diff --git a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9ae13f3020 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md @@ -0,0 +1,68 @@ +--- +title: Block file API +description: Use this API to create calls related to blocking files from being executed in the organization. +keywords: apis, graph api, supported apis, block file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Block file +Prevent a file from being executed in the organization using Windows Defender. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/files/{sha1}/block +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + + +## Response +If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block +Content-type: application/json +{ + "Comment": "Block file due to alert 32123" +} + +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +``` 
diff --git a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..cf4545b1cf --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,87 @@ +--- +title: Collect investigation package API +description: Use this API to create calls related to the collecting an investigation package from a machine. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Collect investigation package +Collect investigation package from a machine. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/collectInvestigationPackage +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | Text | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage +Content-type: application/json +{ + "Comment": "Collect forensics due to alert 1234" +} +Response +Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "CollectInvestigationPackage", + "status": "InProgress", + "error": "Unknown" +} +``` +Response + +Here is an example of the response. 
+ +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "CollectInvestigationPackage", + "status": "InProgress", + "error": "Unknown" +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..bdc4be053b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,83 @@ +--- +title: Isolate machine API +description: Use this API to create calls related isolating a machine. +keywords: apis, graph api, supported apis, isolate machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Isolate machine +Isolates a machine from accessing external network. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/isolate +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +IsolationType | IsolationType | Full or selective isolation + +**IsolationType** controls the type of isolation to perform and can be one of the following: +- Full – Full isolation +- Selective – Restrict only limited set of applications from accessing the network + + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate +Content-type: application/json +{ + "Comment": "Isolate machine due to alert 1234", + “IsolationType”: “Full” +} + +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "Isolate", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..c876bcf8f0 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,78 @@ +--- +title: Request sample API +description: Use this API to create calls related to requesting a sample from a machine. +keywords: apis, graph api, supported apis, request sample +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Request sample +Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/requestSample +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +SHA1 | String | SHA1 of the file to upload to the secure storage. **Required**. + +## Response +If successful, this method returns 201, Created response code and *FileMachineAction* object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Stop and quarantine file on machine due to alert 32123", + “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” +} +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "RequestSample", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..6b9299e944 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,76 @@ +--- +title: Restrict app execution API +description: Use this API to create calls related to restricting an application from executing. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Restrict app execution +Restrict execution of set of predefined applications. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/restrictCodeExecution +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution +Content-type: application/json +{ + "Comment": "Restrict code execution due to alert 1234" +} + +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "RestrictExecution", + "status": "InProgress", + "error": "Unknown" +} +``` 
diff --git a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..110a43b208 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,85 @@ +--- +title: Run antivirus scan API +description: Use this API to create calls related to running an antivirus scan on a machine. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Run antivirus scan +Initiate Windows Defender Antivirus scan on the machine. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/runAntiVirusScan +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +ScanType| ScanType | Defines the type of the Scan. **Required**. + +**ScanType** controls the type of isolation to perform and can be one of the following: + +- **Quick** – Perform quick scan on the machine +- **Full** – Perform full scan on the machine + + + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan +Content-type: application/json +{ + "Comment": "Check machine for viruses due to alert 3212", + “ScanType”: “Full” +} +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "RunAntiVirusScan", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..96789ddeb9 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,78 @@ +--- +title: Stop and quarantine file API +description: Use this API to create calls related to stopping and quarantining a file. +keywords: apis, graph api, supported apis, stop, quarantine, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Stop and quarantine file +Stop execution of a file on a machine and ensure it’s not executed again on that machine. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/stopAndQuarantineFile +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +SHA1 | String | SHA1 of the file to stop and quarantine on the machine. **Required**. + +## Response +If successful, this method returns 201, Created response code and _FileMachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Stop and quarantine file on machine due to alert 32123", + “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” +} +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "StopAndQuarantineFile", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0b5317d48a --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,67 @@ +--- +title: Unblock file API +description: Use this API to create calls related to allowing a file to be executed in the organization +keywords: apis, graph api, supported apis, unblock file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Unblock file +Allow a file to be executed in the organization, using Windows Defender. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/files/{sha1}/unblock +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + + +## Response +If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock +Content-type: application/json +{ + "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm", +} +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +``` diff --git a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5fbb90a186 --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md @@ -0,0 +1,77 @@ +--- +title: Unisolate machine API +description: Use this API to create calls related to removing a machine from isolation. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Unisolate machine +Remove machine from isolation. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/unisolate +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate +Content-type: application/json +{ + "Comment": "Unisolate machine since it was clean and validated" +} + +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "Unisolate", + "status": "InProgress", + "error": "Unknown" +} + +``` 
diff --git a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e9777ece2f --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,78 @@ +--- +title: Remove code execution restriction API +description: Use this API to create calls related to removing a restriction from applications from executing. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Remove code execution restriction +Remove code execution restriction. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/unrestrictCodeExecution +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Unrestrict code execution since machine was cleaned and validated" +} + +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "UnrestrictExecution", + "status": "InProgress", + "error": "Unknown" +} + +```
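Review bot: In block-file-windows-defender-advanced-threat-protection.md the example request does not match the documented route: the HTTP request section gives `POST /testwdatppreview/files/{sha1}/block`, but the example posts to `.../machines/7327b54fd718525cbca07dacde913b5ac3c85673/block`. That value is a SHA1, so the example should read `POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/block`. The front matter `ms.date: 09/01.2017` is malformed (period instead of slash) and the same typo is repeated in every file of this patch; it should be `09/01/2017` throughout. The standard reason phrase is `200 OK`, not `200 Ok`.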
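Review bot: In collect-investigation-package-windows-defender-advanced-threat-protection.md the request example's code fence is never closed, so `Response`, the note text, `HTTP/1.1 201 Created` and the entire JSON response land inside the request block, and the Response section is then repeated a second time below it. Close the fence right after the request's closing `}` and delete the duplicated inline copy so only the properly formatted Response section remains. The Comment parameter's type is `Text` here while every other file in the patch uses `String`, and the description `related to the collecting an investigation package` should drop `the`.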
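Review bot: In isolate-machine-windows-defender-advanced-threat-protection.md the request example uses typographic quotes in `“IsolationType”: “Full”`, which is not valid JSON and will fail for anyone who pastes it; use straight quotes `"IsolationType": "Full"`. The `Required` marker in the Authorization header row is plain text here but bold in the block and unblock files; pick one style across the set.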
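Review bot: In request-sample-windows-defender-advanced-threat-protection.md the example request posts to the wrong route with the wrong comment: the documented request is `POST /testwdatppreview/machines/{id}/requestSample`, but the example uses `.../unrestrictCodeExecution` and the comment `"Stop and quarantine file on machine due to alert 32123"` copied from the stop-and-quarantine page. The `“Sha1”` key also uses typographic quotes (invalid JSON) and its casing differs from the `SHA1` parameter name in the table above; the two should agree.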
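Review bot: In restrict-code-execution-windows-defender-advanced-threat-protection.md the `keywords` front matter reads `collect investigation package`, copied from the collect-investigation-package file; it should describe restricting app execution. The route, example URL and response type in this hunk are otherwise consistent with each other.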
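Review bot: In run-av-scan-windows-defender-advanced-threat-protection.md the sentence `**ScanType** controls the type of isolation to perform` is copied from the isolate page and should say the type of scan to perform. The `keywords` field likewise carries `remove machine from isolation` from the unisolate page. The example body uses typographic quotes in `“ScanType”: “Full”`, which is not valid JSON.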
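Review bot: In stop-quarantine-file-windows-defender-advanced-threat-protection.md the example request URL does not match the documented route: the HTTP request section gives `/machines/{id}/stopAndQuarantineFile` but the example posts to `.../unrestrictCodeExecution`. In the response example the line `HTTP/1.1 201 Created` appears twice; drop one. As in request-sample, `“Sha1”` uses typographic quotes and differs in casing from the `SHA1` parameter in the table.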
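Review bot: In unblock-file-windows-defender-advanced-threat-protection.md the example request body has a trailing comma after the `Comment` value (`"Comment": "...",` immediately followed by `}`), which is not valid JSON. The Response section says `block message was sent`, copied from the block page; it should say unblock. `200 Ok` should be `200 OK`, and the description line is missing its terminating period.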
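Review bot: In unrestrict-code-execution-windows-defender-advanced-threat-protection.md the `keywords` front matter carries `remove machine from isolation`, copied from the unisolate file; replace it with keywords for removing the code execution restriction. The description `removing a restriction from applications from executing` reads awkwardly; suggest `removing the restriction that prevents applications from executing`.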