{"id":9711,"date":"2019-07-18T12:27:00","date_gmt":"2019-07-18T18:27:00","guid":{"rendered":"https:\/\/swimlane.com\/resource\/microsoft-defender-advanced-threat-protection-queries\/"},"modified":"2026-04-06T04:49:32","modified_gmt":"2026-04-06T10:49:32","slug":"microsoft-defender-%ea%b3%a0%ea%b8%89-%ec%9c%84%ed%98%91-%eb%b0%a9%ec%a7%80-%ec%bf%bc%eb%a6%ac","status":"publish","type":"sw_resource","link":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/","title":{"rendered":"Microsoft Defender \uace0\uae09 \uc704\ud611 \ubc29\uc9c0 \ucffc\ub9ac"},"content":{"rendered":"\n\n\n<section class=\"bs-section bs-section-50ac0cc438dbf2f3b380783c05a3c736bb0670e7 bs-section---default bs-section--blog-inner-banner  \"><style>.bs-section.bs-section-50ac0cc438dbf2f3b380783c05a3c736bb0670e7{ background-color: #000743;} <\/style><div class=\"container\">\n<div class=\"bs-row row  flex-md-row-reverse bs-row---default\">\n<div class=\" bs-column col-sm-12 col-md-12 col-lg-6   bs-column-6770b3369b6c61539d3140cb52ed6bc5ec393625 bs-column---default bs-column--right d-flex flex-column justify-content-end    \"><figure class=\"wp-block-post-featured-image\"><img decoding=\"async\" src=\"https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection.png\" class=\"attachment-post-thumbnail size-post-thumbnail wp-post-image\" alt=\"Over-the-shoulder view of a developer looking at lines of code on a dark computer monitor.\" style=\"object-fit:cover;\" srcset=\"https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection.png 800w, https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection-300x202.png 300w, https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection-768x516.png 768w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure><\/div>\n\n\n\n<div 
class=\" bs-column col-sm-12  col-md-12 col-lg-6   bs-column-2ba18c9b6304620af4785b54fe900bf0ce0fc4d5 bs-column---default d-flex flex-column    \"><div class=\"wp-block-post-date\"><time datetime=\"2019-07-18T12:27:00-06:00\">7\uc6d4 18, 2019<\/time><\/div>\n\n<h1 class=\"wp-block-post-title has-text-color has-white-color\">Microsoft Defender Advanced Threat Protection Queries<\/h1>\n\n\n<div class=\"bs-div bs-div-44a15e4b99450b7aaf810333a0fbaa4ff5112133 bs-div---default\"><div class=\"bs-div__inner d-flex flex-wrap align-items-center    \">\n<a class=\"bs-post__author has-text-align-center\" href=\"https:\/\/swimlane.com\/ko\/author\/Nick_Tausek\/\">\n\t<div class=\"profile-desc\">\n\t\t<figure>\n\t\t\t<img decoding=\"async\" src=\"https:\/\/swimlane.com\/wp-content\/uploads\/author_Nick_Tausek.jpg\" alt=\"user-avatar\">\n\t\t<\/figure>\n\t\t<span class=\"prefix\"><\/span>\n\t\t<span class=\"name\">\n\t\t\tNick Tausek\t\t<\/span>\n\t<\/div>\n<\/a>\n\n\n\n<div class=\"reading-time\">\n    <span class=\"reading-time__time\">4 <\/span> Minute Read\n<\/div><\/div><\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n\n\n\n\n\n\n\n\n\n<section class=\"bs-section bs-section-205a03f93391472c82564395e3b5684e68c8ef7d bs-section---default bs-section--blog-inner-main-contents  \"><div class=\"container\">\n<div class=\"bs-row row justify-content-between  bs-row---default\">\n<div class=\" bs-column col-sm-12 col-md-1   bs-column-fa02c15a19a9c2952663733986e45d4eef708638 bs-column---default     \"><div class=\"heateor_sss_sharing_container heateor_sss_horizontal_sharing\" data-heateor-ss-offset=\"0\" data-heateor-sss-href='https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/'><div class=\"heateor_sss_sharing_ul\"><a aria-label=\"Email\" class=\"heateor_sss_email\" href=\"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/\" onclick=\"event.preventDefault();window.open('mailto:?subject=' + 
href=\"https:\/\/www.linkedin.com\/sharing\/share-offsite\/?url=https%3A%2F%2Fswimlane.com%2Fko%2Fblog%2Fmicrosoft-defender-advanced-threat-protection-queries%2F\" title=\"Linkedin\" rel=\"nofollow noopener\" target=\"_blank\" style=\"font-size:32px!important;box-shadow:none;display:inline-block;vertical-align:middle\"><span class=\"heateor_sss_svg heateor_sss_s__default heateor_sss_s_linkedin\" style=\"background-color:#0077b5;width:35px;height:35px;border-radius:999px;display:inline-block;opacity:1;float:left;font-size:32px;box-shadow:none;display:inline-block;font-size:16px;padding:0 4px;vertical-align:middle;background-repeat:repeat;overflow:hidden;padding:0;cursor:pointer;box-sizing:content-box\"><svg style=\"display:block;border-radius:999px;\" focusable=\"false\" aria-hidden=\"true\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"100%\" height=\"100%\" viewBox=\"0 0 32 32\"><path d=\"M6.227 12.61h4.19v13.48h-4.19V12.61zm2.095-6.7a2.43 2.43 0 0 1 0 4.86c-1.344 0-2.428-1.09-2.428-2.43s1.084-2.43 2.428-2.43m4.72 6.7h4.02v1.84h.058c.56-1.058 1.927-2.176 3.965-2.176 4.238 0 5.02 2.792 5.02 6.42v7.395h-4.183v-6.56c0-1.564-.03-3.574-2.178-3.574-2.18 0-2.514 1.7-2.514 3.46v6.668h-4.187V12.61z\" fill=\"#fff\"><\/path><\/svg><\/span><\/a><\/div><div class=\"heateorSssClear\"><\/div><\/div>\n<\/div>\n\n\n\n<div class=\" bs-column col-sm-12  col-lg-8 col-md-11   bs-column-0d83d6d9863f92131cc95492d42e5b50c72f00bb bs-column---default bs-column--contents     \">\n<h2>\u00a0<\/h2>\n<p>Recently, I <a href=\"https:\/\/twitter.com\/MSAdministrator\/status\/1145778141127991302?s=20\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">shared on Twitter<\/a> how you could run a query to detect if a user has clicked on a link within their Outlook using Microsoft Defender Advanced Threat Protection (MDATP). 
If you are not familiar, MDATP is available within your Microsoft 365 E5 license and is an enhancement to the traditional Windows Defender you might be used to.<\/p>\n<h3>What is Microsoft Defender Advanced Threat Protection?<\/h3>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-defender-advanced-threat-protection\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">Microsoft<\/a> says that \u201cMicrosoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.\u201d MDATP offers quite a few endpoints that you can leverage in both incident response and threat hunting.<\/p>\n<p>The official <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/exposed-apis-list\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">documentation<\/a> has several API endpoints that you can use to get, create, and update Alerts &amp; Indicators. 
Additionally, here is a small list of some of the information you can retrieve, or actions you can perform, with the Microsoft Defender advanced threat protection APIs:<\/p>\n<ul>\n<li>Get all alerts related to a domain, file, IP, machine, or user.<\/li>\n<li>Retrieve information about who is logged on to a certain machine.<\/li>\n<li>Determine if a domain or IP has been seen in your organization.<\/li>\n<\/ul>\n<p>These are just a few of the interesting APIs available, but to me, the most compelling\u2014and the one we&#8217;re going to talk about\u2014is <strong>advanced hunting<\/strong>.<\/p>\n<h3>Interacting with Microsoft Defender Advanced Threat Protection<\/h3>\n<p>I wrote a new bundle for Swimlane that wraps the entire Microsoft Defender ATP API endpoints, but for our non-customers, I would like to share with you how you can interact with the Microsoft Defender ATP API\u2019s using both <a href=\"https:\/\/github.com\/swimlane\/blog-resources\/blob\/master\/01-USING-MDATP-EXAMPLES\/Invoke-MDATPQuery.ps1\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">PowerShell Core<\/a> and <a href=\"https:\/\/github.com\/swimlane\/blog-resources\/blob\/master\/01-USING-MDATP-EXAMPLES\/mdaptquery.py\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">Python<\/a>.<\/p>\n<p>In order to interact with the Microsoft Defender advanced threat protection APIs, you must have the following:<\/p>\n<ul>\n<li>Microsoft 365 E5 License or access to MDATP.<\/li>\n<li>At least one endpoint must have MDATP installed and running.<\/li>\n<li>The ability to create a new application in Azure Active Directory.<\/li>\n<\/ul>\n<p>First, let\u2019s create a new application in Azure Active Directory. You can create a new application in Azure AD under the Azure Active Directory section and then navigating to <em>App registrations<\/em>. Click the <em>New Registration<\/em> button, and give your application a name. 
Then click <em>Register<\/em>.<\/p>\n<figure style=\"margin: 0px 0px 16px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 16px; line-height: inherit;\"><img decoding=\"async\" src=\"https:\/\/swimlane.com\/assets\/uploads\/images\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection_1.png\" data-image=\"auzmdcvue1m2\" \/><\/figure>\n<p>Copy and save your <em>Client Id<\/em> and <em>Tenant Id<\/em> in a safe place (we will need this information shortly). Next, select the <em>API Permissions<\/em> section and click <em>Add a permission<\/em>. You should have a new blade on the left-hand side.<\/p>\n<p>When this new blade is open, select the <em>APIs my organization uses<\/em> tab. You may need to filter in the search bar, but you should see <em>WindowsDefenderATP<\/em> listed as an option. If you do not, please make sure you have access to this API before proceeding.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/swimlane.com\/assets\/uploads\/images\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection_2.png\" data-image=\"vvrwhrwho1wa\" \/><\/figure>\n<p>Select the <em>WindowsDefenderATP<\/em> API and then select <em>Application Permissions<\/em>. Once you have selected <em>Application Permissions<\/em>, you will be presented with a list of permissions. 
For this example I am selecting all so that I have access to all the endpoints available, but please use your discretion and grant only the permissions your use case needs, since the client secret we create below inherits every permission consented to here.<\/p>\n<p>Once you have selected the desired permissions, click <em>Add Permissions<\/em> at the bottom and then on the main screen you will want to make sure that you select <em>Grant admin consent<\/em>.<\/p>\n<figure style=\"margin: 0px 0px 16px; padding: 0px; border: 0px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-variant-numeric: inherit; font-variant-east-asian: inherit; font-weight: 400; font-stretch: inherit; font-size: 16px; line-height: inherit;\"><img decoding=\"async\" src=\"https:\/\/swimlane.com\/assets\/uploads\/images\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection_3.png\" data-image=\"hpfgxk5uh1pq\" \/><\/figure>\n<p>Next, go to the <em>Certificates &amp; Secrets<\/em> section and create a <em>New Client Secret<\/em>. Once this is created, please save this with the other secrets we saved earlier, and keep it out of scripts and source control.<\/p>\n<p>Now that we have our secrets, we can use the two different files I have created that demonstrate how to use the MDATP APIs to retrieve a <em>Token<\/em> for future authentication as well as interact with the MDATP API directly.<\/p>\n<h3>PowerShell Core<\/h3>\n<p>I have provided a <a href=\"https:\/\/github.com\/swimlane\/blog-resources\/blob\/master\/01-USING-MDATP-EXAMPLES\/Invoke-MDATPQuery.ps1\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">ps1<\/a> file that you can use as a reference. 
This file contains two PowerShell functions and at the bottom we are calling these functions as needed:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/swimlane\/blog-resources\/blob\/master\/01-USING-MDATP-EXAMPLES\/Invoke-MDATPQuery.ps1#L2\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">Get-MDATPToken<\/a>: Performs an OAuth2 authentication and retrieves a Token that we will use in all subsequent calls to the MDATP API endpoints.<\/li>\n<li><a href=\"https:\/\/github.com\/swimlane\/blog-resources\/blob\/master\/01-USING-MDATP-EXAMPLES\/Invoke-MDATPQuery.ps1#L43\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">Invoke-MDATPQuery<\/a>: Invokes an <strong>advanced hunting<\/strong> query to the MDATP <em>advancedqueries\/run<\/em> endpoint.<\/li>\n<\/ul>\n<p>By using these two functions, we can run queries on our endpoints that have MDATP installed.<\/p>\n<p>First, let\u2019s get our Token:<\/p>\n<pre> $Token = Get-MDATPToken -ClientId 'OUR_CLIENT_ID' -ClientSecret 'CLIENT_SECRET'\n-TenantId 'TENANT_ID'\n<\/pre>\n<p>Next, we can define a simple query:<\/p>\n<pre> $query = @\"\n\"RegistryEvents | limit 10\"\n\"@<\/pre>\n<p>Or more advanced queries like this query to check if a user clicked on a link from their Outlook. 
Luckily, <a href=\"https:\/\/github.com\/microsoft\/WindowsDefenderATP-Hunting-Queries\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">Microsoft<\/a> has provided an AMAZING resource of <a href=\"https:\/\/github.com\/microsoft\/WindowsDefenderATP-Hunting-Queries\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">example queries<\/a> for you to use.<\/p>\n<pre>$query = @\"\nlet minTimeRange = ago(7d);\nlet outlookLinks =\n MiscEvents\n | where EventTime &gt; minTimeRange and ActionType == \"BrowserLaunchedToOpenUrl\" and\nisnotempty(RemoteUrl)\n | where\n InitiatingProcessFileName =~ \"outlook.exe\"\n or InitiatingProcessFileName =~ \"runtimebroker.exe\"\n | project EventTime, MachineId, ComputerName, RemoteUrl, InitiatingProcessFileName,\nParsedUrl=parse_url(RemoteUrl)\n | extend WasOutlookSafeLink=(tostring(ParsedUrl.Host) endswith\n\"safelinks.protection.outlook.com\")\n | project EventTime, MachineId, ComputerName, WasOutlookSafeLink,\nInitiatingProcessFileName,\n OpenedLink=iff(WasOutlookSafeLink, url_decode(tostring(ParsedUrl[\"Query Parameters\"][\"url\"])), RemoteUrl);\nlet alerts =\n AlertEvents\n | summarize (FirstDetectedActivity, Title)=argmin(EventTime, Title) by AlertId,\nMachineId\n | where FirstDetectedActivity &gt; minTimeRange;\nalerts | join kind=inner (outlookLinks) on MachineId | where FirstDetectedActivity -\nEventTime between (0min..3min)\n| summarize FirstDetectedActivity=min(FirstDetectedActivity),\nAlertTitles=makeset(Title) by OpenedLink, InitiatingProcessFileName,\nEventTime=bin(EventTime, 1tick), ComputerName, MachineId, WasOutlookSafeLink\n\"@\n<\/pre>\n<p>Now that we have our Token and Query, we can run our query using the <em>Invoke-MDATPQuery<\/em> function:<\/p>\n<pre> Invoke-MDATPQuery -Token $Token -Query $query<\/pre>\n<p>That\u2019s it!<\/p>\n<h3>Python<\/h3>\n<p>Just like our PowerShell example, I have created two Python classes that will help with authentication and running advanced 
queries:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/swimlane\/blog-resources\/blob\/master\/01-USING-MDATP-EXAMPLES\/mdaptquery.py#L11\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">MDATPConnector<\/a>: Performs an OAuth2 authentication and retrieves a Token that we will use in all subsequent calls to the MDATP API endpoints.<\/li>\n<li><a href=\"https:\/\/github.com\/swimlane\/blog-resources\/blob\/master\/01-USING-MDATP-EXAMPLES\/mdaptquery.py#L56\" target=\"_blank\" rel=\"noopener\" data-redactor-span=\"true\">MDATPQuery<\/a>: Invokes an <strong>advanced hunting<\/strong> query to the MDATP <em>advancedqueries\/run<\/em> endpoint.<\/li>\n<\/ul>\n<p>First, create a MDATPConnector object by providing your secrets:<\/p>\n<pre>connector = MDATPConnector(\n __CLIENT_ID__,\n __CLIENT_SECRET__,\n __TENANT_ID__\n)\n<\/pre>\n<p>Next, for simplicity, let\u2019s just run this smaller query:<\/p>\n<pre>query = '''\n\"RegistryEvents | limit 10\"\n'''<\/pre>\n<p>Now, we need to pass in our MDATPConnector object and our query to the MDATPQuery class and then execute:<\/p>\n<pre>mdatp = MDATPQuery(\n connector,\n query\n)\nprint(mdatp.execute())\n<\/pre>\n<p>That\u2019s it!<\/p>\n<p>I hope you enjoyed learning about Microsoft Defender Advanced Threat Protection! 
Be on the lookout for our new bundle that covers <em>Advanced Queries<\/em> and all other endpoints available within the MDATP API.<\/p>\n\n\n\n<div class=\"bs-div bs-div-e2f4e8970b88c28e783d8d80dc554aa984b9f6fe bs-div---default bs-div--blog-inner-download-guide\"><style>.bs-div.bs-div-e2f4e8970b88c28e783d8d80dc554aa984b9f6fe {background-image: url(https:\/\/swimlane.com\/wp-content\/uploads\/2022\/10\/download-report.png); background-position: center center;\n    background-size: cover;} <\/style><div class=\"bs-div__inner d-flex flex-wrap justify-content-center  flex-md-row-reverse align-items-md-center justify-content-md-between flex-md-nowrap  \"><div class='media-elements bs-media-element---default enable'>    <div class='bs-common-image'>\n                            <figure class='figure justify-content-start d-flex'>\n                            <picture>\n                            \n                            <img src='https:\/\/swimlane.com\/wp-content\/uploads\/Turbine_playbook_Add-panel-filter_search-3-1.gif' class='img-fluid'   alt='Animated GIF showing Swimlane Turbine playbook interface with advanced panel filtering and automated logic search.' title='' data-gif= \"https:\/\/swimlane.com\/wp-content\/uploads\/Turbine_playbook_Add-panel-filter_search-3-1.gif\" \/>\n                            <\/picture>\n                                \n                            <\/figure>\n                        <\/div><\/div>\n\n\n<div class=\"bs-div bs-div-773aef0a3852274bc6b23f7985e05efd194e399e bs-div---default\"><div class=\"bs-div__inner     \">\n<h2 class=\"wp-block-heading has-white-color has-text-color\" id=\"h-request-a-demo\">Request a Demo<\/h2>\n\n\n\n<p class=\"has-white-color has-text-color\">Schedule a Swimlane Turbine live demonstration with our experts! 
\n<\/script>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":22,"featured_media":9712,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","learn_more_link":[],"show_popup":false,"disable_iframe":false,"enable_lazy_loading":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","featured_page_list":[],"_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"tags":[],"resource-type":[67],"resource-topic":[],"resource-industry":[],"blog-category":[70],"class_list":["post-9711","sw_resource","type-sw_resource","status-publish","has-post-thumbnail","hentry","resource-type-blogs","blog-category-secops"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.5 (Yoast SEO v27.1.1) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Microsoft Defender Advanced Threat Protection<\/title>\n<meta name=\"description\" content=\"I would like to share with you how you can interact with the MDATP API\u2019s using both PowerShell Core and Python.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/swimlane.com\/ko\/\ube14\ub85c\uadf8\/microsoft-defender-\uace0\uae09-\uc704\ud611-\ubc29\uc9c0-\ucffc\ub9ac\/\" \/>\n<meta property=\"og:locale\" content=\"ko_KR\" \/>\n<meta property=\"og:type\" content=\"article\" 
\/>\n<meta property=\"og:title\" content=\"Microsoft Defender Advanced Threat Protection Queries\" \/>\n<meta property=\"og:description\" content=\"I would like to share with you how you can interact with the MDATP API\u2019s using both PowerShell Core and Python.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/swimlane.com\/ko\/\ube14\ub85c\uadf8\/microsoft-defender-\uace0\uae09-\uc704\ud611-\ubc29\uc9c0-\ucffc\ub9ac\/\" \/>\n<meta property=\"og:site_name\" content=\"AI Security Automation\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-06T10:49:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection.png\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"538\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@swimlane\" \/>\n<meta name=\"twitter:label1\" content=\"\uc608\uc0c1 \ub418\ub294 \ud310\ub3c5 \uc2dc\uac04\" \/>\n\t<meta name=\"twitter:data1\" content=\"5\ubd84\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Microsoft Defender \uace0\uae09 \uc704\ud611 \ubc29\uc9c0","description":"PowerShell Core\uc640 Python\uc744 \uc0ac\uc6a9\ud558\uc5ec MDATP API\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\ub294 \ubc29\ubc95\uc744 \uacf5\uc720\ud558\uace0\uc790 \ud569\ub2c8\ub2e4.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/swimlane.com\/ko\/\ube14\ub85c\uadf8\/microsoft-defender-\uace0\uae09-\uc704\ud611-\ubc29\uc9c0-\ucffc\ub9ac\/","og_locale":"ko_KR","og_type":"article","og_title":"Microsoft Defender Advanced Threat Protection Queries","og_description":"I would like to share with you how you can interact with the MDATP API\u2019s using both PowerShell Core and Python.","og_url":"https:\/\/swimlane.com\/ko\/\ube14\ub85c\uadf8\/microsoft-defender-\uace0\uae09-\uc704\ud611-\ubc29\uc9c0-\ucffc\ub9ac\/","og_site_name":"AI Security Automation","article_modified_time":"2026-04-06T10:49:32+00:00","og_image":[{"width":800,"height":538,"url":"https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_site":"@swimlane","twitter_misc":{"\uc608\uc0c1 \ub418\ub294 \ud310\ub3c5 \uc2dc\uac04":"5\ubd84"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/","url":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/","name":"Microsoft Defender \uace0\uae09 \uc704\ud611 
\ubc29\uc9c0","isPartOf":{"@id":"https:\/\/swimlane.com\/ko\/#website"},"primaryImageOfPage":{"@id":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/#primaryimage"},"image":{"@id":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/#primaryimage"},"thumbnailUrl":"https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection.png","datePublished":"2019-07-18T18:27:00+00:00","dateModified":"2026-04-06T10:49:32+00:00","description":"PowerShell Core\uc640 Python\uc744 \uc0ac\uc6a9\ud558\uc5ec MDATP API\uc640 \uc0c1\ud638 \uc791\uc6a9\ud558\ub294 \ubc29\ubc95\uc744 \uacf5\uc720\ud558\uace0\uc790 \ud569\ub2c8\ub2e4.","breadcrumb":{"@id":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/#breadcrumb"},"inLanguage":"ko-KR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/"]}]},{"@type":"ImageObject","inLanguage":"ko-KR","@id":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/#primaryimage","url":"https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection.png","contentUrl":"https:\/\/swimlane.com\/wp-content\/uploads\/Running-Queries-on-Microsoft-Defender-Advanced-Threat-Protection.png","width":800,"height":538,"caption":"Over-the-shoulder view of a developer looking at lines of code on a dark computer monitor."},{"@type":"BreadcrumbList","@id":"https:\/\/swimlane.com\/ko\/blog\/microsoft-defender-advanced-threat-protection-queries\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/swimlane.com\/"},{"@type":"ListItem","position":2,"name":"Microsoft Defender Advanced Threat Protection 
Queries"}]},{"@type":"WebSite","@id":"https:\/\/swimlane.com\/ko\/#website","url":"https:\/\/swimlane.com\/ko\/","name":"\ub85c\uc6b0\ucf54\ub4dc \ubcf4\uc548 \uc790\ub3d9\ud654 \ubc0f SOAR \ud50c\ub7ab\ud3fc | \uc2a4\uc714\ub808\uc778","description":"\ubaa8\ub4e0 \ubcf4\uc548 \uae30\ub2a5\uc744 \uc704\ud55c \uc5d0\uc774\uc804\ud2b8 \uae30\ubc18 AI \uc790\ub3d9\ud654","publisher":{"@id":"https:\/\/swimlane.com\/ko\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/swimlane.com\/ko\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"ko-KR"},{"@type":"Organization","@id":"https:\/\/swimlane.com\/ko\/#organization","name":"\ub85c\uc6b0\ucf54\ub4dc \ubcf4\uc548 \uc790\ub3d9\ud654 \ubc0f SOAR \ud50c\ub7ab\ud3fc | \uc2a4\uc714\ub808\uc778","url":"https:\/\/swimlane.com\/ko\/","logo":{"@type":"ImageObject","inLanguage":"ko-KR","@id":"https:\/\/swimlane.com\/ko\/#\/schema\/logo\/image\/","url":"https:\/\/swimlane.com\/wp-content\/uploads\/sw-inline-logo-color-white.svg","contentUrl":"https:\/\/swimlane.com\/wp-content\/uploads\/sw-inline-logo-color-white.svg","width":912,"height":190,"caption":"Low-Code Security Automation & SOAR Platform | 
Swimlane"},"image":{"@id":"https:\/\/swimlane.com\/ko\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/swimlane","https:\/\/www.linkedin.com\/company\/swimlane\/"]}]}},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/sw_resource\/9711","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/sw_resource"}],"about":[{"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/types\/sw_resource"}],"author":[{"embeddable":true,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/users\/22"}],"version-history":[{"count":1,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/sw_resource\/9711\/revisions"}],"predecessor-version":[{"id":55534,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/sw_resource\/9711\/revisions\/55534"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/media\/9712"}],"wp:attachment":[{"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/media?parent=9711"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/tags?post=9711"},{"taxonomy":"resource-type","embeddable":true,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/resource-type?post=9711"},{"taxonomy":"resource-topic","embeddable":true,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/resource-topic?post=9711"},{"taxonomy":"resource-industry","embeddable":true,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/resource-industry?post=9711"},{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/swimlane.com\/ko\/wp-json\/wp\/v2\/blog-category?post=9711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}