From 6fa7490d4d452ae26b49cf77a60e7bc7b5f9a160 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 6 Mar 2017 14:15:21 -0800 Subject: [PATCH 1/5] update code line --- ...-example-code-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md index 36b0a25f3b..6e63d9f1b5 100644 --- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md @@ -71,7 +71,7 @@ You can now use the alert ID obtained from creating a new alert definition to cr ## Complete code You can use the complete code to create calls to the API. -[!code[CustomTIAPI](./code/example.py#L1-L51)] +[!code[CustomTIAPI](./code/example.py#L1-L53)] ## Related topics - [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) From c6d9af2be22d164eadebf83e58fd0ef733942334 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Mon, 6 Mar 2017 16:43:29 -0800 Subject: [PATCH 2/5] Fixed H1 position --- windows/manage/windows-libraries.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md index 1608798dce..f8937e7a43 100644 --- a/windows/manage/windows-libraries.md +++ b/windows/manage/windows-libraries.md 
@@ -10,10 +10,10 @@ author: jasongerend ms.date: 2/6/2017 description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. --- -> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 - # Windows Libraries +> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 + Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. ## Features for Users From 2f25fbb84379730e2d06c2d37d8f9c85cd4c6479 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 6 Mar 2017 21:12:56 -0800 Subject: [PATCH 3/5] add custom ti topics --- windows/keep-secure/TOC.md | 7 ++++ ...ows-defender-advanced-threat-protection.md | 6 +-- ...ows-defender-advanced-threat-protection.md | 2 + ...ows-defender-advanced-threat-protection.md | 39 +++++++++++++++++++ 4 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 4e77353f2f..92fb8a44a9 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -772,6 +772,13 @@ ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) +##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) +##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) +##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) +##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) #### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) ##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) ###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md index eecae9a27a..8c54c753a6 100644 --- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md 
@@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Create custom alerts using the threat intelligence (TI) Application program interface (API) +# Create custom alerts using the threat intelligence (TI) application program interface (API) **Applies to:** @@ -23,12 +23,12 @@ localizationpriority: high [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to create specific alerts that are applicable to your organization. +You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization. ## Before you begin Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). -### Use the threat intelligence REST APIs to create custom threat intelligence alerts +### Use the threat intelligence REST API to create custom threat intelligence alerts You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations: - GET diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md index e4a19d51d6..3a89c15e0b 100644 --- a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md 
+++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md @@ -47,5 +47,7 @@ The following features are included in the preview release: - [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. - [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization. + >[!NOTE] > All response actions require machines to be on the latest Windows 10 Insider Preview build. diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..ee87fd5701 --- /dev/null +++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,39 @@ +--- +title: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts +description: Use the custom threat intelligence API to create custom alerts for your organization. +keywords: threat intelligence, alert definitions, indicators of compromise +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Use the threat intelligence API to create custom alerts in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization. + +You can use the code examples to guide you in creating calls to the custom threat intelligence API. + +## In this section + +Topic | Description +:---|:--- +[Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization. +[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API. 
+[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization. +[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API. +[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API. +[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API. From cfaaf66ccf8f12546e88d3e97c19a72bcb8ee70d Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 6 Mar 2017 21:22:55 -0800 Subject: [PATCH 4/5] update topic header --- ...ator-concepts-windows-defender-advanced-threat-protection.md | 2 +- ...use-custom-ti-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index 835ddbf45a..be6cfe9d8e 100644 --- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md 
@@ -47,7 +47,7 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. -## Related topic +## Related topics - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) - [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md index ee87fd5701..0757a26702 100644 --- a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Use the threat intelligence API to create custom alerts in Windows Defender ATP +# Use the threat intelligence API to create custom alerts **Applies to:** From 4726e8ee22f1b00336f0bb29912ecee4c054c52a Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 6 Mar 2017 21:36:07 -0800 Subject: [PATCH 5/5] minor edit --- windows/keep-secure/code/example.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/code/example.ps1 b/windows/keep-secure/code/example.ps1 index 877292e484..278824d13a 100644 --- a/windows/keep-secure/code/example.ps1 +++ b/windows/keep-secure/code/example.ps1 @@ -24,7 +24,7 @@ $alertDefinitions = (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value $alertDefinitionPayload = @{ - "Name"= "The Alert's Name" + "Name"= "The alert's name" "Severity"= "Low" "InternalDescription"= "An internal description of the Alert" "Title"= "The Title"
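Review bot: In the python-example-code-windows-defender-advanced-threat-protection.md hunk (patch 1/5), the code include is pinned to a line range (`./code/example.py#L1-L51` becoming `#L1-L53`), so every later edit that adds or removes lines in example.py silently truncates or over-includes the rendered sample, which is exactly the drift this one-line fix is repairing. Since the surrounding text promises "the complete code", include the whole file instead, `[!code[CustomTIAPI](./code/example.py)]`, or use a named snippet region, so the include cannot go stale again. This series does not touch example.py, so please also confirm the file on the target branch really is 53 lines long.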
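Review bot: The TOC.md hunk (patch 3/5) adds six child entries under "Use the threat intelligence API to create custom alerts", but this series only creates use-custom-ti-windows-defender-advanced-threat-protection.md; of the six targets, only threat-indicator-concepts-*, custom-ti-api-* and python-example-code-* are visibly present in the patch, so enable-custom-ti-*, powershell-example-code-* and troubleshoot-custom-ti-* must already exist on the branch or the build will emit broken links. Please verify those three files are in place before merging.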
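Review bot: In the second custom-ti-api-windows-defender-advanced-threat-protection.md hunk (patch 3/5), the unchanged line directly under the retitled "Use the threat intelligence REST API" heading is a duplicated clause: "You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:". Since this hunk already edits the heading above it, fold the fix in: "To access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:". While here, "indicators of compromise (IOC)" should be "indicators of compromise (IOCs)" to match the plural it abbreviates.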
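Review bot: In the preview-windows-defender-advanced-threat-protection.md hunk (patch 3/5), the new custom threat intelligence bullet is now the last item before the unchanged note "All response actions require machines to be on the latest Windows 10 Insider Preview build", so a reader can take that requirement to apply to the TI API as well. Either move the note up so it sits under the response-action bullets it qualifies, or make the note explicit about which features it covers.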
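Review bot: In the new file use-custom-ti-windows-defender-advanced-threat-protection.md (patch 3/5), the description for "Enable the custom threat intelligence application" reads "create custom threat intelligence (TI) using REST API"; it should be "using the REST API". More importantly, the custom-ti-api hunk states that this step requires generating Azure AD access tokens, and a token that can create alert definitions and IOCs for the tenant is a credential worth protecting; the landing page, or the Enable topic it points to, should tell readers not to embed those tokens in the sample scripts they copy and to treat them as secrets.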
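Review bot: In the example.ps1 hunk (patch 5/5), the change lowercases only "Name" ("The Alert's Name" to "The alert's name") while the neighbouring placeholders in the same payload, "An internal description of the Alert" and "The Title", keep their capitalisation, so the result is inconsistent; normalise all three in one pass. Since $alertDefinitionPayload is sent to the live AlertDefinitions endpoint, anyone who runs the sample verbatim will create a real alert definition named "The alert's name" in their tenant; a placeholder that is obviously a sample, such as "Sample custom TI alert", or a comment telling readers to replace these values before running, would prevent that.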