Advanced Hunting using Python - Windows security | Microsoft Docs

Advanced Hunting using Python

2020/11/13


Important

Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

Applies to:

To run advanced queries using Python, see Advanced Hunting API.

In this section, we share Python samples to retrieve a token and use it to run a query.

Prerequisite: You first need to create an app.

Get token

Run the following commands:

import json
import urllib.request
import urllib.parse

tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here

# Azure AD token endpoint for the tenant; the token is scoped to the Defender for Endpoint API
url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
resourceAppIdUri = 'https://api.securitycenter.windows.com'

# Client-credentials (app-only) grant: no user is involved, the app authenticates with its secret
body = {
    'resource' : resourceAppIdUri,
    'client_id' : appId,
    'client_secret' : appSecret,
    'grant_type' : 'client_credentials'
}

data = urllib.parse.urlencode(body).encode("utf-8")
req = urllib.request.Request(url, data) # Passing data makes this a POST
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
aadToken = jsonResponse["access_token"] # Bearer token used for the query calls below

where

tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant)

appId: ID of your Azure AD app (the app must have the 'Run advanced queries' permission to Microsoft Defender for Endpoint)

appSecret: Secret of your Azure AD app

Run query

Run the following query:

query = 'RegistryEvents | limit 10' # Paste your own query here

url = "https://api.securitycenter.windows.com/api/advancedqueries/run"

headers = {
    'Content-Type' : 'application/json',
    'Accept' : 'application/json',
    'Authorization' : "Bearer " + aadToken # Token obtained in the previous step
}

# The query is sent as JSON in the request body
data = json.dumps({ 'Query' : query }).encode("utf-8")
req = urllib.request.Request(url, data, headers)
response = urllib.request.urlopen(req)
jsonResponse = json.loads(response.read())
schema = jsonResponse["Schema"]
results = jsonResponse["Results"]

schema contains the schema of the results of your query

results contains the results of your query

Complex queries

If you want to run complex queries (or multi-line queries), save your query in a file and, instead of the first line in the above sample, run the command below:

# The with-statement closes the file even if reading fails
with open("D:\\Temp\\myQuery.txt", 'r') as queryFile: # Replace with the path to your file
    query = queryFile.read()

Work with query results

You can now use the query results.

To iterate over the results, do the following:

for result in results:
    print(result) # Prints the whole result
    print(result["EventTime"]) # Prints only the property 'EventTime' from the result

To output the results of the query in CSV format to the file file1.csv, do the following:

import csv

# newline='' is required by the csv module; without it, Windows gets an extra blank line after every row
outputFile = open("D:\\Temp\\file1.csv", 'w', newline='')
output = csv.writer(outputFile)
output.writerow(results[0].keys()) # Header row taken from the first result (fails if results is empty)
for result in results:
    output.writerow(result.values())
outputFile.close()

To output the results of the query in JSON format to the file file1.json, do the following:

outputFile = open("D:\\Temp\\file1.json", 'w')
json.dump(results, outputFile)
outputFile.close()
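The query call and the CSV export above, as an added example that is not part of the Microsoft page: the request is built and sent by functions that surface the API's HTTP error body (an expired token, a missing 'Run advanced queries' permission, or a malformed query), and the CSV columns are taken from the response's Schema rather than from the first row's dict order. It assumes each Schema entry carries a "Name" field, as the Advanced Hunting API returns; the sample response is constructed.

```python
import csv
import io
import json
import urllib.error
import urllib.request

QUERY_URL = "https://api.securitycenter.windows.com/api/advancedqueries/run"


def build_query_request(token, query):
    """Build the POST for one advanced hunting query (same headers as the page)."""
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": "Bearer " + token,
    }
    data = json.dumps({"Query": query}).encode("utf-8")
    return urllib.request.Request(QUERY_URL, data, headers)


def send(req):
    """Send the request; turn an HTTP error into an exception carrying the API's message."""
    try:
        with urllib.request.urlopen(req) as response:
            return json.loads(response.read())
    except urllib.error.HTTPError as err:
        # 401/403 usually mean an expired token or a missing permission, 400 a bad query
        detail = err.read().decode("utf-8", "replace")
        raise RuntimeError("HTTP %d from %s: %s" % (err.code, QUERY_URL, detail))


def results_to_csv(response_json):
    """Render Results as CSV with columns in Schema order, independent of dict key order."""
    columns = [column["Name"] for column in response_json["Schema"]]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(response_json["Results"])
    return buf.getvalue()


# Constructed sample in the shape the API returns; the second row's keys are in a
# different order, which would misalign the values()-based writer shown above.
SAMPLE_RESPONSE = {
    "Schema": [{"Name": "Timestamp", "Type": "DateTime"},
               {"Name": "DeviceName", "Type": "String"}],
    "Results": [{"Timestamp": "2020-11-13T00:00:00Z", "DeviceName": "host1"},
                {"DeviceName": "host2", "Timestamp": "2020-11-13T01:00:00Z"}],
}

if __name__ == "__main__":
    print(results_to_csv(SAMPLE_RESPONSE))
```

To run it against a tenant, call send(build_query_request(aadToken, query)) with the token from the Get token step and pass the returned dict to results_to_csv.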

Related topic
