Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

.openpublishing.publish.config.json

@@ -524,6 +524,10 @@
     "master": [
       "Publish",
       "Pdf"
+    ],
+    "atp-api-danm": [
+      "Publish",
+      "Pdf"
     ]
   },
   "need_generate_pdf_url_template": true,

windows/deployment/windows-autopilot/user-driven-hybrid.md

@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 11/07/2018
+ms.date: 11/12/2018
 ---
 
 
@@ -23,7 +23,6 @@ Windows Autopilot requires that devices be Azure Active Directory joined. If you
 
 To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
 
-- Users must be able to join devices to Azure Active Directory.
 - A Windows Autopilot profile for user-driven mode must be created and 
     - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile.
 - If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group.
@@ -32,6 +31,8 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
 - The Intune Connector for Active Directory must be installed.
     - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. 
 
+**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
+
 ## Step by step instructions
 
 See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).

windows/security/threat-protection/TOC.md

@@ -23,6 +23,7 @@
 ###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
 
 
+
 ##### Alerts queue
 ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
 ###### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
@@ -81,76 +82,10 @@
 ###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md)
 
  
+
 #### [Management and APIs](windows-defender-atp/management-apis.md)
 ##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md)
-######Actor
-####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-######Alerts
-####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-######Domain
-####### [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-######File
-####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
-
-######IP
-####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-######Machines
-####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-######Machines Security States
-####### [Get MachineSecurityStates collection](windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-######Machine Groups
-####### [Get MachineGroups collection](windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-
-######User
-####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
-
-######Windows updates (KB) info
-####### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-######Common Vulnerabilities and Exposures (CVE) to KB map
-####### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
- 
 ##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md)
 
 #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)
@@ -290,6 +225,152 @@
 ###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
    
+##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md)
+###### Create your app
+####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md)
+####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md)
+###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md)
+####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md)
+
+####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md)
+######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+####### Domain
+######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md)
+######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+####### IP
+######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
+######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+
+####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
+######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
+######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+
+###### How to use APIs - Samples
+####### Advanced Hunting API
+######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md)
+######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md)
+######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md)
+######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md)
+####### Multiple APIs
+######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md)
+####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md)
+
+##### [Use the Windows Defender ATP exposed APIs (deprecated)](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+###### [Supported Windows Defender ATP APIs (deprecated)](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
+#######Actor (deprecated)
+######## [Get actor information (deprecated)](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+######## [Get actor related alerts (deprecated)](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#######Alerts (deprecated)
+######## [Get alerts (deprecated)](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get alert information by ID (deprecated)](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get alert related actor information (deprecated)](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related domain information (deprecated)](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related file information (deprecated)](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related IP information (deprecated)](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+######## [Get alert related machine information (deprecated)](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#######Domain (deprecated)
+########  [Get domain related alerts (deprecated)](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get domain related machines (deprecated)](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get domain statistics (deprecated)](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is domain seen in organization (deprecated)](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+#######File(deprecated)
+######## [Block file (deprecated)](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+######## [Get file information (deprecated)](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+######## [Get file related alerts (deprecated)](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get file related machines (deprecated)](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get file statistics (deprecated)](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+######## [Get FileActions collection (deprecated)](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Unblock file (deprecated)](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
+
+#######IP (deprecated)
+######## [Get IP related alerts (deprecated)](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get IP related machines (deprecated)](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+######## [Get IP statistics (deprecated)](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+######## [Is IP seen in organization (deprecated)](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#######Machines (deprecated)
+######## [Collect investigation package (deprecated)](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+######## [Find machine information by IP (deprecated)](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineAction object (deprecated)](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get FileMachineActions collection (deprecated)](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machine by ID (deprecated)](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+######## [Get machine log on users (deprecated)](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+######## [Get machine related alerts (deprecated)](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get MachineAction object (deprecated)](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+######## [Get MachineActions collection (deprecated)](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+######## [Get package SAS URI (deprecated)](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+######## [Isolate machine (deprecated)](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Release machine from isolation (deprecated)](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+######## [Remove app restriction (deprecated)](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Request sample (deprecated)](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+######## [Restrict app execution (deprecated)](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+######## [Run antivirus scan (deprecated)](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+######## [Stop and quarantine file (deprecated)](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+#######User (deprecated)
+######## [Get alert related user information (deprecated)](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+######## [Get user information (deprecated)](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+######## [Get user related alerts (deprecated)](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+######## [Get user related machines (deprecated)](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+#####Windows updates (KB) info
+###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
+#####Common Vulnerabilities and Exposures (CVE) to KB map
+###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
+ 
+
+
+
+
+
+
+
+
 ##### API for custom alerts
 ###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
 ###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -16,7 +16,6 @@
 #### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
 
 
-
 #### [Incidents queue](incidents-queue.md)
 ##### [View and organize the Incidents queue](view-incidents-queue.md)
 ##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
@@ -84,74 +83,7 @@
 
 ### [Management and APIs](management-apis.md)
 #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP APIs](apis-intro.md)
-#####Actor
-###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
-###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
-#####Alerts
-###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
-
-#####Domain
-###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
-
-#####File
-###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
-###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
-###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
-###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
-
-#####IP
-###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
-###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
-#####Machines
-###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
-###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
-###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
-###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
-###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
-###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
-###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
-###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
-#####Machines Security States
-###### [Get MachineSecurityStates collection](get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md)
-#####Machine Groups
-###### [Get MachineGroups collection](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
-#####User
-###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
-###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
-#####Windows updates (KB) info
-###### [Get KbInfo collection](get-kbinfo-collection-windows-defender-advanced-threat-protection.md)
-#####Common Vulnerabilities and Exposures (CVE) to KB map
-###### [Get CVE-KB map](get-cvekbmap-collection-windows-defender-advanced-threat-protection.md)
-
- 
 #### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md)
 
 
@@ -288,6 +220,160 @@
 ##### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
 ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+  
+
+#### [Use the Windows Defender ATP exposed APIs](use-apis.md)
+##### Create your app
+###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
+###### [Get access without a user](exposed-apis-create-app-webapp.md)
+##### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+###### [Advanced Hunting](run-advanced-query-api.md)
+
+###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
+####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+###### Domain
+####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [File](files-windows-defender-advanced-threat-protection-new.md)
+####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+###### IP
+####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
+####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md)
+####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
+
+###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
+####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
+####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+
+###### [User](user-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
+##### How to use APIs - Samples
+###### Advanced Hunting API
+####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
+####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+####### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md)
+###### Multiple APIs
+####### [PowerShell](exposed-apis-full-sample-powershell.md)
+###### [Using OData Queries](exposed-apis-odata-samples.md)
+
+#### [Use the Windows Defender ATP exposed APIs (deprecated)](exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs (deprecated)](supported-apis-windows-defender-advanced-threat-protection.md)
+######Actor (deprecated)
+####### [Get actor information (deprecated)](get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts (deprecated)](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+######Alerts (deprecated)
+####### [Get alerts (deprecated)](get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID (deprecated)](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information (deprecated)](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information (deprecated)](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information (deprecated)](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information (deprecated)](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information (deprecated)](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+######Domain (deprecated)
+#######  [Get domain related alerts (deprecated)](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines (deprecated)](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics (deprecated)](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization (deprecated)](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+######File(deprecated)
+####### [Block file (deprecated)](block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information (deprecated)](get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts (deprecated)](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines (deprecated)](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics (deprecated)](get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection (deprecated)](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file (deprecated)](unblock-file-windows-defender-advanced-threat-protection.md)
+
+######IP (deprecated)
+####### [Get IP related alerts (deprecated)](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines (deprecated)](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics (deprecated)](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization (deprecated)](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+######Machines (deprecated)
+####### [Collect investigation package (deprecated)](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP (deprecated)](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object (deprecated)](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection (deprecated)](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID (deprecated)](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users (deprecated)](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts (deprecated)](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object (deprecated)](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection (deprecated)](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI (deprecated)](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine (deprecated)](isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation (deprecated)](unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction (deprecated)](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample (deprecated)](request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution (deprecated)](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan (deprecated)](run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file (deprecated)](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+######User (deprecated)
+####### [Get alert related user information (deprecated)](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information (deprecated)](get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts (deprecated)](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines (deprecated)](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 #### API for custom alerts
 ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,110 @@
+---
+title: Add or Remove Machine Tags API
+description: Use this API to Add or Remove machine tags.
+keywords: apis, graph api, supported apis, tags, machine tags
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Add or Remove Machine Tags API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Adds or remove tag to a specific machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/tags
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Value |	String |	The tag name. **Required**.
+Action	| Enum |	Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
+
+
+## Response
+If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that adds machine tag.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
+Content-type: application/json
+{
+  "Value" : "Test Tag",
+  "Action": "Add"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
+    "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+    "computerDnsName": "mymachine55.contoso.com",
+    "firstSeen": "2018-07-31T14:20:55.8223496Z",
+    "lastSeen": "2018-09-27T08:44:05.6228836Z",
+    "osPlatform": "Windows10",
+    "osVersion": null,
+    "lastIpAddress": "10.248.240.38",
+    "lastExternalIpAddress": "167.220.2.166",
+    "agentVersion": "10.3720.16299.98",
+    "osBuild": 16299,
+    "healthStatus": "Active",
+    "isAadJoined": true,
+    "machineTags": [
+        "Test Tag"
+    ],
+    "rbacGroupId": 75,
+    "riskScore": "Medium",
+    "aadDeviceId": null
+}
+
+```
+
+To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,81 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Alert resource type
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Represents an alert entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
+[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
+[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
+[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert.
+[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection |  List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert.
+[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+
+
+# Properties
+Property |	Type	|	Description
+:---|:---|:---
+id | String | Alert ID
+severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+description | String | Description of the threat, identified by the alert.
+recommendedAction | String | Action recommended for handling the suspected threat.
+alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
+title | string | Alert title
+threatFamilyName | string | Threat family
+detectionSource | string | Detection source 
+assignedTo | String | Owner of the alert
+classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
+
+# JSON representation
+```
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "id": "636688558380765161_2136280442",
+    "severity": "Informational",
+    "status": "InProgress",
+    "description": "Some alert description 1",
+    "recommendedAction": "Some recommended action 1",
+    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+    "category": "General",
+    "title": "Some alert title 1",
+    "threatFamilyName": null,
+    "detectionSource": "WindowsDefenderAtp",
+    "classification": "TruePositive",
+    "determination": null,
+    "assignedTo": "best secop ever",
+    "resolvedTime": null,
+    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+    "actorName": null,
+    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+```

windows/security/threat-protection/windows-defender-atp/apis-intro.md

@@ -0,0 +1,57 @@
+---
+title: Windows Defender Advanced Threat Protection API overview  
+description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Windows Defender ATP API overview
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+
+As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up.
+
+## Delegated permissions, application permissions, and effective permissions
+
+Windows Defender ATP has two types of permissions: delegated permissions and application permissions.
+
+- **Delegated permissions** <br> 
+    Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
+- **Application permissions** <br>
+    Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator.
+
+Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP.
+
+- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles).
+
+	For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine.
+
+- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization.
+
+
+## Related topics
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Block file API
+# Block file API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Prevent a file from being executed in the organization using Windows Defender Antivirus.

windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,98 @@
+---
+title: Collect investigation package API
+description: Use this API to create calls related to the collecting an investigation package from a machine.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Collect investigation package API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Collect investigation package from a machine.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.CollectForensics |	'Collect forensics'
+Delegated (work or school account) |	Machine.CollectForensics |	'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Comment |	String |	Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
+Content-type: application/json
+{
+  "Comment": "Collect forensics due to alert 1234"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+    "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+    "type": "CollectInvestigationPackage",
+    "requestor": "Analyst@contoso.com",
+    "requestorComment": " Collect forensics due to alert 1234",
+    "status": "InProgress",
+    "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+    "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+    "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
+	"relatedFileInfo": null
+}
+
+```

windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Collect investigation package API
+# Collect investigation package API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Collect investigation package from a machine.
 

windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,93 @@
+---
+title: Create alert from event API
+description: Creates an alert using event details
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Create alert from event API 
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alerts.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+## Request body
+In the request body, supply the following values (all are required):
+
+Property | Type | Description
+:---|:---|:---
+machineId | String | Id of the machine on which the event was identified. **Required**.
+severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
+title | String | Title for the alert. **Required**.
+description | String | Description of the alert. **Required**.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**.
+reportId | String | The reportId, as obtained from the advanced query. **Required**.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
+
+
+## Response
+If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+Content-Length: application/json
+
+{
+  "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+  "severity": "Low",
+  "title": "test alert",
+  "description": "redalert",
+  "recommendedAction": "white alert",
+  "eventTime": "2018-08-03T16:45:21.7115183Z",
+  "reportId": "20776",
+  "category": "None"
+} 
+```

windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md

@@ -187,7 +187,6 @@ The API currently supports the following IOC types:
 - Sha1
 - Sha256
 - Md5
-- FileName
 - IpAddress
 - DomainName 
 

windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,77 @@
+---
+title: Delete Ti Indicator.
+description: Deletes Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, delete, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Delete TI Indicator API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+
+
+## HTTP request
+```
+Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If TI Indicator exist and deleted successfully - 204 OK without content.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 204 NO CONTENT
+
+```

windows/security/threat-protection/windows-defender-atp/deprecate.md

@@ -0,0 +1,7 @@
+---
+ms.date: 10/17/2018
+---
+>[!WARNING]
+
+
+> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md).

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md

@@ -0,0 +1,175 @@
+---
+title: Use Windows Defender Advanced Threat Protection APIs  
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Use Windows Defender ATP APIs
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
+
+If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
+
+If you are not sure which access you need, read the [Introduction page](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+>[!NOTE]
+> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission.
+> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). 
+
+>[!TIP]
+> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. 
+
+## Create an app
+
+1.	Log on to [Azure](https://portal.azure.com).
+
+2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
+
+    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3.	In the Create window, enter the following information then click **Create**.
+
+    ![Image of Create application window](images/nativeapp-create.png)
+
+    - **Name:** -Your app name-
+    - **Application type:** Native
+    - **Redirect URI:** `https://127.0.0.1`
+
+
+4.	Click **Settings** > **Required permissions** > **Add**.
+
+    ![Image of new app in Azure](images/nativeapp-add-permission.png)
+
+5.	Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+	
+	**Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+    ![Image of API access and API selection](images/webapp-add-permission-2.png)
+
+6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**.
+	
+	>[!IMPORTANT]
+    >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example.
+
+    ![Image of select permissions](images/nativeapp-select-permissions.png)
+
+	For instance,
+
+    - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+    - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+       To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
+
+
+7. Click **Done**
+
+    ![Image of add permissions completion](images/nativeapp-add-permissions-end.png)
+
+8. Click **Grant permissions**
+
+	In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+	If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+	![Image of Grant permissions](images/webapp-grant-permissions.png)
+
+9. Write down your application ID.
+    
+	![Image of app ID](images/nativeapp-get-appid.png)
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+The  code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+	```
+	using Microsoft.IdentityModel.Clients.ActiveDirectory;
+	```
+
+- Copy/Paste the below code in your application (pay attention to the comments in the code)
+
+	```
+	const string authority = "https://login.windows.net";
+	const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+	string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+	string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+
+	string username = "SecurityAdmin123@microsoft.com"; // Paste your username here
+	string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place! 
+
+	UserPasswordCredential userCreds = new UserPasswordCredential(username, password);
+
+	AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}");
+	AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult();
+	string token = authenticationResult.AccessToken;
+	```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'scp' claim with the desired app permissions
+- In the screenshot below you can see a decoded token acquired from the app in the tutorial:
+
+![Image of token validation](images/nativeapp-decoded-token.png)
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#** 
+	```
+	var httpClient = new HttpClient();
+
+	var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+	// Do something useful with the response
+	```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md

@@ -0,0 +1,220 @@
+---
+title: Create an app to access Windows Defender ATP without a user
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/03/2018
+---
+
+# Create an app to access Windows Defender ATP without a user
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
+
+[!include[Prerelease information](prerelease.md)]
+
+This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
+
+If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
+
+If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md).
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+## Create an app
+
+1.	Log on to [Azure](https://portal.azure.com).
+
+2.	Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. 
+
+    ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3.	In the Create window, enter the following information then click **Create**.
+
+    ![Image of Create application window](images/webapp-create.png)
+
+    - **Name:** WdatpEcosystemPartner
+    - **Application type:** Web app / API
+    - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+
+
+4.	Click **Settings** > **Required permissions** > **Add**.
+
+    ![Image of new app in Azure](images/webapp-add-permission.png)
+
+5.	Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+	
+	**Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+    ![Image of API access and API selection](images/webapp-add-permission-2.png)
+
+6. Click **Select permissions** > **Run advanced queries** > **Select**.
+	
+	**Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
+
+    ![Image of select permissions](images/webapp-select-permission.png)
+
+	For instance,
+
+	- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
+	- To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission
+
+	To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+
+7. Click **Done**
+
+    ![Image of add permissions completion](images/webapp-add-permission-end.png)
+
+8. Click **Grant permissions**
+
+	In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button.
+
+	If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect.
+
+	![Image of Grant permissions](images/webapp-grant-permissions.png)
+
+9. Click **Keys** and type a key name and click **Save**.
+
+	**Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
+
+    ![Image of create app key](images/webapp-create-key.png)
+
+10. Write down your application ID.
+    
+	![Image of app ID](images/webapp-get-appid.png)
+
+11. Set your application to be multi-tenanted
+	
+	This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
+
+	This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)​
+
+	Click **Properties** > **Yes** > **Save**.
+
+	![Image of multi tenant](images/webapp-edit-multitenant.png)
+
+
+## Application consent
+You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+
+You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+
+Consent link is of the form: 
+
+```
+https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​
+```
+
+where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+	```
+	using Microsoft.IdentityModel.Clients.ActiveDirectory;
+	```
+
+- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+
+	```
+	string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
+	string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+	string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! 
+
+	const string authority = "https://login.windows.net";
+	const string wdatpResourceId = "https://api.securitycenter.windows.com";
+
+	AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
+	ClientCredential clientCredential = new ClientCredential(appId, appSecret);
+	AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
+	string token = authenticationResult.AccessToken;
+	```
+
+### Using PowerShell 
+
+Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
+
+### Using Python
+
+Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+
+### Using Curl
+
+> [!NOTE]
+> The below procedure supposed Curl for Windows is already installed on your computer
+
+- Open a command window
+- ​Set CLIENT_ID to your Azure application ID
+- Set CLIENT_SECRET to your Azure application secret
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Run the below command:
+
+```
+curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice​/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID​%/oauth2/v2.0/token" -k​
+```
+
+You will get an answer of the form:
+
+```
+{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
+```
+
+## Validate the token
+
+Sanity check to make sure you got a correct token:
+- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
+- Validate you get a 'roles' claim with the desired permissions
+- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles:
+
+![Image of token validation](images/webapp-decoded-token.png)
+
+## Use the token to access Windows Defender ATP API
+
+- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
+- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+
+- Example of sending a request to get a list of alerts **using C#** 
+	```
+	var httpClient = new HttpClient();
+
+	var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
+
+	request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+
+	var response = await httpClient.SendAsync(request).ConfigureAwait(false);
+
+	// Do something useful with the response
+	```
+
+## Related topics
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Supported Windows Defender ATP APIs](exposed-apis-list.md)
+- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md

@@ -0,0 +1,118 @@
+---
+title: Advanced Hunting API
+description: Use this API to run advanced queries
+keywords: apis, supported apis, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# Windows Defender ATP APIs using PowerShell
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Full scenario using multiple APIs from Windows Defender ATP.
+
+In this section we share PowerShell samples to 
+ - Retrieve a token 
+ - Use token to retrieve the latest alerts in Windows Defender ATP
+ - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
+
+>**Prerequisite**: You first need to [create an app](apis-intro.md).
+
+## Preparation Instructions
+
+- Open a PowerShell window.
+- If your policy does not allow you to run the PowerShell commands, you can run the below command:
+```
+Set-ExecutionPolicy -ExecutionPolicy Bypass
+```
+
+>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
+
+## Get token
+
+- Run the below
+
+> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
+> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP)
+> - $appSecret: Secret of your AAD app
+> - $suspiciousUrl: The URL
+
+
+```
+$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
+$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
+$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
+$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here
+
+$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice'
+$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
+$authBody = [Ordered] @{
+	resource = "$resourceAppIdUri"
+	client_id = "$appId"
+	client_secret = "$appSecret"
+	grant_type = 'client_credentials'
+}
+$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
+$aadToken = $authResponse.access_token
+
+
+#Get latest alert
+$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10"
+$headers = @{ 
+	'Content-Type' = 'application/json'
+	Accept = 'application/json'
+	Authorization = "Bearer $aadToken" 
+}
+$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop
+$alerts =  ($alertResponse | ConvertFrom-Json).value
+
+$machinesToInvestigate = New-Object System.Collections.ArrayList
+
+Foreach($alert in $alerts)
+{
+	#echo $alert.id	$alert.machineId	$alert.severity	$alert.status
+
+	$isSevereAlert = $alert.severity -in 'Medium', 'High'
+	$isOpenAlert = $alert.status -in 'InProgress', 'New'
+	if($isOpenAlert -and $isSevereAlert)
+	{
+		if (-not $machinesToInvestigate.Contains($alert.machineId))
+		{
+			$machinesToInvestigate.Add($alert.machineId) > $null
+		}
+	}
+}
+
+$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","')
+
+$query = "NetworkCommunicationEvents
+| where MachineId in ($commaSeparatedMachines)
+| where RemoteUrl  == `"$suspiciousUrl`"
+| summarize ConnectionsCount = count() by MachineId"
+
+$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run"
+
+$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query }
+$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop
+$response =  ($queryResponse | ConvertFrom-Json).Results
+$response
+
+```
+
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)
+- [Advanced Hunting API](run-advanced-query-api.md)
+- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md

@@ -0,0 +1,58 @@
+---
+title: Supported Windows Defender Advanced Threat Protection query APIs  
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. 
+keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Supported Windows Defender ATP query APIs 
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) 
+
+## End Point URI and Versioning
+
+### End Point URI:
+
+> The service base URI is: https://api.securitycenter.windows.com
+
+> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts
+
+### Versioning:
+
+> The API supports versioning.
+
+> The current version is **V1.0**.
+
+> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts
+
+> If you don't specify any version ( without /v1.0/ ) you will get to the latest version.
+
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Advanced Hunting | Run queries from API.
+Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md

@@ -0,0 +1,188 @@
+---
+title: OData queries with Windows Defender ATP
+description: OData queries with Windows Defender ATP
+keywords: apis, supported apis, odata, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 09/24/2018
+---
+
+# OData queries with Windows Defender ATP
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+> If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/)
+
+> ** Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.**
+> ** [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.**
+
+### Example 1
+
+**Get all the machines with 'High' 'RiskScore'**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "e3a77eeddb83d581238792387b1239b01286b2f",
+            "computerDnsName": "examples.dev.corp.microsoft.com",
+            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "lastSeen": "2018-11-12T10:27:08.708723Z",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.0.0",
+            "lastIpAddress": "123.123.10.33",
+            "lastExternalIpAddress": "124.124.160.172",
+            "agentVersion": "10.6300.18279.1001",
+            "osBuild": 18279,
+            "healthStatus": "ImpairedCommunication",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 5,
+            "rbacGroupName": "North",
+            "riskScore": "High",
+            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 2
+
+**Get top 100 machines with 'HealthStatus' not equals to 'Active'**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "1113333ddb83d581238792387b1239b01286b2f",
+            "computerDnsName": "examples.dev.corp.microsoft.com",
+            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "lastSeen": "2018-11-12T10:27:08.708723Z",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.0.0",
+            "lastIpAddress": "123.123.10.33",
+            "lastExternalIpAddress": "124.124.160.172",
+            "agentVersion": "10.6300.18279.1001",
+            "osBuild": 18279,
+            "healthStatus": "ImpairedCommunication",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 5,
+            "rbacGroupName": "North",
+            "riskScore": "Medium",
+            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 3
+
+**Get all the machines that last seen after 2018-10-20**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "83113465ffceca4a731234e5dcde3357e026e873",
+            "computerDnsName": "examples-vm10",
+            "firstSeen": "2018-11-12T16:07:50.1706168Z",
+            "lastSeen": "2018-11-12T16:07:50.1706168Z",
+            "osPlatform": "WindowsServer2019",
+            "osVersion": null,
+            "lastIpAddress": "10.123.72.35",
+            "lastExternalIpAddress": "123.220.2.3",
+            "agentVersion": "10.6300.18281.1000",
+            "osBuild": 18281,
+            "healthStatus": "Active",
+            "isAadJoined": false,
+            "machineTags": [],
+            "rbacGroupId": 4,
+            "rbacGroupName": "East",
+            "riskScore": "None",
+            "aadDeviceId": null
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 4
+
+**Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP**
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+    "value": [
+        {
+            "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
+            "type": "RunAntiVirusScan",
+            "requestor": "Analyst@examples.onmicrosoft.com",
+            "requestorComment": "1533",
+            "status": "Succeeded",
+            "machineId": "123321c10e44a82877af76b1d0161a17843f688a",
+            "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
+            "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
+            "relatedFileInfo": null
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+## Related topic
+- [Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md

@@ -14,7 +14,7 @@ ms.localizationpriority: medium
 ms.date: 10/23/2017
 ---
 
-# Use the Windows Defender ATP exposed APIs 
+# Use the Windows Defender ATP exposed APIs (deprecated)
 
 **Applies to:**
 

windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,49 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# File resource type
+
+[!include[Prerelease information](prerelease.md)]
+
+Represent a file entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file 
+[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file.
+[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert.
+[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file.
+
+
+# Properties
+Property |	Type	|	Description
+:---|:---|:---
+sha1 | String | Sha1 hash of the file content
+sha256 | String | Sha256 hash of the file content
+md5 | String | md5 hash of the file content
+globalPrevalence | Integer | File prevalence accross organization
+globalFirstObserved | DateTimeOffset | First time the file was observed.
+globalLastObserved | DateTimeOffset | Last time the file was observed.
+size | Integer | Size of the file.
+fileType | String | Type of the file. 
+isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.)
+filePublisher | String | File publisher.
+fileProductName | String | Product name.
+signer | String | File signer.
+issuer | String | File issuer.
+signerHash | String | Hash of the signing certificate.
+isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent.
+

windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,88 @@
+---
+title: Find machine information by internal IP API
+description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
+keywords: ip, apis, graph api, supported apis, find machine, machine information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 07/25/2018
+---
+
+# Find machine information by internal IP API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Find a machine by internal IP.
+
+>[!NOTE]
+>The timestamp must be within the last 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machines/find(timestamp={time},key={IP})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK.
+If no machine found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp. 
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
+    "value": [
+        {
+            "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
+            "computerDnsName": "",
+            "firstSeen": "2017-07-06T01:25:04.9480498Z",
+            "osPlatform": "Windows10",
+…
+}
+```

windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 07/25/2018
 ---
 
-# Find machine information by internal IP API
+# Find machine information by internal IP API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 Find a machine entity around a specific timestamp by internal IP.
 

windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,105 @@
+---
+title: Find machines by internal IP API
+description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp 
+keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Find machines by internal IP API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp 
+- The given timestamp must be in the past 30 days.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp})
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines were found - 200 OK with list of the machines in the response body.
+If no machine found  - 404 Not Found.
+If the timestamp is not in the past 30 days - 400 Bad Request.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+            "computerDnsName": "mymachine33.contoso.com",
+            "firstSeen": "2018-07-31T14:20:55.8223496Z",
+            "lastSeen": null,
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "lastIpAddress": "10.248.240.38",
+            "lastExternalIpAddress": "167.220.2.166",
+            "agentVersion": "10.3720.16299.98",
+            "osBuild": 16299,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 75,
+            "riskScore": "Medium",
+            "aadDeviceId": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md

@@ -15,12 +15,13 @@ ms.date: 12/08/2017
 ---
 
 
-# Get actor information API
+# Get actor information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves an actor information report. 

windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get actor related alerts API
+# Get actor related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all alerts related to a given actor.

windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,98 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert information by ID API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves an alert by its ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "id": "636688558380765161_2136280442",
+    "severity": "Informational",
+    "status": "InProgress",
+    "description": "Some alert description 1",
+    "recommendedAction": "Some recommended action 1",
+    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+    "category": "General",
+    "title": "Some alert title 1",
+    "threatFamilyName": null,
+    "detectionSource": "WindowsDefenderAtp",
+    "classification": "TruePositive",
+    "determination": null,
+    "assignedTo": "best secop ever",
+    "resolvedTime": null,
+    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+    "actorName": null,
+    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert information by ID API
+# Get alert information by ID API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves an alert by its ID.

windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related actor information API
+# Get alert related actor information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves the actor information related to the specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,87 @@
+---
+title: Get alert related domains information 
+description: Retrieves all domains related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related domain
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related domain information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves all domains related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	URL.Read.All |	'Read URLs'
+Delegated (work or school account) | URL.Read.All |	'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/domains
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and domain exist - 200 OK.
+If alert not found or domain not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains",
+    "value": [
+        {
+            "host": "www.example.com"
+        }
+    ]
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,16 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related domain information API
+# Get alert related domain information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
 
+[!include[Deprecated information](deprecate.md)]
+
+
 
 Retrieves all domains related to a specific alert.
 

windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,100 @@
+---
+title: Get alert related files information 
+description: Retrieves all files related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related files
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related files information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves all files related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	File.Read.All |	'Read file profiles'
+Delegated (work or school account) | File.Read.All |	'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/files
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and files exist - 200 OK.
+If alert not found or files not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
+    "value": [
+        {
+            "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
+            "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
+            "md5": "82849dc81d94056224445ea73dc6153a",
+            "globalPrevalence": 33,
+            "globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
+            "globalLastObserved": "2018-08-06T16:07:12.9414137Z",
+            "windowsDefenderAVThreatName": null,
+            "size": 801112,
+            "fileType": "PortableExecutable",
+            "isPeFile": true,
+            "filePublisher": null,
+            "fileProductName": null,
+            "signer": "Microsoft Windows",
+            "issuer": "Microsoft Development PCA 2014",
+            "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
+            "isValidCertificate": true
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related files information API
+# Get alert related files information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all files related to a specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,89 @@
+---
+title: Get alert related IPs information 
+description: Retrieves all IPs related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related ip
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related IP information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves all IPs related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ip.Read.All |	'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All |	'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/ips
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and an IP exist - 200 OK. If alert not found or IPs not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips",    
+	"value": [
+				{
+					"id": "104.80.104.128"
+				},
+				{
+					"id": "23.203.232.228	
+				}
+	]
+}
+ 
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related IP information API
+# Get alert related IP information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all IPs related to a specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,99 @@
+---
+title: Get alert related machine information 
+description: Retrieves all machines related to a specific alert.
+keywords: apis, graph api, supported apis, get alert information, alert information, related machine
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related machine information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves machine that is related to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine information'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/machine
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and machine exist - 200 OK.
+If alert not found or machine not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
+    "id": "ff0c3800ed8d66738a514971cd6867166809369f",
+    "computerDnsName": "amazingmachine.contoso.com",
+    "firstSeen": "2017-12-10T07:47:34.4269783Z",
+	"lastSeen": "2017-12-10T07:47:34.4269783Z",
+    "osPlatform": "Windows10",
+    "osVersion": "10.0.0.0",
+    "systemProductName": null,
+    "lastIpAddress": "172.17.0.0",
+    "lastExternalIpAddress": "167.220.0.0",
+    "agentVersion": "10.5830.17732.1001",
+    "osBuild": 17732,
+    "healthStatus": "Active",
+    "isAadJoined": true,
+    "machineTags": [],
+    "rbacGroupId": 75,
+    "riskScore": "Low",
+    "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related machine information API
+# Get alert related machine information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves all machines related to a specific alert.

windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,91 @@
+---
+title: Get alert related user information 
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related user information API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves the user associated to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	User.Read.All |	'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts/{id}/user
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK with user in the body.
+If alert not found or user not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+    "id": "contoso\\user1",
+    "firstSeen": "2018-08-02T00:00:00Z",
+    "lastSeen": "2018-08-04T00:00:00Z",
+    "mostPrevalentMachineId": null,
+    "leastPrevalentMachineId": null,
+    "logonTypes": "Network",
+    "logOnMachinesCount": 3,
+    "isDomainAdmin": false,
+    "isOnlyNetworkUser": null
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alert related user information API
+# Get alert related user information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves the user associated to a specific alert.
 

windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,130 @@
+---
+title: List alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves top recent alerts.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/alerts
+```
+
+## Optional query parameters
+Method supports $skip and $top query parameters.
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. If no recent alerts found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+
+```
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 1",
+            "recommendedAction": "Some recommended action 1",
+            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 1",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+        },
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 2",
+            "recommendedAction": "Some recommended action 2",
+            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 2",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+        }
+	]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get alerts API
+# Get alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves top recent alerts.

windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,129 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/alerts
+```
+
+## Request headers
+
+Header | Value 
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain or alert does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 1",
+            "recommendedAction": "Some recommended action 1",
+            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 1",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+        },
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 2",
+            "recommendedAction": "Some recommended action 2",
+            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 2",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+        }
+	]
+}
+```
+

windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,15 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get domain related alerts API
+# Get domain related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
 
+[!include[Deprecated information](deprecate.md)]
+
 
 Retrieves a collection of alerts related to a given domain address.
 

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,122 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of machines that have communicated to or from a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
+            "computerDnsName": "testMachine1",
+            "firstSeen": "2018-07-30T20:12:00.3708661Z",
+			"lastSeen": "2018-07-30T20:12:00.3708661Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "10.209.67.177",
+            "lastExternalIpAddress": "167.220.1.210",
+            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 18208,
+            "healthStatus": "Inactive",
+            "isAadJoined": false,
+            "machineTags": [],
+            "rbacGroupId": 75,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        },
+        {
+            "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
+            "computerDnsName": "testMachine2",
+            "firstSeen": "2018-07-30T19:50:47.3618349Z",
+			"lastSeen": "2018-07-30T19:50:47.3618349Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "10.209.70.231",
+            "lastExternalIpAddress": "167.220.0.28",
+            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 18208,
+            "healthStatus": "Inactive",
+            "isAadJoined": false,
+            "machineTags": [],
+            "rbacGroupId": 75,
+            "riskScore": "None",
+            "aadDeviceId": null
+        }    
+	]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get domain related machines API
+# Get domain related machines API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves a collection of machines related to a given domain address.

windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,84 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain statistics API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves the prevalence for the given domain.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	URL.Read.All |	'Read URLs'
+Delegated (work or school account) | URL.Read.All |	'Read URLs'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/domains/{domain}/stats
+```
+
+## Request headers
+
+Header | Value 
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK, with statistics object in the response body.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+	"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+	"host": "example.com",
+    "orgPrevalence": "4070",
+    "orgFirstSeen": "2017-07-30T13:23:48Z",
+    "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```

windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get domain statistics API
+# Get domain statistics API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves the prevalence for the given domain.

windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,98 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file information API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	File.Read.All |	'Read all file profiles'
+Delegated (work or school account) | File.Read.All |	'Read all file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/files/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If file does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
+    "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+    "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
+    "md5": "7f05a371d2beffb3784fd2199f81d730",
+    "globalPrevalence": 7329,
+    "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
+    "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
+    "windowsDefenderAVThreatName": null,
+    "size": 391680,
+    "fileType": "PortableExecutable",
+    "isPeFile": true,
+    "filePublisher": null,
+    "fileProductName": null,
+    "signer": null,
+    "issuer": null,
+    "signerHash": null,
+    "isValidCertificate": null
+}
+```

windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file information API
+# Get file information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves a file by identifier Sha1, Sha256, or MD5.

windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,107 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{    
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636692391408655573_2010598859",
+            "severity": "Low",
+            "status": "New",
+            "description": "test alert",
+            "recommendedAction": "do this and that",
+            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+            "category": "None",
+            "title": "test alert",
+            "threatFamilyName": null,
+            "detectionSource": "CustomerTI",
+            "classification": null,
+            "determination": null,
+            "assignedTo": null,
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+            "actorName": null,
+            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file related alerts API
+# Get file related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of alerts related to a given file hash.
 

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,123 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related machines API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+            "computerDnsName": "mymachine1.contoso.com",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "172.17.230.209",
+            "lastExternalIpAddress": "167.220.196.71",
+            "agentVersion": "10.5830.18209.1001",
+            "osBuild": 18209,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        },
+        {
+            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+            "computerDnsName": "mymachine2.contoso.com",
+            "firstSeen": "2018-07-09T13:22:45.1250071Z",
+			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "192.168.12.225",
+            "lastExternalIpAddress": "79.183.65.82",
+            "agentVersion": "10.5820.17724.1000",
+            "osBuild": 17724,
+            "healthStatus": "Inactive",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file related machines API
+# Get file related machines API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of machines related to a given file hash.
 

windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,93 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+
+
+Retrieves the prevalence for the given file.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	File.Read.All |	'Read file profiles'
+Delegated (work or school account) | File.Read.All | 'Read file profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/files/{id}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with statistical data in the body.
+If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+    "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+    "orgPrevalence": "3",
+    "orgFirstSeen": "2018-07-15T06:13:59Z",
+    "orgLastSeen": "2018-08-03T16:45:21Z",
+    "topFileNames": [
+        "chrome_1.exe",
+		"chrome_2.exe"
+    ]
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get file statistics API
+# Get file statistics API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves the prevalence for the given file.
 

windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get FileActions collection API
+# Get FileActions collection API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries.
 

windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get FileMachineAction object API
+# Get FileMachineAction object API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Gets file and machine actions.
 

windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get FileMachineActions collection API
+# Get FileMachineActions collection API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries.
 

windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,106 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related alerts API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If IP and alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{    
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636692391408655573_2010598859",
+            "severity": "Low",
+            "status": "New",
+            "description": "test alert",
+            "recommendedAction": "do this and that",
+            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+            "category": "None",
+            "title": "test alert",
+            "threatFamilyName": null,
+            "detectionSource": "CustomerTI",
+            "classification": null,
+            "determination": null,
+            "assignedTo": null,
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+            "actorName": null,
+            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get IP related alerts API
+# Get IP related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of alerts related to a given IP address.
 

windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,123 @@
+---
+title: Get IP related machines API
+description: Retrieves a collection of machines related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+Retrieves a collection of machines that communicated with or from a particular IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If IP or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+            "computerDnsName": "mymachine1.contoso.com",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "172.17.230.209",
+            "lastExternalIpAddress": "167.220.196.71",
+            "agentVersion": "10.5830.18209.1001",
+            "osBuild": 18209,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        },
+        {
+            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+            "computerDnsName": "mymachine2.contoso.com",
+            "firstSeen": "2018-07-09T13:22:45.1250071Z",
+			"lastSeen": "2018-07-09T13:22:45.1250071Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "192.168.12.225",
+            "lastExternalIpAddress": "79.183.65.82",
+            "agentVersion": "10.5820.17724.1000",
+            "osBuild": 17724,
+            "healthStatus": "Inactive",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md

@@ -37,8 +37,7 @@ Content type | application/json
 Empty
 
 ## Response
-If successful and IP and machines exists - 200 OK.
+If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found.
-If IP or machines do not exist - 404 Not Found.
 
 
 ## Example

windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,85 @@
+---
+title: Get IP statistics API
+description: Retrieves the prevalence for the given IP.
+keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP statistics API
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+
+
+Retrieves the prevalence for the given IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ip.Read.All |	'Read IP address profiles'
+Delegated (work or school account) | Ip.Read.All |	'Read IP address profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/ips/{ip}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+    "ipAddress": "10.209.67.177",
+    "orgPrevalence": "63515",
+    "orgFirstSeen": "2017-07-30T13:36:06Z",
+    "orgLastSeen": "2017-08-29T13:32:59Z"
+}
+```

windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,102 @@
+---
+title: Get machine by ID API
+description: Retrieves a machine entity by ID.
+keywords: apis, graph api, supported apis, get, machines, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine by ID API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a machine entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+
+## HTTP request
+```
+GET /api/machines/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If machine with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
+    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+    "computerDnsName": "mymachine1.contoso.com",
+    "firstSeen": "2018-08-02T14:55:03.7791856Z",
+	"lastSeen": "2018-08-02T14:55:03.7791856Z",
+    "osPlatform": "Windows10",
+    "osVersion": null,
+    "systemProductName": null,
+    "lastIpAddress": "172.17.230.209",
+    "lastExternalIpAddress": "167.220.196.71",
+    "agentVersion": "10.5830.18209.1001",
+    "osBuild": 18209,
+    "healthStatus": "Active",
+    "isAadJoined": true,
+    "machineTags": [],
+    "rbacGroupId": 140,
+    "riskScore": "Low",
+    "aadDeviceId": null
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get machine by ID API
+# Get machine by ID API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a machine entity by ID.
 

windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,105 @@
+---
+title: Get machine log on users API
+description: Retrieves a collection of logged on users.
+keywords: apis, graph api, supported apis, get, machine, log on, users
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine log on users API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of logged on users.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	User.Read.All |	'Read user profiles'
+Delegated (work or school account) | User.Read.All | 'Read user profiles'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/logonusers
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and user exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body
+If no machine found or no users found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
+    "value": [
+        {
+            "id": "contoso\\user1",
+            "firstSeen": "2018-08-02T00:00:00Z",
+            "lastSeen": "2018-08-04T00:00:00Z",
+            "mostPrevalentMachineId": null,
+            "leastPrevalentMachineId": null,
+            "logonTypes": "Network",
+            "logOnMachinesCount": 3,
+            "isDomainAdmin": false,
+            "isOnlyNetworkUser": null
+        },
+        {
+            "id": "contoso\\user2",
+            "firstSeen": "2018-08-02T00:00:00Z",
+            "lastSeen": "2018-08-05T00:00:00Z",
+            "mostPrevalentMachineId": null,
+            "leastPrevalentMachineId": null,
+            "logonTypes": "Network",
+            "logOnMachinesCount": 3,
+            "isDomainAdmin": false,
+            "isOnlyNetworkUser": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get machine log on users API
+# Get machine log on users API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves a collection of logged on users.

windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,105 @@
+---
+title: Get machine related alerts API
+description: Retrieves a collection of alerts related to a given machine ID.
+keywords: apis, graph api, supported apis, get, machines, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine related alerts  API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a collection of alerts related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/machines/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If no machine or no alerts found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{    
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636692391408655573_2010598859",
+            "severity": "Low",
+            "status": "New",
+            "description": "test alert",
+            "recommendedAction": "do this and that",
+            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+            "category": "None",
+            "title": "test alert",
+            "threatFamilyName": null,
+            "detectionSource": "CustomerTI",
+            "classification": null,
+            "determination": null,
+            "assignedTo": null,
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+            "actorName": null,
+            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get machine related alerts  API
+# Get machine related alerts  API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of alerts related to a given machine ID.
 

windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,90 @@
+---
+title: Get MachineAction object API
+description: Use this API to create calls related to get machineaction object
+keywords: apis, graph api, supported apis, machineaction object
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machineAction API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Get action performed on a machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+    "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+    "type": "RunAntiVirusScan",
+    "requestor": "Analyst@contoso.com",
+    "requestorComment": "Check machine for viruses due to alert 3212",
+    "status": "Succeeded",
+    "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+    "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+    "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+	"relatedFileInfo": null
+}
+
+
+```

windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get MachineAction object API
+# Get MachineAction object API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Get actions done on a machine.
 

windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,169 @@
+---
+title: List machineActions API
+description: Use this API to create calls related to get machineactions collection
+keywords: apis, graph api, supported apis, machineaction collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List MachineActions API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of actions done on machines. 
+ Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
+
+
+## Example 1
+
+**Request**
+
+Here is an example of the request on an organization that has three MachineActions.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+    "value": [
+        {
+            "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+            "type": "CollectInvestigationPackage",
+            "requestor": "Analyst@contoso.com",
+            "requestorComment": "test",
+            "status": "Succeeded",
+            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+            "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+			"relatedFileInfo": null
+        },
+        {
+            "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+            "type": "RunAntiVirusScan",
+            "requestor": "Analyst@contoso.com",
+            "requestorComment": "Check machine for viruses due to alert 3212",
+            "status": "Succeeded",
+            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+            "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+			"relatedFileInfo": null
+        },
+        {
+            "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+            "type": "StopAndQuarantineFile",
+            "requestor": "Analyst@contoso.com",
+            "requestorComment": "test",
+            "status": "Succeeded",
+            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
+            "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
+			"relatedFileInfo": {
+                "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
+                "fileIdentifierType": "Sha1"
+			}
+        }
+    ]
+}
+```
+
+## Example 2
+
+**Request**
+
+Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+    "value": [
+        {
+            "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+            "type": "CollectInvestigationPackage",
+            "requestor": "Analyst@contoso.com",
+            "requestorComment": "test",
+            "status": "Succeeded",
+            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
+            "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
+			"relatedFileInfo": null
+        },
+        {
+            "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+            "type": "RunAntiVirusScan",
+            "requestor": "Analyst@contoso.com",
+            "requestorComment": "Check machine for viruses due to alert 3212",
+            "status": "Succeeded",
+            "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+            "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
+            "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
+			"relatedFileInfo": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get MachineActions collection API
+# Get MachineActions collection API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
  Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
 

windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,124 @@
+---
+title: List machines API
+description: Retrieves a collection of recently seen machines.
+keywords: apis, graph api, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List machines API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
+
+## Permissions
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+            "computerDnsName": "mymachine1.contoso.com",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "172.17.230.209",
+            "lastExternalIpAddress": "167.220.196.71",
+            "agentVersion": "10.5830.18209.1001",
+            "osBuild": 18209,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        },
+        {
+            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+            "computerDnsName": "mymachine2.contoso.com",
+            "firstSeen": "2018-07-09T13:22:45.1250071Z",
+			"lastSeen": "2018-07-09T13:22:45.1250071Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "192.168.12.225",
+            "lastExternalIpAddress": "79.183.65.82",
+            "agentVersion": "10.5820.17724.1000",
+            "osBuild": 17724,
+            "healthStatus": "Inactive",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md

@@ -14,12 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get machines API
+# Get machines API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
+[!include[Deprecated information](deprecate.md)]
 
 
 Retrieves a collection of recently seen machines.

windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,84 @@
+---
+title: Get package SAS URI API
+description: Use this API to get a URI that allows downloading an investigation package.
+keywords: apis, graph api, supported apis, get package, sas, uri
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get package SAS URI API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.CollectForensics |	'Collect forensics'
+Delegated (work or school account) | Machine.CollectForensics |	'Collect forensics'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
+    "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
+}
+
+
+```

windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get package SAS URI API
+# Get package SAS URI API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Get a URI that allows downloading of an investigation package.
 

windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,92 @@
+---
+title: Get Ti Indicator by ID API
+description: Retrieves Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, get, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get TI Indicator by ID API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a TI Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If TI Indicator with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
+    "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+    "indicatorType": "FileSha1",
+    "title": "test",
+    "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+    "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
+    "expirationTime": "2020-12-12T00:00:00Z",
+    "action": "AlertAndBlock",
+    "severity": "Informational",
+    "description": "test",
+    "recommendedActions": "TEST"
+}
+
+```

windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,109 @@
+---
+title: List TiIndicators API
+description: Use this API to create calls related to get TiIndicators collection
+keywords: apis, public api, supported apis, TiIndicators collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List TiIndicators API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of TI Indicators.
+ Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Ti.ReadWrite |	'Read and write TI Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+
+>[!Note]
+> The response will only include TI Indicators that submitted by the calling Application. 
+
+
+## Example
+
+**Request**
+
+Here is an example of a request that gets all TI Indicators
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators",
+    "value": [
+        {
+            "indicator": "12.13.14.15",
+            "indicatorType": "IpAddress",
+            "title": "test",
+            "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
+            "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+            "expirationTime": "2020-12-12T00:00:00Z",
+            "action": "AlertAndBlock",
+            "severity": "Informational",
+            "description": "test",
+            "recommendedActions": "test"
+        },
+        {
+            "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+            "indicatorType": "FileSha1",
+            "title": "test",
+            "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+            "createdBy": "45097602-1234-5678-1234-9f453233e62c",
+            "expirationTime": "2020-12-12T00:00:00Z",
+            "action": "AlertAndBlock",
+            "severity": "Informational",
+            "description": "test",
+            "recommendedActions": "TEST"
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,85 @@
+---
+title: Get user information API
+description: Retrieve a User entity by key such as user name or domain.
+keywords: apis, graph api, supported apis, get, user, user information
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user information API
+
+[!include[Prerelease information](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Retrieve a User entity by key (user name or domain\user).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	User.Read.All |	'Read all user profiles'
+
+## HTTP request
+```
+GET /api/users/{id}/
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1@contoso.com
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
+    "id": "user1@contoso.com",
+    "firstSeen": "2018-08-02T00:00:00Z",
+    "lastSeen": "2018-08-04T00:00:00Z",
+    "mostPrevalentMachineId": null,
+    "leastPrevalentMachineId": null,
+    "logonTypes": "Network",
+    "logOnMachinesCount": 3,
+    "isDomainAdmin": false,
+    "isOnlyNetworkUser": null
+}
+```

windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get user information API
+# Get user information API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieve a User entity by key (user name or domain\user).
 

windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,125 @@
+---
+title: Get user related alerts API
+description: Retrieves a collection of alerts related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related alerts API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of alerts related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Alert.Read.All |	'Read all alerts'
+Application |	Alert.ReadWrite.All |	'Read and write all alerts'
+Delegated (work or school account) | Alert.Read | 'Read alerts'
+Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/alerts
+```
+
+**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/alerts**
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and user and alert exists - 200 OK. If user or alerts does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{    
+	"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 1",
+            "recommendedAction": "Some recommended action 1",
+            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 1",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+        },
+        {
+            "id": "636688558380765161_2136280442",
+            "severity": "Informational",
+            "status": "InProgress",
+            "description": "Some alert description 2",
+            "recommendedAction": "Some recommended action 2",
+            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+            "category": "General",
+            "title": "Some alert title 2",
+            "threatFamilyName": null,
+            "detectionSource": "WindowsDefenderAtp",
+            "classification": "TruePositive",
+            "determination": null,
+            "assignedTo": "best secop ever",
+            "resolvedTime": null,
+            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+            "actorName": null,
+            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+        }
+	]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get user related alerts API
+# Get user related alerts API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of alerts related to a given user ID.
 

windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,124 @@
+---
+title: Get user related machines API
+description: Retrieves a collection of machines related to a given user ID.
+keywords: apis, graph api, supported apis, get, user, user related alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get user related machines API
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Retrieves a collection of machines related to a given user ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.Read.All |	'Read all machine profiles'
+Application |	Machine.ReadWrite.All |	'Read and write all machine information'
+Delegated (work or school account) | Machine.Read | 'Read machine information'
+Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+GET /api/users/{id}/machines
+```
+
+**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/machines**
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user or machines does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+GET https://api.securitycenter.windows.com/api/users/user1/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{    
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+    "value": [
+        {
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+            "computerDnsName": "mymachine1.contoso.com",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "172.17.230.209",
+            "lastExternalIpAddress": "167.220.196.71",
+            "agentVersion": "10.5830.18209.1001",
+            "osBuild": 18209,
+            "healthStatus": "Active",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        },
+        {
+            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+            "computerDnsName": "mymachine2.contoso.com",
+            "firstSeen": "2018-07-09T13:22:45.1250071Z",
+			"lastSeen": "2018-07-09T13:22:45.1250071Z",
+            "osPlatform": "Windows10",
+            "osVersion": null,
+            "systemProductName": null,
+            "lastIpAddress": "192.168.12.225",
+            "lastExternalIpAddress": "79.183.65.82",
+            "agentVersion": "10.5820.17724.1000",
+            "osBuild": 17724,
+            "healthStatus": "Inactive",
+            "isAadJoined": true,
+            "machineTags": [],
+            "rbacGroupId": 140,
+            "riskScore": "Low",
+            "aadDeviceId": null
+        }
+    ]
+}
+```

windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md

@@ -14,13 +14,13 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
 
-# Get user related machines API
+# Get user related machines API (deprecated)
 
 **Applies to:**
 
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
-
+[!include[Deprecated information](deprecate.md)]
 
 Retrieves a collection of machines related to a given user ID.