### Get installed software response example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-installed-software.md This example demonstrates a successful JSON response containing a list of installed software, including details like name, vendor, and vulnerability information. ```json { "@odata.context": "https://api.security.microsoft.com/api/$metadata#Software", "value": [ { "id": "microsoft-_-internet_explorer", "name": "internet_explorer", "vendor": "microsoft", "weaknesses": 67, "publicExploit": true, "activeAlert": false, "exposedMachines": 42115, "impactScore": 46.2037163 } ] } ``` -------------------------------- ### Get installed software request example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-installed-software.md This example shows how to make a GET request to the API to retrieve installed software for a specific machine ID. ```http GET https://api.security.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ``` -------------------------------- ### Get Software by ID Request Example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-software-by-id.md This example demonstrates how to make a GET request to retrieve software details using its ID. ```http GET https://api.security.microsoft.com/api/Software/microsoft-_-edge ``` -------------------------------- ### Install and Start Caddy HTTP Server Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/mac-support-offline-security-intelligence-update.md Installs and configures the Caddy web server on macOS using Homebrew, then starts it to serve files from a specified directory. It checks for Homebrew and Caddy installation, creates a basic Caddyfile, and runs the server. ```bash #!/bin/bash # caddy_http_server.sh # Installs and configures Caddy HTTP server on macOS PORT=8080 FOLDER="." if [ ! -z "$1" ]; then PORT=$1 fi if [ ! -z "$2" ]; then FOLDER=$2 fi check_homebrew() { if ! command -v brew &> /dev/null; then echo "Homebrew is required to install Caddy." read -p "Would you like to install Homebrew? (y/n): " install_brew if [[ "$install_brew" =~ ^[Yy]$ ]]; then echo "Installing Homebrew..." /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" export PATH="/opt/homebrew/bin:$PATH" else echo "Please install Caddy manually and restart this script." exit 1 fi fi } install_caddy() { if ! brew list caddy &> /dev/null; then echo "Installing Caddy via Homebrew..." brew install caddy else echo "Caddy is already installed." fi } # Check for Caddy if ! command -v caddy &> /dev/null; then echo "Caddy is not installed." check_homebrew install_caddy else echo "Caddy is already installed." fi # Create a simple Caddyfile cat < Caddyfile localhost:${PORT} { root * ${FOLDER} file_server browse } EOL echo "Caddyfile created. Starting Caddy server on port $PORT..." caddy run --config ./Caddyfile ``` -------------------------------- ### Start Filebeat Service Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/includes/connector-details.md Start the Filebeat service to begin collecting and sending NetFlow data. ```bash systemctl start filebeat ``` -------------------------------- ### Run Docker Image (Interactive) Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/includes/connector-details.md Runs the Docker image interactively, mounting a persistent volume for data storage. This command starts the connector in the foreground. ```bash sudo docker run -it -v $(pwd)/docker_persistent_volume:/app mgulledge/netskope-microsoft-sentinel-plugin:netskopewebtransactions ``` -------------------------------- ### Install Microsoft Log Analytics Plugin for Logstash Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/includes/connector-details.md Install the Azure Log Analytics plugin for Logstash using the provided command. ```bash sudo /usr/share/logstash/bin/logstash-plugin install microsoft-logstash-output-azure-loganalytics ``` -------------------------------- ### NordStellar Connector Configuration Parameters Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/includes/connector-details.md These parameters are used to configure the Microsoft Sentinel integration within the NordStellar portal. Ensure all values are correctly provided during setup. ```text - Tenant ID (Directory ID): - Application (Client) ID: - Client Secret: - Data Collection Endpoint URI: - Data Collection Rule Immutable ID: - Stream Name: ``` -------------------------------- ### Prepare VS Code for Azure Function Development Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/includes/connector-details.md Ensures Visual Studio Code is correctly configured for developing Azure Functions. This involves installing necessary extensions and setting up the environment. ```Shell # Install Azure Functions Core Tools npm install -g azure-functions-core-tools@4 --unsafe-perm true # Install VS Code Azure Functions extension # (This is typically done through the VS Code Extensions Marketplace) ``` -------------------------------- ### Assemble Endpoint URL for Azure Data Collection Rules Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/includes/connector-details.md This example shows how to construct the Endpoint URL for sending data to Azure Data Collection Rules. Ensure you have the correct Collection URL, DCR ID, and table name. ```text https:///dataCollectionRules//streams/Custom-KeeperSecurityEventNewLogs?api-version=2023-01-01 ``` -------------------------------- ### SQL Server Example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-for-cloud/powershell-unified-api-quickstart.md Example of how to run the Quickstart-VaScan.ps1 script for a SQL Server. ```powershell .EXAMPLE # SQL Server .\Quickstart-VaScan.ps1 -ServerResourceId "/subscriptions/.../Microsoft.Sql/servers/myServer" ``` -------------------------------- ### Example APT sources list output Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/linux-install-manually.md This is an example output from displaying APT sources list, showing configured repositories. ```console deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod insiders-fast main deb [arch=amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod bionic main ``` -------------------------------- ### Microsoft Graph API Request with Start and End Time Attributes Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/data-connector-connection-rules-reference.md Example of a GET request to Microsoft Graph API for calendar events, specifying separate attributes for start and end times. ```json "request": { "apiEndpoint": "https://graph.microsoft.com/v1.0/me/calendarView", "httpMethod": "Get", "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", "queryWindowInMin": 10, "retryCount": 3, "rateLimitQPS": 20, "headers": { "Accept": "application/json" }, "StartTimeAttributeName": "startDateTime", "EndTimeAttributeName": "endDateTime" } ``` -------------------------------- ### SQL Managed Instance Example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-for-cloud/powershell-unified-api-quickstart.md Example of how to run the Quickstart-VaScan.ps1 script for a SQL Managed Instance. ```powershell . Quickstart-VaScan.ps1 -ServerResourceId "/subscriptions//resourceGroups//providers/Microsoft.Sql/managedInstances/" ``` -------------------------------- ### List all security resources Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-for-cloud/resource-graph-samples.md This query lists all security resources. It's a basic example to get started with Defender for Cloud data in Resource Graph. ```kql securityresources | project name, type, location, resourceGroup, subscriptionId | order by name asc ``` -------------------------------- ### SQL Managed Instance Example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-for-cloud/powershell-unified-api-quickstart.md Example of how to run the Quickstart-VaScan.ps1 script for a SQL Managed Instance. ```powershell .EXAMPLE # SQL Managed Instance .\Quickstart-VaScan.ps1 -ServerResourceId "/subscriptions/.../Microsoft.Sql/managedInstances/myMI" ``` -------------------------------- ### Get all devices with a computer DNS name starting with a specific prefix Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/exposed-apis-odata-samples.md This example shows how to filter devices based on a pattern in their computer DNS name. ```APIDOC ## GET /api/machines ### Description Retrieves a list of devices where the computer DNS name starts with a specified string. ### Method GET ### Endpoint https://api.security.microsoft.com/api/machines ### Query Parameters - **$filter** (string) - Required - OData filter expression. Example: `startswith(computerDnsName,'mymachine')` ``` -------------------------------- ### Configure and run kickstart script for secure SNC configuration Source: https://github.com/microsoftdocs/defender-docs/blob/public/sentinel/sap/deploy-command-line.md This example demonstrates how to download and run the kickstart script with parameters for configuring secure SNC communication. It includes parameters for cryptographic libraries, certificates, and certificate authorities. ```bash wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/sapcon-sentinel-kickstart.sh chmod +x ./sapcon-sentinel-kickstart.sh --use-snc --cryptolib /home/azureuser/libsapcrypto.so --sapgenpse /home/azureuser/sapgenpse --client-cert /home/azureuser/client.crt --client-key /home/azureuser/client.key --cacert /home/azureuser/issuingca.crt --cacert /home/azureuser/rootca.crt --server-cert /home/azureuser/server.crt ``` -------------------------------- ### Request example for getting a recommendation Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-recommendation-by-id.md Example of an HTTP GET request to retrieve a security recommendation for Google Chrome. ```http GET https://api.security.microsoft.com/api/recommendations/va-_-google-_-chrome ``` -------------------------------- ### Run the Defender deployment tool for installation and onboarding Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/linux-install-with-defender-deployment-tool.md Installs the latest agent version and onboards the device to the Defender portal. Device may take 5-20 minutes to appear in the Device Inventory. ```bash sudo bash defender_deployment_tool.sh ``` -------------------------------- ### Example Request to Get Vulnerability by ID Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-vulnerability-by-id.md This is an example of a GET request to the API endpoint for retrieving details about the CVE-2019-0608 vulnerability. ```http GET https://api.security.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ``` -------------------------------- ### Get Package SAS URI Request Example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-package-sas-uri.md An example of a GET request to the GetPackageUri API, demonstrating the endpoint structure. ```http GET https://api.security.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri ``` -------------------------------- ### Response Example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-machines-by-software.md This example shows the structure of a successful JSON response, listing devices with the specified software installed. ```json { "@odata.context": "https://api.security.microsoft.com/api/$metadata#MachineReferences", "value": [ { "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762", "computerDnsName": "dave_desktop", "osPlatform": "Windows10" "Windows11", "rbacGroupName": "GroupTwo" }, { "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d", "computerDnsName": "jane_PC", "osPlatform": "Windows10" "Windows11", "rbacGroupName": "GroupTwo" } ... ] } ``` -------------------------------- ### Example Request for Get MachineAction Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/api/get-machineaction-object.md This is an example of an HTTP GET request to retrieve a machine action using a specific ID. ```http GET https://api.security.microsoft.com/api/machineactions/aaaabbbb-0000-cccc-1111-dddd2222eeee ``` -------------------------------- ### Example repository list output Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/linux-install-manually.md This is an example output from listing repositories, showing available repository aliases. ```console ... packages-microsoft-com-prod packages-microsoft-com-prod 316 packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2 ... ``` -------------------------------- ### Configuration File Example Source: https://github.com/microsoftdocs/defender-docs/blob/public/defender-endpoint/defender-deployment-tool-windows.md An example of a configuration file (MdeConfig.txt) used to pass multiple parameters to the Defender deployment tool for installation. ```text # Only absolute paths can be used for the parameters accepting paths # Configures the tool to perform offboarding. # Add the parameter "YES" to proceed with offboarding without user approval. # Offboard: False # Used with "Offboard" and "Uninstall" parameters. # Yes: False # Downloads the installation files for all Windows versions supported by the tool to a specific location for staging purposes. # Stage: # Specifies the path to the folder containing the installation files. To stage installation files, use the "Stage" parameter. # Source: # Specifies the full path to the .onboarding or .offboarding file if it is not placed in the current folder. # File: # Proxy to use during and after installation. Empty string by default. Proxy: # Prevents any dialogs from displaying. False by default. Quiet: False # Allows device reboots if needed. False by default AllowReboot: False # Prevents the tool from resuming activities after a reboot. False by default. NoResumeAfterReboot: False # Windows Server only. Sets Defender antivirus to run in passive mode. Passive: False # Installs updates but does not perform onboarding, even if an onboarding file is present. False by default. UpdateOnly: False # Displays detailed information. False by default. Verbose: False # Checks for prerequisites and logs results but does not proceed with installation or onboarding. False by default. Precheck: False # Offboards the device and uninstalls any components that were added during onboarding. # Will use the .offboarding file in the current folder if no path was specified. # Add the parameter "YES" to proceed without user approval. Uninstall: False # Optionally removes the specified workspace connection used by Microsoft Monitoring Agent (MMA). Empty string by default. RemoveMMA: # Allows offboarding to proceed even if there is no connectivity. False by default. Offline: False ```