add new example, add to table

2025-06-23 14:23:38 +00:00 · 2020-09-30 12:39:36 -07:00
parent 5858d0112d
commit 49b181d3e0
2 changed files with 56 additions and 33 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@ -72,6 +72,8 @@ Field numbers match the numbers in the images below.
 > |                  | LogOnUsers                | sourceUserId        | contoso\liz-bean;   contoso\jay-hardee                                             | The domain and user of the   interactive logon user/s at the time of the event. Note: For devices on   Windows 10 version 1607, the domain information will not be available. |
 > |                  | InternalIPv4List          | No mapping          | 192.168.1.7, 10.1.14.1                                                             | List of IPV4 internal IPs for active network interfaces.                                                                                                                                                                               |
 > |                  | InternalIPv6List          | No mapping          | fd30:0000:0000:0001:ff4e:003e:0009:000e,   FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces.                                                                                                                                                                               |
 | | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
 | | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
 > | Internal   field | LastProcessedTimeUtc      | No mapping          | 2017-05-07T01:56:58.9936648Z                                                       | Time when event arrived at the   backend. This field can be used when setting the request parameter for the range of time that detections are retrieved.                         |
 > |                  | Not part of the schema    | deviceVendor        |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft'.                                                                                                                          |
 > |                  | Not part of the schema    | deviceProduct       |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft Defender ATP'.                                                                                                               |
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@ -142,39 +142,60 @@ The return value is an array of alert objects in JSON format.
 Here is an example return value:
 ```json 
-{"AlertTime":"2017-01-23T07:32:54.1861171Z",
+[
-"ComputerDnsName":"desktop-bvccckk",
+{        
-"AlertTitle":"Suspicious PowerShell commandline",
+        "AlertTime": "2020-09-30T14:09:20.35743Z",
-"Category":"SuspiciousActivity",
+        "ComputerDnsName": "mymachine1.domain.com",
-"Severity":"Medium",
+        "AlertTitle": "Suspicious File Activity",
-"AlertId":"636207535742330111_-1114309685",
+        "Category": "Malware",
-"Actor":null,
+        "Severity": "High",
-"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
+        "AlertId": "da637370718981685665_16349121",
-"IocName":null,
+        "Actor": "",
-"IocValue":null,
+        "LinkToWDATP": "https://securitycenter.windows.com/alert/da637370718981685665_16349121",
-"CreatorIocName":null,
+        "IocName": "",
-"CreatorIocValue":null,
+        "IocValue": "",
-"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
+        "CreatorIocName": "",
-"FileName":"powershell.exe",
+        "CreatorIocValue": "",
-"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
+        "Sha1": "aabbccddee1122334455aabbccddee1122334455",
-"IpAddress":null,
+        "FileName": "cmdParent.exe",
-"Url":null,
+        "FilePath": "C:\\WINDOWS\\SysWOW64\\boo3\\qwerty",
-"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
+        "IpAddress": "",
-"UserName":null,
+        "Url": "",
        "IoaDefinitionId": "b20af1d2-5990-4672-87f1-acc2a8ff7725",
        "UserName": "",
        "AlertPart": 0,
-"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
+        "FullId": "da637370718981685665_16349121:R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=",
-"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
+        "LastProcessedTimeUtc": "2020-09-30T14:11:44.0779765Z",
-"ThreatCategory":null,
+        "ThreatCategory": "",
-"ThreatFamily":null,
+        "ThreatFamily": "",
-"ThreatName":null,
+        "ThreatName": "",
-"RemediationAction":null,
+        "RemediationAction": "",
        "RemediationIsSuccess": null,
-"Source":"Microsoft Defender ATP",
+        "Source": "EDR",
-"Md5":null,
+        "Md5": "854b85cbff2752fcb88606bca76f83c6",
-"Sha256":null,
+        "Sha256": "",
        "WasExecutingWhileDetected": null,
-"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
+        "UserDomain": "",
-"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
+        "LogOnUsers": "",
        "MachineDomain": "domain.com",
        "MachineName": "mymachine1",
        "InternalIPv4List": "",
        "InternalIPv6List": "",
        "FileHash": "aabbccddee1122334455aabbccddee1122334455",
        "DeviceID": "deadbeef000040830ee54503926f556dcaf82bb0",
        "MachineGroup": "",
        "Description": "Test Alert",
        "DeviceCreatedMachineTags": "",
        "CloudCreatedMachineTags": "",
        "CommandLine": "",
        "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
        "ReportID": 1053729833,
        "LinkToMTP": "https://security.microsoft.com/alert/da637370718981685665_16349121",
        "IncidentLinkToMTP": "https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
        "ExternalId": "31DD0A845DDA4059FDEDE031014645350AECABD3",
        "IocUniqueId": "R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY="
 }
 ]
 ```
 ## Code examples