From 1ad0a142bef13806296615fcc7f06efba4d679f0 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Tue, 5 Nov 2019 20:51:14 +0200
Subject: [PATCH] 3
---
 windows/security/threat-protection/TOC.md | 2 +-
 .../threat-protection/microsoft-defender-atp/alerts.md | 9 ++++-----
 .../microsoft-defender-atp/get-alerts.md | 3 ++-
 .../threat-protection/microsoft-defender-atp/oldTOC.txt | 2 +-
 .../microsoft-defender-atp/run-advanced-query-api.md | 4 ++--
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 099acd1d5f..859fcce644 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -370,7 +370,7 @@
 ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
 ##### [APIs]()
-###### [Supported Microsoft Defender ATP query APIs](microsoft-defender-atp/exposed-apis-list.md)
+###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
 ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
 ###### [Alert]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index dad2d2b35a..94978e31b9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -22,8 +22,6 @@ ms.topic: article
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Represents an alert entity in Microsoft Defender ATP.
-
 # Methods
 Method |Return Type |Description
 :---|:---|:---
@@ -66,14 +64,15 @@ alertIPs | List of Alert IPs | **This list will be populated on $expand option,
 alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below**
 Alert Domain is an object that contains: host string field.
-# JSON representation:
+
+## JSON representation:
 - When querying for alert list the regular way (without expand option, e.g. https://api.securitycenter.windows.com/api/alerts) the expandable properties will not get populated (empty lists)
 - To expand expandable properties use $expand option (e.g. to expand all send https://api.securitycenter.windows.com/api/alerts?$expand=files,ips,domains).
 - When querying single alert all expandable properties will be expanded.
 - Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples.
-## Response example for getting single alert:
+### Response example for getting single alert:
 ```
 GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499
@@ -84,7 +83,7 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
 "id": "da637084217856368682_-292920499",
 "incidentId": 66860,
 "investigationId": 4416234,
- "assignedTo": secop@contoso.com,
+ "assignedTo": "secop@contoso.com",
 "severity": "Low",
 "status": "New",
 "classification": "TruePositive",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index e59f997999..4db08b5045 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -96,7 +96,7 @@ Here is an example of the response.
 "id": "da637084217856368682_-292920499",
 "incidentId": 66860,
 "investigationId": 4416234,
- "assignedTo": secop@contoso.com,
+ "assignedTo": "secop@contoso.com",
 "severity": "Low",
 "status": "New",
 "classification": "TruePositive",
@@ -123,6 +123,7 @@ Here is an example of the response.
 "alertFiles": [],
 "alertDomains": [],
 "alertIps": []
+ }
 ]
 }
 ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index ffdde6dfa0..c4263e9958 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -343,7 +343,7 @@
 ###### [Get access with user context](exposed-apis-create-app-nativeapp.md)
 ##### [APIs]()
-###### [Supported Microsoft Defender ATP query APIs](exposed-apis-list.md)
+###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
 ###### [Advanced Hunting](run-advanced-query-api.md)
 ###### [Alert]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index f85d3c65c0..8dc833cda8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -24,8 +24,8 @@ ms.topic: article
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
 ## Limitations
-1. You can only run a query on data from the last 30 days
-2. The results will include a maximum of 100,000 rows
+1. You can only run a query on data from the last 30 days.
+2. The results will include a maximum of 100,000 rows.
 3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day.
 4. The maximal execution time of a single request is 10 minutes.