microsoft / advanced-threat-analytics Goto Github PK

When I look up a user via the UI I can export data as far back as MongoDB contains. When I use the cmdlet I get fewer (can't determine the relationship/limit yet) records from the AccessedResourceAccountIdToTimeMapping property.

Any idea why this is?

Is this API documented anywhere? I have a use case (find all recent new activities/usages for a named user) that the cmdlets won't cover.

The REST API seems pretty easy to access but I can't find a list of methods.

Getting the following error:

Get-ATAStatus : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Get-ATAStatus
    + CategoryInfo             : InvalidArgument: (:) [Get-ATAStatus], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Get-ATAStatus

This works / returns results as expected
Get-ATAMonitoringAlert | where-object {$_.status -like "Open"} | select Titlekey, id, severity

This returns no results:
Get-AtasuspiciousActivity | where-object {$_.status -like "Open" } | select TitleKey, id, severity

however
Get-AtasuspiciousActivity returns the data that should have came with the above open filter.

As discovered by @mattifestation

Fix: https://twitter.com/mattifestation/status/906252862727921665
Get-Content .\Advanced-Threat-Analytics.psm1 | Out-File -Encoding ascii .\fixed.psm1

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

I have set the $ATACenter variable using the cmdlet but my queries always return this. Any tips?

Get-ATASuspiciousActivity : Unable to connect to remote server. Your ATACenter url is set to localhost. Run
Set-ATACenterURL '' if this is incorrect.