Merge branch 'master' into mdm-gp-storage-policies

devices/hololens/hololens-encryption.md

@@ -19,11 +19,11 @@ You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/
 
 ## Enable device encryption using MDM
 
-You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP.)
+You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP.
 
 [See instructions for enabling device encryption using Microsoft Intune.](https://docs.microsoft.com/intune/compliance-policy-create-windows#windows-holographic-for-business)
 
-For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryptionn, use the following configuration:
+For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryption, use the following configuration:
 
 - **Name**: a name of your choice
 - **Description**: optional
@@ -35,7 +35,7 @@ For other MDM tools, see your MDM provider's documentation for instructions. If
 
 Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device. 
 
-### Create a provisioning package that upgrades the Windows Holographic edition
+### Create a provisioning package that upgrades the Windows Holographic edition and enables encryption
 
 1.	[Create a provisioning package for HoloLens.](hololens-provisioning.md)
 

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -86,6 +86,7 @@ If you enable this policy setting, Windows is allowed to install or update any d
 
 If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
 
+
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable.  For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).

windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: justinha
 ms.localizationpriority: medium
-ms.date: 10/12/2018
+ms.date: 11/28/2018
 ---
 
 # How Windows Information Protection protects files with a sensitivity label 
@@ -27,13 +27,15 @@ Microsoft information protection technologies work together as an integrated sol
 
 Microsoft information protection technologies include:
 
-- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
+- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. 
 
 - [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
 
-- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
+- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
 
-  ![Sensitivity labels](images/sensitivity-labels.png)
+End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
+
+![Sensitivity labels](images/sensitivity-labels.png)
 
 ## Default WIP behaviors for a sensitivity label
 

windows/security/threat-protection/TOC.md

@@ -265,7 +265,7 @@
 ######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
 ####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
-######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
 ######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
 ######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
 ######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@@ -274,8 +274,8 @@
 
 
 ####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
-######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
-######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
 ######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
 ######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
 ######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
@@ -284,6 +284,7 @@
 ######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
 ######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
 
 ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

windows/security/threat-protection/security-compliance-toolkit-10.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.author: sagaudre
 author: brianlic-msft
-ms.date: 06/25/2018
+ms.date: 11/26/2018
 ---
 
 # Microsoft Security Compliance Toolkit 1.0
@@ -22,6 +22,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
 The Security Compliance Toolkit consists of:
 
 -   Windows 10 security baselines
+    -   Windows 10 Version 1809 (October 2018 Update)
     -   Windows 10 Version 1803 (April 2018 Update)
     -   Windows 10 Version 1709 (Fall Creators Update)
     -   Windows 10 Version 1703 (Creators Update)
@@ -30,6 +31,7 @@ The Security Compliance Toolkit consists of:
     -   Windows 10 Version 1507
 
 -   Windows Server security baselines
+    -   Windows Server 2019
     -   Windows Server 2016
     -   Windows Server 2012 R2
 

windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md

@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: jsuther1974
-ms.date: 05/03/2018
+ms.date: 11/28/2018
 ---
 
 # Windows Defender Application Control 
@@ -17,6 +17,7 @@ ms.date: 05/03/2018
 
 -   Windows 10
 -   Windows Server 2016
+-   Windows Server 2019 
 
 With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. 
 In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. 
@@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
 
 ## WDAC System Requirements
 
-WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016. 
+WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. 
 They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. 
-Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016. 
+Group Policy or Intune can be used to distribute WDAC policies. 
 
 ## New and changed functionality
 

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -262,7 +262,7 @@
 ####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
 ###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
-####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@@ -270,8 +270,8 @@
 ####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
 
 ###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
-####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
-####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
 ####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
 ####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
 ####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
@@ -280,7 +280,7 @@
 ####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
 ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
-
+####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
 
 ###### [User](user-windows-defender-advanced-threat-protection-new.md)
 ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md

@@ -15,10 +15,12 @@ ms.date: 12/08/2017
 
 # Add or Remove Machine Tags API
 
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
 [!include[Prerelease information](prerelease.md)]
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
 - Adds or remove tag to a specific machine.
 
 ## Permissions
@@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
 Content-type: application/json
 {
-  "Value" : "Test Tag",
+  "Value" : "test Tag 2",
   "Action": "Add"
 }
 
@@ -85,26 +87,25 @@ HTTP/1.1 200 Ok
 Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
-    "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "computerDnsName": "mymachine55.contoso.com",
+    "computerDnsName": "mymachine1.contoso.com",
-    "firstSeen": "2018-07-31T14:20:55.8223496Z",
+    "firstSeen": "2018-08-02T14:55:03.7791856Z",
-    "lastSeen": "2018-09-27T08:44:05.6228836Z",
+	"lastSeen": "2018-08-02T14:55:03.7791856Z",
     "osPlatform": "Windows10",
-    "osVersion": null,
+    "osVersion": "10.0.0.0",
-    "lastIpAddress": "10.248.240.38",
+    "lastIpAddress": "172.17.230.209",
-    "lastExternalIpAddress": "167.220.2.166",
+    "lastExternalIpAddress": "167.220.196.71",
-    "agentVersion": "10.3720.16299.98",
+    "agentVersion": "10.5830.18209.1001",
-    "osBuild": 16299,
+    "osBuild": 18209,
     "healthStatus": "Active",
-    "isAadJoined": true,
+    "rbacGroupId": 140,
-    "machineTags": [
+	"rbacGroupName": "The-A-Team",
-        "Test Tag"
+    "riskScore": "Low",
-    ],
+	"isAadJoined": true,
-    "rbacGroupId": 75,
+    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-    "riskScore": "Medium",
+	"machineTags": [ "test tag 1", "test tag 2" ]
-    "aadDeviceId": null
 }
 
 ```
 
-To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
+- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md

@@ -17,7 +17,7 @@ ms.date: 12/08/2017
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-[!include[Prerelease information](prerelease.md)]
+[!include[Prerelease information](prerelease.md)]
 
 Represents an alert entity in WDATP.
 
@@ -37,45 +37,48 @@ Method|Return Type |Description
 # Properties
 Property |	Type	|	Description
 :---|:---|:---
-id | String | Alert ID
+id | String | Alert ID.
-severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+incidentId | String | The [Incident](incidents-queue.md) ID of the Alert. 
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the alert.
+severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
+status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
+classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
+determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General' .
+detectionSource | string | Detection source.
+threatFamilyName | string | Threat family.
+title | string | Alert title.
 description | String | Description of the threat, identified by the alert.
 recommendedAction | String | Action recommended for handling the suspected threat.
 alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
-title | string | Alert title
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
-threatFamilyName | string | Threat family
-detectionSource | string | Detection source 
-assignedTo | String | Owner of the alert
-classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
-determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
 resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
-firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
 machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
 
 # JSON representation
-```json
+```
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "id": "636688558380765161_2136280442",
+    "id": "121688558380765161_2136280442",
-    "severity": "Informational",
+	"incidentId": 7696,
-    "status": "InProgress",
+	"assignedTo": "secop@contoso.com",
-    "description": "Some alert description 1",
+	"severity": "High",
-    "recommendedAction": "Some recommended action 1",
+	"status": "New",
-    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+	"classification": "TruePositive",
-    "category": "General",
+	"determination": "Malware",
-    "title": "Some alert title 1",
+	"investigationState": "Running",
-    "threatFamilyName": null,
+	"category": "MalwareDownload",
-    "detectionSource": "WindowsDefenderAtp",
+	"detectionSource": "WindowsDefenderAv",
-    "classification": "TruePositive",
+	"threatFamilyName": "Mikatz",
-    "determination": null,
+	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-    "assignedTo": "best secop ever",
+	"description": "Some description"
-    "resolvedTime": null,
+	"recommendedAction": "Some recommended action"
-    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+	"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+	"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-    "actorName": null,
+	"lastEventTime": "2018-11-26T16:18:01.809871Z",
-    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+	"resolvedTime": null,
+	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ```

windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md

@@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 
 ## HTTP request
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 ```
 
 ## Request headers
@@ -77,7 +77,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 Content-Length: application/json
 
 {

windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md

@@ -21,12 +21,17 @@ ms.date: 11/15/2018
 
 - If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
 
--  Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. 
+- Not all properties are filterable.
--  [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. 
+
+### Properties that supports $filter:
+
+- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
+- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
+- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
 
 ### Example 1
 
-**Get all the machines with the tag 'ExampleTag'**
+- Get all the machines with the tag 'ExampleTag'
 
 ```
 HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@@ -41,25 +46,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples.dev.corp.Contoso.com",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-03-07T11:19:11.7234147Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-15T11:23:38.3196947Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
             "osVersion": "10.0.0.0",
-            "lastIpAddress": "123.17.255.241",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "123.220.196.180",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6400.18282.1001",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18282,
+            "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
+            "rbacGroupId": 140,
-            "machineTags": [
+			"rbacGroupName": "The-A-Team",
-                "ExampleTag"
+            "riskScore": "High",
-            ],
+			"isAadJoined": true,
-            "rbacGroupId": 5,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "rbacGroupName": "Developers",
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
-            "riskScore": "North",
-            "aadDeviceId": null
         },
 		.
 		.
@@ -70,6 +73,50 @@ Content-type: application/json
 
 ### Example 2
 
+- Get all the alerts that created after 2018-10-20 00:00:00
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "121688558380765161_2136280442",
+			"incidentId": 7696,
+			"assignedTo": "secop@contoso.com",
+			"severity": "High",
+			"status": "New",
+			"classification": "TruePositive",
+			"determination": "Malware",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-26T16:18:01.809871Z",
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 3
+
 - Get all the machines with 'High' 'RiskScore'
 
 ```
@@ -85,23 +132,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "e3a77eeddb83d581238792387b1239b01286b2f",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples.dev.corp.Contoso.com",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-12T10:27:08.708723Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
             "osVersion": "10.0.0.0",
-            "lastIpAddress": "123.123.10.33",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "124.124.160.172",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6300.18279.1001",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18279,
+            "osBuild": 18209,
-            "healthStatus": "ImpairedCommunication",
+            "healthStatus": "Active",
-            "isAadJoined": true,
+            "rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 5,
-            "rbacGroupName": "Developers",
             "riskScore": "High",
-            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
 		.
 		.
@@ -110,7 +157,7 @@ Content-type: application/json
 }
 ```
 
-### Example 3
+### Example 4
 
 - Get top 100 machines with 'HealthStatus' not equals to 'Active'
 
@@ -127,23 +174,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "1113333ddb83d581238792387b1239b01286b2f",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples.dev.corp.Contoso.com",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-12T10:27:08.708723Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
             "osVersion": "10.0.0.0",
-            "lastIpAddress": "123.123.10.33",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "124.124.160.172",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6300.18279.1001",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18279,
+            "osBuild": 18209,
-            "healthStatus": "ImpairedCommunication",
+            "healthStatus": "Active",
-            "isAadJoined": true,
+            "rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 5,
+            "riskScore": "High",
-            "rbacGroupName": "Developers",
+			"isAadJoined": true,
-            "riskScore": "Medium",
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
 		.
 		.
@@ -152,12 +199,12 @@ Content-type: application/json
 }
 ```
 
-### Example 4
+### Example 5
 
 - Get all the machines that last seen after 2018-10-20
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
 ```
 
 **Response:**
@@ -169,23 +216,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "83113465ffceca4a731234e5dcde3357e026e873",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples-vm10",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-11-12T16:07:50.1706168Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-12T16:07:50.1706168Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "WindowsServer2019",
+            "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "lastIpAddress": "10.123.72.35",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "123.220.2.3",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6300.18281.1000",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18281,
+            "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": false,
+            "rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 5,
+            "riskScore": "High",
-            "rbacGroupName": "Developers",
+			"isAadJoined": true,
-            "riskScore": "None",
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "aadDeviceId": null
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
 		.
 		.
@@ -194,7 +241,7 @@ Content-type: application/json
 }
 ```
 
-### Example 5
+### Example 6
 
 - Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
 

windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -15,11 +15,12 @@ ms.date: 12/08/2017
 
 # Find machines by internal IP API
 
-[!include[Prerelease information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
 - Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp 
 - The given timestamp must be in the past 30 days.
 
@@ -83,22 +84,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine33.contoso.com",
+			"computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-07-31T14:20:55.8223496Z",
+			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": null,
+			"lastSeen": "2018-09-22T08:55:03.7791856Z",
-            "osPlatform": "Windows10",
+			"osPlatform": "Windows10",
-            "osVersion": null,
+			"osVersion": "10.0.0.0",
-            "lastIpAddress": "10.248.240.38",
+			"lastIpAddress": "10.248.240.38",
-            "lastExternalIpAddress": "167.220.2.166",
+			"lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.3720.16299.98",
+			"agentVersion": "10.5830.18209.1001",
-            "osBuild": 16299,
+			"osBuild": 18209,
-            "healthStatus": "Active",
+			"healthStatus": "Active",
-            "isAadJoined": true,
+			"rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 75,
+			"riskScore": "Low",
-            "riskScore": "Medium",
+			"isAadJoined": true,
-            "aadDeviceId": null
+			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md

@@ -64,7 +64,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
 ```
 
 **Response**
@@ -75,24 +75,25 @@ Here is an example of the response.
 ```
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "id": "636688558380765161_2136280442",
+    "id": "441688558380765161_2136280442",
-    "severity": "Informational",
+	"incidentId": 8633,
-    "status": "InProgress",
+	"assignedTo": "secop@contoso.com",
-    "description": "Some alert description 1",
+	"severity": "Low",
-    "recommendedAction": "Some recommended action 1",
+	"status": "InProgress",
-    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+	"classification": "TruePositive",
-    "category": "General",
+	"determination": "Malware",
-    "title": "Some alert title 1",
+	"investigationState": "Running",
-    "threatFamilyName": null,
+	"category": "MalwareDownload",
-    "detectionSource": "WindowsDefenderAtp",
+	"detectionSource": "WindowsDefenderAv",
-    "classification": "TruePositive",
+	"threatFamilyName": "Mikatz",
-    "determination": null,
+	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-    "assignedTo": "best secop ever",
+	"description": "Some description"
-    "resolvedTime": null,
+	"recommendedAction": "Some recommended action"
-    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+	"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+	"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-    "actorName": null,
+	"lastEventTime": "2018-11-25T16:18:01.809871Z",
-    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+	"resolvedTime": null,
+	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 
 ```

windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md

@@ -14,12 +14,13 @@ ms.date: 12/08/2017
 ---
 
 # Get alert related machine information API
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
 
-Retrieves machine that is related to a specific alert.
+- Retrieves machine that is related to a specific alert.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -77,22 +78,22 @@ HTTP/1.1 200 OK
 Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
-    "id": "ff0c3800ed8d66738a514971cd6867166809369f",
+    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "computerDnsName": "amazingmachine.contoso.com",
+    "computerDnsName": "mymachine1.contoso.com",
-    "firstSeen": "2017-12-10T07:47:34.4269783Z",
+    "firstSeen": "2018-08-02T14:55:03.7791856Z",
-	"lastSeen": "2017-12-10T07:47:34.4269783Z",
+	"lastSeen": "2018-08-02T14:55:03.7791856Z",
     "osPlatform": "Windows10",
     "osVersion": "10.0.0.0",
-    "systemProductName": null,
+    "lastIpAddress": "172.17.230.209",
-    "lastIpAddress": "172.17.0.0",
+    "lastExternalIpAddress": "167.220.196.71",
-    "lastExternalIpAddress": "167.220.0.0",
+    "agentVersion": "10.5830.18209.1001",
-    "agentVersion": "10.5830.17732.1001",
+    "osBuild": 18209,
-    "osBuild": 17732,
     "healthStatus": "Active",
-    "isAadJoined": true,
+    "rbacGroupId": 140,
-    "machineTags": [],
+	"rbacGroupName": "The-A-Team",
-    "rbacGroupId": 75,
     "riskScore": "Low",
-    "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
+	"isAadJoined": true,
+    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"machineTags": [ "test tag 1", "test tag 2" ]
 }
 ```

windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md

@@ -21,8 +21,10 @@ ms.date: 12/08/2017
 [!include[Prerelease information](prerelease.md)]
 
 
-Retrieves top recent alerts.
+- Retrieves a collection of Alerts.
-
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -81,50 +83,55 @@ Here is an example of the response.
 >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
 
 
-```
+```json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636688558380765161_2136280442",
+            "id": "121688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 7696,
-            "status": "InProgress",
+			"assignedTo": "secop@contoso.com",
-            "description": "Some alert description 1",
+			"severity": "High",
-            "recommendedAction": "Some recommended action 1",
+			"status": "New",
-            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+			"classification": "TruePositive",
-            "category": "General",
+			"determination": "Malware",
-            "title": "Some alert title 1",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAtp",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": "TruePositive",
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": "best secop ever",
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-26T16:18:01.809871Z",
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         },
         {
-            "id": "636688558380765161_2136280442",
+            "id": "441688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 8633,
-            "status": "InProgress",
+			"assignedTo": "secop@contoso.com",
-            "description": "Some alert description 2",
+			"severity": "Low",
-            "recommendedAction": "Some recommended action 2",
+			"status": "InProgress",
-            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+			"classification": "TruePositive",
-            "category": "General",
+			"determination": "Malware",
-            "title": "Some alert title 2",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAtp",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": "TruePositive",
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": "best secop ever",
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         }
 	]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -84,44 +84,46 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "636688558380765161_2136280442",
+            "id": "441688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 8633,
-            "status": "InProgress",
+			"assignedTo": "secop@contoso.com",
-            "description": "Some alert description 1",
+			"severity": "Low",
-            "recommendedAction": "Some recommended action 1",
+			"status": "InProgress",
-            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+			"classification": "TruePositive",
-            "category": "General",
+			"determination": "Malware",
-            "title": "Some alert title 1",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAtp",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": "TruePositive",
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": "best secop ever",
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         },
         {
-            "id": "636688558380765161_2136280442",
+            "id": "121688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 4123,
-            "status": "InProgress",
+			"assignedTo": "secop@contoso.com",
-            "description": "Some alert description 2",
+			"severity": "Low",
-            "recommendedAction": "Some recommended action 2",
+			"status": "InProgress",
-            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+			"classification": "TruePositive",
-            "category": "General",
+			"determination": "Malware",
-            "title": "Some alert title 2",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAtp",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": "TruePositive",
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": "best secop ever",
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+			"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+			"firstEventTime": "2018-11-24T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-24T16:18:01.809871Z",
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         }
 	]
 }

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -80,42 +80,42 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "testMachine1",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-07-30T20:12:00.3708661Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-07-30T20:12:00.3708661Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
+            "lastIpAddress": "172.17.230.209",
-            "lastIpAddress": "10.209.67.177",
+            "lastExternalIpAddress": "167.220.196.71",
-            "lastExternalIpAddress": "167.220.1.210",
+            "agentVersion": "10.5830.18209.1001",
-            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 18209,
-            "osBuild": 18208,
+            "healthStatus": "Active",
-            "healthStatus": "Inactive",
+            "rbacGroupId": 140,
-            "isAadJoined": false,
+			"rbacGroupName": "The-A-Team",
-            "machineTags": [],
-            "rbacGroupId": 75,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
-            "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
+            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
-            "computerDnsName": "testMachine2",
+            "computerDnsName": "mymachine2.contoso.com",
-            "firstSeen": "2018-07-30T19:50:47.3618349Z",
+            "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lastSeen": "2018-07-30T19:50:47.3618349Z",
+			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
+            "lastIpAddress": "192.168.12.225",
-            "lastIpAddress": "10.209.70.231",
+            "lastExternalIpAddress": "79.183.65.82",
-            "lastExternalIpAddress": "167.220.0.28",
+            "agentVersion": "10.5820.17724.1000",
-            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 17724,
-            "osBuild": 18208,
             "healthStatus": "Inactive",
-            "isAadJoined": false,
+			"rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 75,
+            "riskScore": "Low",
-            "riskScore": "None",
+			"isAadJoined": false,
-            "aadDeviceId": null
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
 	]
 }

windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -82,24 +82,25 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636692391408655573_2010598859",
+            "id": "121688558380765161_2136280442",
-            "severity": "Low",
+			"incidentId": 7696,
-            "status": "New",
+			"assignedTo": "secop@contoso.com",
-            "description": "test alert",
+			"severity": "High",
-            "recommendedAction": "do this and that",
+			"status": "New",
-            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+			"classification": "TruePositive",
-            "category": "None",
+			"determination": "Malware",
-            "title": "test alert",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "CustomerTI",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": null,
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": null,
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-26T16:18:01.809871Z",
-            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -14,13 +14,14 @@ ms.date: 12/08/2017
 ---
 
 # Get file related machines API
+
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
 
-Retrieves a collection of machines related to a given file hash.
+- Retrieves a collection of machines related to a given file hash.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -83,39 +84,37 @@ Content-type: application/json
             "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
             "computerDnsName": "mymachine1.contoso.com",
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
             "computerDnsName": "mymachine2.contoso.com",
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
+			"rbacGroupId": 140,
-            "machineTags": [],
-            "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -81,24 +81,25 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636692391408655573_2010598859",
+            "id": "441688558380765161_2136280442",
-            "severity": "Low",
+			"incidentId": 8633,
-            "status": "New",
+			"assignedTo": "secop@contoso.com",
-            "description": "test alert",
+			"severity": "Low",
-            "recommendedAction": "do this and that",
+			"status": "InProgress",
-            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+			"classification": "TruePositive",
-            "category": "None",
+			"determination": "Malware",
-            "title": "test alert",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "CustomerTI",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": null,
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": null,
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -85,18 +85,18 @@ Content-type: application/json
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
 			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"rbacGroupName": "The-A-Team",
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -104,18 +104,18 @@ Content-type: application/json
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
 			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
+			"rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md

@@ -15,12 +15,13 @@ ms.date: 12/08/2017
 
 # Get machine by ID API
 
-[!include[Prerelease information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a machine entity by ID.
+
+[!include[Prerelease information](prerelease.md)]
+
+- Retrieves a machine entity by ID.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -85,18 +86,18 @@ Content-type: application/json
     "firstSeen": "2018-08-02T14:55:03.7791856Z",
 	"lastSeen": "2018-08-02T14:55:03.7791856Z",
     "osPlatform": "Windows10",
-    "osVersion": null,
+    "osVersion": "10.0.0.0",
-    "systemProductName": null,
     "lastIpAddress": "172.17.230.209",
     "lastExternalIpAddress": "167.220.196.71",
     "agentVersion": "10.5830.18209.1001",
     "osBuild": 18209,
     "healthStatus": "Active",
-    "isAadJoined": true,
-    "machineTags": [],
     "rbacGroupId": 140,
+	"rbacGroupName": "The-A-Team",
     "riskScore": "Low",
-    "aadDeviceId": null
+	"isAadJoined": true,
+    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"machineTags": [ "test tag 1", "test tag 2" ]
 }
 
 ```

windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -81,24 +81,25 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636692391408655573_2010598859",
+            "id": "441688558380765161_2136280442",
-            "severity": "Low",
+			"incidentId": 8633,
-            "status": "New",
+			"assignedTo": "secop@contoso.com",
-            "description": "test alert",
+			"severity": "Low",
-            "recommendedAction": "do this and that",
+			"status": "InProgress",
-            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+			"classification": "TruePositive",
-            "category": "None",
+			"determination": "Malware",
-            "title": "test alert",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "CustomerTI",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": null,
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": null,
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md

@@ -14,12 +14,14 @@ ms.date: 12/08/2017
 ---
 
 # Get machineAction API
+
 **Applies to:**
+
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
 
-Get action performed on a machine.
+- Get action performed on a machine.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md

@@ -15,14 +15,16 @@ ms.date: 12/08/2017
 
 # List MachineActions API
 
-[!include[Prerelease information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
- Gets collection of actions done on machines. 
+[!include[Prerelease information](prerelease.md)]
- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+- Gets collection of actions done on machines. 
+- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -167,3 +169,6 @@ Content-type: application/json
     ]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md

@@ -15,15 +15,16 @@ ms.date: 12/08/2017
 
 # List machines API
 
-[!include[Prerelease information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+[!include[Prerelease information](prerelease.md)]
-Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
-The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
+- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 
@@ -87,18 +88,18 @@ Content-type: application/json
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
 			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -106,19 +107,22 @@ Content-type: application/json
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
 			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
+			"rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -81,44 +81,46 @@ Content-type: application/json
 	"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636688558380765161_2136280442",
+            "id": "441688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 8633,
-            "status": "InProgress",
+			"assignedTo": "secop@contoso.com",
-            "description": "Some alert description 1",
+			"severity": "Low",
-            "recommendedAction": "Some recommended action 1",
+			"status": "InProgress",
-            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+			"classification": "TruePositive",
-            "category": "General",
+			"determination": "Malware",
-            "title": "Some alert title 1",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAtp",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": "TruePositive",
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": "best secop ever",
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         },
         {
-            "id": "636688558380765161_2136280442",
+            "id": "121688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 4123,
-            "status": "InProgress",
+			"assignedTo": "secop@contoso.com",
-            "description": "Some alert description 2",
+			"severity": "Low",
-            "recommendedAction": "Some recommended action 2",
+			"status": "InProgress",
-            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+			"classification": "TruePositive",
-            "category": "General",
+			"determination": "Malware",
-            "title": "Some alert title 2",
+			"investigationState": "Running",
-            "threatFamilyName": null,
+			"category": "MalwareDownload",
-            "detectionSource": "WindowsDefenderAtp",
+			"detectionSource": "WindowsDefenderAv",
-            "classification": "TruePositive",
+			"threatFamilyName": "Mikatz",
-            "determination": null,
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "assignedTo": "best secop ever",
+			"description": "Some description"
-            "resolvedTime": null,
+			"recommendedAction": "Some recommended action"
-            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+			"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
-            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+			"firstEventTime": "2018-11-24T16:17:50.0948658Z",
-            "actorName": null,
+			"lastEventTime": "2018-11-24T16:18:01.809871Z",
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
         }
 	]
 }

windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -14,6 +14,7 @@ ms.date: 12/08/2017
 ---
 
 # Get user related machines API
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
@@ -87,18 +88,18 @@ Content-type: application/json
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
 			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -106,18 +107,18 @@ Content-type: application/json
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
 			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
+			"rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md

@@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win
 lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
 osPlatform | String | OS platform.
 osVersion | String | OS Version.
-lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
-lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
+lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
 agentVersion | String | Version of WDATP agent.
-osBuild | Int | OS build number.
+osBuild | Nullable long | OS build number.
 healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
-isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+rbacGroupId | Int | RBAC Group ID.
+rbacGroupName | String | RBAC Group Name.
+riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
 machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
-rbacGroupId | Int | Group ID.
-riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).

windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md

@@ -10,7 +10,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 10/19/2018
+ms.date: 11/26/2018
 ---
 
 
@@ -20,6 +20,10 @@ ms.date: 10/19/2018
 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
 
 
+[!include[Prerelease information](prerelease.md)]
+
+>![TIP]
+>Go to **Advanced features** in the **Settings** page to turn on the preview features.
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) 
 

windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md

@@ -58,5 +58,9 @@ Onboard supported versions of Windows machines so that they can send sensor data
   - Windows 8.1 Pro 
 
  
+- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
+Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. 
+
+
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)  
 

windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,105 @@
+---
+title: Stop and quarantine file API
+description: Use this API to stop and quarantine file.
+keywords: apis, graph api, supported apis, stop and quarantine file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Stop and quarantine file API
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+- Stop execution of a file on a machine and delete it.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.StopAndQuarantine |	'Stop And Quarantine'
+Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Comment |	String |	Comment to associate with the action. **Required**.
+Sha1 |	String	 | Sha1 of the file to stop and quarantine on the machine. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile 
+Content-type: application/json
+{
+  "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+  "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+    "id": "141408d1-384c-4c19-8b57-ba39e378011a",
+    "type": "StopAndQuarantineFile",
+    "requestor": "Analyst@contoso.com ",
+    "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+    "status": "InProgress",
+    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+    "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+    "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+	"relatedFileInfo": {
+        "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
+        "fileIdentifierType": "Sha1"
+	}
+}
+
+```
+

windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md

@@ -72,10 +72,10 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
 Content-Type: application/json
 {
-	"assignedTo": "Our designated secop"
+	"assignedTo": "secop2@contoso.com"
 }
 ```
 
@@ -86,23 +86,24 @@ Here is an example of the response.
 ```
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
-    "id": "636688558380765161_2136280442",
+    "id": "121688558380765161_2136280442",
-    "severity": "Medium",
+	"incidentId": 7696,
-    "status": "InProgress",
+	"assignedTo": "secop2@contoso.com",
-    "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
+	"severity": "High",
-    "recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
+	"status": "New",
-    "alertCreationTime": "2018-08-07T10:18:04.2665329Z",
+	"classification": "TruePositive",
-    "category": "Installation",
+	"determination": "Malware",
-    "title": "Possible sensor tampering in memory",
+	"investigationState": "Running",
-    "threatFamilyName": null,
+	"category": "MalwareDownload",
-    "detectionSource": "WindowsDefenderAtp",
+	"detectionSource": "WindowsDefenderAv",
-    "classification": null,
+	"threatFamilyName": "Mikatz",
-    "determination": null,
+	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-    "assignedTo": "Our designated secop",
+	"description": "Some description"
-    "resolvedTime": null,
+	"recommendedAction": "Some recommended action"
-    "lastEventTime": "2018-08-07T10:14:35.470671Z",
+	"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
-    "firstEventTime": "2018-08-07T10:14:35.470671Z",
+	"firstEventTime": "2018-11-26T16:17:50.0948658Z",
-    "actorName": null,
+	"lastEventTime": "2018-11-26T16:18:01.809871Z",
-    "machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
+	"resolvedTime": null,
+	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ```

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 11/19/2018
+ms.date: 11/27/2018
 ---
 
 # Reduce attack surfaces with attack surface reduction rules 
@@ -64,9 +64,6 @@ This rule blocks the following file types from being run or launched from an ema
 - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
 - Script archive files
 
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
 ### Rule: Block all Office applications from creating child processes
 
 Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
@@ -88,18 +85,12 @@ Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to
 
 This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
 
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
 ### Rule: Block JavaScript or VBScript From launching downloaded executable content
 
 JavaScript and VBScript scripts can be used by malware to launch other malicious apps. 
 
 This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
 
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
-
 ### Rule: Block execution of potentially obfuscated scripts
 
 Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. 
@@ -132,9 +123,6 @@ This rule provides an extra layer of protection against ransomware. Executable f
  
 Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
 
->[!IMPORTANT]
->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
- 
  >[!NOTE]
  >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.
 

windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md

@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 10/17/2018
+ms.date: 11/27/2018
 ---
 
 # Customize attack surface reduction rules
@@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
 
 ## Exclude files and folders
 
-You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. 
+You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. 
 
 This could potentially allow unsafe files to run and infect your devices.
 
@@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi
 
 Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
 
-Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
+Exclusions apply to all attack surface reduction rules.
 
->[!IMPORTANT] 
+Rule description | GUID 
->Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). 
-
-
-Rule description | Rule honors exclusions | GUID 
 -|:-:|-
-Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
+Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
+Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
+Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
+Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
+Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
+Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
+Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
+Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
+Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
+Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
+Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.