Merge branch 'atp-public-preview' of https://cpubwin.visualstudio.com/_git/it-client into atp-public-preview

Joey Caparas 2017-08-28 11:10:40 -07:00
commit 2bfae6c154
16 changed files with 1109 additions and 96 deletions

View File

@ -70,6 +70,21 @@
#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
##### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
##### [Isolate machine](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
##### [Unisolate machine](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
##### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
##### [Unrestrict code execution](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
##### [Run antivirus scan](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
##### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
##### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
##### [Block file](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
##### [Unblock file](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
##### [Get package SAS URI](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
##### [Get MachineAction object](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
##### [Get FileMachineAction object](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
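Review bot: the new TOC labels "Restrict code execution" and "Unrestrict code execution" do not match the page they link to, whose H1 in this same commit reads "Restrict app execution" while its route is `restrictCodeExecution`; pick one term and use it in both the TOC and the page heading so readers can find the action under the name the API uses. Separately, the unchanged "Fix unhealthy sensors" context line links to `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` with "unhealhty" misspelled in the file name; it is outside this change, but worth a follow-up rename if the file on disk carries the typo.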

View File

@ -0,0 +1,68 @@
---
title: Block file API
description: Use this API to create calls related to blocking files from being executed in the organization.
keywords: apis, graph api, supported apis, block file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Block file
Prevent a file from being executed in the organization using Windows Defender.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/files/{sha1}/block
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block
Content-type: application/json
{
"Comment": "Block file due to alert 32123"
}
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
```
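Review bot: the example request posts to `/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block`, but the `## HTTP request` section documents `POST /testwdatppreview/files/{sha1}/block`; the two routes disagree and the example should use the documented one (the path segment is a file SHA1, which only makes sense under `/files/`). Also fix `ms.date: 09/01.2017`, which has a dot where the second slash belongs (the same value appears in every new page in this commit), and write the status as `200 OK` rather than `200, Ok` in both the response description and the example, to match the HTTP reason phrase.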

View File

@ -0,0 +1,77 @@
---
title: Collect investigation package API
description: Use this API to create calls related to the collecting an investigation package from a machine.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Collect investigation package
Collect investigation package from a machine.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/collectInvestigationPackage
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | Text | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "CollectInvestigationPackage",
"status": "InProgress",
"error": "Unknown"
}
```
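Review bot: the `Comment` parameter is typed `Text` in this page's table but `String` on every other action page in this commit; use `String` here as well. Smaller points in the same file: the front-matter description reads "related to the collecting an investigation package" (drop "the"), `Bearer {token}. Required.` is not bolded as it is on the block-file page, and `ms.date: 09/01.2017` carries the same malformed date as the other new pages.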

View File

@ -94,102 +94,7 @@ HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
## Supported APIs
| Entity | Action | Description | Functions | Route |
|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------|
| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} |
| | GetAlerts | Retrieves all alerts related to a given actor. | $expand, $top, $select, $count | /actor/{id}/alerts |
| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts |
| | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} |
| | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines |
| | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files |
| | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor |
| | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains |
| | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips |
| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines |
| | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts |
| | GetLogOnUsers | Retrieves a collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers |
| | Find | Find a machine entity around a specific timestamp by FQDN or internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) |
| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines |
| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given domain address | $top, $select, $count, $expand | /domains/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines |
| | Stats | Retrieves the prevalence for the given domain | | /domains/{id}/stats |
| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines |
| | Stats | Retrieves the prevalence for the given IP | | /ips/{id}/stats |
| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines |
| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines |
### Example queries
After creating the application, you can run the following queries.
Fetching the top 20 alerts with machine information:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
Response:
```
{
"@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts",
"@odata.count": 20,
"@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20",
"value": [
{
"id": "636341278149188342_1960231459",
"severity": "Medium",
"status": "New",
"description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.",
"recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.",
"alertCreationTime": "2017-06-27T02:36:53.7841015Z",
"category": "Installation",
"title": "Process hollowing detected",
"threatFamilyName": null,
"detectionSource": null,
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2017-06-29T10:11:54.2872094Z",
"firstEventTime": "2017-06-27T02:30:23.9320988Z",
"machine": {
"id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b",
"computerDnsName": null,
"firstSeen": "0001-01-01T00:00:00Z",
"isOnline": false,
"osPlatform": null,
"osVersion": null,
"systemProductName": null,
"lastIpAddress": null,
"lastExternalIpAddress": null,
"agentVersion": null,
"osBuild": null,
"healthStatus": "Active",
"isAadJoined": null
}
},
}….
```
## Related topics
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
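Review bot: the removed C# sample interpolated `{apiVersion}` into the endpoint string without ever declaring it (the constants above it define only `authority`, `resourceId`, `clientId` and `redirect`); if this snippet is being moved verbatim into the new supported-apis page, declare `apiVersion` there, and drop the `// the query itself in yellow` comment, which refers to a highlight markdown cannot render. The removed response sample also ended in `}….`, which is neither valid JSON nor a clear truncation marker; the `>[!NOTE]` truncation callout that the action pages in this commit use would be the clearer way to mark it in the new location.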

View File

@ -0,0 +1,67 @@
---
title: Get FileMachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, filemachineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Get MachineAction object
Get MachineAction object
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
GET /testwdatppreview/filemachineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *FileMachineAction* object.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions/7327b54fd718525cbca07dacde913b5ac3c85673
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "stopAndQuarantineFile",
"status": "Success",
"error": "Unknown"
}
```
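Review bot: the H1 and the intro line both read "Get MachineAction object" although the front-matter title, the route `GET /testwdatppreview/filemachineactions/{id}` and the `## Response` section all concern the FileMachineAction object; this reads as a copy from the MachineAction page, so retitle the heading and intro. In the same vein, the example response's `@odata.context` ends in `#MachineActions/$entity` where the request-sample and stop-and-quarantine pages in this commit use `#FileMachineActions/$entity`, and the example request passes the 40-hex value `7327b54fd718525cbca07dacde913b5ac3c85673` as the action id while the response returns a GUID (`ac19aae7-4146-4a13-a786-eb43d8557f7c`); the request example should use a GUID-shaped id so readers do not assume a file hash identifies an action.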

View File

@ -0,0 +1,67 @@
---
title: Get MachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Get MachineAction object
Get MachineAction object
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
GET /testwdatppreview/machineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *MachineAction* object.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "UnrestrictExecution",
"status": "Success",
"error": "Unknown"
}
```
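Review bot: the example request uses `7327b54fd718525cbca07dacde913b5ac3c85673`, a SHA1-shaped value, as the MachineAction id, while the example response (and every MachineAction response elsewhere in this commit) identifies the action by a GUID such as `ac19aae7-4146-4a13-a786-eb43d8557f7c`; use a GUID in the request so the id format is consistent. The intro line merely repeats the heading; a sentence stating that the call returns the current status of a previously submitted machine action would tell the reader what to poll for, and the front-matter description "related to get machineaction object" needs rewording.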

View File

@ -0,0 +1,67 @@
---
title: Get package SAS URI API
description: Use this API to get a URI that allows downloading an investigation package.
keywords: apis, graph api, supported apis, get package, sas, uri
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Get package SAS URI
Get a Uri that allows downloading an investigation package.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machineactions/{id}/getPackageUri
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testrespver1/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
}
```
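Review bot: the `## HTTP request` section documents `POST .../machineactions/{id}/getPackageUri`, but the example issues `GET .../GetPackageUri`; both the verb and the route casing differ, and only one can be right. The `Content-Type` request header is listed although the body is documented as empty, and the example response's `@odata.context` points at `testrespver1` rather than the `testwdatppreview` version used on every other page. The response description says the link "is valid for a very short time"; state the actual validity window so operators can size their download step. Finally, the example embeds a complete SAS token of several hundred characters; since that value is a bearer credential for the package download, replace it with a short placeholder such as `{sas-token}` rather than shipping a real-looking token in the docs.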

View File

@ -0,0 +1,83 @@
---
title: Isolate machine API
description: Use this API to create calls related isolating a machine.
keywords: apis, graph api, supported apis, isolate machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Isolate machine
Isolates a machine from accessing external network.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/isolate
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
IsolationType | IsolationType | Full or selective isolation
**IsolationType** controls the type of isolation to perform and can be one of the following:
- Full Full isolation
- Selective Restrict only limited set of applications from accessing the network
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
“IsolationType”: “Full”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "Isolate",
"status": "InProgress",
"error": "Unknown"
}
```
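Review bot: the example request body uses curly quotes on the `“IsolationType”: “Full”` line, which is not valid JSON and will fail if pasted; replace them with straight quotes. The `IsolationType` row in the parameter table does not say whether the field is required, while `Comment` does, and the two-item list runs the value into its meaning (`- Full Full isolation`); separate them, for example `- **Full**: full isolation`, as the run-antivirus-scan page in this commit does. Also reword the front-matter description "related isolating a machine" (missing "to") and fix `ms.date: 09/01.2017`.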

View File

@ -0,0 +1,78 @@
---
title: Request sample API
description: Use this API to create calls related to requesting a sample from a machine.
keywords: apis, graph api, supported apis, request sample
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Request sample
Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/requestSample
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
SHA1 | String | SHA1 of the file to upload to the secure storage. **Required**.
## Response
If successful, this method returns 201, Created response code and *FileMachineAction* object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 32123",
“Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "RequestSample",
"status": "InProgress",
"error": "Unknown"
}
```
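Review bot: the example request posts to `/machines/.../unrestrictCodeExecution` and its comment reads "Stop and quarantine file on machine due to alert 32123", neither of which belongs to this API; the documented route is `POST /testwdatppreview/machines/{id}/requestSample`, so the example appears to have been copied from another page and should use that route and a matching comment. The body also uses curly quotes around `“Sha1”` and its value, which is not valid JSON, and the parameter is spelled `SHA1` in the table but `Sha1` in the example; pick one casing.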

View File

@ -0,0 +1,76 @@
---
title: Restrict app execution API
description: Use this API to create calls related to restricting an application from executing.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Restrict app execution
Restrict execution of set of predefined applications.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/restrictCodeExecution
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution
Content-type: application/json
{
"Comment": "Restrict code execution due to alert 1234"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "RestrictExecution",
"status": "InProgress",
"error": "Unknown"
}
```
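Review bot: the front-matter `keywords` line still reads "collect investigation package", copied from another page; it should name the restrict-execution action. The H1 "Restrict app execution" also disagrees with the TOC label "Restrict code execution" and the route `restrictCodeExecution` added in this same commit; settle on one term. The intro "Restrict execution of set of predefined applications" does not say which applications are in the set or where it is defined; one sentence on that would let an operator judge the blast radius before triggering the action.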

View File

@ -0,0 +1,85 @@
---
title: Run antivirus scan API
description: Use this API to create calls related to running an antivirus scan on a machine.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Run antivirus scan
Initiate Windows Defender Antivirus scan on the machine.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/runAntiVirusScan
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
ScanType| ScanType | Defines the type of the Scan. **Required**.
**ScanType** controls the type of isolation to perform and can be one of the following:
- **Quick** Perform quick scan on the machine
- **Full** Perform full scan on the machine
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan
Content-type: application/json
{
"Comment": "Check machine for viruses due to alert 3212",
“ScanType”: “Full”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "RunAntiVirusScan",
"status": "InProgress",
"error": "Unknown"
}
```
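Review bot: the sentence "**ScanType** controls the type of isolation to perform" was carried over from the isolate page and should say "type of scan". The `keywords` front matter likewise reads "remove machine from isolation" and does not describe this page. The example request uses curly quotes on the `“ScanType”: “Full”` line, which is not valid JSON, and the `ScanType| ScanType` table row is missing the space before the pipe.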

View File

@ -0,0 +1,78 @@
---
title: Stop and quarantine file API
description: Use this API to create calls related to stopping and quarantining a file.
keywords: apis, graph api, supported apis, stop, quarantine, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Stop and quarantine file
Stop execution of a file on a machine and ensure its not executed again on that machine.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/stopAndQuarantineFile
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
SHA1 | String | SHA1 of the file to stop and quarantine on the machine. **Required**.
## Response
If successful, this method returns 201, Created response code and _FileMachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 32123",
“Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "StopAndQuarantineFile",
"status": "InProgress",
"error": "Unknown"
}
```
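Review bot: the example request posts to `/machines/.../unrestrictCodeExecution`, but this page documents `POST /testwdatppreview/machines/{id}/stopAndQuarantineFile`; the example must use the documented route. The example response repeats the status line `HTTP/1.1 201 Created` twice; delete one. The `“Sha1”` line uses curly quotes (invalid JSON) and is cased differently from the `SHA1` parameter in the table, and the intro's "ensure its not executed again" should read "it's".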

View File

@ -0,0 +1,125 @@
---
title: Supported Windows Defender Advanced Threat Protection APIs
description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Supported Windows Defender ATP APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
| Entity | Action | Description | Functions | Route |
|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------|
| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} |
| | GetAlerts | Retrieves all alerts related to a given actor. | $expand, $top, $select, $count | /actor/{id}/alerts |
| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts |
| | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} |
| | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines |
| | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files |
| | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor |
| | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains |
| | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips |
| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines |
| | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts |
| | GetLogOnUsers | Retrieves a collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers |
| | Find | Find a machine entity around a specific timestamp by FQDN or internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) |
| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines |
| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given domain address | $top, $select, $count, $expand | /domains/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines |
| | Stats | Retrieves the prevalence for the given domain | | /domains/{id}/stats |
| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines |
| | Stats | Retrieves the prevalence for the given IP | | /ips/{id}/stats |
| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines |
| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines |
### Example queries
After creating the application, you can run the following queries.
Fetching the top 20 alerts with machine information:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
Response:
```
{
"@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts",
"@odata.count": 20,
"@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20",
"value": [
{
"id": "636341278149188342_1960231459",
"severity": "Medium",
"status": "New",
"description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.",
"recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.",
"alertCreationTime": "2017-06-27T02:36:53.7841015Z",
"category": "Installation",
"title": "Process hollowing detected",
"threatFamilyName": null,
"detectionSource": null,
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2017-06-29T10:11:54.2872094Z",
"firstEventTime": "2017-06-27T02:30:23.9320988Z",
"machine": {
"id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b",
"computerDnsName": null,
"firstSeen": "0001-01-01T00:00:00Z",
"isOnline": false,
"osPlatform": null,
"osVersion": null,
"systemProductName": null,
"lastIpAddress": null,
"lastExternalIpAddress": null,
"agentVersion": null,
"osBuild": null,
"healthStatus": "Active",
"isAadJoined": null
}
},
}….
```
## Related topics
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
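Review bot: the two File rows at the bottom of the table carry endpoint errors. `GetMachines` lists `/files{id}/machines`, missing the slash before `{id}` (compare `/files/{id}/alerts` in the row above), and `Stats` lists `/files/{id}/machines`, which duplicates the GetMachines endpoint; by analogy with `/domains/{id}/stats` and `/ips/{id}/stats` it should be `/files/{id}/stats`. In the C# sample under "Example queries", `apiVersion` is interpolated into `ep` but never declared with the other constants, the comment `// the query itself in yellow` refers to highlighting that does not exist in markdown, and the `authority` constant is the `/oauth2/v2.0/authorize` endpoint URL rather than a tenant authority of the form `https://login.microsoftonline.com/common` that `AuthenticationContext` takes, which is worth double-checking before readers copy it; tagging the fence as csharp would also help. Minor: the code targets `https://graph.microsoft.com` while the sample response comes from `graph.microsoft-ppe.com/testwdatp`, and the response ends in `}….` without saying it is truncated, so a reader cannot tell which host and API version the example was actually run against.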

View File

@ -0,0 +1,67 @@
---
title: Unblock file API
description: Use this API to create calls related to allowing a file to be executed in the organization
keywords: apis, graph api, supported apis, unblock file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Unblock file
Allow a file to be executed in the organization, using Windows Defender.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/files/{sha1}/unblock
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock
Content-type: application/json
{
"Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm",
}
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
```
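Review bot: the example request body is invalid JSON: the trailing comma after the `"Comment"` value (`"Comment": "Unblock file since alert 1234 ...",` followed directly by `}`) will be rejected by a strict parser, so drop it. Under "Response", "indicates that block message was sent" should read "unblock message" on this page. The example request also omits the `Authorization: Bearer {token}` header that the "Request headers" table marks as required; showing it with a placeholder token would make the sample copy-pasteable. In the front matter, `ms.date: 09/01.2017` mixes separators and should be `09/01/2017`.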

View File

@ -0,0 +1,77 @@
---
title: Unisolate machine API
description: Use this API to create calls related to removing a machine from isolation.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Unisolate machine
Remove machine from isolation.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/unisolate
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate
Content-type: application/json
{
"Comment": "Unisolate machine since it was clean and validated"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "Unisolate",
"status": "InProgress",
"error": "Unknown"
}
```
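Review bot: the "Request headers" table marks Authorization as `Required.` in plain text while the unblock-file page in this same commit bolds it as `**Required**.`; pick one. The `## Response` section says a `_MachineAction_` object is returned but never documents its properties, yet the sample shows `"status": "InProgress"` and `"error": "Unknown"` on a successful 201; a short table of `id`, `type`, `status` and `error` values (including what `Unknown` means for `error`) would tell callers how to poll the action for completion. The example request again lacks the required `Authorization` header, and `ms.date: 09/01.2017` should be `09/01/2017`.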

View File

@ -0,0 +1,78 @@
---
title: Unrestrict code execution API
description: Use this API to create calls related to removing a restriction from applications from executing.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Unrestrict code execution
Remove code execution restriction.
## Permissions
User needs to have “secop” permissions.
## HTTP request
```
POST /testwdatppreview/machines/{id}/unrestrictCodeExecution
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "UnrestrictExecution",
"status": "InProgress",
"error": "Unknown"
}
```
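Review bot: the `keywords` front-matter value `remove machine from isolation` was copied from the unisolate-machine page and does not match this page; it should describe removing a code execution restriction. The `description` line "removing a restriction from applications from executing" is awkward; "removing a restriction that prevents applications from executing" reads better. The same three points as the sibling pages apply here: `Required.` versus `**Required**.` in the headers table, the example request lacks the required `Authorization` header, and `ms.date: 09/01.2017` should be `09/01/2017`.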