deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into MDBranch20H1BluetoothPolicy

Browse Source
This commit is contained in:
ManikaDhiman 2020-02-11 09:02:27 -08:00
commit 00f43f3b6e
8 changed files with 62 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/includes/improve-request-performance.md
View File

@ -18,6 +18,6 @@ ms.topic: article
>[!NOTE]
>For better performance, you can use server closer to your geo location:
> - api-us.securitycenter.windows.com
> - api-eu.securitycenter.windows.com
> - api-uk.securitycenter.windows.com
> - api-us.securitycenter.microsoft.com
> - api-eu.securitycenter.microsoft.com
> - api-uk.securitycenter.microsoft.com

2
windows/security/threat-protection/TOC.md
View File

@ -373,7 +373,7 @@
###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
#### [Microsoft Defender ATP API]()
##### [Get started with Microsoft Defender ATP APIs]()
##### [Get started]()
###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
###### [Hello World](microsoft-defender-atp/api-hello-world.md)

21
windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
View File

@ -24,8 +24,9 @@ ms.topic: article
## API description
Creates new [Alert](alerts.md).
<br>Microsoft Defender ATP Event is a required parameter for the alert creation.
Creates new [Alert](alerts.md) on top of **Event**.
<br>**Microsoft Defender ATP Event** is required for the alert creation.
<br>You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
<br>You can use an event found in Advanced Hunting API or Portal.
<br>If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
<br>An automatic investigation starts automatically on alerts created via the API.
@ -68,13 +69,13 @@ In the request body, supply the following values (all are required):
Property | Type | Description
:---|:---|:---
eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
machineId | String | Id of the machine on which the event was identified. **Required**.
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
reportId | String | The reportId, as obtained from the advanced query. **Required**.
category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.
## Response
@ -91,16 +92,16 @@ Here is an example of the request.
```
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Length: application/json
```
```json
{
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"severity": "Low",
"title": "test alert",
"description": "test alert",
"recommendedAction": "test alert",
"title": "example",
"description": "example alert",
"recommendedAction": "nothing",
"eventTime": "2018-08-03T16:45:21.7115183Z",
"reportId": "20776",
"category": "None"
"category": "Exploit"
}
```

2
windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
View File

@ -50,7 +50,7 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s
## Review attack surface reduction events in Windows Event Viewer
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
Event ID | Description
-|-

1
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
View File

@ -34,7 +34,6 @@ In general, youll need to take the following steps to use the APIs:
- Use the token to access Microsoft Defender ATP API.
The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
<br>**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.**
## Create the multi-tenant app

2
windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
View File

@ -73,7 +73,7 @@ Here is an example of the response.
"id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
"computerDnsName": "niw_pc",
"osPlatform": "Windows10",
"rbacGroupId": 2154
"rbacGroupName": "GroupTwo"
}
...
]

2
windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
View File

@ -336,7 +336,7 @@
##### [Understand Microsoft Defender ATP APIs](use-apis.md)
##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md)
##### [Get started with Microsoft Defender ATP APIs]()
##### [Get started]()
###### [Introduction](apis-intro.md)
###### [Hello World](api-hello-world.md)
###### [Get access with application context](exposed-apis-create-app-webapp.md)

51
windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
View File

@ -71,20 +71,17 @@ Request
Here is an example of the request.
>[!NOTE]
>For better performance, you can use server closer to your geo location:
> - api-us.securitycenter.windows.com
> - api-eu.securitycenter.windows.com
> - api-uk.securitycenter.windows.com
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
POST https://api.securitycenter.windows.com/api/advancedqueries/run
Content-type: application/json
{
"Query":"ProcessCreationEvents
| where InitiatingProcessFileName =~ \"powershell.exe\"
| where ProcessCommandLine contains \"appdata\"
| project EventTime, FileName, InitiatingProcessFileName
"Query":"DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
| where ProcessCommandLine contains 'appdata'
| project Timestamp, FileName, InitiatingProcessFileName, DeviceId
| limit 2"
}
```
@ -96,12 +93,11 @@ Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 200 OK
Content-Type: application/json
```json
{
"Schema": [{
"Name": "EventTime",
"Schema": [
{
"Name": "Timestamp",
"Type": "DateTime"
},
{
@ -111,17 +107,26 @@ Content-Type: application/json
{
"Name": "InitiatingProcessFileName",
"Type": "String"
}],
"Results": [{
"EventTime": "2018-07-09T07:16:26.8017265",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe"
},
{
"EventTime": "2018-07-08T19:00:02.7798905",
"FileName": "gpresult.exe",
"InitiatingProcessFileName": "powershell.exe"
}]
"Name": "DeviceId",
"Type": "String"
}
],
"Results": [
{
"Timestamp": "2020-02-05T01:10:26.2648757Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
},
{
"Timestamp": "2020-02-05T01:10:26.5614772Z",
"FileName": "csc.exe",
"InitiatingProcessFileName": "powershell.exe",
"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
}
]
}
```