From 0ae24befcf0bd7b70e3c0b1cda3699b61124f879 Mon Sep 17 00:00:00 2001 
From: jcaparas Date: Thu, 24 Aug 2017 22:13:05 -0700 Subject: [PATCH 01/10] add api calls --- ...ows-defender-advanced-threat-protection.md | 68 +++++++++++++++ ...ows-defender-advanced-threat-protection.md | 87 +++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 83 ++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 78 +++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 76 ++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 85 ++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 78 +++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 67 ++++++++++++++ ...ows-defender-advanced-threat-protection.md | 77 ++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 78 +++++++++++++++++ 10 files changed, 777 insertions(+) create mode 100644 windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md 
create mode 100644 windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md diff --git a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9ae13f3020 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,68 @@ +--- +title: Block file API +description: Use this API to create calls related to blocking files from being executed in the organization. +keywords: apis, graph api, supported apis, block file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Block file +Prevent a file from being executed in the organization using Windows Defender. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/files/{sha1}/block +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + + +## Response +If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block +Content-type: application/json +{ + "Comment": "Block file due to alert 32123" +} + +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +``` diff --git a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..cf4545b1cf --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,87 @@ +--- +title: Collect investigation package API +description: Use this API to create calls related to the collecting an investigation package from a machine. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Collect investigation package +Collect investigation package from a machine. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/collectInvestigationPackage +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | Text | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage +Content-type: application/json +{ + "Comment": "Collect forensics due to alert 1234" +} +Response +Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "CollectInvestigationPackage", + "status": "InProgress", + "error": "Unknown" +} +``` +Response + +Here is an example of the response. 
+ +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "CollectInvestigationPackage", + "status": "InProgress", + "error": "Unknown" +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..bdc4be053b --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,83 @@ +--- +title: Isolate machine API +description: Use this API to create calls related isolating a machine. +keywords: apis, graph api, supported apis, isolate machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Isolate machine +Isolates a machine from accessing external network. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/isolate +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +IsolationType | IsolationType | Full or selective isolation + +**IsolationType** controls the type of isolation to perform and can be one of the following: +- Full – Full isolation +- Selective – Restrict only limited set of applications from accessing the network + + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate +Content-type: application/json +{ + "Comment": "Isolate machine due to alert 1234", + “IsolationType”: “Full” +} + +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "Isolate", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..c876bcf8f0 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,78 @@ +--- +title: Request sample API +description: Use this API to create calls related to requesting a sample from a machine. +keywords: apis, graph api, supported apis, request sample +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Request sample +Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/requestSample +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +SHA1 | String | SHA1 of the file to upload to the secure storage. **Required**. + +## Response +If successful, this method returns 201, Created response code and *FileMachineAction* object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Stop and quarantine file on machine due to alert 32123", + “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” +} +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "RequestSample", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..6b9299e944 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,76 @@ +--- +title: Restrict app execution API +description: Use this API to create calls related to restricting an application from executing. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Restrict app execution +Restrict execution of set of predefined applications. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/restrictCodeExecution +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution +Content-type: application/json +{ + "Comment": "Restrict code execution due to alert 1234" +} + +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "RestrictExecution", + "status": "InProgress", + "error": "Unknown" +} +``` 
diff --git a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..110a43b208 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,85 @@ +--- +title: Run antivirus scan API +description: Use this API to create calls related to running an antivirus scan on a machine. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Run antivirus scan +Initiate Windows Defender Antivirus scan on the machine. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/runAntiVirusScan +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +ScanType| ScanType | Defines the type of the Scan. **Required**. + +**ScanType** controls the type of isolation to perform and can be one of the following: + +- **Quick** – Perform quick scan on the machine +- **Full** – Perform full scan on the machine + + + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan +Content-type: application/json +{ + "Comment": "Check machine for viruses due to alert 3212", + “ScanType”: “Full” +} +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "RunAntiVirusScan", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..96789ddeb9 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,78 @@ +--- +title: Stop and quarantine file API +description: Use this API to create calls related to stopping and quarantining a file. +keywords: apis, graph api, supported apis, stop, quarantine, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Stop and quarantine file +Stop execution of a file on a machine and ensure it’s not executed again on that machine. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/stopAndQuarantineFile +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +SHA1 | String | SHA1 of the file to stop and quarantine on the machine. **Required**. + +## Response +If successful, this method returns 201, Created response code and _FileMachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Stop and quarantine file on machine due to alert 32123", + “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” +} +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
+ +``` +HTTP/1.1 201 Created +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "StopAndQuarantineFile", + "status": "InProgress", + "error": "Unknown" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0b5317d48a --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,67 @@ +--- +title: Unblock file API +description: Use this API to create calls related to allowing a file to be executed in the organization +keywords: apis, graph api, supported apis, unblock file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Unblock file +Allow a file to be executed in the organization, using Windows Defender. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/files/{sha1}/unblock +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + + +## Response +If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock +Content-type: application/json +{ + "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm", +} +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +``` diff --git a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5fbb90a186 --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md @@ -0,0 +1,77 @@ +--- +title: Unisolate machine API +description: Use this API to create calls related to removing a machine from isolation. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Unisolate machine +Remove machine from isolation. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/unisolate +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate +Content-type: application/json +{ + "Comment": "Unisolate machine since it was clean and validated" +} + +``` +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "Unisolate", + "status": "InProgress", + "error": "Unknown" +} + +``` 
diff --git a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e9777ece2f --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,78 @@ +--- +title: Remove code execution restriction API +description: Use this API to create calls related to removing a restriction from applications from executing. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Remove code execution restriction +Remove code execution restriction. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machines/{id}/unrestrictCodeExecution +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. Required. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Unrestrict code execution since machine was cleaned and validated" +} + +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "UnrestrictExecution", + "status": "InProgress", + "error": "Unknown" +} + +``` 
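Review bot: In block-file-windows-defender-advanced-threat-protection.md the example request contradicts the documented route. The `HTTP request` section gives `POST /testwdatppreview/files/{sha1}/block`, but the example is `POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block`, which puts a SHA-1 under the `machines` collection; change it to `.../testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/block`. The Response section says the 200 only indicates that the block message "was sent", and unlike the machine actions in this patch no MachineAction id is returned, so state that the operation is asynchronous with nothing to poll, and how an operator confirms the hash is actually blocked. Also `ms.date: 09/01.2017` (a period instead of a slash) appears in every new file in this patch; it should be `09/01/2017`.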
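Review bot: In collect-investigation-package-windows-defender-advanced-threat-protection.md the request code fence is never closed, so the first `Response` heading, its note sentence and the `HTTP/1.1 201 Created` body are rendered inside the request example, and the whole Response section is then repeated below it. Close the fence after the request JSON and delete the first copy so a single `Response` / `>[!NOTE]` / `HTTP/1.1 201 Created` block remains. The parameter table also gives `Comment | Text | ...` while every other file in the patch uses `String`; use `String` here as well.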
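Review bot: In isolate-machine-windows-defender-advanced-threat-protection.md the example body uses typographic quotes, `“IsolationType”: “Full”`, which is not valid JSON and fails when pasted into a client; replace them with straight double quotes. The parameter table marks `Comment` as **Required** but says nothing about whether `IsolationType` is required or what is applied when it is omitted. Selective isolation is a weaker containment than Full, so the default matters to the operator; state it explicitly.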
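Review bot: In request-sample-windows-defender-advanced-threat-protection.md the example was copied from the stop-and-quarantine page: the URL ends in `/unrestrictCodeExecution` instead of `/requestSample`, and the comment reads `"Stop and quarantine file on machine due to alert 32123"`. Change the URL to `.../machines/fb9ab6be3965095a09c057be7c90f0a2/requestSample` and use a comment about collecting a sample. The body also uses typographic quotes around `“Sha1”`, and the table names the parameter `SHA1` while the example uses `Sha1`; pick one casing and use straight quotes.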
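Review bot: In restrict-code-execution-windows-defender-advanced-threat-protection.md the front matter `keywords` line still reads `collect investigation package`, copied from another file; replace it with keywords for restricting app execution. The title and H1 say "Restrict app execution" while the route (`restrictCodeExecution`), the response `type` (`RestrictExecution`) and the file name all say code execution; align the naming so the page is found alongside its companion `unrestrictCodeExecution` page.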
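Review bot: In run-av-scan-windows-defender-advanced-threat-protection.md the sentence `**ScanType** controls the type of isolation to perform` was copied from the isolate page and should read "controls the type of scan to perform". The `keywords` line likewise still says `remove machine from isolation`. The example body uses typographic quotes, `“ScanType”: “Full”`, which is invalid JSON; use straight quotes.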
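Review bot: In stop-quarantine-file-windows-defender-advanced-threat-protection.md the example request posts to `/unrestrictCodeExecution` instead of the documented `/stopAndQuarantineFile`, and the response example repeats `HTTP/1.1 201 Created` on two consecutive lines. Fix the URL, drop the duplicate status line, and replace the typographic quotes around `“Sha1”` with straight quotes; the table calls the parameter `SHA1`, so align the casing too.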
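Review bot: In unblock-file-windows-defender-advanced-threat-protection.md the example body has a trailing comma after its only property, `"Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm",` followed by `}`, which is not valid JSON; remove the comma. The Response section says the 200 `indicates that block message was sent`; for this endpoint it should say unblock. Because this call reverses a containment control for the whole organization and, like block, returns no MachineAction to poll, the text should also say how to confirm the hash is no longer blocked.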
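Review bot: In unisolate-machine-windows-defender-advanced-threat-protection.md, as in the other machine-action pages in this patch, the header table row `Authorization | Bearer {token}. Required.` is not bolded while the block, unblock and request-sample pages write `**Required**`; make the emphasis consistent. The example header `Content-type: application/json` also differs in case from the table's `Content-Type`; use one spelling throughout.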
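Review bot: In unrestrict-code-execution-windows-defender-advanced-threat-protection.md the `keywords` line says `remove machine from isolation`, copied from the unisolate page; change it to match removing the app execution restriction. The description `removing a restriction from applications from executing` reads awkwardly; "removing the restriction on application execution" or similar.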
From 85d24ee85130fe9ee8ae438f909bbd7437cfccc6 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 24 Aug 2017 22:24:24 -0700 Subject: [PATCH 02/10] add apis --- ...ows-defender-advanced-threat-protection.md | 67 +++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 67 +++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 67 +++++++++++++++++++ 3 files changed, 201 insertions(+) create mode 100644 windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md diff --git a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..b5a267b9d1 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,67 @@ +--- +title: Get FileMachineAction object API +description: Use this API to create calls related to get machineaction object +keywords: apis, graph api, supported apis, filemachineaction object +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get MachineAction object +Get MachineAction object + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +GET /testwdatppreview/filemachineactions/{id} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with the *FileMachineAction* object. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/filemachineactions/7327b54fd718525cbca07dacde913b5ac3c85673 +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "stopAndQuarantineFile", + "status": "Success", + "error": "Unknown" +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..1fcfb04357 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,67 @@ +--- +title: Get MachineAction object API +description: Use this API to create calls related to get machineaction object +keywords: apis, graph api, supported apis, machineaction object +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get MachineAction object +Get MachineAction object + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +GET /testwdatppreview/machineactions/{id} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with the *MachineAction* object. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673 +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", + "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", + "type": "UnrestrictExecution", + "status": "Success", + "error": "Unknown" +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5c62aa0f2a --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,67 @@ +--- +title: Get package SAS URI API +description: Use this API to get a URI that allows downloading an investigation package. +keywords: apis, graph api, supported apis, get package, sas, uri +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get package SAS URI +Get a Uri that allows downloading an investigation package. + +## Permissions +User needs to have “secop” permissions. + +## HTTP request +``` +POST /testwdatppreview/machineactions/{id}/getPackageUri +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri + +``` + +Response + +Here is an example of the response. 
+ + +``` +HTTP/1.1 200 Ok +Content-type: application/json + +{ + "@odata.context": "https://graph.microsoft.com/testrespver1/$metadata#Edm.String", + "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" +} + +``` From caee7fed34e9312862d745dc40a78d7b597f23af Mon Sep 17 00:00:00 2001 
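Review bot: The HTTP request section of the new get-package-sas-uri page and its Example disagree on both method and casing: the request section documents `POST /testwdatppreview/machineactions/{id}/getPackageUri`, while the example sends `GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri`; settle on one method and one spelling of the action segment, because a client built from whichever is wrong will get a method-not-allowed or not-found response. Drop the full SAS token from the example response as well: it is a bearer credential for the download endpoint, and even if it has long since expired, documentation should show a short placeholder such as `...WDATP_Investigation_Package.zip?token={sas-token}` rather than a credential-shaped blob that readers may paste and secret scanners will flag. While there, the `@odata.context` value `https://graph.microsoft.com/testrespver1/$metadata#Edm.String` names a different API version (`testrespver1`) from the `testwdatppreview` used in the request. Minor: `Content-Type | application/json` is listed as a request header although the Request body section says `Empty`, and `ms.date: 09/01.2017` has the same separator typo as the other new pages.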
From: jcaparas Date: Thu, 24 Aug 2017 22:39:02 -0700 Subject: [PATCH 03/10] update toc to add apis --- windows/threat-protection/TOC.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index a1c9446bfb..6e060b5dd5 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -63,6 +63,20 @@ #### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) #### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md) ### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md) +### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) +### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) +### [Isolate machine](isolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) +### [Unisolate machine](unisoalte-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) +### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) +### [Remove code execution restriction](windows-defender-atp\unrestrict-code-executionwindows-defender-advanced-threat-protection.md) +### [Run antivirus scan](windows-defender-atp\run-antivirus-scan-windows-defender-advanced-threat-protection.md) +### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) +### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) +### [Block file](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) +### [Unblock file](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md) +### [Get package SAS URI](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md) +### [Get MachineAction object](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md) +### [Get FileMachineAction 
object](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md) #### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md) #### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) #### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md) From f2527a6ea1e143ae9732c7cbeaf99b833681743a Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 24 Aug 2017 22:48:51 -0700 Subject: [PATCH 04/10] udpate toc --- windows/threat-protection/TOC.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 6e060b5dd5..754186ac75 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
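Review bot: Two of the new TOC links in this hunk have the directory and page name swapped, so they will 404 in the rendered TOC: `### [Isolate machine](isolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md)` and `### [Unisolate machine](unisoalte-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md)` (the latter also misspells "unisolate"); both should follow the pattern of the neighbouring entries, `windows-defender-atp\<page>-windows-defender-advanced-threat-protection.md`. Also `unrestrict-code-executionwindows-defender-...` is missing the hyphen before `windows`, and `run-antivirus-scan-...` does not match the `run-av-scan-...` page name this series settles on in PATCH 05. Structurally, the new entries are `###` headings, the same level as `### [Use the Windows Defender ATP exposed APIs]`, and they are inserted between `### [Use the threat intelligence API to create custom alerts]` and its `####` children, so they render as siblings of the exposed-APIs page and split the threat-intelligence section in two; nest them as `####` under the exposed-APIs entry and place them after that section's last `####` item.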
@@ -63,20 +63,6 @@ #### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) #### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md) ### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md) -### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) -### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) -### [Isolate machine](isolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) -### [Unisolate machine](unisoalte-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) -### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) -### [Remove code execution restriction](windows-defender-atp\unrestrict-code-executionwindows-defender-advanced-threat-protection.md) -### [Run antivirus scan](windows-defender-atp\run-antivirus-scan-windows-defender-advanced-threat-protection.md) -### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) -### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) -### [Block file](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) -### [Unblock file](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md) -### [Get package SAS URI](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md) -### [Get MachineAction object](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md) -### [Get FileMachineAction 
object](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md) #### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md) #### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) #### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md) 
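Review bot: Squash this hunk with PATCH 03: it deletes exactly the fourteen lines that patch added at the same location (`@@ -63,20 +63,6 @@` removes the block that follows `### [Use the threat intelligence API to create custom alerts]`), so the series carries an add-then-remove of broken links that never needed to land in history.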
@@ -84,6 +70,20 @@ #### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md) #### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md) #### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) +### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) +#### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) +#### [Isolate machine](isolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) +#### [Unisolate machine](unisoalte-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) +#### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) +#### [Remove code execution restriction](windows-defender-atp\unrestrict-code-executionwindows-defender-advanced-threat-protection.md) +#### [Run antivirus scan](windows-defender-atp\run-antivirus-scan-windows-defender-advanced-threat-protection.md) +#### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) +#### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) +#### [Block file](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) +#### [Unblock file](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md) +#### [Get package SAS URI](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md) +#### [Get MachineAction object](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md) +#### [Get 
FileMachineAction object](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md) ### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) ### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) #### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) From 97407301e35d92820d57246779672576d71d7787 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 24 Aug 2017 22:51:22 -0700 Subject: [PATCH 05/10] fix links --- windows/threat-protection/TOC.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 754186ac75..e8493bb003 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
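Review bot: The relocated entries are now correctly nested as `####` under `### [Use the Windows Defender ATP exposed APIs]` and sit after the threat-intelligence section's last child, but the broken paths from PATCH 03 are carried over unchanged: `#### [Isolate machine](isolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md)`, `#### [Unisolate machine](unisoalte-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md)` and the hyphen-less `unrestrict-code-executionwindows-defender-...`. Fix the paths in the same commit that moves the lines rather than in a follow-up, so no intermediate revision of the TOC ships dead links. The commit subject `udpate toc` is also misspelled.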
@@ -72,11 +72,11 @@ #### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) ### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) #### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) -#### [Isolate machine](isolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) -#### [Unisolate machine](unisoalte-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) +#### [Isolate machine](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md) +#### [Unisolate machine](unisolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) #### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) -#### [Remove code execution restriction](windows-defender-atp\unrestrict-code-executionwindows-defender-advanced-threat-protection.md) -#### [Run antivirus scan](windows-defender-atp\run-antivirus-scan-windows-defender-advanced-threat-protection.md) +#### [Remove code execution restriction](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +#### [Run antivirus scan](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md) #### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) #### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) #### [Block file](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) From f7b038cff2dbbab104eacccf03153269d981d9b7 Mon Sep 17 00:00:00 2001 
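Review bot: The Unisolate machine link is still wrong after this fix: `+#### [Unisolate machine](unisolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md)` only corrects the spelling, while the directory prefix and page name remain swapped; it should be `windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md`, matching the `Isolate machine` line corrected directly above it. The `run-av-scan` rename and the added hyphen in `unrestrict-code-execution-windows-...` are correct.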
From: jcaparas Date: Thu, 24 Aug 2017 23:03:22 -0700 Subject: [PATCH 06/10] update apis --- windows/threat-protection/TOC.md | 27 ++-- ...ows-defender-advanced-threat-protection.md | 98 +------------- ...ows-defender-advanced-threat-protection.md | 125 ++++++++++++++++++ 3 files changed, 141 insertions(+), 109 deletions(-) create mode 100644 windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index e8493bb003..8ffdbfa378 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -71,19 +71,20 @@ #### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md) #### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) ### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md) -#### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) -#### [Isolate machine](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md) -#### [Unisolate machine](unisolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) -#### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) -#### [Remove code execution restriction](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -#### [Run antivirus scan](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md) -#### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) -#### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) -#### [Block file](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) -#### [Unblock file](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md) -#### [Get package SAS URI](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md) -#### [Get MachineAction object](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md) -#### [Get FileMachineAction object](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +#### 
[Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md) +##### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) +##### [Isolate machine](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md) +##### [Unisolate machine](unisolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) +##### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) +##### [Remove code execution restriction](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +##### [Run antivirus scan](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md) +##### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) +##### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) +##### [Block file](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md) +##### [Unblock file](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md) +##### [Get package SAS URI](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md) +##### [Get MachineAction object](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md) +##### [Get FileMachineAction object](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md) ### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) ### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md) #### [Fix unhealthy 
sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index f188d8d4ff..a39fc723d2 100644 --- a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md 
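Review bot: The Unisolate machine path survives this re-nesting unchanged (`+##### [Unisolate machine](unisolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md)`), so it is still broken at this point in the series; since every one of these lines is rewritten here anyway, fix it in this commit rather than in PATCH 07. The action pages now sit five levels deep under `#### [Supported Windows Defender ATP APIs]`, yet the supported-apis page added in this same commit lists entity read routes (actor, alerts, machine, user, domain, IP, file) and a query example, and never mentions the machine-action pages nested beneath it; either cross-link the action pages from that page or keep them as `####` siblings of it so the TOC hierarchy matches the page content.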
@@ -94,102 +94,8 @@ HttpResponseMessage response = client.GetAsync(ep).Result; string resp = response.Content.ReadAsStringAsync().Result; Console.WriteLine($"response for: {ep} \r\n {resp}"); ``` -## Supported APIs -| Entity | Action | Description | Functions | Route | -|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------| -| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} | -| | GetAlerts | Retrieves all alerts related to a given actor. | $expand, $top, $select, $count | /actor/{id}/alerts | -| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts | -| | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} | -| | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines | -| | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files | -| | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor | -| | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains | -| | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips | -| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines | -| | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts | -| | GetLogOnUsers | Retrieves a collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers | -| | Find | Find a machine entity around a specific timestamp by FQDN or 
internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) | -| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines | -| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given domain address | $top, $select, $count, $expand | /domains/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines | -| | Stats | Retrieves the prevalence for the given domain | | /domains/{id}/stats | -| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines | -| | Stats | Retrieves the prevalence for the given IP | | /ips/{id}/stats | -| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines | -| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines | - -### Example queries -After creating the application, you can run the following queries. 
- -Fetching the top 20 alerts with machine information: -``` -private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; -private const string resourceId = "https://graph.microsoft.com"; -private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; -private const string redirect = "https://localhost"; -HttpClient client = new HttpClient(); -AuthenticationContext auth = new AuthenticationContext(authority); -var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; -client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); -var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow -HttpResponseMessage response = client.GetAsync(ep).Result; -string resp = response.Content.ReadAsStringAsync().Result; -Console.WriteLine($"response for: {ep} \r\n {resp}"); -``` - -Response: -``` -{ - "@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts", - "@odata.count": 20, - "@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20", - "value": [ - { - "id": "636341278149188342_1960231459", - "severity": "Medium", - "status": "New", - "description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", - "recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. 
Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.", - "alertCreationTime": "2017-06-27T02:36:53.7841015Z", - "category": "Installation", - "title": "Process hollowing detected", - "threatFamilyName": null, - "detectionSource": null, - "classification": null, - "determination": null, - "assignedTo": null, - "resolvedTime": null, - "lastEventTime": "2017-06-29T10:11:54.2872094Z", - "firstEventTime": "2017-06-27T02:30:23.9320988Z", - "machine": { - "id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b", - "computerDnsName": null, - "firstSeen": "0001-01-01T00:00:00Z", - "isOnline": false, - "osPlatform": null, - "osVersion": null, - "systemProductName": null, - "lastIpAddress": null, - "lastExternalIpAddress": null, - "agentVersion": null, - "osBuild": null, - "healthStatus": "Active", - "isAadJoined": null - } - }, -}…. - -``` ## Related topics -- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) +- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..8522966f5b --- /dev/null 
+++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md 
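Review bot: Moving the Supported APIs table and example queries out of exposed-apis is reasonable, but the copy that lands in supported-apis is verbatim, so the defects in the removed lines are carried over instead of being fixed in the move: `var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow` uses an `apiVersion` that is never declared in the snippet and refers to highlighting that rendered markdown does not have, and `| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines |` repeats the GetMachines route where, by analogy with the Domain and IP rows, `/files/{id}/stats` is expected. The Related topics change is good: the added `- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)` link keeps the moved content reachable, and rewriting the list also adds the trailing newline the old file lacked.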
@@ -0,0 +1,125 @@ +--- +title: Supported Windows Defender Advanced Threat Protection APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Supported Windows Defender ATP APIs + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +| Entity | Action | Description | Functions | Route | +|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------| +| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} | +| | GetAlerts | Retrieves all alerts related to a given actor. 
| $expand, $top, $select, $count | /actor/{id}/alerts | +| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts | +| | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} | +| | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines | +| | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files | +| | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor | +| | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains | +| | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips | +| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines | +| | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts | +| | GetLogOnUsers | Retrieves a collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers | +| | Find | Find a machine entity around a specific timestamp by FQDN or internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) | +| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines | +| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a 
given domain address | $top, $select, $count, $expand | /domains/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines | +| | Stats | Retrieves the prevalence for the given domain | | /domains/{id}/stats | +| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines | +| | Stats | Retrieves the prevalence for the given IP | | /ips/{id}/stats | +| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} | +| | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts | +| | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines | +| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines | + +### Example queries +After creating the application, you can run the following queries. 
+ +Fetching the top 20 alerts with machine information: +``` +private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; +private const string resourceId = "https://graph.microsoft.com"; +private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; +private const string redirect = "https://localhost"; +HttpClient client = new HttpClient(); +AuthenticationContext auth = new AuthenticationContext(authority); +var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; +client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); +var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow +HttpResponseMessage response = client.GetAsync(ep).Result; +string resp = response.Content.ReadAsStringAsync().Result; +Console.WriteLine($"response for: {ep} \r\n {resp}"); +``` + +Response: +``` +{ + "@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts", + "@odata.count": 20, + "@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20", + "value": [ + { + "id": "636341278149188342_1960231459", + "severity": "Medium", + "status": "New", + "description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", + "recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. 
Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.", + "alertCreationTime": "2017-06-27T02:36:53.7841015Z", + "category": "Installation", + "title": "Process hollowing detected", + "threatFamilyName": null, + "detectionSource": null, + "classification": null, + "determination": null, + "assignedTo": null, + "resolvedTime": null, + "lastEventTime": "2017-06-29T10:11:54.2872094Z", + "firstEventTime": "2017-06-27T02:30:23.9320988Z", + "machine": { + "id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b", + "computerDnsName": null, + "firstSeen": "0001-01-01T00:00:00Z", + "isOnline": false, + "osPlatform": null, + "osVersion": null, + "systemProductName": null, + "lastIpAddress": null, + "lastExternalIpAddress": null, + "agentVersion": null, + "osBuild": null, + "healthStatus": "Active", + "isAadJoined": null + } + }, +}…. + +``` + +## Related topics +- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) + From e4d4fefaf4263ca9972f08f2889bf7f43677530a Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 24 Aug 2017 23:04:33 -0700 Subject: [PATCH 07/10] fix link --- windows/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 8ffdbfa378..921a60a7d1 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
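Review bot: the File rows of the supported-APIs table carry two wrong paths: GetMachines lists `/files{id}/machines` (no slash before `{id}`) and Stats lists `/files/{id}/machines`, whereas the Domain and IP rows end their Stats path in `/{id}/stats`; change them to `/files/{id}/machines` and `/files/{id}/stats`. In the example query, `apiVersion` is used in `var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine";` but is never declared next to `authority`, `resourceId`, `clientId` and `redirect`, so the snippet does not compile as shown; add the constant with its value. The comment `// the query itself in yellow` refers to highlighting a plain code fence cannot render and should be dropped. The sample response comes from `graph.microsoft-ppe.com/testwdatp` while the code targets `https://graph.microsoft.com`, and the listing ends in `}….` instead of closing the `value` array and the outer object; either show a consistent endpoint and a well-formed (explicitly truncated) body, or state that the output was trimmed.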
@@ -74,7 +74,7 @@ #### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md) ##### [Collect investigation package](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md) ##### [Isolate machine](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md) -##### [Unisolate machine](unisolate-machine-windows-defender-atp\windows-defender-advanced-threat-protection.md) +##### [Unisolate machine](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md) ##### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) ##### [Remove code execution restriction](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) ##### [Run antivirus scan](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md) From d325e636759f2e650acc3d63667d7202d7dfc2e4 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 24 Aug 2017 23:21:26 -0700 Subject: [PATCH 08/10] remove related topic --- .../exposed-apis-windows-defender-advanced-threat-protection.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index a39fc723d2..259f35f8eb 100644 --- a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md 
@@ -98,4 +98,3 @@ Console.WriteLine($"response for: {ep} \r\n {resp}"); ## Related topics - [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) -- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md) From 35184e046089a1dd84d902dd39cee29bff459c22 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Thu, 24 Aug 2017 23:31:21 -0700 Subject: [PATCH 09/10] fix code block --- ...ge-windows-defender-advanced-threat-protection.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md index cf4545b1cf..4cd36dd259 100644 --- a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md @@ -54,18 +54,8 @@ Content-type: application/json { "Comment": "Collect forensics due to alert 1234" } -Response -Here is an example of the response. Note: The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "CollectInvestigationPackage", - "status": "InProgress", - "error": "Unknown" -} ``` + Response Here is an example of the response. From adf974584a1d1827b7ce55a00cff49e12fe79bc8 Mon Sep 17 00:00:00 2001 
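Review bot: the hunk in collect-investigation-package-windows-defender-advanced-threat-protection.md deletes the whole response example (the `HTTP/1.1 201 Created` line, the JSON body with `id`, `type`, `status` and `error`, and the note that the object may be truncated) instead of moving it out of the request code block; the only addition is a blank line, so the `Response` / `Here is an example of the response.` lines that follow are left with no example after them. Re-add the status line and JSON body in their own fenced block after that sentence and keep the truncation note, so the page shows both the request and the response.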
From: jcaparas Date: Thu, 24 Aug 2017 23:35:05 -0700 Subject: [PATCH 10/10] unrestrict code execution --- windows/threat-protection/TOC.md | 2 +- ...e-execution-windows-defender-advanced-threat-protection.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 921a60a7d1..02458df8ff 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -76,7 +76,7 @@ ##### [Isolate machine](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md) ##### [Unisolate machine](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md) ##### [Restrict code execution](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md) -##### [Remove code execution restriction](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +##### [Unrestrict code execution](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md) ##### [Run antivirus scan](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md) ##### [Stop and quarantine files](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md) ##### [Request sample](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md index e9777ece2f..65989bb731 100644 --- a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: Remove code execution restriction API +title: Unrestrict code execution API description: Use this API to create calls related to removing a restriction from applications from executing. keywords: apis, graph api, supported apis, remove machine from isolation search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 09/01.2017 --- -# Remove code execution restriction +# Unrestrict code execution Remove code execution restriction. ## Permissions
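Review bot: in the first hunk of unrestrict-code-execution-windows-defender-advanced-threat-protection.md the `keywords` context line still reads `remove machine from isolation`, which belongs to the unisolate-machine page, and the description says "removing a restriction from applications from executing"; since the title is being renamed here anyway, replace the keywords with ones about unrestricting code execution and reword the description to "Use this API to remove a restriction that prevents applications from executing."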
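Review bot: the second hunk's `ms.date: 09/01.2017` context line has a dot where an mm/dd/yyyy date needs a slash (`09/01/2017`); fix it while the heading is being touched. The body line `Remove code execution restriction.` directly under the renamed `# Unrestrict code execution` heading now just repeats the old title as a sentence; either describe what the call does or align it with the new name.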