Best practices for leveraging Microsoft 365 Defender API's - Episode Three

Published Apr 26 2021 09:15 AM 2,188 Views
Microsoft

In the previous episode, we described how you can easily use Power BI to represent Microsoft 365 data in a visual format. In this episode, we will explore another way you can interact with the Microsoft 365 Defender API. We will describe how to automate data analysis and hunting using Jupyter Notebook.

 

Automate your hunting queries 

While hunting and conducting investigations on a specific threat or IOC, you may want to use multiple queries to obtain wider optics on the possible threats or IOCs in your network. You may also want to leverage queries that are used by other hunters and use them as pivot points to perform deep analysis and find anomalous behaviors. You can find a wide variety of examples in our Git repository, where various queries related to the same campaign or attack technique are shared.

In scenarios such as this, it is sensible to leverage the power of automation to run the queries rather than running individual queries one-by-one.  

This is where Jupyter Notebook is particularly useful. It takes in a JSON file with hunting queries as input and executes all the queries in sequence. The results are saved in a .csv file that you can analyze and share. 

 

Before you begin 

JUPYTER NOTEBOOK 

If you're not familiar with Jupyter Notebooks, you can start by visiting https://jupyter.org for more information. You can also get an excellent overview on how to use Microsoft 365 APIs with Jupyter Notebook by reading Automating Security Operations Using Windows Defender ATP APIs with Python and Jupyter Notebooks.   

 

VISUAL STUDIO CODE EXTENSION 

If you currently use Visual Studio Code, make sure to check out the Jupyter extension 


Figure 1. Visual Studio Code – Jupyter Notebook extension 

 

Another option to use Jupyter Notebook is the Microsoft Azure Machine Learning service. 

Microsoft Azure Machine Learning is the best way to share your experiment with others and for collaboration. 

Please refer to Azure Machine Learning - ML as a Service | Microsoft Azure for additional details. 


Figure 2. Microsoft Azure Machine Learning 

 

In order to create an instance, create a resource group and add the Machine Learning resource. The resource group lets you control all of the resources from a single entry point. 


Figure 3. Microsoft Azure Machine Learning - Resource 

 

When you’re done, you can run the same Jupyter Notebook you are running locally on your device.  


Figure 4. Microsoft Azure Machine Learning Studio 

 

App Registration 

The easy way to access the API programmatically is to register an app in your tenant and assign the required permissions. This way, you can authenticate using the application ID and application secret. 

Follow these steps to build your custom application.

  • Connect to https://portal.azure.com/
  • App registration

Figure 5. App registration 

  

Select "NEW REGISTRATION". 

  


Figure 6. Register an application 

 

Provide the Name of your app, for example, MicrosoftMTP, and select Register. 

Once done, select "API Permission". 

  


Figure 7. API Permissions 

  

Select "Add a permission". 


Figure 8. Add permission 

 

Select the "APIs my organization uses". 

  


  Figure 9. Alert Status 

  


Figure 10. Request API permission 

  

Search for Microsoft Threat Protection and select it. 


Figure 11. Microsoft Threat Protection API 

 

Select "Application Permission". 


Figure 12. Application Permissions 

 

Then select: 

  • AdvancedHunting.Read.All 
  • Incident.Read.All 

 


Figure 13. Microsoft 365 Defender API - Read permission 

 

Once done select "Add permissions". 


Figure 14. Microsoft 365 Defender API - Add permission 

 

Get Started 

Now that we have the application ready to access the API via code, let’s see whether any of the Qakbot queries shared in the Microsoft 365 Defender Git repository produce any results.

 

Figure 15. Microsoft 365 Defender – Hunting Queries 

 

The following queries will be used in this tutorial:  

 

  • Javascript use by Qakbot malware
  • Process injection by Qakbot malware
  • Registry edits by campaigns using Qakbot malware
  • Self-deletion by Qakbot malware
  • Outlook email access by campaigns using Qakbot malware
  • Browser cookie theft by campaigns using Qakbot malware
  • Detect .jse file creation events

 

We need to grab the queries that we want to submit and populate a JSON file with the format shown below. Be sure to properly escape special characters in the JSON file (if you use Visual Studio Code (VSCode), you can find extensions that make the escape/unescape process easier; just pick your favorite one).

 

 

 

 

 

[ 
        { 
            "Description": "Find Qakbot overwriting its original binary with calc.exe", 
            "Name": "Replacing Qakbot binary with calc.exe", 
            "Query": "DeviceProcessEvents | where FileName =~ \"ping.exe\" | where InitiatingProcessFileName =~ \"cmd.exe\" | where InitiatingProcessCommandLine has \"calc.exe\" and InitiatingProcessCommandLine has \"-n 6\" and InitiatingProcessCommandLine has \"127.0.0.1\" | project ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp", 
            "Mitre": "T1107 File Deletion", 
            "Source": "MDE" 
        } 
] 

 

 

 

 

 

Once you have filled in all your queries, we must provide the following parameters to the script in order to configure the correct credentials, the JSON file, and the output folder.

Figure 16. Jupyter Notebook – Authentication 

 

Because we registered an Azure application and used the application secret to obtain an access token, the token is valid for 1 hour. Within the code, we verify whether the token needs to be renewed before submitting a query.

Figure 17. Application Token lifetime validation 

 

When building such a flow, we should take into consideration the Microsoft 365 Defender Advanced hunting API quotas and resource allocation. For more information, see Advanced Hunting API | Microsoft Docs.

Figure 18. Taking API quotas and resource allocation into consideration

 

We run the code by loading the queries from the JSON file we defined as input. We then view the progress and the execution status on screen.

Figure 19. Query Execution 

 

The blue message indicates the number of queries that is currently running and its progress. 

The green message shows the name of the query that is being run. 

The grey message shows the details of the submitted query. 

If there are any results you will see the first 5 records, and then all the records will be saved in a .csv file in the output folder you defined. 

 


Figure 20.  Query results - First 5 records 
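The flow described in the steps above (credentials, token lifetime check, quota handling, sequential execution, CSV output), as an added Python example that is not the notebook's own code. The endpoint URLs, the `Results` response field, HTTP 429 as the throttling signal, the 300-second renewal margin and all function and class names are assumptions of this example; the fake endpoints and sample data in `demo()` are constructed so it runs offline.

```python
import csv
import json
import os
import re
import tempfile
import time
import urllib.error
import urllib.parse
import urllib.request

RESOURCE = "https://api.security.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
HUNTING_URL = RESOURCE + "/api/advancedhunting/run"

def http_post(url, headers, data):
    """Real transport: returns (status, lower-cased response headers, parsed JSON)."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=120) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, {}

class HuntingClient:
    def __init__(self, tenant, app_id, secret, post=http_post,
                 clock=time.time, sleep=time.sleep, renew_margin=300, max_retries=3):
        self.tenant, self.app_id, self.secret = tenant, app_id, secret
        self.post, self.clock, self.sleep = post, clock, sleep
        self.renew_margin, self.max_retries = renew_margin, max_retries
        self.token, self.expires_at = None, 0.0

    def bearer(self):
        """Reuse the cached token; renew once it is within renew_margin of expiry."""
        if self.token is None or self.clock() >= self.expires_at - self.renew_margin:
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials", "resource": RESOURCE,
                "client_id": self.app_id, "client_secret": self.secret}).encode()
            status, _, body = self.post(TOKEN_URL.format(tenant=self.tenant), {}, form)
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self.token = body["access_token"]
            self.expires_at = self.clock() + int(body["expires_in"])
        return self.token

    def run(self, kql):
        """Submit one query; on HTTP 429 (quota hit) wait, then retry a bounded number of times."""
        payload = json.dumps({"Query": kql}).encode()
        for attempt in range(self.max_retries + 1):
            headers = {"Authorization": "Bearer " + self.bearer(),
                       "Content-Type": "application/json"}
            status, resp_headers, body = self.post(HUNTING_URL, headers, payload)
            if status == 200:
                return body.get("Results", [])
            if status != 429 or attempt == self.max_retries:
                raise RuntimeError(f"hunting query failed: HTTP {status}")
            wait = str(resp_headers.get("retry-after", ""))
            self.sleep(int(wait) if wait.isdigit() else 60)  # 60 s fallback is an assumption

def run_pack(client, pack_text, out_dir):
    """Run every query in order, write non-empty results to CSV, return row counts."""
    summary = {}
    for entry in json.loads(pack_text):  # raises on a badly escaped query string
        rows = client.run(entry["Query"])
        summary[entry["Name"]] = len(rows)
        if rows:
            # Name comes from the JSON file: strip anything that could escape out_dir.
            safe = re.sub(r"[^A-Za-z0-9_.-]+", "_", entry["Name"]).strip("._") or "query"
            columns = sorted({col for row in rows for col in row})
            with open(os.path.join(out_dir, safe + ".csv"), "w", newline="", encoding="utf-8") as fh:
                writer = csv.DictWriter(fh, fieldnames=columns)
                writer.writeheader()
                writer.writerows(rows)
    return summary

# Constructed sample input: the page's entry with a shortened query (json.dumps escapes it).
SAMPLE_PACK = json.dumps([{
    "Name": "Replacing Qakbot binary with calc.exe", "Source": "MDE",
    "Query": 'DeviceProcessEvents | where FileName =~ "ping.exe" | take 5'}])

def demo():
    """Offline run against constructed fake endpoints and a fake clock."""
    now, calls = [0.0], {"token": 0, "query": 0, "slept": []}

    def fake_post(url, headers, data):
        if url.startswith("https://login.microsoftonline.com/"):
            calls["token"] += 1
            return 200, {}, {"access_token": f"t{calls['token']}", "expires_in": "3599"}
        calls["query"] += 1
        if calls["query"] == 1:  # first submission is throttled
            return 429, {"retry-after": "5"}, {}
        return 200, {}, {"Results": [{"DeviceId": "dev-1", "FileName": "ping.exe"}]}

    client = HuntingClient("tenant-id", "app-id", "app-secret", post=fake_post,
                           clock=lambda: now[0], sleep=calls["slept"].append)
    with tempfile.TemporaryDirectory() as out_dir:
        first = run_pack(client, SAMPLE_PACK, out_dir)
        now[0] = 3400.0  # inside the 300 s renewal margin of the 3599 s token
        run_pack(client, SAMPLE_PACK, out_dir)
        files = sorted(os.listdir(out_dir))
    return first, files, calls
```

In real use, read the application secret from an environment variable or a secret store rather than a notebook cell, since notebooks are routinely shared with their cell contents and outputs.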

 

Bonus 

You can post the summary of the query execution in a Teams channel. To do so, you need to add the Incoming Webhook app in Teams.

 


Figure 21.  Incoming Webhook 

 

Then you need to select the Teams channel to which you want to add the app.

Figure 22.  Incoming Webhook – add to a team 

 

Select “Set up a connector”. 


Figure 23.  Incoming Webhook – Setup a connector 

 

Specify a name. 


Figure 24.  Incoming Webhook – Config 

 

Now you need to copy the URL, then paste the URL in the Jupyter Notebook. 


Figure 25.  Incoming Webhook – teamurl variable 

 

Then uncomment the last line in the code to send the message to Teams.

Figure 26.  Incoming Webhook – teamsurl variable 

 

You should receive a message similar to the following in the Teams channel:

Figure 27.  Query result summary – Teams Message 

 

Conclusion 

In this post, we demonstrated how you can use the Microsoft 365 Defender APIs and Jupyter Notebook to automate the execution of a hunting query playbook. We hope you found this helpful!

 

Appendix  

For more information about Microsoft 365 Defender APIs and the features discussed in this article, please read: 

The sample Notebook discussed in the post is available in the GitHub repository:
Microsoft-365-Defender-Hunting-Queries/M365D APIs ep3.ipynb at master · microsoft/Microsoft-365-Defe...

 

As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or start a discussion in Microsoft 365 Defender community

AN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_36-1619422977486.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275503i410AB7C9E7C86815%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_36-1619422977486.png%22%20alt%3D%22msftdario_36-1619422977486.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%2010.%26nbsp%3BRequest%26nbsp%3BAPI%26nbsp%3Bpermission%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESearch%20for%20Microsoft%20Threat%20Protection%20and%20select%20it.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_37-1619422977487.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275504i528D90288484BE75%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button
%22%20title%3D%22msftdario_37-1619422977487.png%22%20alt%3D%22msftdario_37-1619422977487.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%26nbsp%3B11.%20Microsoft%20Threat%20Protection%20API%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESelect%20%22%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EApplication%26nbsp%3BPermission%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_38-1619422977489.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275505i6F61A4E72DCDFEB9%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_38-1619422977489.png%22%20alt%3D%22msftdario_38-1619422977489.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%26nbsp%3B12.%26nbsp%3BApplication%26nbsp%3BPermissions%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20d
ata-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThen%20select%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%225%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAdvancedHunting.Read.All%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%225%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EIncident.Read.All%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_39-1619422977491.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275506i756E6063B46F42DF%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_39-1619422977491.png%22%20alt%3D%22msftdario_39-1619422977491.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%
0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%26nbsp%3B13.%20Microsoft%26nbsp%3B365%20Defender%26nbsp%3BAPI%20-%20Read%26nbsp%3Bpermission%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOnce%20done%20select%20%22%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAdd%20permissions%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%22.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_40-1619422977492.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275507i34715905C5A0D267%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_40-1619422977492.png%22%20alt%3D%22msftdario_40-1619422977492.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%2014.%26nbsp%3BMicrosoft%26nbsp%3B365%20Defender%26nbsp%3BAPI%20-%20Add%20permission%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%226%22%3E%3CSPAN%20da
ta-contrast%3D%22none%22%3EGet%20Started%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENow%20that%20we%20have%20the%20application%20ready%20to%20access%20the%20API%20via%20code%2C%26nbsp%3Blet%E2%80%99s%26nbsp%3Btry%26nbsp%3Bto%20see%20is%20any%20of%20the%26nbsp%3BQakbot%26nbsp%3Bqueries%26nbsp%3Bshared%26nbsp%3Bin%20Microsoft%20365%20Defender%20Git%26nbsp%3Bproduce%20any%20results.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_41-1619423114158.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275508iEC90B9464327B611%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_41-1619423114158.png%22%20alt%3D%22msftdario_41-1619423114158.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%2015.%20Microsoft%26nbsp%3B365%20Defender%26nbsp%3B%E2%80%93%20Hunting%20Queries%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20following%20queries%20will%20be%20used%20in%20this%26nbsp%3Btutorial%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%2
2%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FExecution%2Fqakbot-campaign-suspicious-javascript.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3E%3CSTRONG%3EJavascript%26nbsp%3Buse%20by%26nbsp%3BQakbot%26nbsp%3B%3C%2FSTRONG%3E%3CSTRONG%3Emalware%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FDefense%2520evasion%2Fqakbot-campaign-process-injection.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3E%3CSTRONG%3EProcess%26nbsp%3Binjection%26nbsp%3Bby%26nbsp%3BQakbot%26nbsp%3Bmalware%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSTRONG%3E%26nbsp%3B%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FPersistence%2Fqakbot-campaign-registry-edit.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3E%3CSTRONG%3ERegistry%20edits%20by%20campaigns%20using%26nbsp%3BQakbot%26nbsp%3B%3C%2FSTRONG%3E%3CSTRONG%3Emalware%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.co
m%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FDefense%2520evasion%2Fqakbot-campaign-self-deletion.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3E%3CSTRONG%3ESelf-deletion%20by%26nbsp%3BQakbot%3C%2FSTRONG%3E%3CSTRONG%3E%26nbsp%3Bmalware%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FDiscovery%2Fqakbot-campaign-outlook.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3E%3CSTRONG%3EOutlook%20email%20access%20by%20campaigns%20using%26nbsp%3BQakbot%26nbsp%3B%3C%2FSTRONG%3E%3CSTRONG%3Emalware%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FDiscovery%2Fqakbot-campaign-esentutl.md%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3E%3CSTRONG%3EBrowser%20cookie%20theft%20by%20campaigns%20using%26nbsp%3BQakbot%26nbsp%3B%3C%2FSTRONG%3E%3CSTRONG%3Emalware%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoft%2FMicrosoft-365-Defender-Hunting-Queries%2Fblob%2Fmaster%2FDelivery%2Fdetect-jscript-file-creation.md%22%2
0target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%3E%3CSTRONG%3EDetect%20.jse%26nbsp%3Bfile%20creation%26nbsp%3B%3C%2FSTRONG%3E%3CSTRONG%3Eevents%3C%2FSTRONG%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A240%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW241710012%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3EWe%20need%20to%20grab%20the%20queries%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3Bth%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3Eat%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3Bwe%20want%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3Esubmit%20and%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3Bpopulate%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3EJS%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3EON%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3Efile%20with%20this%20format%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW241710012%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3EPlease%20be%20sure%20that%20you%20are%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3
Eproperly%20managing%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3Bthe%20escape%20char%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3Eacter%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3Bin%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3EJSON%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3Efile%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW241710012%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E(%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3Eif%20you%20use%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3EVisual%20Studio%20Code%20(%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20SCXW241710012%20BCX8%22%3EVSCode%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E)%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E%26nbsp%3Byou%20can%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3Efind%20extensions%20that%20can%20make%20the%20ESCAPE%2FUNESCAPE%20process%20easiest%2C%20just%20pick%20your%20favorite%20one%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E)%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW241710012%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW241710012%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%
3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%5B%20%0A%20%20%20%20%20%20%20%20%7B%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Description%22%3A%20%22Find%20Qakbot%20overwriting%20its%20original%20binary%20with%20calc.exe%22%2C%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Name%22%3A%20%22Replacing%20Qakbot%20binary%20with%20calc.exe%22%2C%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Query%22%3A%20%22DeviceProcessEvents%20%7C%20where%20FileName%20%3D~%20%5C%22ping.exe%5C%22%20%7C%20where%20InitiatingProcessFileName%20%3D~%20%5C%22cmd.exe%5C%22%20%7C%20where%20InitiatingProcessCommandLine%20has%20%5C%22calc.exe%5C%22%20and%20InitiatingProcessCommandLine%20has%20%5C%22-n%206%5C%22%20and%20InitiatingProcessCommandLine%20has%20%5C%22127.0.0.1%5C%22%20%7C%20project%20ProcessCommandLine%2C%20InitiatingProcessCommandLine%2C%20InitiatingProcessParentFileName%2C%20DeviceId%2C%20Timestamp%22%2C%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Mitre%22%3A%20%22T1107%20File%20Deletion%22%2C%20%0A%20%20%20%20%20%20%20%20%20%20%20%20%22Source%22%3A%20%22MDE%22%20%0A%20%20%20%20%20%20%20%20%7D%20%0A%5D%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20aria-level%3D%221%22%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EOnce%26nbsp%3Byou%20have%26nbsp%3Ball%26nbsp%3Byour%20queries%20properly%20filled%2C%26nbsp%3Bwe%26nbsp%3Bmust%26nbsp%3Bprovide%20the%20following%20parameters%20to%20the%26nbsp%3Bscript%26nbsp%3Bin%20order%20to%26nbsp%3Bconfigure%20the%20correct%20credential%2C%20the%26nbsp%3BJSON%26nbsp%3Bfile%2C%26nbsp%3Band%20the%20output%26nbsp%3Bfolder.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%
20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_42-1619423295313.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275510iC566C110E58BA191%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_42-1619423295313.png%22%20alt%3D%22msftdario_42-1619423295313.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%2016.%26nbsp%3BJupyter%26nbsp%3BNotebook%20%E2%80%93%20Authentication%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBecause%20we%20registered%20an%20Azure%20Application%20and%20we%20used%20the%20application%20secret%20to%20receive%20an%20access%20token%2C%20the%26nbsp%3Btoken%26nbsp%3Bis%20valid%20for%201%26nbsp%3Bhour.%26nbsp%3BWithin%26nbsp%3Bthe%20code%26nbsp%3Bverify%26nbsp%3Bif%20we%20need%20to%20renew%20this%20token%20before%20submitting%20the%20query.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_43-1619423295303.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275511iEB92C7F012FDBA82%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D4
00%22%20role%3D%22button%22%20title%3D%22msftdario_43-1619423295303.png%22%20alt%3D%22msftdario_43-1619423295303.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%2017.%20Application%20Token%20lifetime%20validation%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWhen%20building%20such%26nbsp%3Bflow%26nbsp%3Bwe%20should%20take%20into%20consideration%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender%2Fapi-advanced-hunting%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMicrosoft%20365%20Defender%26nbsp%3BAdvanced%20hunting%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3EAPI%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bquotas%20and%20resources%20allocation.%26nbsp%3BFor%20more%20information%2C%26nbsp%3Bsee%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Frun-advanced-query-api%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAdvanced%20Hunting%20API%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP
%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_44-1619423295312.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275512i9E4C4A84C884CB39%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msftdario_44-1619423295312.png%22%20alt%3D%22msftdario_44-1619423295312.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%2018.%26nbsp%3BAPI%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CI%3E%3CSPAN%20data-contrast%3D%22auto%22%3Equotas%20and%20resources%20allocation%26nbsp%3Btaking%20into%26nbsp%3Bconsideration%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3BWe%20run%20the%20code%20by%20loading%20the%20query%20from%20the%20JSON%20file%20we%20defined%20as%20input.%20We%20then%20view%26nbsp%3Bthe%20progress%26nbsp%3Band%20the%20execution%20status%20on%20screen.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22msftdario_45-1619423295315.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F275514iA368CEFC42CD307D%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22msf
tdario_45-1619423295315.png%22%20alt%3D%22msftdario_45-1619423295315.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EFigure%2019.%20Query%20Execution%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20blue%20message%26nbsp%3Bindicates%20the%20number%20of%26nbsp%3Bqueries%26nbsp%3Bthat%20is%20currently%20running%20and%20its%26nbsp%3Bprogress.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20green%20message%26nbsp%3Bshows%26nbsp%3Bthe%20name%20of%20the%26nbsp%3Bquery%26nbsp%3Bthat%20is%20being%20run.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20grey%20message%26nbsp%3Bshows%26nbsp%3Bthe%26nbsp%3Bdetails%20of%20the%26nbsp%3Bsubmitted%26nbsp%3Bquery.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20there%26nbsp%3Bare%26nbsp%3Bany%20results%20you%26nbsp%3Bwill%20see%20the%20first%205%20records%2C%26nbsp%3Band%20then%26nbsp%3Ball%20the%20records%26nbsp%3Bwill%20be%20saved%20in%20a%20.csv%20file%20in%20the%20output%20folder%20you%26nb
Last update:
‎Apr 26 2021 09:15 AM