Merge branch 'master' into MDBranch20H1BluetoothPolicy

windows/security/includes/improve-request-performance.md

@@ -18,6 +18,6 @@ ms.topic: article
 
 >[!NOTE]
 >For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
+> - api-us.securitycenter.microsoft.com
-> - api-eu.securitycenter.windows.com
+> - api-eu.securitycenter.microsoft.com
-> - api-uk.securitycenter.windows.com
+> - api-uk.securitycenter.microsoft.com

windows/security/threat-protection/TOC.md

@@ -373,7 +373,7 @@
 ###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
 
 #### [Microsoft Defender ATP API]()
-##### [Get started with Microsoft Defender ATP APIs]()
+##### [Get started]()
 ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
 ###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
 ###### [Hello World](microsoft-defender-atp/api-hello-world.md)

windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md

@@ -24,8 +24,9 @@ ms.topic: article
 
 
 ## API description
-Creates new [Alert](alerts.md).
+Creates new [Alert](alerts.md) on top of **Event**.
-<br>Microsoft Defender ATP Event is a required parameter for the alert creation.
+<br>**Microsoft Defender ATP Event** is required for the alert creation.
+<br>You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
 <br>You can use an event found in Advanced Hunting API or Portal.
 <br>If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
 <br>An automatic investigation starts automatically on alerts created via the API.
@@ -68,13 +69,13 @@ In the request body, supply the following values (all are required):
 
 Property | Type | Description
 :---|:---|:---
+eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
+reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
 machineId | String | Id of the machine on which the event was identified. **Required**.
 severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
 title | String | Title for the alert. **Required**.
 description | String | Description of the alert. **Required**.
 recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
-eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
-reportId | String | The reportId, as obtained from the advanced query. **Required**.
 category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.
 
 ## Response
@@ -91,16 +92,16 @@ Here is an example of the request.
 
 ```
 POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
-Content-Length: application/json
+```
-
+```json
 {
-  "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+	"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-  "severity": "Low",
+	"severity": "Low",
-  "title": "test alert",
+	"title": "example",
-  "description": "test alert",
+	"description": "example alert",
-  "recommendedAction": "test alert",
+	"recommendedAction": "nothing",
-  "eventTime": "2018-08-03T16:45:21.7115183Z",
+	"eventTime": "2018-08-03T16:45:21.7115183Z",
-  "reportId": "20776",
+	"reportId": "20776",
-  "category": "None"
+	"category": "Exploit"
 }
 ```

windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md

@@ -50,7 +50,7 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s
 
 ## Review attack surface reduction events in Windows Event Viewer
 
-To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
+To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
 
  Event ID | Description
 -|-

windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md

@@ -34,7 +34,6 @@ In general, you’ll need to take the following steps to use the APIs:
 - Use the token to access Microsoft Defender ATP API.
 
 The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
-<br>**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.**
 
 ## Create the multi-tenant app
 

windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md

@@ -73,7 +73,7 @@ Here is an example of the response.
             "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
             "computerDnsName": "niw_pc",
             "osPlatform": "Windows10",
-            "rbacGroupId": 2154
+            "rbacGroupName": "GroupTwo"
         }
 		...
     ]

windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt

@@ -336,7 +336,7 @@
 ##### [Understand Microsoft Defender ATP APIs](use-apis.md)
 ##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md)
 
-##### [Get started with Microsoft Defender ATP APIs]()
+##### [Get started]()
 ###### [Introduction](apis-intro.md)
 ###### [Hello World](api-hello-world.md)
 ###### [Get access with application context](exposed-apis-create-app-webapp.md)

windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md

@@ -71,21 +71,18 @@ Request
 
 Here is an example of the request.
 
->[!NOTE]
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
->For better performance, you can use server closer to your geo location:
+
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
 
 ```
 POST https://api.securitycenter.windows.com/api/advancedqueries/run
 Content-type: application/json
 {
-	"Query":"ProcessCreationEvents  
+	"Query":"DeviceProcessEvents  
-| where InitiatingProcessFileName =~ \"powershell.exe\"
+    | where InitiatingProcessFileName =~ 'powershell.exe'
-| where ProcessCommandLine contains \"appdata\"
+    | where ProcessCommandLine contains 'appdata'
-| project EventTime, FileName, InitiatingProcessFileName 
+    | project Timestamp, FileName, InitiatingProcessFileName, DeviceId
-| limit 2"
+    | limit 2"
 }
 ```
 
@@ -96,32 +93,40 @@ Here is an example of the response.
 >[!NOTE]
 >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
 
-```
+```json
-HTTP/1.1 200 OK
-Content-Type: application/json​
 {
-	"Schema": [{
+	"Schema": [
-		"Name": "EventTime",
+		{
-		"Type": "DateTime"
+			"Name": "Timestamp",
-	},
+			"Type": "DateTime"
-	{
+		},
-		"Name": "FileName",
+		{
-		"Type": "String"
+			"Name": "FileName",
-	},
+			"Type": "String"
-	{
+		},
-		"Name": "InitiatingProcessFileName",
+		{
-		"Type": "String"
+			"Name": "InitiatingProcessFileName",
-	}],
+			"Type": "String"
-	"Results": [{
+		},
-		"EventTime": "2018-07-09T07:16:26.8017265",
+		{
-		"FileName": "csc.exe",
+			"Name": "DeviceId",
-		"InitiatingProcessFileName": "powershell.exe"
+			"Type": "String"
-	},
+		}
-	{
+	],
-		"EventTime": "2018-07-08T19:00:02.7798905",
+	"Results": [
-		"FileName": "gpresult.exe",
+		{
-		"InitiatingProcessFileName": "powershell.exe"
+			"Timestamp": "2020-02-05T01:10:26.2648757Z",
-	}]
+			"FileName": "csc.exe",
+			"InitiatingProcessFileName": "powershell.exe",
+			"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
+		},
+		{
+			"Timestamp": "2020-02-05T01:10:26.5614772Z",
+			"FileName": "csc.exe",
+			"InitiatingProcessFileName": "powershell.exe",
+			"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
+		}
+	]
 }
 ```