From 45caec75ad6cf8dc7e19a83eefeec8f349bafa88 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Mon, 6 Jan 2020 13:15:38 +0200 Subject: [PATCH] machine actions --- .../collect-investigation-package.md | 34 +++++------------ .../get-machineaction-object.md | 32 ++++++++++------ .../get-machineactions-collection.md | 27 ++++++++++--- .../get-package-sas-uri.md | 9 +++-- .../microsoft-defender-atp/isolate-machine.md | 35 +++++------------ .../microsoft-defender-atp/machineaction.md | 32 ++++++++++++++-- .../offboard-machine-api.md | 35 +++++------------ .../restrict-code-execution.md | 38 ++++++------------- .../microsoft-defender-atp/run-av-scan.md | 34 +++++------------ .../stop-and-quarantine-file.md | 38 +++++-------------- .../unisolate-machine.md | 36 +++++------------- .../unrestrict-code-execution.md | 32 +++++----------- 12 files changed, 154 insertions(+), 228 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index fbfaeaf1bc..1596496d14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -18,11 +18,19 @@ ms.topic: article --- # Collect investigation package API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Collect investigation package from a machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -74,25 +82,3 @@ Content-type: application/json "Comment": "Collect forensics due to alert 1234" } ``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "c9042f9b-8483-4526-87b5-35e4c2532223", - "type": "CollectInvestigationPackage", - "requestor": "Analyst@contoso.com", - "requestorComment": " Collect forensics due to alert 1234", - "status": "InProgress", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", - "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "relatedFileInfo": null -} - -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 0b122f4eb6..dbcaf5b6fb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -18,10 +18,18 @@ ms.topic: article # Get machineAction API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Retrieves specific [Machine Action](machineaction.md) by its ID. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Get action performed on a machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -77,15 +85,17 @@ HTTP/1.1 200 Ok Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", - "type": "RunAntiVirusScan", - "requestor": "Analyst@contoso.com", - "requestorComment": "Check machine for viruses due to alert 3212", + "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", + "type": "Isolate", + "scope": "Selective", + "requestor": "Analyst@TestPrd.onmicrosoft.com", + "requestorComment": "test for docs", "status": "Succeeded", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", - "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", - "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", - "relatedFileInfo": null + "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378", + "computerDnsName": "desktop-test", + "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z", + "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z", + "relatedFileInfo": null } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 6389f8c1f4..c9883c2e4a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -18,17 +18,22 @@ ms.topic: article # List MachineActions API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Gets collection of actions done on machines. -Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). +## API description +Retrieves a collection of [Machine Actions](machineaction.md). +
Supports [OData V4 queries](https://www.odata.org/documentation/). +
The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties. +
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) -The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". -See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +## Limitations +1. Maximum page size is 10,000. +2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -89,10 +94,12 @@ Content-type: application/json { "id": "69dc3630-1ccc-4342-acf3-35286eec741d", "type": "CollectInvestigationPackage", + "scope": null, "requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", "relatedFileInfo": null @@ -100,10 +107,12 @@ Content-type: application/json { "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan", + "scope": "Full", "requestor": "Analyst@contoso.com", "requestorComment": "Check machine for viruses due to alert 3212", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", "relatedFileInfo": null @@ -111,10 +120,12 @@ Content-type: application/json { "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", "type": "StopAndQuarantineFile", + "scope": null, "requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z", "relatedFileInfo": { @@ -151,10 +162,12 @@ Content-type: application/json { "id": "69dc3630-1ccc-4342-acf3-35286eec741d", "type": "CollectInvestigationPackage", + "scope": null, "requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", "relatedFileInfo": null @@ -162,10 +175,12 @@ Content-type: application/json { "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan", + "scope": "Full", "requestor": "Analyst@contoso.com", "requestorComment": "Check machine for viruses due to alert 3212", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", "relatedFileInfo": null diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index d3b61ac453..986c832afc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -18,11 +18,14 @@ ms.topic: article # Get package SAS URI API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md). -Get a URI that allows downloading of an [investigation package](collect-investigation-package.md). ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 4a1fb9b49b..8b8c759287 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -18,12 +18,19 @@ ms.topic: article # Isolate machine API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Isolates a machine from accessing external network. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -85,27 +92,5 @@ Content-type: application/json “IsolationType”: “Full” } -``` -**Response** -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "b89eb834-4578-496c-8be0-03f004061435", - "type": "Isolate", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Isolate machine due to alert 1234", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z", - "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z", - "relatedFileInfo": null -} - -``` - -To unisolate a machine, see [Release machine from isolation](unisolate-machine.md). +- To unisolate a machine, see [Release machine from isolation](unisolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index 714a678227..fdd4146f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -18,8 +18,11 @@ ms.topic: article # MachineAction resource type -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +- See [Response Actions](respond-machine-alerts.md) for more information | Method | Return Type | Description | |:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------| @@ -33,6 +36,7 @@ ms.topic: article | [Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. | | [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). | | [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. | +| [Stop and quarantine file](stop-and-quarantine-file.md) | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it. |
@@ -42,11 +46,31 @@ ms.topic: article |:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | id | Guid | Identity of the [Machine Action](machineaction.md) entity. | | type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" | +| scope | string | Scope of the action. "Full" or "Selective" in case of Isolation, "Quick" or "Full" in case of Anti-Virus scan. | | requestor | String | Identity of the person that executed the action. | | requestorComment | String | Comment that was written when issuing the action. | | status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". | -| machineId | String | Id of the machine on which the action was executed. | +| machineId | String | Id of the [machine](machine.md) on which the action was executed. | +| machineId | String | Name of the [machine](machine.md) on which the action was executed. | | creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. | | lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. | -| relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5". | +| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1" ,"Sha256" and "Md5". | + +## Json representation + +```json +{ + "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", + "type": "Isolate", + "scope": "Selective", + "requestor": "Analyst@TestPrd.onmicrosoft.com", + "requestorComment": "test for docs", + "status": "Succeeded", + "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378", + "computerDnsName": "desktop-test", + "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z", + "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z", + "relatedFileInfo": null +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 314f1a67e6..ab3dd486d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -18,12 +18,19 @@ ms.topic: article # Offboard machine API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Offboard machine from Microsoft Defender ATP. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -76,26 +83,4 @@ Content-type: application/json { "Comment": "Offboard machine by automation" } -``` - -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "c9042f9b-8483-4526-87b5-35e4c2532223", - "type": "OffboardMachine", - "requestor": "Analyst@contoso.com", - "requestorComment": "offboard machine by automation", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", - "relatedFileInfo": null -} - -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index dd7b5aa37f..6addf06827 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -18,11 +18,18 @@ ms.topic: article # Restrict app execution API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +## API description +Restrict execution of all applications on the machine except a predefined set. + + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts.md) for more information) [!include[Machine actions note](../../includes/machineactionsnote.md)] @@ -76,29 +83,6 @@ Content-type: application/json } ``` -**Response** -Here is an example of the response. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "78d408d1-384c-4c19-8b57-ba39e378011a", - "type": "RestrictCodeExecution", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Restrict code execution due to alert 1234", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "relatedFileInfo": null -} - -``` - -To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md). +- To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index 648cd1a9ee..10a0f81607 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -18,12 +18,19 @@ ms.topic: article # Run antivirus scan API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Initiate Windows Defender Antivirus scan on a machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -85,26 +92,3 @@ Content-type: application/json } ``` -**Response** - -Here is an example of the response. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", - "type": "RunAntiVirusScan", - "requestor": "Analyst@contoso.com", - "requestorComment": "Check machine for viruses due to alert 3212", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", - "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z", - "relatedFileInfo": null -} - -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 90a5c9e590..edfd07e6a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -18,12 +18,19 @@ ms.topic: article # Stop and quarantine file API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Stop execution of a file on a machine and delete it. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -78,30 +85,3 @@ Content-type: application/json } ``` -**Response** - -Here is an example of the response. - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "141408d1-384c-4c19-8b57-ba39e378011a", - "type": "StopAndQuarantineFile", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", - "relatedFileInfo": { - "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9", - "fileIdentifierType": "Sha1" - } -} - -``` - diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 9c17d1b578..40c5117a86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -19,12 +19,19 @@ ms.topic: article # Release machine from isolation API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Undo isolation of a machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -80,30 +87,7 @@ Content-type: application/json } ``` -**Response** -Here is an example of the response. ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558", - "type": "Unisolate", - "requestor": "Analyst@contoso.com ", - "requestorComment": "Unisolate machine since it was clean and validated ", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z", - "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z", - "relatedFileInfo": null -} - -``` - -To isolate a machine, see [Isolate machine](isolate-machine.md). +- To isolate a machine, see [Isolate machine](isolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index fdb3691cc4..9687b34e41 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -18,12 +18,19 @@ ms.topic: article # Remove app restriction API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +## API description Enable execution of any application on the machine. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + [!include[Machine actions note](../../includes/machineactionsnote.md)] ## Permissions @@ -78,26 +85,5 @@ Content-type: application/json ``` -**Response** - -Here is an example of the response. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", - "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", - "type": "UnrestrictCodeExecution", - "requestor": "Analyst@contoso.com", - "requestorComment": "Unrestrict code execution since machine was cleaned and validated ", - "status": "InProgress", - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", - "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z", - "relatedFileInfo": null -} - -``` To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution.md).