diff --git a/Notebooks/WDATP APIs Demo Notebook.ipynb b/Notebooks/WDATP APIs Demo Notebook.ipynb
index 7850cb7d..b4d662fb 100644
--- a/Notebooks/WDATP APIs Demo Notebook.ipynb
+++ b/Notebooks/WDATP APIs Demo Notebook.ipynb
@@ -1611,16 +1611,16 @@
 "One of the most powerful things you can do with API is run hunting queries. This allows you to access \n",
 "the rich data that WDATP collects from endpoints. The following tables are exposed as part of Advanced hunting:\n",
 "\n",
- "- AlertEvents - Alerts on Windows Defender Security Center\n",
- "- MachineInfo - Machine information, including OS information\n",
- "- MachineNetworkInfo - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains\n",
- "- ProcessCreationEvents - Process creation and related events\n",
- "- NetworkCommunicationEvents - Network connection and related events\n",
- "- FileCreationEvents - File creation, modification, and other file system events\n",
- "- RegistryEvents - Creation and modification of registry entries\n",
- "- LogonEvents - Login and other authentication events\n",
- "- ImageLoadEvents - DLL loading events\n",
- "- MiscEvents - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts"
+ "- DeviceAlertEvents - Alerts on Windows Defender Security Center\n",
+ "- DeviceInfo - Machine information, including OS information\n",
+ "- DeviceNetworkInfo - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains\n",
+ "- DeviceProcessEvents - Process creation and related events\n",
+ "- DeviceNetworkEvents - Network connection and related events\n",
+ "- DeviceFileEvents - File creation, modification, and other file system events\n",
+ "- DeviceRegistryEvents - Creation and modification of registry entries\n",
+ "- DeviceLogonEvents - Login and other authentication events\n",
+ "- DeviceImageLoadEvents - DLL loading events\n",
+ "- DeviceEvents - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts"
 ]
 },
 {
@@ -1722,11 +1722,11 @@
 "## look for process creation events where someone ran: net.exe user foo /domain\n",
 "\n",
 "wdatp_api.query( query = '''\n",
- "ProcessCreationEvents\n",
- "| where EventTime > ago(3d)\n",
+ "DeviceProcessEvents\n",
+ "| where Timestamp > ago(3d)\n",
 "| where FileName == 'net.exe'\n",
 "| where ProcessCommandLine contains ' user ' and ProcessCommandLine contains ' /do' and ProcessCommandLine !contains ' /ad'\n",
- "| project EventTime, ProcessCommandLine , InitiatingProcessCommandLine , InitiatingProcessParentFileName , AccountName \n",
+ "| project Timestamp, ProcessCommandLine , InitiatingProcessCommandLine , InitiatingProcessParentFileName , AccountName \n",
 "| sort by InitiatingProcessParentFileName\n",
 "''')"
 ]
@@ -3984,20 +3984,20 @@
 "# build a hunting query that gets data around the time of the alert\n",
 "get_records_qry = '''\n",
 "let alertId = \"%s\";\n",
- "let alert = AlertEvents | where AlertId == alertId | summarize AlertFirstEventTime=min(EventTime) by MachineId;\n",
- "let machineId = toscalar(alert | project MachineId);\n",
+ "let alert = DeviceAlertEvents | where AlertId == alertId | summarize AlertFirstEventTime=min(Timestamp) by DeviceId;\n",
+ "let machineId = toscalar(alert | project DeviceId);\n",
 "let timestamp = toscalar(alert | project AlertFirstEventTime);\n",
 "let lookupPeriod = 10m;\n",
- "find in (ProcessCreationEvents, NetworkCommunicationEvents, FileCreationEvents) \n",
- "where EventTime between ((timestamp - lookupPeriod) .. lookupPeriod)\n",
- " and MachineId == machineId\n",
- "| project-away ComputerName, InitiatingProcessAccountDomain, InitiatingProcessAccountSid // demo env only\n",
+ "find in (DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents) \n",
+ "where Timestamp between ((timestamp - lookupPeriod) .. lookupPeriod)\n",
+ " and DeviceId == machineId\n",
+ "| project-away DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountSid // demo env only\n",
 "| take 1000\n",
 "''' % (alert_df.id.values[0])\n",
 "\n",
 "related_data_df = wdatp_api.query(query=get_records_qry)\n",
 "print (\"Number of records found %d\" % len(related_data_df))\n",
- "related_data_df "
+ "related_data_df"
 ]
 },
 {
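Review bot: The rewritten `where Timestamp between ((timestamp - lookupPeriod) .. lookupPeriod)` line still ends the window at the alert time instead of spanning it: when the right-hand operand of `..` is a timespan, KQL reads the range as start to start+timespan, so this collects the ten minutes before the alert and nothing after, which does not match the cell's "data around the time of the alert" comment. If events on both sides of the alert are wanted, `where Timestamp between ((timestamp - lookupPeriod) .. (timestamp + lookupPeriod))` gives the symmetric window. The alert id is also spliced into the query text with `%s`; it is taken from the API response here rather than from user input, so a comment such as `# alertId comes from the API response, not user input; it is interpolated into the query text` is enough to keep that assumption visible to the next person who reuses the cell. The cell's Python source starts and ends inside this hunk.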
@@ -7111,14 +7111,14 @@
 "source": [
 "# this query gets a handful of machines named desktop \n",
 "query = '''\n",
- "let machine_list = MachineInfo | where EventTime > ago(1d) | where ComputerName startswith 'desktop-' | summarize by ComputerName, MachineId | take 5;\n",
- "NetworkCommunicationEvents\n",
- "| where EventTime > ago(5d) | where isnotempty(MachineId)\n",
+ "let machine_list = DeviceInfo | where Timestamp > ago(1d) | where DeviceName startswith 'desktop-' | summarize by DeviceName, DeviceId | take 5;\n",
+ "DeviceNetworkEvents\n",
+ "| where Timestamp > ago(5d) | where isnotempty(DeviceId)\n",
 "| where RemoteIPType == 'Public' and RemoteIP contains ('.') and RemotePort in ('80') \n",
 "| extend MaskedIP = strcat(split(RemoteIP,'.')[0],'.', split(RemoteIP,'.')[1], '.*.*')\n",
- "| summarize by MachineId, MaskedIP \n",
- "| join kind=inner (machine_list) on MachineId \n",
- "| summarize by ComputerName, MaskedIP\n",
+ "| summarize by DeviceId, MaskedIP \n",
+ "| join kind=inner (machine_list) on DeviceId \n",
+ "| summarize by DeviceName, MaskedIP \n",
 "'''\n",
 "df = wdatp_api.query(query)\n",
 "print (\"rows returned = %d\" % len(df))\n",
@@ -8791,13 +8791,10 @@
 "## query WDATP data for hashes of files recorded in alerts\n",
 "\n",
 "df_results = wdatp_api.query(query = '''\n",
- "AlertEvents \n",
- "| where EventTime > ago(7d) and SHA1 != ''\n",
+ "DeviceAlertEvents \n",
+ "| where Timestamp > ago(7d) and SHA1 != ''\n",
 "| summarize by SHA1\n",
- "| take 100\n",
- "'''\n",
- ")\n",
- "print(\"Number of hashes = %d\" % len(df_results))"
+ "| take 100"
 ]
 },
 {
@@ -10076,4 +10073,4 @@
 },
 "nbformat": 4,
 "nbformat_minor": 2
-}
+}
\ No newline at end of file
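Review bot: In the 8791 hunk the new side of the hash-query cell ends at `"| take 100"` with the `'''` and `)` entries removed, so the `wdatp_api.query(query = '''` call opened three context lines earlier is never closed and the cell will fail with an unterminated triple-quoted string; the `]` that follows shows no further source entries exist. Restoring `"| take 100\n",`, `"'''\n",` and `")"` as the last three entries makes the cell executable again. Dropping `print(\"Number of hashes = %d\" % len(df_results))` may be deliberate, but it leaves the cell with no visible output about how many hashes were fetched; if it was meant to stay, put it back after the closing parenthesis. The 7111 and 10076 hunks on this line are rename and whitespace changes and raise nothing.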