# Querying MDATP Data

<h2 style="color: red; border: solid; padding: 5pt">This version of the notebook is deprecated<br>
Please see MicrosoftDefender.ipynb</h2>

MSTICpy versions > 0.3.0

### Description
This notebook provides details and examples of how to connect to and query data from the MDATP Advanced Hunting API.

### Installation

In [None]:
%pip install --upgrade msticpy

### Authentication

Authentication for the MDATP Advanced Hunting API is handled via an Azure AD application. Before you can authenticate, you will need to register an application and grant it the required permissions. MSTICpy supports Application Context authentication to the API.
Detailed instructions on registering an application can be found here: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp

Once created you will require the following details:
* Application (client) ID
* Directory (tenant) ID
* Client secret

These details can be found in the Azure Portal under Azure Active Directory > App Registrations.

Once collected, the easiest way to manage these details is via msticpyconfig.yaml; simply add them to the file in the following format:

In [None]:
'''
MDATPApp:
  Args:
    clientId: "{Application (client) ID}"
    clientSecret: "{Client Secret}"
    tenantId: "{Directory (tenant) ID}"
'''

You can then initialize a data provider for MDATP and connect the provider:

In [5]:
from msticpy.data.data_providers import QueryProvider
mdatp_prov = QueryProvider('MDATP')
# app_name is the value of the heading in msticpyconfig.yaml that the app details are stored under.
mdatp_prov.connect(app_name="MDATPApp")

Connected.


{'token_type': 'Bearer',
 'expires_in': '3599',
 'ext_expires_in': '3599',
 'expires_on': '1578009447',
 'not_before': '1578005547',
 'resource': 'https://api.securitycenter.windows.com',
 'access_token': None}

Once connected, the MDATP data connector functions in a similar manner to other data connectors. You can list queries:

In [9]:
mdatp_prov.list_queries()

['MDATP.file_path',
 'MDATP.host_alerts',
 'MDATP.host_connections',
 'MDATP.ip_alerts',
 'MDATP.ip_connections',
 'MDATP.list_alerts',
 'MDATP.list_connections',
 'MDATP.list_filehash',
 'MDATP.list_files',
 'MDATP.list_host_processes',
 'MDATP.process_cmd_line',
 'MDATP.process_creations',
 'MDATP.process_paths',
 'MDATP.protocol_connections',
 'MDATP.sha1_alerts',
 'MDATP.url_alerts',
 'MDATP.url_connections',
 'MDATP.user_files',
 'MDATP.user_logons',
 'MDATP.user_network',
 'MDATP.user_processes',
 'MDATPHunting.accessibility_persistence',
 'MDATPHunting.av_sites',
 'MDATPHunting.b64_pe',
 'MDATPHunting.brute_force',
 'MDATPHunting.cve_2018_1000006l',
 'MDATPHunting.cve_2018_1111',
 'MDATPHunting.cve_2018_4878',
 'MDATPHunting.doc_with_link',
 'MDATPHunting.dropbox_link',
 'MDATPHunting.email_link',
 'MDATPHunting.email_smartscreen',
 'MDATPHunting.malware_recycle',
 'MDATPHunting.network_scans',
 'MDATPHunting.powershell_downloads',
 'MDATPHunting.service_account_powershell',
 'M

Get details about available queries:

In [20]:
mdatp_prov.MDATP.list_alerts('?')

Query:  list_connections
Data source:  MDATP
Retrieves list of network connections for a host

Parameters
----------
add_query_items: str (optional)
    Additional query clauses
end: datetime (optional)
    Query end time
start: datetime (optional)
    Query start time
    (default value is: -30)
table: str (optional)
    Table name
    (default value is: NetworkCommunicationEvents  )
Query:
 {table} | where EventTime >= datetime({start}) | where EventTime <= datetime({end}) {add_query_items}


Execute queries with default parameters:

In [39]:
mdatp_prov.MDATP.list_alerts()

Unnamed: 0,AlertId,EventTime,MachineId,ComputerName,Severity,Category,Title,FileName,SHA1,RemoteUrl,RemoteIP,ReportId,Table
0,da637111553314888493_-215032980,2019-12-08T17:22:37.8742974Z,f17cf15efe963a9810a0ad1c1842db543bba8775,pradeepg-win10entn-1809,Medium,DefenseEvasion,Suspicious process injection observed,notepad.exe,b6d237154f2e528f0b503b58b025862d66b02b73,,,454,MiscEvents
1,da637111470533220658_-1814166510,2019-12-05T12:34:34.7864124Z,1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739,olaa-win10pro-1607,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,044a0cf1f6bc478a7172bf207eef1e201a18ba02,,,4369,ProcessCreationEvents
2,da637111470533220658_-1814166510,2019-12-05T12:34:34.7864124Z,1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739,olaa-win10pro-1607,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,99ae9c73e9bee6f9c76d6f4093a9882df06832cf,,,4369,ProcessCreationEvents
3,da637111448595540767_-885088719,2019-12-05T12:11:25.5486226Z,499bdd5330f78dc82d0051c8d7a9eb9d69f88333,nestorw-win10pro-1803,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,1b3b40fbc889fd4c645cc12c85d0805ac36ba254,,,14968,ProcessCreationEvents
4,da637111448595540767_-885088719,2019-12-05T12:11:25.5486226Z,499bdd5330f78dc82d0051c8d7a9eb9d69f88333,nestorw-win10pro-1803,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,3ce71813199abae99348f61f0caa34e2574f831c,,,14968,ProcessCreationEvents
5,da637111835325717564_-1865655676,2019-12-05T16:05:46.4778106Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,powershell.exe,36c5d12033b2eaf251bae61c00690ffb17fddc87,,,2376,MiscEvents
6,da637111835325717564_-1865655676,2019-12-05T16:05:46.4778106Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,notepad.exe,d487580502354c61808c7180d1a336beb7ad4624,,,2376,MiscEvents
7,da637111691253610692_623907060,2019-12-05T16:50:16.9477916Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,36c5d12033b2eaf251bae61c00690ffb17fddc87,,,915,ProcessCreationEvents
8,da637111691253610692_623907060,2019-12-05T16:50:16.9477916Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,8dca9749cd48d286950e7a9fa1088c937cbccad4,,,915,ProcessCreationEvents
9,da637111691236503999_-1316647445,2019-12-05T16:56:18.6397738Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,RuntimeBroker.exe,7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27,,,1190,MiscEvents


Execute queries with custom parameters:

In [37]:
mdatp_prov.MDATP.list_alerts(start="-30", add_query_items="| summarize count() by Severity")

Unnamed: 0,Severity,count_
0,Medium,29
1,Informational,14
2,Low,1


Print a fully constructed query for debug purposes:

In [40]:
mdatp_prov.MDATP.list_alerts("print", start="-30", add_query_items="| summarize count() by Severity")

' AlertEvents | where EventTime >= datetime(2019-12-03T23:24:40.794583Z) | where EventTime <= datetime(2020-01-02T23:24:40.794583Z) | summarize count() by Severity'
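The printed query above is the template shown by `list_alerts('?')` with its fields filled in. The following is an added, illustrative re-implementation of that expansion (not msticpy's own code) so you can see how `start="-30"` becomes a `datetime()` literal and where `add_query_items` lands. The template text, the day-offset convention for `start` and the timestamp format are taken from the notebook output; the function names, the fixed `EXAMPLE_NOW` and the `|`-prefix guard are assumptions of this example.

```python
"""Added example: expanding a msticpy-style query template into KQL.

Illustrative re-implementation, not msticpy's own code. From the notebook:
the template, the '-30' day-offset convention for start, and the ISO-8601
datetime() literal format. Assumed: function names, EXAMPLE_NOW, the
'|'-prefix guard on add_query_items.
"""
from datetime import datetime, timedelta, timezone
from string import Formatter

# Template exactly as printed by mdatp_prov.MDATP.list_alerts('?').
LIST_ALERTS_TEMPLATE = (
    "{table} | where EventTime >= datetime({start}) "
    "| where EventTime <= datetime({end}) {add_query_items}"
)

# Fixed 'now' chosen so the output reproduces the notebook's printed query.
EXAMPLE_NOW = datetime(2020, 1, 2, 23, 24, 40, 794583, tzinfo=timezone.utc)


def resolve_time(value, now):
    """Turn a start/end parameter into an aware datetime.

    An integer string such as '-30' is a day offset from `now` (the
    notebook's default for start); a datetime is used as given.
    """
    if isinstance(value, datetime):
        return value
    if isinstance(value, str) and value.lstrip("-+").isdigit():
        return now + timedelta(days=int(value))
    raise ValueError(f"unsupported time parameter: {value!r}")


def kql_datetime(dt):
    """Render a datetime as the printed query shows it,
    e.g. 2019-12-03T23:24:40.794583Z (naive values are assumed UTC)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_query(template, *, table, start="-30", end=None,
                add_query_items="", now=None):
    """Fill the template's fields and return the KQL query string.

    add_query_items is spliced into the query verbatim (that is what the
    template does), so treat it as code: only pass clauses you wrote
    yourself, never text taken from an untrusted source.
    """
    now = now or datetime.now(timezone.utc)
    start_dt = resolve_time(start, now)
    end_dt = now if end is None else resolve_time(end, now)
    if start_dt > end_dt:
        raise ValueError("start must not be later than end")
    # Assumed guard: an extra clause must be a pipe-delimited KQL operator.
    if add_query_items and not add_query_items.lstrip().startswith("|"):
        raise ValueError("add_query_items must start with a '|' operator")
    params = {
        "table": table,
        "start": kql_datetime(start_dt),
        "end": kql_datetime(end_dt),
        "add_query_items": add_query_items,
    }
    # Refuse to run a template that has a field nothing supplies.
    fields = {name for _, name, _, _ in Formatter().parse(template) if name}
    missing = fields - params.keys()
    if missing:
        raise KeyError(f"template fields without values: {sorted(missing)}")
    return template.format(**params).strip()


if __name__ == "__main__":
    print(build_query(LIST_ALERTS_TEMPLATE, table="AlertEvents", start="-30",
                      add_query_items="| summarize count() by Severity",
                      now=EXAMPLE_NOW))
```

With `EXAMPLE_NOW` the function returns the same string the notebook printed with `"print"` (minus the leading space). The guard on `add_query_items` exists because the template interpolates that value without quoting; it is a convenience for analysts writing their own clauses, not a place to pass through strings from a form, a ticket or another system.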

Execute a custom query:

In [43]:
query = "AlertEvents | sample 10"
mdatp_prov.exec_query(query)

Unnamed: 0,AlertId,EventTime,MachineId,ComputerName,Severity,Category,Title,FileName,SHA1,RemoteUrl,RemoteIP,ReportId,Table
0,da637111553314888493_-215032980,2019-12-08T17:22:37.8742974Z,f17cf15efe963a9810a0ad1c1842db543bba8775,pradeepg-win10entn-1809,Medium,DefenseEvasion,Suspicious process injection observed,notepad.exe,b6d237154f2e528f0b503b58b025862d66b02b73,,,454,MiscEvents
1,da637111536085551266_1012263407,2019-12-08T17:11:14.931633Z,f17cf15efe963a9810a0ad1c1842db543bba8775,pradeepg-win10entn-1809,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,8c5437cd76a89ec983e3b364e219944da3dab464,,,137,ProcessCreationEvents
2,da637111470533220658_-1814166510,2019-12-05T12:34:34.7864124Z,1e9f8f18585e70ef1f167fbf5e8bf7c3dccc5739,olaa-win10pro-1607,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,99ae9c73e9bee6f9c76d6f4093a9882df06832cf,,,4369,ProcessCreationEvents
3,da637111448595540767_-885088719,2019-12-05T12:11:25.5486226Z,499bdd5330f78dc82d0051c8d7a9eb9d69f88333,nestorw-win10pro-1803,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,1b3b40fbc889fd4c645cc12c85d0805ac36ba254,,,14968,ProcessCreationEvents
4,da637111691236503999_-1316647445,2019-12-05T16:56:18.6397738Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,RuntimeBroker.exe,7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27,,,1190,MiscEvents
5,da637111835325717564_-1865655676,2019-12-05T16:05:46.4778106Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,powershell.exe,36c5d12033b2eaf251bae61c00690ffb17fddc87,,,2376,MiscEvents
6,da637111835325717564_-1865655676,2019-12-05T16:05:46.4778106Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,notepad.exe,d487580502354c61808c7180d1a336beb7ad4624,,,2376,MiscEvents
7,da637111691253610692_623907060,2019-12-05T16:50:16.9477916Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,36c5d12033b2eaf251bae61c00690ffb17fddc87,,,915,ProcessCreationEvents
8,da637111691253610692_623907060,2019-12-05T16:50:16.9477916Z,be333ec5312b6aaf4936cc33784577857108bc3a,arifb-win10edun-1903,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,8dca9749cd48d286950e7a9fa1088c937cbccad4,,,915,ProcessCreationEvents
9,da637111536085551266_1012263407,2019-12-08T15:59:28.1181531Z,f17cf15efe963a9810a0ad1c1842db543bba8775,pradeepg-win10entn-1809,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,8c5437cd76a89ec983e3b364e219944da3dab464,,,130,ProcessCreationEvents
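The two result sets above show a property of `AlertEvents` worth handling before you count anything: it holds one row per piece of evidence, so the same `AlertId` recurs (one row for `powershell.exe`, another for `cmd.exe`). A `summarize count() by Severity` therefore counts evidence rows, not alerts. The following is an added example, not code from the notebook or from msticpy, that post-processes the rows with the standard library. The sample is an excerpt of the ten rows printed by `list_alerts()` above, trimmed to the columns used; the function names are assumptions.

```python
"""Added example: post-processing AlertEvents rows from list_alerts() /
exec_query(). Not part of the notebook or msticpy. SAMPLE_CSV is a
constructed excerpt (subset of columns) of the rows shown in the notebook."""
import csv
from collections import Counter, defaultdict
from io import StringIO

SAMPLE_CSV = """AlertId,EventTime,ComputerName,Severity,Category,Title,FileName,SHA1
da637111553314888493_-215032980,2019-12-08T17:22:37.8742974Z,pradeepg-win10entn-1809,Medium,DefenseEvasion,Suspicious process injection observed,notepad.exe,b6d237154f2e528f0b503b58b025862d66b02b73
da637111470533220658_-1814166510,2019-12-05T12:34:34.7864124Z,olaa-win10pro-1607,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,044a0cf1f6bc478a7172bf207eef1e201a18ba02
da637111470533220658_-1814166510,2019-12-05T12:34:34.7864124Z,olaa-win10pro-1607,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,99ae9c73e9bee6f9c76d6f4093a9882df06832cf
da637111448595540767_-885088719,2019-12-05T12:11:25.5486226Z,nestorw-win10pro-1803,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,1b3b40fbc889fd4c645cc12c85d0805ac36ba254
da637111448595540767_-885088719,2019-12-05T12:11:25.5486226Z,nestorw-win10pro-1803,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,3ce71813199abae99348f61f0caa34e2574f831c
da637111835325717564_-1865655676,2019-12-05T16:05:46.4778106Z,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,powershell.exe,36c5d12033b2eaf251bae61c00690ffb17fddc87
da637111835325717564_-1865655676,2019-12-05T16:05:46.4778106Z,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,notepad.exe,d487580502354c61808c7180d1a336beb7ad4624
da637111691253610692_623907060,2019-12-05T16:50:16.9477916Z,arifb-win10edun-1903,Informational,Execution,[Test Alert] Suspicious Powershell commandline,powershell.exe,36c5d12033b2eaf251bae61c00690ffb17fddc87
da637111691253610692_623907060,2019-12-05T16:50:16.9477916Z,arifb-win10edun-1903,Informational,Execution,[Test Alert] Suspicious Powershell commandline,cmd.exe,8dca9749cd48d286950e7a9fa1088c937cbccad4
da637111691236503999_-1316647445,2019-12-05T16:56:18.6397738Z,arifb-win10edun-1903,Medium,DefenseEvasion,Suspicious process injection observed,RuntimeBroker.exe,7ae43b9b9df5c5b8c0b26c36ff02557ceef13e27
"""


def load_rows(text):
    """Parse CSV text such as DataFrame.to_csv(index=False) produces."""
    return list(csv.DictReader(StringIO(text)))


def rows_by_severity(rows):
    """Client-side equivalent of '| summarize count() by Severity':
    counts evidence rows, which overstates the number of alerts."""
    return dict(Counter(r["Severity"] for r in rows))


def alerts_by_severity(rows):
    """Client-side equivalent of '| summarize dcount(AlertId) by Severity':
    counts distinct alerts."""
    ids = defaultdict(set)
    for r in rows:
        ids[r["Severity"]].add(r["AlertId"])
    return {sev: len(s) for sev, s in ids.items()}


def group_alerts(rows):
    """Fold evidence rows into one record per AlertId with its evidence list,
    which is the shape an analyst usually wants to triage."""
    alerts = {}
    for r in rows:
        rec = alerts.setdefault(r["AlertId"], {
            "host": r["ComputerName"], "severity": r["Severity"],
            "title": r["Title"], "time": r["EventTime"], "evidence": []})
        rec["evidence"].append((r["FileName"], r["SHA1"]))
    return alerts


def hosts_with_severity(rows, severity):
    """Distinct hosts carrying at least one alert of the given severity."""
    return sorted({r["ComputerName"] for r in rows if r["Severity"] == severity})


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("rows by severity:  ", rows_by_severity(rows))
    print("alerts by severity:", alerts_by_severity(rows))
    for alert_id, rec in group_alerts(rows).items():
        print(alert_id, rec["severity"], rec["host"], rec["evidence"])
```

The same distinction applies server-side: if the number you want is alerts rather than evidence rows, use `dcount(AlertId)` instead of `count()` in the `add_query_items` clause, or group on `AlertId` first. Folding rows per alert also keeps every file hash attached to its alert, which is what you need when pivoting to `MDATP.sha1_alerts` or `MDATP.list_filehash`.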
