From 085bb5da8c59e7f525c0eca1cfbc6626a8320d4f Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Mon, 26 Nov 2018 20:58:01 +0200
Subject: [PATCH] s
---
 ...defender-advanced-threat-protection-new.md | 61 ++++++++++---------
 ...defender-advanced-threat-protection-new.md | 4 +-
 ...defender-advanced-threat-protection-new.md | 4 +-
 3 files changed, 37 insertions(+), 32 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
index b1cde1afaf..da80f7bb7e 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -37,45 +37,48 @@ Method|Return Type |Description
 # Properties
 Property | Type | Description
 :---|:---|:---
-id | String | Alert ID
-severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+id | String | Alert ID.
+incidentId | String | The [Incident](incidents-queue.md) ID of the Alert.
+assignedTo | String | Owner of the alert.
+severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
+status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
+classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+category| String | Category of the alert. 
The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
+detectionSource | string | Detection source.
+threatFamilyName | string | Threat family.
+title | string | Alert title.
 description | String | Description of the threat, identified by the alert.
 recommendedAction | String | Action recommended for handling the suspected threat.
 alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
-title | string | Alert title
-threatFamilyName | string | Threat family
-detectionSource | string | Detection source
-assignedTo | String | Owner of the alert
-classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | String | Specifies the determination of the alert. 
The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
-resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
 firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
 # JSON representation
 ```
 {
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
- "id": "636688558380765161_2136280442",
- "severity": "Informational",
- "status": "InProgress",
- "description": "Some alert description 1",
- "recommendedAction": "Some recommended action 1",
- "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
- "category": "General",
- "title": "Some alert title 1",
- "threatFamilyName": null,
- "detectionSource": "WindowsDefenderAtp",
- "classification": "TruePositive",
- "determination": null,
- "assignedTo": "best secop ever",
- "resolvedTime": null,
- "lastEventTime": "2018-08-02T07:02:52.0894451Z",
- "firstEventTime": "2018-08-02T07:02:52.0894451Z",
- "actorName": null,
- "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some 
recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
index 53054cc36b..88f5545da4 100644
--- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 ## HTTP request
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 ```
 ## Request headers
@@ -77,7 +77,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 Content-Length: application/json
 {
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index 02ebbe143c..de8091bda2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -21,7 +21,9 @@ ms.date: 12/08/2017
 [!include[Prerelease information](prerelease.md)]
-Retrieves top recent alerts.
+- Retrieves a collection of Alerts.
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
 ## Permissions