Update run-advanced-query-api.md

anderagto-hub · web-flow · commit c2226391e64d · 2025-07-31T17:06:06.000-06:00
With the query format given as it was, one gets an error like the one below:

{
  "error": {
    "code": "InvalidRequestBody",
    "message": "Missing query.",
    "target": "|cd9f5106-4aa2341c0de87fd0.1.2."
  }
}

Correct request body is a one liner:
{
  "Query": "DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe'| where ProcessCommandLine contains 'appdata'| project Timestamp, FileName, InitiatingProcessFileName, DeviceId |limit 2"
}
diff --git a/defender-endpoint/api/run-advanced-query-api.md b/defender-endpoint/api/run-advanced-query-api.md
@@ -106,11 +106,7 @@ POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
 
 ```json
 {
-    "Query":"DeviceProcessEvents
-|where InitiatingProcessFileName =~ 'powershell.exe'
-|where ProcessCommandLine contains 'appdata'
-|project Timestamp, FileName, InitiatingProcessFileName, DeviceId
-|limit 2"
+    "Query":"DeviceProcessEvents |where InitiatingProcessFileName =~ 'powershell.exe' |where ProcessCommandLine contains 'appdata' |project Timestamp, FileName, InitiatingProcessFileName, DeviceId |limit 2"
 }
 ```
 

Original file line number	Diff line number	Diff line change
`@@ -106,11 +106,7 @@ POST https://api.securitycenter.microsoft.com/api/advancedqueries/run`
`106`	`106`
`107`	`107`	```json
`108`	`108`	`{`
`109`		`- "Query":"DeviceProcessEvents`
`110`		`-\|where InitiatingProcessFileName =~ 'powershell.exe'`
`111`		`-\|where ProcessCommandLine contains 'appdata'`
`112`		`-\|project Timestamp, FileName, InitiatingProcessFileName, DeviceId`
`113`		`-\|limit 2"`
	`109`	`+ "Query":"DeviceProcessEvents \|where InitiatingProcessFileName =~ 'powershell.exe' \|where ProcessCommandLine contains 'appdata' \|project Timestamp, FileName, InitiatingProcessFileName, DeviceId \|limit 2"`
`114`	`110`	`}`
`115`	`111`	```
`116`	`112`