deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

delete

Browse Source
This commit is contained in:
Ben Alfasi 2019-02-25 11:53:28 +02:00
parent 00563ce094
commit 1a0dd86e0e
47 changed files with 0 additions and 4290 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
View File

@ -1,97 +0,0 @@
---
title: Block file API
description: Use this API to blocking files from being running in the organization.
keywords: apis, graph api, supported apis, block file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Block file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Prevent a file from being executed in the organization using Windows Defender Antivirus.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/files/{sha1}/block
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/block
Content-type: application/json
{
"Comment": "Block file due to alert 32123"
}
```
**Response**
Here is an example of the response.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
}
```

95
windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
View File

@ -1,95 +0,0 @@
---
title: Collect investigation package API
description: Use this API to create calls related to the collecting an investigation package from a machine.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Collect investigation package API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Collect investigation package from a machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/collectInvestigationPackage
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | Text | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "c9042f9b-8483-4526-87b5-35e4c2532223",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com ",
"requestorComment": " Collect forensics due to alert 1234",
"status": "InProgress",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:09:24.1785079Z",
"lastUpdateTimeUtc": "2017-12-04T12:09:24.1785079Z"
}
```

106
windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md
View File

@ -1,106 +0,0 @@
---
title: Use the Windows Defender Advanced Threat Protection exposed APIs
description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/23/2017
---
# Use the Windows Defender ATP exposed APIs (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, youll need to take the following steps to use the APIs:
- Create an app
- Get an access token
- Run queries on the graph API
### Before you begin
Before using the APIs, youll need to create an app that youll use to authenticate against the graph. Youll need to create a native app to use for the adhoc queries.
## Create an app
1. Log on to [Azure](https://portal.azure.com).
2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
3. In the Create window, enter the following information then click **Create**.
![Image of Create application window](images/atp-azure-create.png)
- **Name:** WinATPGraph
- **Application type:** Native
- **Redirect URI:** `https://localhost`
4. Navigate and select the newly created application.
![Image of new app in Azure](images/atp-azure-atp-app.png)
5. Click **All settings** > **Required permissions** > **Add**.
![Image of All settings, then required permissions](images/atp-azure-required-permissions.png)
6. Click **Select an API** > **Microsoft Graph**, then click **Select**.
![Image of API access and API selection](images/atp-azure-api-access.png)
7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
![Image of select permissions](images/atp-azure-select-permissions.png)
You can now use the code snippets in the following sections to query the API using the created app ID.
## Get an access token
1. Get the Client ID from the application you created.
2. Use the **Client ID**. For example:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
```
## Query the graph
Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
```
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// sample endpoint
string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
## Related topics
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)

88
windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md
View File

@ -1,88 +0,0 @@
---
title: Find machine information by internal IP API
description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
keywords: ip, apis, graph api, supported apis, find machine, machine information
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 07/25/2018
---
# Find machine information by internal IP API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Find a machine entity around a specific timestamp by internal IP.
>[!NOTE]
>The timestamp must be within the last 30 days.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/find(timestamp={time},key={IP})
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine exists - 200 OK.
If no machine found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61')
Content-type: application/json
```
**Response**
Here is an example of the response.
The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
"computerDnsName": "",
"firstSeen": "2017-07-06T01:25:04.9480498Z",
"osPlatform": "Windows10",
}
```

81
windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md
View File

@ -1,81 +0,0 @@
---
title: Get actor information API
description: Retrieves an actor information report.
keywords: apis, graph api, supported apis, get, actor, information
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get actor information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves an actor information report.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and actor exists - 200 OK.
If actor does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```

90
windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,90 +0,0 @@
---
title: Get actor related alerts API
description: Retrieves all alerts related to a given actor.
keywords: apis, graph api, supported apis, get, actor, related, alerts
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get actor related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves all alerts related to a given actor.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If actor does not exist or no related alerts - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 3,
"value": [
{
"id": "636390437845006321_-1646055784",
"severity": "Medium",
"status": "Resolved",
"description": "Malware associated with ZINC has been detected.",
"recommendedAction": "1.\tContact your incident response team.",
"alertCreationTime": "2017-08-23T00:09:43.9057955Z",
"category": "Malware",
"title": "Malware associated with the activity group ZINC was discovered",
}
```

86
windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md
View File

@ -1,86 +0,0 @@
---
title: Get alert information by ID API
description: Retrieves an alert by its ID.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alert information by ID API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves an alert by its ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If alert not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity",
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope.",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```

82
windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md
View File

@ -1,82 +0,0 @@
---
title: Get alert related actor information API
description: Retrieves the actor information related to the specific alert.
keywords: apis, graph api, supported apis, get, alert, actor, information, related
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alert related actor information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves the actor information related to the specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/actor
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and actor exist - 200 OK.
If alert not found or actor not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```

86
windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md
View File

@ -1,86 +0,0 @@
---
title: Get alert related domain information
description: Retrieves all domains related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alert related domain information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves all domains related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/domains
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and domain exist - 200 OK.
If alert not found or domain not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains",
"value": [
{
"host": "www.example.com"
}
]
}
```

86
windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md
View File

@ -1,86 +0,0 @@
---
title: Get alert related files information
description: Retrieves all files related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alert related files information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves all files related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/files
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and files exist - 200 OK.
If alert not found or files not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files",
"value": [
{
"sha1": "121c7060dada38275d7082a4b9dc62641b255c36",
"sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94",
"md5": "776c970dfd92397b3c7d74401c85cd40",
"globalPrevalence": null,
"globalFirstObserved": null,
}
```

86
windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md
View File

@ -1,86 +0,0 @@
---
title: Get alert related IP information
description: Retrieves all IPs related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alert related IP information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves all IPs related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/ips
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and an IP exist - 200 OK.
If alert not found or IPs not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228
}
```

81
windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md
View File

@ -1,81 +0,0 @@
---
title: Get alert related machine information
description: Retrieves all machines related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alert related machine information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves all machines related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/machine
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and machine exist - 200 OK.
If alert not found or machine not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "207575116e44741d2b22b6a81429b3ca4fd34608",
"computerDnsName": "machine1-corp.contoso.com",
"firstSeen": "2015-12-01T11:31:53.7016691Z",
}
```

83
windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md
View File

@ -1,83 +0,0 @@
---
title: Get alert related user information
description: Retrieves the user associated to a specific alert.
keywords: apis, graph api, supported apis, get, alert, information, related, user
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alert related user information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves the user associated to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/user
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and a user exists - 200 OK.
If alert not found or user not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountSid": null,
"accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4",
}
```

89
windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,89 +0,0 @@
---
title: Get alerts API
description: Retrieves top recent alerts.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves top recent alerts.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alerts exists - 200 OK.
If no recent alerts found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000",
"value": [
{
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```

88
windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,88 +0,0 @@
---
title: Get domain related alerts API
description: Retrieves a collection of alerts related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, alerts
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get domain related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and alert exists - 200 OK.
If domain or alert does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

85
windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md
View File

@ -1,85 +0,0 @@
---
title: Get domain related machines API
description: Retrieves a collection of machines related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, machines
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get domain related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and machine exists - 200 OK.
If domain or machines do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

82
windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md
View File

@ -1,82 +0,0 @@
---
title: Get domain statistics API
description: Retrieves the prevalence for the given domain.
keywords: apis, graph api, supported apis, get, domain, domain related machines
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get domain statistics API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves the prevalence for the given domain.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats",
"host": "example.com",
"orgPrevalence": "4070",
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
```

83
windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md
View File

@ -1,83 +0,0 @@
---
title: Get file information API
description: Retrieves a file by identifier Sha1, Sha256, or MD5.
keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get file information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a file by identifier Sha1, Sha256, or MD5.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a",
"md5": "d387a06cd4bf5fcc1b50c3882f41a44e",
"globalPrevalence": 40790196,
}
```

86
windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,86 +0,0 @@
---
title: Get file related alerts API
description: Retrieves a collection of alerts related to a given file hash.
keywords: apis, graph api, supported apis, get, file, hash
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get file related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and alert exists - 200 OK.
If file or alerts do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

84
windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md
View File

@ -1,84 +0,0 @@
---
title: Get file related machines API
description: Retrieves a collection of machines related to a given file hash.
keywords: apis, graph api, supported apis, get, machines, hash
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get file related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and machines exists - 200 OK.
If file or machines do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

85
windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md
View File

@ -1,85 +0,0 @@
---
title: Get file statistics API
description: Retrieves the prevalence for the given file.
keywords: apis, graph api, supported apis, get, file, statistics
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get file statistics API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves the prevalence for the given file.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"orgPrevalence": "106398",
"orgFirstSeen": "2017-07-30T13:29:50Z",
"orgLastSeen": "2017-08-29T13:29:31Z",
"topFileNames": [
"chrome.exe",
"old_chrome.exe"
]
}
```

120
windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
View File

@ -1,120 +0,0 @@
---
title: Get FileActions collection API
description: Use this API to create calls related to get fileactions collection
keywords: apis, graph api, supported apis, get, file, information, fileactions collection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get FileActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/fileactions
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a collection of FileAction objects.
>[!NOTE]
>Although Block and Unblock actions are under FileAction category, this API only returns the Block actions on files that are currently blocked. For example, a file that is blocked and then unblocked will not be seen on this API.
## Example
**Request**
Here is an example of the request on an organization that has three FileActions.
```
GET https://graph.microsoft.com/testwdatppreview/fileactions
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileActions",
"value": [
{
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
},
{
"fileIdentifier": "df708f0107c7cc75ba2e5aaadc88b8bcfa01071d",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T11:16:19.9209438Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "1316",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T11:16:19.9209438Z"
},
{
"fileIdentifier": "f5bc0981641c8a1fb3ef03e4bf574d8adf7134cf",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T10:57:02.2430564Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test 1256 2017.11.05",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T10:57:02.2430564Z"
}
]
}
```

92
windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
View File

@ -1,92 +0,0 @@
---
title: Get FileMachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, filemachineaction object
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get FileMachineAction object API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Gets file and machine actions.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/filemachineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *FileMachineAction* object.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions/3dc88ce3-dd0c-40f7-93fc-8bd14317aab6
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "3dc88ce3-dd0c-40f7-93fc-8bd14317aab6",
"sha1": "8908b4441a2cd7285fe9c82917f69041cd467cf7",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": "1104",
"status": "Succeeded",
"fileId": "8908b4441a2cd7285fe9c82917f69041cd467cf7",
"machineId": "61a2d326d2190d048950406b54af23416118094a",
"creationDateTimeUtc": "2017-09-06T08:04:06.1994034Z",
"lastUpdateDateTimeUtc": "2017-09-06T08:05:46.9200942Z",
"fileInstances": [
{
"filePath": "C:\\tools\\PE\\7f06a650-040b-4774-bb39-5264ea9e93fa.exe",
"status": "Succeeded"
}
]
}
```

179
windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md
View File

@ -1,179 +0,0 @@
---
title: Get FileMachineActions collection API
description: Use this API to create calls related to get filemachineactions collection
keywords: apis, graph api, supported apis, filemachineactions collection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get FileMachineActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/filemachineactions
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a collection of FileMachineAction objects since the Retention policy time of the organization.
## Example 1
**Request**
Here is an example of the request on an organization that has three FileMachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileActions",
"value": [
{
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
},
{
"fileIdentifier": "df708f0107c7cc75ba2e5aaadc88b8bcfa01071d",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T11:16:19.9209438Z",
"requestor": "Analyst@contoso.com ",
"requestorComment": "1316",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T11:16:19.9209438Z"
},
{
"fileIdentifier": "f5bc0981641c8a1fb3ef03e4bf574d8adf7134cf",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T10:57:02.2430564Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test 1256 2017.11.05",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T10:57:02.2430564Z"
}
]
}
```
##Example 2
**Request**
Here is an example of a request that filters the FileMachineActions by machine ID and shows the latest two FileMachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
```
**Response**
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions",
"value": [
{
"id": "6f1d364c-680c-499a-b30c-dd9265ad4c9d",
"sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"fileId": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T13:13:26.2106524Z",
"lastUpdateDateTimeUtc": "2017-12-04T13:15:07.1639963Z",
"fileInstances": [
{
"filePath": "C:\\Users\\ testUser \\Downloads\\elma.exe",
"status": "Succeeded"
},
{
"filePath": "C:\\Users\\ testUser \\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\elma (2).exe.xc9q785.partial",
"status": "Succeeded"
},
]
},
{
"id": "c083f601-012f-4955-b4cc-fab50fb69d79",
"sha1": "8d25682b3a82af25b42dc90291c35ff3293daa68",
"type": "RequestSample",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"fileId": "8d25682b3a82af25b42dc90291c35ff3293daa68",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T13:39:24.9399004Z",
"lastUpdateDateTimeUtc": "2017-12-04T13:40:01.1094743Z",
"fileInstances": [
{
"filePath": "C:\\Windows\\System32\\conhost.exe",
"status": "Succeeded"
}
]
}
]
}
```

86
windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,86 +0,0 @@
---
title: Get IP related alerts API
description: Retrieves a collection of alerts related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get IP related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and alert exists - 200 OK.
If IP and alerts do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

76
windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
View File

@ -1,76 +0,0 @@
---
title: Get IP related machines API
description: Retrieves a collection of machines related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, machines
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get IP related machines API
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

84
windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md
View File

@ -1,84 +0,0 @@
---
title: Get machine by ID API
description: Retrieves a machine entity by ID.
keywords: apis, graph api, supported apis, get, machines, entity, id
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get machine by ID API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a machine entity by ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine exists - 200 OK.
If no machine found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```

84
windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md
View File

@ -1,84 +0,0 @@
---
title: Get machine log on users API
description: Retrieves a collection of logged on users.
keywords: apis, graph api, supported apis, get, machine, log on, users
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get machine log on users API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of logged on users.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/logonusers
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and user exist - 200 OK.
If no machine found or no users found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users",
"value": [
{
"id": "m",
"accountSid": null,
"accountName": "",
"accountDomainName": "northamerica",
}
```

85
windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,85 +0,0 @@
---
title: Get machine related alerts API
description: Retrieves a collection of alerts related to a given machine ID.
keywords: apis, graph api, supported apis, get, machines, related, alerts
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get machine related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given machine ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and alert exists - 200 OK.
If no machine or no alerts found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 1,
"value": [
{
"id": "636396066728379047_-395412459",
"severity": "Medium",
"status": "New",
"description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.",
}
```

85
windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
View File

@ -1,85 +0,0 @@
---
title: Get MachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get MachineAction object API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Get actions done on a machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/machineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *MachineAction* object.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
}
```

159
windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
View File

@ -1,159 +0,0 @@
---
title: Get MachineActions collection API
description: Use this API to create calls related to get machineactions collection
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get MachineActions collection API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/machineactions
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a collection of MachineAction objects since the Retention policy time of the organization.
## Example 1
**Request**
Here is an example of the request on an organization that has three MachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z"
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
},
{
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "UnrestrictCodeExecution",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2017-12-04T12:16:14.2899973Z"
}
]
}
```
## Example 2
**Request**
Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z"
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
}
]
}
```

89
windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md
View File

@ -1,89 +0,0 @@
---
title: Get machines API
description: Retrieves a collection of recently seen machines.
keywords: apis, graph api, supported apis, get, machines
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of recently seen machines.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machines exists - 200 OK.
If no recent machines - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000",
"value": [
{
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```

80
windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
View File

@ -1,80 +0,0 @@
---
title: Get package SAS URI API
description: Use this API to get a URI that allows downloading an investigation package.
keywords: apis, graph api, supported apis, get package, sas, uri
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get package SAS URI API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Get a URI that allows downloading of an investigation package.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/machineactions/{id}/getPackageUri
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
}
```

82
windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md
View File

@ -1,82 +0,0 @@
---
title: Get user information API
description: Retrieve a User entity by key such as user name or domain.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get user information API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieve a User entity by key (user name or domain\user).
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "",
"accountSid": null,
"accountName": "",
"accountDomainName": "",
}
```

86
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,86 +0,0 @@
---
title: Get user related alerts API
description: Retrieves a collection of alerts related to a given user ID.
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/15/2018
---
# Get user related alerts API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of alerts related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and alert exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

84
windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md
View File

@ -1,84 +0,0 @@
---
title: Get user related machines API
description: Retrieves a collection of machines related to a given user ID.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Get user related machines API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Retrieves a collection of machines related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and machine exists - 200 OK.
If user or machine does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

76
windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
View File

@ -1,76 +0,0 @@
---
title: Is domain seen in org API
description: Use this API to create calls related to checking whether a domain was seen in the organization.
keywords: apis, graph api, supported apis, domain, domain seen
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
---
# Is domain seen in org (deprecated)
Answers whether a domain was seen in the organization.
[!include[Deprecated information](deprecate.md)]
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains/$entity",
"host": "example.com"
}
```

78
windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md
View File

@ -1,78 +0,0 @@
---
title: Is IP seen in org API
description: Answers whether an IP was seen in the organization.
keywords: apis, graph api, supported apis, is, ip, seen, org, organization
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Is IP seen in org (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Answers whether an IP was seen in the organization.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP exists - 200 OK.
If IP do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips/$entity",
"id": "192.168.1.1"
}
```

101
windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
View File

@ -1,101 +0,0 @@
---
title: Isolate machine API
description: Use this API to create calls related isolating a machine.
keywords: apis, graph api, supported apis, isolate machine
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Isolate machine API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Isolates a machine from accessing external network.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/isolate
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
IsolationType | IsolationType | Full or selective isolation
**IsolationType** controls the type of isolation to perform and can be one of the following:
- Full Full isolation
- Selective Restrict only limited set of applications from accessing the network
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
“IsolationType”: “Full”
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "b89eb834-4578-496c-8be0-03f004061435",
"type": "Isolate",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Isolate machine due to alert 1234",
"status": "InProgress",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
"lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z"
}
```

104
windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
View File

@ -1,104 +0,0 @@
---
title: Request sample API
description: Use this API to create calls related to requesting a sample from a machine.
keywords: apis, graph api, supported apis, request sample
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Request sample API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/requestSample
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to upload to the secure storage. **Required**.
## Response
If successful, this method returns 201, Created response code and *FileMachineAction* object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/requestSample
Content-type: application/json
{
"Comment": "Request Sample on machine due to alert 32123",
"Sha1": "8d25682b3a82af25b42dc90291c35ff3293daa68"
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "c083f601-012f-4955-b4cc-fab50fb69d79",
"sha1": "8d25682b3a82af25b42dc90291c35ff3293daa68",
"type": "RequestSample",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"status": "InProgress",
"fileId": "8d25682b3a82af25b42dc90291c35ff3293daa68",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T13:39:24.9399004Z",
"lastUpdateDateTimeUtc": "2017-12-04T13:39:24.9399004Z",
"fileInstances": [
{
"filePath": "C:\\Windows\\System32\\conhost.exe",
"status": "InProgress"
}
]
}
```

93
windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
View File

@ -1,93 +0,0 @@
---
title: Restrict app execution API
description: Use this API to create calls related to restricting an application from executing.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Restrict app execution API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Restrict execution of set of predefined applications.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/restrictCodeExecution
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution
Content-type: application/json
{
"Comment": "Restrict code execution due to alert 1234"
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "78d408d1-384c-4c19-8b57-ba39e378011a",
"type": "RestrictCodeExecution",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Restrict code execution due to alert 1234",
"status": "InProgress",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2017-12-04T12:15:04.3825985Z"
}
```

102
windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
View File

@ -1,102 +0,0 @@
---
title: Run antivirus scan API
description: Use this API to create calls related to running an antivirus scan on a machine.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Run antivirus scan API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Initiate Windows Defender Antivirus scan on the machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/runAntiVirusScan
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
ScanType| ScanType | Defines the type of the Scan. **Required**.
**ScanType** controls the type of scan to perform and can be one of the following:
- **Quick** Perform quick scan on the machine
- **Full** Perform full scan on the machine
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan
Content-type: application/json
{
"Comment": "Check machine for viruses due to alert 3212",
“ScanType”: “Full”
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "InProgress",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2017-12-04T12:18:27.1293487Z"
}
```

107
windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
View File

@ -1,107 +0,0 @@
---
title: Stop and quarantine file API
description: Use this API to create calls related to stopping and quarantining a file.
keywords: apis, graph api, supported apis, stop, quarantine, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Stop and quarantine file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Stop execution of a file on a machine and ensure its not executed again on that machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/stopAndQuarantineFile
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
## Response
If successful, this method returns 201, Created response code and _FileMachineAction_ object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/stopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 32123",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "6f1d364c-680c-499a-b30c-dd9265ad4c9d",
"sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": " Stop and quarantine file on machine due to alert 32123",
"status": "InProgress",
"fileId": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T13:13:26.2106524Z",
"lastUpdateDateTimeUtc": "2017-12-04T13:13:58.8098277Z",
"fileInstances": [
{
"filePath": "C:\\Users\\ testUser \\Downloads\\elma.exe",
"status": "InProgress"
},
{
"filePath": "C:\\Users\\testUser\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\elma (2).exe.xc9q785.partial",
"status": "InProgress"
},
]
}
```

44
windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
View File

@ -1,44 +0,0 @@
---
title: Supported Windows Defender Advanced Threat Protection query APIs
description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/03/2018
---
# Supported Windows Defender ATP query APIs (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
## In this section
Topic | Description
:---|:---
Actor | Run API calls such as get actor information and get actor related alerts.
Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization.
File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
KbInfo | Run API call that gets list of Windows KB's information
CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's
MachineSecurityStates | Run API call that gets list of machines with their security properties and versions
MachineGroups | Run API call that gets list of machine group definitions

94
windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
View File

@ -1,94 +0,0 @@
---
title: Unblock file API
description: Use this API to create calls related to allowing a file to be executed in the organization
keywords: apis, graph api, supported apis, unblock file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Unblock file API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Allow a file to be executed in the organization, using Windows Defender Antivirus.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/files/{sha1}/unblock
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock
Content-type: application/json
{
"Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm",
}
```
**Response**
Here is an example of the response.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
"fileIdentifierType": "Sha1",
"actionType": "UnBlock",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
}
```

95
windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
View File

@ -1,95 +0,0 @@
---
title: Release machine from isolation API
description: Use this API to create calls related to release a machine from isolation.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Release machine from isolation API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Undo isolation of a machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/unisolate
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate
Content-type: application/json
{
"Comment": "Unisolate machine since it was clean and validated"
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "09a0f91e-a2eb-409d-af33-5577fe9bd558",
"type": "Unisolate",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Unisolate machine since it was clean and validated ",
"status": "InProgress",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:13:15.0104931Z",
"lastUpdateTimeUtc": "2017-12-04T12:13:15.0104931Z"
}
```

96
windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
View File

@ -1,96 +0,0 @@
---
title: Remove app restriction API
description: Use this API to create calls related to removing a restriction from applications from executing.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/08/2017
---
# Remove app restriction API (deprecated)
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Deprecated information](deprecate.md)]
Unrestrict execution of set of predefined applications.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/unrestrictCodeExecution
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
```
**Response**
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "UnrestrictCodeExecution",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
"status": "InProgress",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2017-12-04T12:15:40.6052029Z"
}
```