mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #9243 from MicrosoftDocs/repo_sync_working_branch
Resolve syncing conflicts from repo_sync_working_branch to public
This commit is contained in:
Gary Moore
GitHub
commit
4fcefb583e
@ -35,7 +35,7 @@
|
||||
"
|
||||
## Acrolinx Scorecards
|
||||
|
||||
**The minimum Acrolinx topic score of 65 is required for all MARVEL content merged to the default branch.**
|
||||
**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.**
|
||||
|
||||
If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:
|
||||
|
||||
|
||||
@ -16535,6 +16535,11 @@
|
||||
"redirect_url": "https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md",
|
||||
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
|
||||
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
|
||||
|
||||
@ -159,16 +159,16 @@
|
||||
### [Personalization CSP](personalization-csp.md)
|
||||
#### [Personalization DDF file](personalization-ddf.md)
|
||||
### [Policy CSP](policy-configuration-service-provider.md)
|
||||
#### [Policy DDF file](policy-ddf-file.md)
|
||||
#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
|
||||
#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
|
||||
#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
|
||||
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
|
||||
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
|
||||
#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
|
||||
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
|
||||
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
|
||||
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
|
||||
#### [Policy CSP DDF file](policy-ddf-file.md)
|
||||
#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
|
||||
#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
|
||||
#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
|
||||
#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
|
||||
#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
|
||||
#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
|
||||
#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
|
||||
#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
|
||||
#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
|
||||
#### [AboveLock](policy-csp-abovelock.md)
|
||||
#### [Accounts](policy-csp-accounts.md)
|
||||
#### [ActiveXControls](policy-csp-activexcontrols.md)
|
||||
|
||||
@ -177,6 +177,10 @@ ms.localizationpriority: medium
|
||||
<dd>
|
||||
<a href="#browser-showmessagewhenopeningsitesininternetexplorer">Browser/ShowMessageWhenOpeningSitesInInternetExplorer</a>
|
||||
</dd>
|
||||
|
||||
<dd>
|
||||
<a href="#browser-suppressedgedeprecationnotification">Browser/SuppressEdgeDeprecationNotification</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="#browser-syncfavoritesbetweenieandmicrosoftedge">Browser/SyncFavoritesBetweenIEAndMicrosoftEdge</a>
|
||||
</dd>
|
||||
@ -4069,6 +4073,74 @@ Most restricted value: 0
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policy-->
|
||||
<a href="" id="browser-suppressedgedeprecationnotification"></a>**Browser/SuppressEdgeDeprecationNotification**
|
||||
|
||||
<!--SupportedSKUs-->
|
||||
<table>
|
||||
<tr>
|
||||
<th>Windows Edition</th>
|
||||
<th>Supported?</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Home</td>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Pro</td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Business</td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Enterprise</td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Education</td>
|
||||
<td><img src="images/checkmark.png" alt="check mark" /></td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<!--/SupportedSKUs-->
|
||||
<hr/>
|
||||
|
||||
<!--Scope-->
|
||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
||||
|
||||
> [!div class = "checklist"]
|
||||
> * User
|
||||
> * Device
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls.
|
||||
By default, a notification will be presented to the user informing them of this upon application startup.
|
||||
With this policy, you can either allow (default) or suppress this notification.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
|
||||
|
||||
<!--/Description-->
|
||||
<!--ADMXMapped-->
|
||||
ADMX Info:
|
||||
- GP English name: *Suppress Edge Deprecation Notification*
|
||||
- GP name: *SuppressEdgeDeprecationNotification*
|
||||
- GP path: *Windows Components/Microsoft Edge*
|
||||
- GP ADMX file name: *MicrosoftEdge.admx*
|
||||
|
||||
<!--/ADMXMapped-->
|
||||
<!--SupportedValues-->
|
||||
Supported values:
|
||||
|
||||
- 0 (default) – Allowed. Notification will be shown at application startup.
|
||||
- 1 – Prevented/not allowed.
|
||||
|
||||
<hr/>
|
||||
<!--Policy-->
|
||||
<a href="" id="browser-syncfavoritesbetweenieandmicrosoftedge"></a>**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Alter Windows 10 Start and taskbar via mobile device management
|
||||
description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users.
|
||||
description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users.
|
||||
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
||||
@ -429,7 +429,8 @@
|
||||
##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
|
||||
##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
|
||||
##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
|
||||
##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
|
||||
##### [DeviceTvmSoftwareInventory](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md)
|
||||
##### [DeviceTvmSoftwareVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)
|
||||
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
|
||||
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
|
||||
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
|
||||
|
||||
@ -18,6 +18,11 @@ ms.technology: mde
|
||||
---
|
||||
|
||||
# Threat Protection
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
|
||||
|
||||
**Applies to:**
|
||||
|
||||
@ -25,14 +25,16 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
|
||||
A script can help you with an alternative to MBSA’s patch-compliance checking:
|
||||
|
||||
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
|
||||
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0/Content/Scan-UpdatesOffline.ps1).
|
||||
|
||||
For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
|
||||
|
||||
For example:
|
||||
|
||||
[](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
|
||||
[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0/Content/Scan-UpdatesOffline.ps1)
|
||||
|
||||
The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) ([wsusscn2.cab](https://go.microsoft.com/fwlink/?LinkID=74689)) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
|
||||
The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) ([wsusscn2.cab](https://go.microsoft.com/fwlink/?LinkID=74689)) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
|
||||
|
||||
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
|
||||
|
||||
## More Information
|
||||
|
||||
@ -23,8 +23,6 @@ ms.technology: mde
|
||||
|
||||
Applies to:
|
||||
- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
@ -33,8 +31,9 @@ Applies to:
|
||||
|
||||
Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
|
||||
|
||||
## Before you begin
|
||||
Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
|
||||
## Before you begin
|
||||
|
||||
See [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). Although [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment, and thus impacts what entries are created and maintained in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), potentially reducing visibility for your security analysts.
|
||||
|
||||
> [!NOTE]
|
||||
> Depending on your choice of onboarding method, devices can appear in Microsoft Defender Security Center as either:
|
||||
@ -74,31 +73,27 @@ This scenario uses a centrally located script and runs it using a domain-based g
|
||||
|
||||
#### Use Group Policy management console to run the script when the virtual machine starts
|
||||
1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
|
||||
1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
|
||||
1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
|
||||
1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
|
||||
1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
|
||||
1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field.
|
||||
Enter the following:
|
||||
|
||||
> Action = "Start a program" <br>
|
||||
> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe <br>
|
||||
> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"
|
||||
|
||||
Click **OK** and close any open GPMC windows.
|
||||
2. In the Group Policy Management Editor, go to **Computer configuration** > **Preferences** > **Control panel settings**.
|
||||
3. Right-click **Scheduled tasks**, click **New**, and then select **Immediate Task** (At least Windows 7).
|
||||
4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. `NT AUTHORITY\SYSTEM` appears as the user account under which the task will run.
|
||||
5. Select **Run whether user is logged on or not** and select the **Run with highest privileges** option.
|
||||
6. Go to the **Actions** tab and select **New**. Confirm that **Start a program** is selected in the **Action** field.
|
||||
7. Specify the following: <br/>
|
||||
- Action = **Start a program**
|
||||
- Program/Script = `C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe`
|
||||
- Add Arguments (optional) = `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"`
|
||||
8. Select **OK** and close any open GPMC windows.
|
||||
|
||||
### Scenario 3: Onboarding using management tools
|
||||
|
||||
If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager.
|
||||
|
||||
For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
|
||||
|
||||
> [!WARNING]
|
||||
> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
|
||||
|
||||
> [!TIP]
|
||||
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
|
||||
|
||||
If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
|
||||
|
||||
> [!WARNING]
|
||||
> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), the rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
|
||||
|
||||
## Tagging your machines when building your image
|
||||
|
||||
As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
|
||||
|
||||
@ -20,6 +20,10 @@ ms.technology: mde
|
||||
|
||||
# Access the Microsoft Defender Security Center MSSP customer portal
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
|
||||
@ -19,18 +19,18 @@ ms.technology: mde
|
||||
|
||||
# Add or Remove Machine Tags API
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
## API description
|
||||
|
||||
Adds or remove tag to a specific [Machine](machine.md).
|
||||
|
||||
@ -20,13 +20,13 @@ ms.technology: mde
|
||||
|
||||
# Configure advanced features in Defender for Endpoint
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
|
||||
|
||||
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with.
|
||||
|
||||
@ -23,9 +23,11 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
|
||||
|
||||
|
||||
@ -23,8 +23,8 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
|
||||
|
||||
|
||||
@ -23,10 +23,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -23,10 +23,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,10 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -22,10 +22,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
|
||||
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
|
||||
title: DeviceTvmSoftwareInventory table in the advanced hunting schema
|
||||
description: Learn about the inventory of software in your devices in the DeviceTvmSoftwareInventory table of the advanced hunting schema.
|
||||
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
@ -8,8 +8,8 @@ ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: dolmont
|
||||
author: DulceMontemayor
|
||||
ms.author: maccruz
|
||||
author: schmurky
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
@ -18,21 +18,22 @@ ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# DeviceTvmSoftwareInventoryVulnerabilities
|
||||
# DeviceTvmSoftwareInventory
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
|
||||
The `DeviceTvmSoftwareInventory` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software currently installed on devices in your network, including end of support information. You can, for instance, hunt for events involving devices that are installed with a currently vulnerable software version. Use this reference to construct queries that return information from the table.
|
||||
|
||||
>[!NOTE]
|
||||
>The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
|
||||
|
||||
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
@ -46,8 +47,8 @@ For information on other tables in the advanced hunting schema, see [the advance
|
||||
| `SoftwareVendor` | string | Name of the software vendor |
|
||||
| `SoftwareName` | string | Name of the software product |
|
||||
| `SoftwareVersion` | string | Version number of the software product |
|
||||
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
|
||||
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
||||
| `EndOfSupportStatus` | string | Indicates the lifecycle stage of the software product relative to its specified end-of-support (EOS) or end-of-life (EOL) date |
|
||||
| `EndOfSupportDate` | string | End-of-support (EOS) or end-of-life (EOL) date of the software product |
|
||||
|
||||
|
||||
|
||||
@ -57,3 +58,4 @@ For information on other tables in the advanced hunting schema, see [the advance
|
||||
- [Learn the query language](advanced-hunting-query-language.md)
|
||||
- [Understand the schema](advanced-hunting-schema-reference.md)
|
||||
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
|
||||
@ -0,0 +1,62 @@
|
||||
---
|
||||
title: DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema
|
||||
description: Learn about software vulnerabilities found on devices and the list of available security updates that address each vulnerability in the DeviceTvmSoftwareVulnerabilities table of the advanced hunting schema.
|
||||
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.author: maccruz
|
||||
author: schmurky
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# DeviceTvmSoftwareVulnerabilities
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
The `DeviceTvmSoftwareVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
|
||||
|
||||
>[!NOTE]
|
||||
>The `DeviceTvmSoftwareInventory` and `DeviceTvmSoftwareVulnerabilities` tables have replaced the `DeviceTvmSoftwareInventoryVulnerabilities` table. Together, the first two tables include more columns you can use to help inform your vulnerability management activities.
|
||||
|
||||
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
|
||||
|
||||
| Column name | Data type | Description |
|
||||
|-------------|-----------|-------------|
|
||||
| `DeviceId` | string | Unique identifier for the device in the service |
|
||||
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
|
||||
| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
|
||||
| `OSVersion` | string | Version of the operating system running on the device |
|
||||
| `OSArchitecture` | string | Architecture of the operating system running on the device |
|
||||
| `SoftwareVendor` | string | Name of the software vendor |
|
||||
| `SoftwareName` | string | Name of the software product |
|
||||
| `SoftwareVersion` | string | Version number of the software product |
|
||||
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
|
||||
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
|
||||
| `RecommendedSecurityUpdate` | string | Name or description of the security update provided by the software vendor to address the vulnerability |
|
||||
| `RecommendedSecurityUpdateId` | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles |
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Advanced hunting overview](advanced-hunting-overview.md)
|
||||
- [Learn the query language](advanced-hunting-query-language.md)
|
||||
- [Understand the schema](advanced-hunting-schema-reference.md)
|
||||
- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
|
||||
@ -22,10 +22,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
@ -24,10 +24,10 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
|
||||
|
||||
|
||||
Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
|
||||
|
||||
| Error type | Cause | Resolution | Error message examples |
|
||||
|
||||
@ -24,8 +24,8 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
[Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.
|
||||
|
||||
|
||||
@ -22,8 +22,7 @@ ms.technology: mde
|
||||
# FileProfile()
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query.
|
||||
|
||||
|
||||
@ -24,8 +24,12 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
|
||||
|
||||
|
||||
With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity.
|
||||
|
||||
The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections:
|
||||
|
||||
@ -22,7 +22,6 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
|
||||
@ -23,7 +23,6 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
@ -65,7 +64,8 @@ Table and column names are also listed within the Microsoft Defender Security Ce
|
||||
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
|
||||
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
|
||||
| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
|
||||
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
|
||||
| **[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)** | Inventory of software installed on devices, including their version information and end-of-support status |
|
||||
| **[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)** | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability |
|
||||
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
|
||||
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
|
||||
| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
|
||||
|
||||
@ -24,8 +24,13 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
|
||||
|
||||
## In this section
|
||||
Topic | Description
|
||||
|
||||
@ -23,10 +23,8 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
- [Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
|
||||
|
||||
@ -22,17 +22,15 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
|
||||
## Methods
|
||||
|
||||
Method |Return Type |Description
|
||||
|
||||
@ -29,6 +29,9 @@ ms.technology: mde
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
|
||||
Learn how to deploy Defender for Endpoint for Android on Intune
|
||||
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
|
||||
device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
|
||||
@ -52,8 +55,7 @@ Learn how to deploy Defender for Endpoint for Android on Intune Company Portal -
|
||||
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
|
||||
**Android Apps** \> **Add \> Android store app** and choose **Select**.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
2. On the **Add app** page and in the *App Information* section enter:
|
||||
|
||||
@ -64,7 +66,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
|
||||
|
||||
Other fields are optional. Select **Next**.
|
||||
|
||||
|
||||
|
||||
|
||||
3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Choose **Select** and then **Next**.
|
||||
|
||||
@ -72,14 +74,15 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
|
||||
>The selected user group should consist of Intune enrolled users.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
|
||||
> 
|
||||
|
||||
|
||||
4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
|
||||
|
||||
In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
5. In the app information page that is displayed, in the **Monitor** section,
|
||||
@ -87,7 +90,7 @@ select **Device install status** to verify that the device installation has
|
||||
completed successfully.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
> 
|
||||
|
||||
|
||||
### Complete onboarding and check status
|
||||
@ -124,14 +127,13 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
|
||||
**Android Apps** \> **Add** and select **Managed Google Play app**.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
|
||||
> 
|
||||
|
||||
2. On your managed Google Play page that loads subsequently, go to the search
|
||||
box and lookup **Microsoft Defender.** Your search should display the Microsoft
|
||||
Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
|
||||
|
||||
|
||||
|
||||
|
||||
3. In the App description page that comes up next, you should be able to see app
|
||||
details on Defender for Endpoint. Review the information on the page and then
|
||||
@ -181,7 +183,7 @@ Defender ATP should be visible in the apps list.
|
||||
|
||||
1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
|
||||
|
||||
|
||||
|
||||
|
||||
1. In the **Create app configuration policy** page, enter the following details:
|
||||
|
||||
@ -201,19 +203,19 @@ Defender ATP should be visible in the apps list.
|
||||
Then select **OK**.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
> 
|
||||
|
||||
|
||||
1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
> 
|
||||
|
||||
|
||||
1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
> 
|
||||
|
||||
|
||||
1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
|
||||
@ -221,7 +223,7 @@ Defender ATP should be visible in the apps list.
|
||||
The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.
|
||||
|
||||
> [!div class="mx-imgBorder"]
|
||||
> 
|
||||
> 
|
||||
|
||||
|
||||
10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
|
||||
|
||||
@ -24,6 +24,8 @@ ms.technology: mde
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
|
||||
Defender for Endpoint for Android collects information from your configured
|
||||
Android devices and stores it in the same tenant where you have Defender for Endpoint.
|
||||
|
||||
@ -25,13 +25,16 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
When onboarding a device, you might see sign in issues after the app is installed.
|
||||
|
||||
|
||||
During onboarding, you might encounter sign in issues after the app is installed on your device.
|
||||
|
||||
This article provides solutions to help address the sign-on issues.
|
||||
|
||||
@ -28,6 +28,9 @@ ms.technology: mde
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
|
||||
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
|
||||
|
||||
These license terms ("Terms") are an agreement between Microsoft Corporation (or
|
||||
|
||||
@ -24,8 +24,7 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
|
||||
The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively.
|
||||
|
||||
@ -22,9 +22,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
@ -38,6 +38,7 @@ Microsoft Defender API has an official Flow Connector with many capabilities.
|
||||
> [!NOTE]
|
||||
> For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](https://docs.microsoft.com/power-automate/triggers-introduction#licensing-for-premium-connectors).
|
||||
|
||||
|
||||
## Usage example
|
||||
|
||||
The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
|
||||
|
||||
@ -26,9 +26,14 @@ ms.technology: mde
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
|
||||
|
||||
Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
|
||||
|
||||
Watch this video for a quick overview of Defender for Endpoint's APIs.
|
||||
|
||||
@ -24,7 +24,7 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
|
||||
@ -22,7 +22,7 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
|
||||
@ -23,10 +23,11 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
|
||||
## Why attack surface reduction rules are important
|
||||
|
||||
Your organization's attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Microsoft Defender for Endpoint can help!
|
||||
|
||||
@ -21,7 +21,7 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Onboard non-Windows devices to the Microsoft Defender ATP service
|
||||
title: Onboard non-Windows devices to the Microsoft Defender for Endpoint service
|
||||
description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender ATP service.
|
||||
keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -24,12 +24,13 @@ ms.technology: mde
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- macOS
|
||||
- Linux
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
**Platforms**
|
||||
- macOS
|
||||
- Linux
|
||||
|
||||
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
|
||||
|
||||
Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
|
||||
|
||||
@ -37,14 +37,12 @@ ms.technology: mde
|
||||
|
||||
Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up.
|
||||
|
||||
Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
|
||||
If you're a Defender for Endpoint customer, you need to apply for Microsoft Threat Experts - Targeted Attack Notifications to get special insights and analysis to help identify the most critical threats, so you can respond to them quickly. Contact your account team or Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand to consult with our threat experts on relevant detections and adversaries.
|
||||
|
||||
If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription.
|
||||
## Apply for Microsoft Threat Experts - Targeted Attack Notifications service
|
||||
If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender Security Center.
|
||||
|
||||
## Register to Microsoft Threat Experts managed threat hunting service
|
||||
If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender for Endpoint portal.
|
||||
|
||||
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
|
||||
1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts - Targeted Attack Notifications**.
|
||||
|
||||
2. Click **Apply**.
|
||||
|
||||
@ -58,11 +56,14 @@ If you're already a Defender for Endpoint customer, you can apply through the Mi
|
||||
|
||||
|
||||
|
||||
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
|
||||
When accepted, you will receive a welcome email and you will see the **Apply** button change to a toggle that is “on”. In case you want to take yourself out of the Targeted Attack Notifications service, slide the toggle “off” and click **Save preferences** at the bottom of the page.
|
||||
|
||||
## Receive targeted attack notification from Microsoft Threat Experts
|
||||
## Where you'll see the targeted attack notifications from Microsoft Threat Experts
|
||||
You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
|
||||
- The Defender for Endpoint portal's **Incidents** page
|
||||
- The Defender for Endpoint portal's **Alerts** dashboard
|
||||
- OData alerting [API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/get-alerts) and [REST API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api)
|
||||
- [DeviceAlertEvents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table) table in Advanced hunting
|
||||
- Your email, if you choose to configure it
|
||||
|
||||
To receive targeted attack notifications through email, create an email notification rule.
|
||||
@ -77,13 +78,15 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
|
||||
|
||||
2. From the dashboard, select the same alert topic that you got from the email, to view the details.
|
||||
|
||||
## Subscribe to Microsoft Threat Experts - Experts on Demand
|
||||
If you're already a Defender for Endpoint customer, you can contact your Microsoft representative to subscribe to Microsoft Threat Experts - Experts on Demand.
|
||||
|
||||
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
|
||||
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
|
||||
|
||||
> [!NOTE]
|
||||
> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
|
||||
> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
|
||||
> - You need to have the **Manage security settings** permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
|
||||
|
||||
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
|
||||
|
||||
@ -106,7 +109,7 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
|
||||
4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
|
||||
|
||||
> [!NOTE]
|
||||
> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub.
|
||||
> If you would like to track the status of your Experts on Demand cases through Microsoft Services Hub, reach out to your Technical Account Manager.
|
||||
|
||||
Watch this video for a quick overview of the Microsoft Services Hub.
|
||||
|
||||
@ -114,7 +117,7 @@ Watch this video for a quick overview of the Microsoft Services Hub.
|
||||
|
||||
|
||||
|
||||
## Sample investigation topics that you can consult with Microsoft Threat Experts
|
||||
## Sample investigation topics that you can consult with Microsoft Threat Experts - Experts on Demand
|
||||
|
||||
**Alert information**
|
||||
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
|
||||
|
||||
@ -114,7 +114,7 @@ The following downloadable spreadsheet lists the services and their associated U
|
||||
|
||||
|**Spreadsheet of domains list**|**Description**|
|
||||
|:-----|:-----|
|
||||
|<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
|
||||
|<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx)
|
||||
|
||||
|
||||
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
|
||||
@ -157,7 +157,7 @@ Please see the following guidance to eliminate the wildcard (*) requirement for
|
||||
|
||||
3. Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace.
|
||||
|
||||
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)).
|
||||
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/a/5/8a51eee5-cd02-431c-9d78-a58b7f77c070/mde-urls.xlsx)).
|
||||
|
||||
|
||||
|
||||
|
||||
@ -31,9 +31,6 @@ ms.technology: mde
|
||||
- Windows Server (SAC) version 1803 and later
|
||||
- Windows Server 2019 and later
|
||||
- Windows Server 2019 core edition
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
|
||||
|
||||
|
||||
Binary file not shown.
@ -22,7 +22,6 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
@ -50,7 +49,7 @@ Enable security information and event management (SIEM) integration so you can p
|
||||
## Enabling SIEM integration
|
||||
1. In the navigation pane, select **Settings** > **SIEM**.
|
||||
|
||||
|
||||
|
||||
|
||||
>[!TIP]
|
||||
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
|
||||
@ -61,7 +60,7 @@ Enable security information and event management (SIEM) integration so you can p
|
||||
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
3. Choose the SIEM type you use in your organization.
|
||||
|
||||
|
||||
@ -23,6 +23,11 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
|
||||
|
||||
|
||||
@ -21,8 +21,10 @@ ms.technology: mde
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows:
|
||||
|
||||
|
||||
@ -19,10 +19,12 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
[Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients.
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: See how exploit protection works in a demo
|
||||
description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps.
|
||||
title: See how Exploit protection works in a demo
|
||||
description: See how Exploit Protection can prevent suspicious behaviors from occurring on specific apps.
|
||||
keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
@ -21,36 +21,38 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
[Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.)
|
||||
|
||||
This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur.
|
||||
In audit, you can see how mitigation works for certain apps in a test environment. This shows what *would* have happened if you enabled exploit protection in your production environment. This way, you can verify that exploit protection doesn't adversely affect your line-of-business apps, and see which suspicious or malicious events occur.
|
||||
|
||||
> [!TIP]
|
||||
> You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works.
|
||||
|
||||
## Enable exploit protection in audit mode
|
||||
## Enable exploit protection for testing
|
||||
|
||||
You can set mitigation in audit mode for specific programs either by using the Windows Security app or Windows PowerShell.
|
||||
You can set mitigations in a testing mode for specific programs by using the Windows Security app or Windows PowerShell.
|
||||
|
||||
### Windows Security app
|
||||
|
||||
1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
1. Open the Windows Security app. Select the shield icon in the task bar or search the start menu for **Defender**.
|
||||
|
||||
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**.
|
||||
|
||||
3. Go to **Program settings** and choose the app you want to apply protection to:
|
||||
|
||||
1. If the app you want to configure is already listed, select it and then select **Edit**
|
||||
2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.
|
||||
2. If the app is not listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app.
|
||||
- Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
|
||||
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
|
||||
|
||||
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
|
||||
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You'll be notified if you need to restart the process, app, or Windows.
|
||||
|
||||
5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration.
|
||||
|
||||
@ -65,7 +67,7 @@ Set-ProcessMitigation -<scope> <app executable> -<action> <mitigation or options
|
||||
```
|
||||
|
||||
Where:
|
||||
|
||||
```
|
||||
* \<Scope>:
|
||||
* `-Name` to indicate the mitigations should be applied to a specific app. Specify the app's executable after this flag.
|
||||
* \<Action>:
|
||||
@ -73,10 +75,10 @@ Where:
|
||||
* `-Disable` to disable the mitigation
|
||||
* \<Mitigation>:
|
||||
* The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
|
||||
|
||||
```
|
||||
|Mitigation | Audit mode cmdlet |
|
||||
|---|---|
|
||||
|Arbitrary code guard (ACG) | `AuditDynamicCode` |
|
||||
|Arbitrary Code Guard (ACG) | `AuditDynamicCode` |
|
||||
|Block low integrity images | `AuditImageLoad`
|
||||
|Block untrusted fonts | `AuditFont`, `FontAuditOnly` |
|
||||
|Code integrity guard | `AuditMicrosoftSigned`, `AuditStoreSigned` |
|
||||
@ -89,20 +91,20 @@ For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named
|
||||
Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
|
||||
```
|
||||
|
||||
You can disable audit mode by replacing `-Enable` with `-Disable`.
|
||||
You can disable **audit mode** by replacing `-Enable` with `-Disable`.
|
||||
|
||||
## Review exploit protection audit events
|
||||
|
||||
To review which apps would have been blocked, open Event Viewer and filter for the following events in the Security-Mitigations log.
|
||||
|
||||
|Feature | Provider/source | Event ID | Description |
|
||||
| Feature | Provider/source | Event ID | Description |
|
||||
|---|---|--|---|
|
||||
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
|
||||
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
|
||||
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
|
||||
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
|
||||
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
|
||||
|Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
|
||||
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit |
|
||||
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit |
|
||||
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit |
|
||||
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit |
|
||||
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit |
|
||||
| Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit |
|
||||
|
||||
## See also
|
||||
|
||||
|
||||
@ -19,10 +19,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
[Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
|
||||
|
||||
|
||||
@ -25,6 +25,10 @@ ms.technology: mde
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
|
||||
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
|
||||
|
||||
@ -246,10 +250,10 @@ You can conveniently run any available simulation right from the catalog.
|
||||
Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run.
|
||||
|
||||
**Examples:**
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Evaluation report
|
||||
|
||||
@ -26,10 +26,11 @@ ms.technology: mde
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Event Viewer
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices.
|
||||
|
||||
|
||||
@ -19,10 +19,11 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
|
||||
|
||||
|
||||
@ -24,8 +24,10 @@ ms.technology: mde
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Exploit protection provides advanced protections for applications that the IT Pro can apply after the developer has compiled and distributed the software.
|
||||
|
||||
|
||||
@ -24,8 +24,10 @@ ms.technology: mde
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803.
|
||||
|
||||
|
||||
@ -23,9 +23,10 @@ ms.technology: mde
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Create an Application to access Microsoft Defender for Endpoint without a user
|
||||
title: Create an Application to access Microsoft Defender for Endpoint without a user
|
||||
ms.reviewer:
|
||||
description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user.
|
||||
keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query
|
||||
@ -25,7 +25,7 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
|
||||
@ -25,12 +25,13 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
|
||||
|
||||
Full scenario using multiple APIs from Microsoft Defender for Endpoint.
|
||||
|
||||
|
||||
@ -22,8 +22,8 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
@ -31,17 +31,18 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
|
||||
|
||||
Not all properties are filterable.
|
||||
|
||||
## Properties that supports $filter:
|
||||
|
||||
## Properties that support $filter:
|
||||
```
|
||||
- [Alert](alerts.md): ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category```.
|
||||
- [Machine](machine.md): ```ComputerDnsName```, ```LastSeen```, ```HealthStatus```, ```OsPlatform```, ```RiskScore``` and ```RbacGroupId```.
|
||||
- [MachineAction](machineaction.md): ```Status```, ```MachineId```, ```Type```, ```Requestor``` and ```CreationDateTimeUtc```.
|
||||
- [Indicator](ti-indicator.md): ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```severity ``` and ```action ```.
|
||||
|
||||
```
|
||||
### Example 1
|
||||
|
||||
Get 10 latest Alerts with related Evidence:
|
||||
|
||||
@ -25,7 +25,6 @@ ms.technology: mde
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
## Overview
|
||||
|
||||
@ -22,14 +22,11 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>This action is taken by the MSSP.
|
||||
|
||||
|
||||
@ -24,7 +24,7 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
|
||||
@ -23,8 +23,9 @@ ms.technology: mde
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
|
||||
|
||||
|
||||
@ -24,7 +24,7 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
|
||||
@ -19,10 +19,8 @@ ms.technology: mde
|
||||
|
||||
# Get alert related domain information API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get machine by ID API
|
||||
description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, devices, entity, id
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,25 +12,25 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get machine by ID API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
|
||||
## API description
|
||||
Retrieves specific [Machine](machine.md) by its device ID or computer name.
|
||||
|
||||
@ -41,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name.
|
||||
|
||||
|
||||
## Permissions
|
||||
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
|
||||
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
|
||||
|
||||
Permission type | Permission | Permission display name
|
||||
:---|:---|:---
|
||||
@ -91,39 +91,29 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
|
||||
Here is an example of the response.
|
||||
|
||||
|
||||
```json
|
||||
```http
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: application/json
|
||||
{
|
||||
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",
|
||||
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
|
||||
"computerDnsName": "mymachine1.contoso.com",
|
||||
"firstSeen": "2018-08-02T14:55:03.7791856Z",
|
||||
"lastSeen": "2021-01-25T07:27:36.052313Z",
|
||||
"lastSeen": "2018-08-02T14:55:03.7791856Z",
|
||||
"osPlatform": "Windows10",
|
||||
"version": "1709",
|
||||
"osProcessor": "x64",
|
||||
"version": "1901",
|
||||
"lastIpAddress": "10.166.113.46",
|
||||
"lastExternalIpAddress": "167.220.203.175",
|
||||
"osBuild": 19042,
|
||||
"lastIpAddress": "172.17.230.209",
|
||||
"lastExternalIpAddress": "167.220.196.71",
|
||||
"osBuild": 18209,
|
||||
"healthStatus": "Active",
|
||||
"deviceValue": "Normal",
|
||||
"rbacGroupId": 140,
|
||||
"rbacGroupName": "The-A-Team",
|
||||
"riskScore": "Low",
|
||||
"exposureLevel": "Low",
|
||||
"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
|
||||
"machineTags": [
|
||||
"Tag1",
|
||||
"Tag2"
|
||||
],
|
||||
"ipAddresses": [
|
||||
{
|
||||
"ipAddress": "10.166.113.47",
|
||||
"macAddress": "8CEC4B897E73",
|
||||
"operationalStatus": "Up"
|
||||
},
|
||||
{
|
||||
"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
|
||||
"macAddress": "8CEC4B897E73",
|
||||
"operationalStatus": "Up"
|
||||
}
|
||||
]
|
||||
"exposureLevel": "Medium",
|
||||
"isAadJoined": true,
|
||||
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
|
||||
"machineTags": [ "test tag 1", "test tag 2" ]
|
||||
}
|
||||
|
||||
```
|
||||
|
||||
@ -1,104 +1,103 @@
|
||||
---
|
||||
title: List exposure score by device group
|
||||
description: Retrieves a list of exposure scores by device group.
|
||||
keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: levinec
|
||||
ms.author: ellevin
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List exposure score by device group
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieves a collection of alerts related to a given domain address.
|
||||
|
||||
## Permissions
|
||||
|
||||
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
|
||||
|
||||
Permission type | Permission | Permission display name
|
||||
:---|:---|:---
|
||||
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
|
||||
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
|
||||
|
||||
## HTTP request
|
||||
|
||||
```
|
||||
GET /api/exposureScore/ByMachineGroups
|
||||
```
|
||||
|
||||
## Request headers
|
||||
|
||||
| Name | Type | Description
|
||||
|:--------------|:-------|:--------------|
|
||||
| Authorization | String | Bearer {token}.**Required**.
|
||||
|
||||
## Request body
|
||||
|
||||
Empty
|
||||
|
||||
## Response
|
||||
|
||||
If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
|
||||
|
||||
## Example
|
||||
|
||||
### Request
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups
|
||||
```
|
||||
|
||||
### Response
|
||||
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore",
|
||||
"value": [
|
||||
{
|
||||
"time": "2019-12-03T09:51:28.214338Z",
|
||||
"score": 41.38041766305988,
|
||||
"rbacGroupName": "GroupOne"
|
||||
},
|
||||
{
|
||||
"time": "2019-12-03T09:51:28.2143399Z",
|
||||
"score": 37.403726933165366,
|
||||
"rbacGroupName": "GroupTwo"
|
||||
}
|
||||
...
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
|
||||
- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
|
||||
---
|
||||
title: List exposure score by device group
|
||||
description: Retrieves a list of exposure scores by device group.
|
||||
keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: levinec
|
||||
ms.author: ellevin
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# List exposure score by device group
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieves a collection of alerts related to a given domain address.
|
||||
|
||||
## Permissions
|
||||
|
||||
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
|
||||
|
||||
Permission type | Permission | Permission display name
|
||||
:---|:---|:---
|
||||
Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
|
||||
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
|
||||
|
||||
## HTTP request
|
||||
|
||||
```
|
||||
GET /api/exposureScore/ByMachineGroups
|
||||
```
|
||||
|
||||
## Request headers
|
||||
|
||||
| Name | Type | Description
|
||||
|:--------------|:-------|:--------------|
|
||||
| Authorization | String | Bearer {token}.**Required**.
|
||||
|
||||
## Request body
|
||||
|
||||
Empty
|
||||
|
||||
## Response
|
||||
|
||||
If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
|
||||
|
||||
## Example
|
||||
|
||||
### Request
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups
|
||||
```
|
||||
|
||||
### Response
|
||||
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore",
|
||||
"value": [
|
||||
{
|
||||
"time": "2019-12-03T09:51:28.214338Z",
|
||||
"score": 41.38041766305988,
|
||||
"rbacGroupName": "GroupOne"
|
||||
},
|
||||
{
|
||||
"time": "2019-12-03T09:51:28.2143399Z",
|
||||
"score": 37.403726933165366,
|
||||
"rbacGroupName": "GroupTwo"
|
||||
}
|
||||
...
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
|
||||
- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get machine logon users API
|
||||
description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, device, log on, users
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get machine logon users API
|
||||
@ -24,7 +23,7 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
@ -87,7 +86,9 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
|
||||
Here is an example of the response.
|
||||
|
||||
|
||||
```json
|
||||
```http
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
|
||||
"value": [
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get machine related alerts API
|
||||
description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, get, devices, related, alerts
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get machine related alerts API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,7 +28,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
## API description
|
||||
Retrieves all [Alerts](alerts.md) related to a specific device.
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get MachineAction object API
|
||||
description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, machineaction object
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get machineAction API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -77,7 +75,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action]
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
|
||||
```
|
||||
|
||||
@ -86,7 +84,9 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42
|
||||
Here is an example of the response.
|
||||
|
||||
|
||||
```json
|
||||
```
|
||||
HTTP/1.1 200 Ok
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
|
||||
"id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
|
||||
|
||||
@ -3,7 +3,7 @@ title: List machineActions API
|
||||
description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, graph api, supported apis, machineaction collection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List MachineActions API
|
||||
@ -30,7 +29,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
## API description
|
||||
Retrieves a collection of [Machine Actions](machineaction.md).
|
||||
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
|
||||
@ -82,7 +80,7 @@ If successful, this method returns 200, Ok response code with a collection of [m
|
||||
|
||||
Here is an example of the request on an organization that has three MachineActions.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/machineactions
|
||||
```
|
||||
|
||||
@ -91,7 +89,9 @@ GET https://api.securitycenter.microsoft.com/api/machineactions
|
||||
Here is an example of the response.
|
||||
|
||||
|
||||
```json
|
||||
```
|
||||
HTTP/1.1 200 Ok
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
|
||||
"value": [
|
||||
|
||||
@ -3,7 +3,7 @@ title: List devices by software
|
||||
description: Retrieve a list of devices that has this software installed.
|
||||
keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List devices by software
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,7 +28,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieve a list of device references that has this software installed.
|
||||
@ -67,7 +64,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences
|
||||
```
|
||||
|
||||
@ -76,6 +73,7 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
|
||||
"value": [
|
||||
|
||||
@ -3,7 +3,7 @@ title: List devices by vulnerability
|
||||
description: Retrieves a list of devices affected by a vulnerability.
|
||||
keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List devices by vulnerability
|
||||
@ -23,13 +22,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieves a list of devices affected by a vulnerability.
|
||||
@ -67,7 +65,7 @@ If successful, this method returns 200 OK with the vulnerability information in
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences
|
||||
```
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ title: List machines API
|
||||
description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud.
|
||||
keywords: apis, graph api, supported apis, get, devices
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List machines API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,15 +28,11 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
## API description
|
||||
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
|
||||
|
||||
Supports [OData V4 queries](https://www.odata.org/documentation/).
|
||||
|
||||
The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
|
||||
|
||||
See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md).
|
||||
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
|
||||
<br>The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
|
||||
<br>See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
|
||||
|
||||
|
||||
## Limitations
|
||||
@ -58,8 +52,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
|
||||
|
||||
>[!Note]
|
||||
> When obtaining a token using user credentials:
|
||||
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information).
|
||||
>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md).
|
||||
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
|
||||
>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
|
||||
|
||||
## HTTP request
|
||||
|
||||
@ -95,44 +89,32 @@ GET https://api.securitycenter.microsoft.com/api/machines
|
||||
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
```http
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
|
||||
"value": [
|
||||
{
|
||||
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
|
||||
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
|
||||
"computerDnsName": "mymachine1.contoso.com",
|
||||
"firstSeen": "2018-08-02T14:55:03.7791856Z",
|
||||
"lastSeen": "2021-01-25T07:27:36.052313Z",
|
||||
"lastSeen": "2018-08-02T14:55:03.7791856Z",
|
||||
"osPlatform": "Windows10",
|
||||
"version": "1709",
|
||||
"osProcessor": "x64",
|
||||
"version": "1901",
|
||||
"lastIpAddress": "10.166.113.46",
|
||||
"lastExternalIpAddress": "167.220.203.175",
|
||||
"osBuild": 19042,
|
||||
"lastIpAddress": "172.17.230.209",
|
||||
"lastExternalIpAddress": "167.220.196.71",
|
||||
"osBuild": 18209,
|
||||
"healthStatus": "Active",
|
||||
"deviceValue": "Normal",
|
||||
"rbacGroupId": 140,
|
||||
"rbacGroupName": "The-A-Team",
|
||||
"riskScore": "Low",
|
||||
"exposureLevel": "Low",
|
||||
"aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
|
||||
"machineTags": [
|
||||
"Tag1",
|
||||
"Tag2"
|
||||
],
|
||||
"ipAddresses": [
|
||||
{
|
||||
"ipAddress": "10.166.113.47",
|
||||
"macAddress": "8CEC4B897E73",
|
||||
"operationalStatus": "Up"
|
||||
},
|
||||
{
|
||||
"ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
|
||||
"macAddress": "8CEC4B897E73",
|
||||
"operationalStatus": "Up"
|
||||
}
|
||||
]
|
||||
},
|
||||
"exposureLevel": "Medium",
|
||||
"isAadJoined": true,
|
||||
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
|
||||
"machineTags": [ "test tag 1", "test tag 2" ]
|
||||
}
|
||||
...
|
||||
]
|
||||
}
|
||||
|
||||
@ -4,7 +4,7 @@ description: Retrieve a collection of device security states using Microsoft Def
|
||||
keywords: apis, graph api, supported apis, get, device, security, state
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -13,9 +13,8 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Get Machines security states collection API
|
||||
@ -60,8 +59,9 @@ If successful - 200 OK.
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
|
||||
Content-type: application/json
|
||||
```
|
||||
|
||||
**Response**
|
||||
@ -69,7 +69,9 @@ GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
|
||||
Here is an example of the response.
|
||||
Field *id* contains device id and equal to the field *id** in devices info.
|
||||
|
||||
```json
|
||||
```
|
||||
HTTP/1.1 200 OK
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
|
||||
"@odata.count":444,
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get missing KBs by device ID
|
||||
description: Retrieves missing security updates by device ID
|
||||
keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: levinec
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get missing KBs by device ID
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,11 +28,7 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
## API description
|
||||
Retrieves missing KBs (security updates) by device ID.
|
||||
|
||||
## Limitations
|
||||
1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
|
||||
Retrieves missing KBs (security updates) by device ID
|
||||
|
||||
## HTTP request
|
||||
|
||||
@ -62,7 +56,7 @@ If successful, this method returns 200 OK, with the specified device missing kb
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
|
||||
```
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get missing KBs by software ID
|
||||
description: Retrieves missing security updates by software ID
|
||||
keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: levinec
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get missing KBs by software ID
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,7 +28,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
Retrieves missing KBs (security updates) by software ID
|
||||
|
||||
## Permissions
|
||||
@ -68,7 +65,7 @@ If successful, this method returns 200 OK, with the specified software missing k
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs
|
||||
```
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get package SAS URI API
|
||||
description: Use this API to get a URI that allows downloading an investigation package.
|
||||
keywords: apis, graph api, supported apis, get package, sas, uri
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get package SAS URI API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,7 +28,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
## API description
|
||||
Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md).
|
||||
|
||||
@ -73,15 +70,19 @@ If successful, this method returns 200, Ok response code with object that holds
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
|
||||
|
||||
```
|
||||
|
||||
**Response**
|
||||
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
```
|
||||
HTTP/1.1 200 Ok
|
||||
Content-type: application/json
|
||||
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
|
||||
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
---
|
||||
title: Get recommendation by Id
|
||||
description: Retrieves a security recommendation by its ID.
|
||||
keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
|
||||
keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get recommendation by ID
|
||||
@ -67,7 +66,7 @@ If successful, this method returns 200 OK with the security recommendations in t
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome
|
||||
```
|
||||
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
---
|
||||
title: List devices by recommendation
|
||||
description: Retrieves a list of devices associated with the security recommendation.
|
||||
keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
|
||||
description: Retrieves a list of devices associated with the security recommendation.
|
||||
keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List devices by recommendation
|
||||
@ -23,13 +22,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieves a list of devices associated with the security recommendation.
|
||||
@ -67,7 +65,7 @@ If successful, this method returns 200 OK with the list of devices associated wi
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences
|
||||
```
|
||||
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
---
|
||||
title: Get recommendation by software
|
||||
description: Retrieves a security recommendation related to a specific software.
|
||||
keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
|
||||
keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get recommendation by software
|
||||
@ -23,7 +22,7 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
@ -67,7 +66,7 @@ If successful, this method returns 200 OK with the software associated with the
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software
|
||||
```
|
||||
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
---
|
||||
title: List vulnerabilities by recommendation
|
||||
description: Retrieves a list of vulnerabilities associated with the security recommendation.
|
||||
keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
|
||||
keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List vulnerabilities by recommendation
|
||||
@ -23,13 +22,12 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieves a list of vulnerabilities associated with the security recommendation.
|
||||
@ -67,7 +65,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
|
||||
```
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ title: Get security recommendations
|
||||
description: Retrieves a collection of security recommendations related to a given device ID.
|
||||
keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,9 +12,8 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get security recommendations
|
||||
@ -23,7 +22,7 @@ ms.technology: mde
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
|
||||
|
||||
@ -31,12 +30,8 @@ ms.technology: mde
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
## API description
|
||||
Retrieves a collection of security recommendations related to a given device ID.
|
||||
|
||||
## Limitations
|
||||
1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
|
||||
|
||||
## Permissions
|
||||
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
|
||||
|
||||
@ -70,7 +65,7 @@ If successful, this method returns 200 OK with the security recommendations in t
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
|
||||
```
|
||||
|
||||
@ -79,7 +74,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4
|
||||
Here is an example of the response.
|
||||
|
||||
|
||||
```json
|
||||
```
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
|
||||
"value": [
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
---
|
||||
title: Get software by Id
|
||||
description: Retrieves a list of sofware by ID.
|
||||
description: Retrieves a list of exposure scores by device group.
|
||||
keywords: apis, graph api, supported apis, get, software, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# Get software by Id
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,7 +28,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieves software details by ID.
|
||||
@ -67,7 +64,7 @@ If successful, this method returns 200 OK with the specified software data in th
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
|
||||
```
|
||||
|
||||
@ -76,6 +73,7 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",
|
||||
"id": "microsoft-_-edge",
|
||||
|
||||
@ -1,9 +1,9 @@
|
||||
---
|
||||
title: List software version distribution
|
||||
description: Retrieves a list of your organization's software version distribution
|
||||
title: List software version distribution
|
||||
description: Retrieves a list of your organization's software version distribution
|
||||
keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List software version distribution
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,7 +28,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
[!include[Prerelease information](../../includes/prerelease.md)]
|
||||
|
||||
Retrieves a list of your organization's software version distribution.
|
||||
@ -67,7 +64,7 @@ If successful, this method returns 200 OK with a list of software distributions
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions
|
||||
```
|
||||
|
||||
@ -76,6 +73,7 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions",
|
||||
"value": [
|
||||
|
||||
@ -3,7 +3,7 @@ title: List software
|
||||
description: Retrieves a list of software inventory
|
||||
keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: DulceMontemayor
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List software inventory API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -30,7 +28,6 @@ ms.technology: mde
|
||||
|
||||
[!include[Improve request performance](../../includes/improve-request-performance.md)]
|
||||
|
||||
|
||||
Retrieves the organization software inventory.
|
||||
|
||||
## Permissions
|
||||
@ -66,7 +63,7 @@ If successful, this method returns 200 OK with the software inventory in the bod
|
||||
|
||||
Here is an example of the request.
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/Software
|
||||
```
|
||||
|
||||
|
||||
@ -5,7 +5,7 @@ description: Learn the steps and requirements to integrate your solution with Mi
|
||||
keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
search.appverid: met150
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -14,18 +14,19 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.technology: mde
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
---
|
||||
|
||||
# Become a Microsoft Defender for Endpoint partner
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
**Applies to:**
|
||||
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
|
||||
|
||||
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
|
||||
To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps.
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ title: List Indicators API
|
||||
description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
|
||||
keywords: apis, public api, supported apis, Indicators collection
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: m365-security
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
@ -12,16 +12,14 @@ author: mjcaparas
|
||||
ms.localizationpriority: medium
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.technology: mde
|
||||
---
|
||||
|
||||
# List Indicators API
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
|
||||
|
||||
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
|
||||
@ -78,7 +76,7 @@ If successful, this method returns 200, Ok response code with a collection of [I
|
||||
|
||||
Here is an example of a request that gets all Indicators
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/indicators
|
||||
```
|
||||
|
||||
@ -86,7 +84,9 @@ GET https://api.securitycenter.microsoft.com/api/indicators
|
||||
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
```
|
||||
HTTP/1.1 200 Ok
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
|
||||
"value": [
|
||||
@ -139,7 +139,7 @@ Here is an example of the response.
|
||||
|
||||
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
|
||||
|
||||
```http
|
||||
```
|
||||
GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock'
|
||||
```
|
||||
|
||||
@ -147,7 +147,9 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A
|
||||
|
||||
Here is an example of the response.
|
||||
|
||||
```json
|
||||
```
|
||||
HTTP/1.1 200 Ok
|
||||
Content-type: application/json
|
||||
{
|
||||
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
|
||||
"value": [
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
x
Reference in New Issue
Block a user