result["EventTime"]) # Prints only the property 'EventTime' from the result (raises KeyError if your query did not return that column)
To output the results of the query in CSV format to the file file1.csv, do the following:
import csv

outputFile = open("D:\\Temp\\file1.csv", 'w', newline='')   # newline='' prevents blank lines between rows on Windows
output = csv.writer(outputFile)
output.writerow(results[0].keys())   # header row taken from the first result; fails with IndexError if the query returned no rows
for result in results:
    output.writerow(result.values())
outputFile.close()
To output the results of the query in JSON format to the file file1.json, do the following:
outputFile = open("D:\\Temp\\file1.json", 'w')
json.dump(results, outputFile)   # writes the list of result dictionaries as a JSON array
outputFile.close()
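The CSV sample above takes its column list from results[0].keys(), which fails on an empty result set and assumes every row carries every property in the same order. The following added example (not from the original page) drives the output from the Schema the API returns instead, and reads properties with .get so a missing column does not raise. The sample response is constructed for illustration and is not real tenant data.

```python
import csv
import io
import json

# Constructed sample in the shape the API returns: "Schema" lists the columns,
# "Results" lists the rows. The second row deliberately lacks RegistryValueData.
SAMPLE_RESPONSE = {
    "Schema": [
        {"Name": "EventTime", "Type": "DateTime"},
        {"Name": "ComputerName", "Type": "String"},
        {"Name": "RegistryKey", "Type": "String"},
        {"Name": "RegistryValueData", "Type": "String"},
    ],
    "Results": [
        {"EventTime": "2020-11-13T08:15:02.1234567Z", "ComputerName": "ws01",
         "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
         "RegistryValueData": "C:\\Users\\Public\\update.exe"},
        {"EventTime": "2020-11-13T08:16:45.0000000Z", "ComputerName": "ws02",
         "RegistryKey": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    ],
}


def column_names(schema):
    """Column names in the order the API reported them."""
    return [column["Name"] for column in schema]


def results_to_csv(schema, results):
    """Render rows as CSV text in schema order.
    A missing property becomes an empty cell instead of shifting the row, and an
    empty result set still produces the header line.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=column_names(schema), restval="",
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(results)
    return buf.getvalue()


def results_to_json(results):
    """Pretty-printed JSON array, keys sorted so diffs between runs are stable."""
    return json.dumps(results, indent=2, sort_keys=True)


def column(results, name):
    """Values of one property across all rows, None where a row lacks it (no KeyError)."""
    return [row.get(name) for row in results]


def save(path, text):
    # newline="" so the csv module's own line endings reach the file unchanged on Windows.
    with open(path, "w", newline="", encoding="utf-8") as handle:
        handle.write(text)


if __name__ == "__main__":
    schema, results = SAMPLE_RESPONSE["Schema"], SAMPLE_RESPONSE["Results"]
    print(results_to_csv(schema, results))
    print(column(results, "RegistryValueData"))
```

With a real response, pass jsonResponse["Schema"] and jsonResponse["Results"] from the Run query section to results_to_csv and hand the text to save; the same schema-driven header is written whether the query returned a thousand rows or none.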
Related topic