s

windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md

@@ -37,45 +37,48 @@ Method|Return Type |Description
 # Properties
 Property |	Type	|	Description
 :---|:---|:---
-id | String | Alert ID
+id | String | Alert ID.
-severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+incidentId | String | The [Incident](incidents-queue.md) ID of the Alert. 
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the alert.
+severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
+status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
+classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
+determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General' .
+detectionSource | string | Detection source.
+threatFamilyName | string | Threat family.
+title | string | Alert title.
 description | String | Description of the threat, identified by the alert.
 recommendedAction | String | Action recommended for handling the suspected threat.
 alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
-title | string | Alert title
-threatFamilyName | string | Threat family
-detectionSource | string | Detection source 
-assignedTo | String | Owner of the alert
-classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
-determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
-resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
 firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
 
 # JSON representation
 ```
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "id": "636688558380765161_2136280442",
+    "id": "121688558380765161_2136280442",
-    "severity": "Informational",
+	"incidentId": 7696,
-    "status": "InProgress",
+	"assignedTo": "secop@contoso.com",
-    "description": "Some alert description 1",
+	"severity": "High",
-    "recommendedAction": "Some recommended action 1",
+	"status": "New",
-    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+	"classification": "TruePositive",
-    "category": "General",
+	"determination": "Malware",
-    "title": "Some alert title 1",
+	"investigationState": "Running",
-    "threatFamilyName": null,
+	"category": "MalwareDownload",
-    "detectionSource": "WindowsDefenderAtp",
+	"detectionSource": "WindowsDefenderAv",
-    "classification": "TruePositive",
+	"threatFamilyName": "Mikatz",
-    "determination": null,
+	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-    "assignedTo": "best secop ever",
+	"description": "Some description"
-    "resolvedTime": null,
+	"recommendedAction": "Some recommended action"
-    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+	"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+	"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-    "actorName": null,
+	"lastEventTime": "2018-11-26T16:18:01.809871Z",
-    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+	"resolvedTime": null,
+	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ```

windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md

@@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 
 ## HTTP request
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 ```
 
 ## Request headers
@@ -77,7 +77,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 Content-Length: application/json
 
 {

windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md

@@ -21,7 +21,9 @@ ms.date: 12/08/2017
 [!include[Prerelease information](prerelease.md)]
 
 
-Retrieves top recent alerts.
+- Retrieves a collection of Alerts.
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
 
 
 ## Permissions