Merge branch 'master' into MDBranch20H1BluetoothPolicy

2025-05-12 21:37:22 +00:00 · 2020-02-11 09:02:27 -08:00 · 2020-02-11 09:02:27 -08:00 · 00f43f3b6e
commit 00f43f3b6e
parent 13ca808915 f89204269f
8 changed files with 62 additions and 57 deletions
--- a/windows/security/includes/improve-request-performance.md
+++ b/windows/security/includes/improve-request-performance.md
@ -18,6 +18,6 @@ ms.topic: article

 >[!NOTE]
 >For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+> - api-us.securitycenter.microsoft.com
+> - api-eu.securitycenter.microsoft.com
+> - api-uk.securitycenter.microsoft.com
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -373,7 +373,7 @@
 ###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)

 #### [Microsoft Defender ATP API]()
-##### [Get started with Microsoft Defender ATP APIs]()
+##### [Get started]()
 ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
 ###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
 ###### [Hello World](microsoft-defender-atp/api-hello-world.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@ -24,8 +24,9 @@ ms.topic: article


 ## API description
-Creates new [Alert](alerts.md).
-<br>Microsoft Defender ATP Event is a required parameter for the alert creation.
+Creates new [Alert](alerts.md) on top of **Event**.
+<br>**Microsoft Defender ATP Event** is required for the alert creation.
+<br>You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
 <br>You can use an event found in Advanced Hunting API or Portal.
 <br>If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
 <br>An automatic investigation starts automatically on alerts created via the API.
@ -68,13 +69,13 @@ In the request body, supply the following values (all are required):

 Property | Type | Description
 :---|:---|:---
+eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
+reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
 machineId | String | Id of the machine on which the event was identified. **Required**.
 severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
 title | String | Title for the alert. **Required**.
 description | String | Description of the alert. **Required**.
 recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
-eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
-reportId | String | The reportId, as obtained from the advanced query. **Required**.
 category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.

 ## Response
@ -91,16 +92,16 @@ Here is an example of the request.

 ```
 POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
-Content-Length: application/json
-
+```
+```json
 {
 	"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 	"severity": "Low",
-  "title": "test alert",
-  "description": "test alert",
-  "recommendedAction": "test alert",
+	"title": "example",
+	"description": "example alert",
+	"recommendedAction": "nothing",
 	"eventTime": "2018-08-03T16:45:21.7115183Z",
 	"reportId": "20776",
-  "category": "None"
+	"category": "Exploit"
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md
@ -50,7 +50,7 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s

 ## Review attack surface reduction events in Windows Event Viewer

-To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
+To review apps that would have been blocked, open Event Viewer and filter for Event ID 1121 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.

 Event ID | Description
 -|-
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md
@ -34,7 +34,6 @@ In general, you’ll need to take the following steps to use the APIs:
 - Use the token to access Microsoft Defender ATP API.

 The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
-<br>**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.**

 ## Create the multi-tenant app

--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@ -73,7 +73,7 @@ Here is an example of the response.
            "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
            "computerDnsName": "niw_pc",
            "osPlatform": "Windows10",
-            "rbacGroupId": 2154
+            "rbacGroupName": "GroupTwo"
        }
 		...
    ]
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@ -336,7 +336,7 @@
 ##### [Understand Microsoft Defender ATP APIs](use-apis.md)
 ##### [Microsoft Defender ATP API license and terms](api-terms-of-use.md)

-##### [Get started with Microsoft Defender ATP APIs]()
+##### [Get started]()
 ###### [Introduction](apis-intro.md)
 ###### [Hello World](api-hello-world.md)
 ###### [Get access with application context](exposed-apis-create-app-webapp.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@ -71,21 +71,18 @@ Request

 Here is an example of the request.

->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](../../includes/improve-request-performance.md)]
+

 ```
 POST https://api.securitycenter.windows.com/api/advancedqueries/run
 Content-type: application/json
 {
-	"Query":"ProcessCreationEvents  
-| where InitiatingProcessFileName =~ \"powershell.exe\"
-| where ProcessCommandLine contains \"appdata\"
-| project EventTime, FileName, InitiatingProcessFileName 
-| limit 2"
+	"Query":"DeviceProcessEvents  
+    | where InitiatingProcessFileName =~ 'powershell.exe'
+    | where ProcessCommandLine contains 'appdata'
+    | project Timestamp, FileName, InitiatingProcessFileName, DeviceId
+    | limit 2"
 }
 ```

@ -96,12 +93,11 @@ Here is an example of the response.
 >[!NOTE]
 >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.

-```
-HTTP/1.1 200 OK
-Content-Type: application/json
+```json
 {
-	"Schema": [{
-		"Name": "EventTime",
+	"Schema": [
+		{
+			"Name": "Timestamp",
 			"Type": "DateTime"
 		},
 		{
@ -111,17 +107,26 @@ Content-Type: application/json
 		{
 			"Name": "InitiatingProcessFileName",
 			"Type": "String"
-	}],
-	"Results": [{
-		"EventTime": "2018-07-09T07:16:26.8017265",
-		"FileName": "csc.exe",
-		"InitiatingProcessFileName": "powershell.exe"
 		},
 		{
-		"EventTime": "2018-07-08T19:00:02.7798905",
-		"FileName": "gpresult.exe",
-		"InitiatingProcessFileName": "powershell.exe"
-	}]
+			"Name": "DeviceId",
+			"Type": "String"
+		}
+	],
+	"Results": [
+		{
+			"Timestamp": "2020-02-05T01:10:26.2648757Z",
+			"FileName": "csc.exe",
+			"InitiatingProcessFileName": "powershell.exe",
+			"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
+		},
+		{
+			"Timestamp": "2020-02-05T01:10:26.5614772Z",
+			"FileName": "csc.exe",
+			"InitiatingProcessFileName": "powershell.exe",
+			"DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
+		}
+	]
 }
 ```