update images and text

This commit is contained in:
Joey Caparas
2018-09-24 16:08:47 -07:00
parent 8e14ee5802
commit 60df1934fc
48 changed files with 161 additions and 183 deletions


@ -14,6 +14,8 @@ ms.date: 12/08/2017
---
# Alert resource type
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
@ -22,36 +24,36 @@ Represents an alert entity in WDATP.
# Methods
Method|Return Type |Description
:---|:---|:---
[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md)
[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection|List Urls associated with the alert.
[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated witht the alert.
[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert.
[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert.
[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
# Properties
Property | Type | Description
:---|:---|:---
id | String | alert id.
severity | String | severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
id | String | Alert ID
severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
description | String | Description of the threat, identified by the alert.
recommendedAction | String | Action recommended for handling the suspected threat.
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
title | string | Alert title.
threatFamilyName | string | Threat family.
detectionSource | string | detection source
title | string | Alert title
threatFamilyName | string | Threat family
detectionSource | string | Detection source
assignedTo | String | Owner of the alert
classification | String | Speficies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
machineId | String | id of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
# JSON representation
```
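Review bot: the new classification row still carries the wrong noun: 'Specification of the alert' should read 'Classification of the alert', since the allowed values 'Unknown', 'FalsePositive' and 'TruePositive' are classifications, not specifications. Two unchanged rows in this hunk keep the typo 'occurance' (lastEventTime, firstEventTime) and should say 'occurrence'. The Type column also mixes 'String' and 'string' (title, threatFamilyName, detectionSource), and the Description column mixes rows with and without a terminal period ('Alert ID' vs 'Severity of the alert.'); pick one convention while these rows are being touched.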


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Collect investigation package API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Collect investigation package from a machine.


@ -14,14 +14,14 @@ ms.date: 12/08/2017
---
# Create alert from event API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity.
## Permissions
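Review bot: the description in the trailing context, 'Enables using event data, as obtained from the Advanced Hunting for creating a new alert entity.', reads awkwardly and is left untouched although the hunk already reorders the heading block around it; suggest 'Creates a new alert entity from event data obtained from Advanced Hunting.'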


@ -25,7 +25,7 @@ ms.date: 09/03/2018
[!include[Prerelease information](prerelease.md)]
These pages describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user.
If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md).
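Review bot: the rewritten sentence introduces a subject-verb error: 'This page describe how' should be 'This page describes how'. The following unchanged line is also missing a preposition: 'programmatical access Windows Defender ATP without a user' should read 'programmatic access to Windows Defender ATP without a user' (the companion page for access without a user has the same omission in this commit).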


@ -23,9 +23,9 @@ ms.date: 09/03/2018
[!include[Prerelease information](prerelease.md)]
This pages describes how to create an application to get programmatical access to Windows Defender ATP without a user.
This page describes how to create an application to get programmatical access to Windows Defender ATP without a user.
If you need programmatical access Windows Defender ATP on behalf of a user, please refer to [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)
If you are not sure which access you need, see [Use Windows Defender ATP APIs](exposed-apis-intro.md).
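Review bot: the 'see' rewrite fixes one word but leaves two problems on the same line: 'programmatical access Windows Defender ATP on behalf of a user' is missing 'to' (and 'programmatical' should be 'programmatic'), and the sentence has no terminal period while the next line does.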
@ -102,9 +102,9 @@ This page explains how to create an app, get an access token to Windows Defender
11. Set your application to be multi-tenanted
This is **required** for 3rd party apps (i.e., if you create an application that is intended to run in multiple customers tenant).
This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant).
This is **not required** if you create a service that you want to run in your tenant only (i.e., if you create an application for your own usage that will only interact with your own data)
This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)
Click **Properties** > **Yes** > **Save**.
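Review bot: replacing 'i.e.,' with 'for example,' changes the meaning in both rewritten lines: the parenthetical defines what a third-party or single-tenant app is rather than giving an example of one, so 'that is,' is the correct substitute. 'multiple customers tenant' should also be 'multiple customers' tenants', and the '**not required**' sentence still lacks a terminal period.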


@ -10,10 +10,15 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 30/07/2018
ms.date: 09/24/2018
---
# Windows Defender ATP APIs using PowerShell
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Full scenario using multiple APIs from Windows Defender ATP.


@ -16,11 +16,6 @@ ms.date: 30/07/2018
# Supported Windows Defender ATP query APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
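Review bot: the hunk header context shows ms.date: 30/07/2018 in this file, which this commit changes to 09/24/2018 in the 'Windows Defender ATP APIs using PowerShell' and 'Schedule Advanced Hunting using Microsoft Flow' pages but not here; 30/07/2018 is day-first and inconsistent with the month-first dates on the other pages (12/08/2017, 09/03/2018). Also worth confirming that dropping the four Windows 10 SKU bullets is intended, since every other page in this commit lists only Windows Defender ATP.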


@ -14,13 +14,10 @@ ms.date: 12/08/2017
---
# Get alert information by ID API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves an alert by its ID.


@ -14,13 +14,10 @@ ms.date: 12/08/2017
---
# Get alert related domain information API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves all domains related to a specific alert.


@ -14,13 +14,10 @@ ms.date: 12/08/2017
---
# Get alert related files information API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves all files related to a specific alert.


@ -14,13 +14,10 @@ ms.date: 12/08/2017
---
# Get alert related IP information API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves all IPs related to a specific alert.


@ -14,14 +14,10 @@ ms.date: 12/08/2017
---
# Get alert related machine information API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves machine that is related to a specific alert.
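Review bot: the description 'Retrieves machine that is related to a specific alert.' is missing its article; suggest 'Retrieves the machine that is related to a specific alert.'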


@ -14,13 +14,10 @@ ms.date: 12/08/2017
---
# Get alert related user information API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves the user associated to a specific alert.
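Review bot: 'Retrieves the user associated to a specific alert.' should read 'associated with', matching the 'associated with the alert' wording used in the Alert resource type table in this same commit.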


@ -14,14 +14,12 @@ ms.date: 12/08/2017
---
# List alerts API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves top recent alerts.


@ -14,12 +14,13 @@ ms.date: 12/08/2017
---
# Get domain related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)


@ -14,14 +14,10 @@ ms.date: 12/08/2017
---
# Get domain related machines API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of machines that have communicated to or from a given domain address.


@ -14,14 +14,11 @@ ms.date: 12/08/2017
---
# Get domain statistics API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves the prevalence for the given domain.


@ -14,13 +14,13 @@ ms.date: 12/08/2017
---
# Get file information API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]


@ -14,14 +14,16 @@ ms.date: 12/08/2017
---
# Get file related alerts API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of alerts related to a given file hash.


@ -14,14 +14,11 @@ ms.date: 12/08/2017
---
# Get file related machines API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of machines related to a given file hash.


@ -14,13 +14,14 @@ ms.date: 12/08/2017
---
# Get file statistics API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves the prevalence for the given file.


@ -14,14 +14,11 @@ ms.date: 12/08/2017
---
# Get IP related alerts API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of alerts related to a given IP address.


@ -14,11 +14,11 @@ ms.date: 12/08/2017
---
# Get IP related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that communicated with or from a particular IP.
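Review bot: 'machines that communicated with or from a particular IP' mixes two constructions; the 'Get domain related machines API' page in this commit uses 'communicated to or from a given domain address', so suggest 'machines that communicated to or from a particular IP address' for consistency.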


@ -14,13 +14,14 @@ ms.date: 12/08/2017
---
# Get IP statistics API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves the prevalence for the given IP.
## Permissions


@ -14,13 +14,13 @@ ms.date: 12/08/2017
---
# Get machine by ID API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a machine entity by ID.
## Permissions


@ -14,13 +14,15 @@ ms.date: 12/08/2017
---
# Get machine log on users API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of logged on users.
## Permissions
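Review bot: the heading 'Get machine log on users API' and the description 'Retrieves a collection of logged on users.' use two different forms for the same concept; pick one ('logon users' or 'logged-on users') and use it in both places.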


@ -14,12 +14,12 @@ ms.date: 12/08/2017
---
# Get machine related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given machine ID.


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Get machineAction API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Get action performed on a machine.
## Permissions


@ -14,13 +14,15 @@ ms.date: 12/08/2017
---
# List machines API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
## Permissions
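Review bot: 'communicated with WDATP cloud on the last 30 days' should read 'communicated with the Windows Defender ATP cloud in the last 30 days': 'on the last 30 days' is the wrong preposition, and this commit replaces the 'WDATP' abbreviation with 'Windows Defender ATP' in the Advanced hunting API troubleshooting text, so the same should happen here.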


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Get package SAS URI API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md).
## Permissions


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Get user related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of alerts related to a given user ID.
## Permissions


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Get user related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines related to a given user ID.
## Permissions

Binary file not shown.

Before: 54 KiB
After: 59 KiB


@ -14,13 +14,12 @@ ms.date: 04/24/2018
---
# Was domain seen in org
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Answers whether a domain was seen in the organization.
## Permissions


@ -14,13 +14,13 @@ ms.date: 12/08/2017
---
# Was IP seen in org
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Answers whether an IP was seen in the organization.
## Permissions


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Isolate machine API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Isolates a machine from accessing external network.
## Permissions


@ -15,6 +15,11 @@ ms.date: 12/08/2017
# MachineAction resource type
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Method|Return Type |Description
:---|:---|:---
[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities.


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Offboard machine API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Offboard machine from WDATP.
## Permissions
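Review bot: 'Offboard machine from WDATP.' keeps the 'WDATP' abbreviation that this commit spells out as 'Windows Defender ATP' elsewhere and lacks an article; suggest 'Offboards a machine from Windows Defender ATP.'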


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Restrict app execution API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information)
## Permissions
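Review bot: the description sentence has no terminal period, and the link text 'Response machine alerts' does not read as a page title; check it against the title of the target page (respond-machine-alerts-windows-defender-advanced-threat-protection.md) and end the sentence with a period.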


@ -14,21 +14,22 @@ ms.date: 09/03/2018
---
# Advanced hunting API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
This API allows you to run programatically queries that you are used to run from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting)
This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting).
## Limitations
This API is a beta version only and is currently restricted
This API is a beta version only and is currently restricted to the following actions:
1. You can only run a query on data from the last 30 days
2. The results will include a maximum of 10,000 rows
3. The number of executions is limited (up to 15 minutes every hour and 4 hours a day)
3. The number of executions is limited (up to 15 minutes every hour and 4 hours a day)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
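Review bot: the limitations list is now introduced with a colon, but items 1 and 2 ('You can only run a query on data from the last 30 days', 'The results will include a maximum of 10,000 rows') have no terminal punctuation while the surrounding prose does; add periods. The change to item 3 appears to be whitespace-only, since both versions read identically; if it is a trailing-space fix, fine, otherwise it looks accidental.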
@ -123,12 +124,12 @@ Content-Type: application/json
```
## Troubleshooting:
## Troubleshoot issues
- Error: (403) Forbidden
If you get this error when calling WDATP API, your token probably does not include the necessary permission.
If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission.
Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token.
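Review bot: the rewritten line 'If you get this error when calling Windows Defender ATP API' is missing the article; suggest 'when calling the Windows Defender ATP API'. Spelling out 'WDATP' here is the right call and should be applied to the other pages in this commit that still say 'WDATP'.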


@ -10,30 +10,31 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 30/07/2018
ms.date: 09/24/2018
---
# Schedule Advanced Hunting using Microsoft Flow
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Schedule advanced query.
>**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).
## Before you begin
You first need to [create an app](exposed-apis-intro.md).
## Use case
If you need to schedule an advanced query and use the results for follow up actions and processing, you can use [Microsoft Flow](https://flow.microsoft.com/) (or Logic Apps) for it!
If you need to schedule an advanced query and use the results for follow up actions and processing, you can use [Microsoft Flow](https://flow.microsoft.com/) (or Logic Apps) for it.
## Define a flow to run query and parse results
You will find below a very basic flow example:
Use the following basic flow as an example.
1. Define the trigger Recurrence by time
1. Define the trigger Recurrence by time.
2. Add an action Select HTTP
2. Add an action: Select HTTP.
![Image of MsFlow choose an action](images/ms-flow-choose-action.png)
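Review bot: 'Schedule advanced query.' in the context above the new 'Before you begin' heading is a sentence fragment that the hunk leaves untouched while rewriting the lines around it; suggest 'Schedule an advanced query.' or drop it, since the 'Use case' section already says the same thing. Also, 'Add an action: Select HTTP.' leaves it unclear whether 'Select' is part of the action name or a UI instruction; 'Add an action and select HTTP.' reads unambiguously.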
@ -59,9 +60,9 @@ You will find below a very basic flow example:
## Expand the flow to use the query results
The below section shows how to use the parsed results to insert them in SQL database.
The following section shows how to use the parsed results to insert them in SQL database.
This is an example only, you could perform on your results any other action supported by Microsoft Flow.
This is an example only, you can use other actions supported by Microsoft Flow.
- Add an 'Apply to each' action
- Select the Results json (which was an output of the last parse action)
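Review bot: 'insert them in SQL database' is missing an article and the right preposition: 'insert them into a SQL database'. The second rewritten line, 'you can use other actions supported by Microsoft Flow', also drops the 'on your results' qualifier from the original; 'you can apply any other action supported by Microsoft Flow to the results' keeps that meaning.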
@ -76,7 +77,7 @@ The output in the SQL DB is getting updates and can be used for correlation with
## Full flow definition
You can find below the full definition
You can see the full defintion in the following image:
![Image of E2E flow](images/ms-flow-e2e.png)
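Review bot: the rewritten line introduces a typo: 'full defintion' should be 'full definition'.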


@ -14,6 +14,11 @@ ms.date: 30/07/2018
---
# Create custom reports using Power BI (user authentication)
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
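Review bot: 'Please read about [Advanced Hunting API] before.' is left as-is here while the PowerShell and Python pages in this commit rewrite the equivalent sentence; apply the same rewording for consistency (e.g. 'See [Advanced Hunting API] first.'). The hunk header also shows ms.date: 30/07/2018 in this file, which the commit updates to 09/24/2018 in other files.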
@ -21,7 +26,8 @@ In this section we share Power BI query sample to run a query using **user token
If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial.
>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-nativeapp.md).
## Before you begin
You first need to [create an app](exposed-apis-create-app-nativeapp.md).
## Run a query
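Review bot: 'please refer to [this] tutorial' keeps the 'please refer to' phrasing that this commit replaces with 'see' elsewhere, and 'this' is non-descriptive link text; suggest 'see the [application token tutorial](run-advanced-query-sample-power-bi-app-token.md)'. The sentence also needs a comma after 'instead'.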


@ -10,18 +10,24 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 30/07/2018
ms.date: 09/24/2018
---
# Advanced Hunting using PowerShell
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run advanced queries using PowerShell. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
[!include[Prerelease information](prerelease.md)]
Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
In this section we share PowerShell samples to retrieve a token and use it to run a query.
>**Prerequisite**: You first need to [create an app](exposed-apis-intro.md).
## Before you begin
You first need to [create an app](exposed-apis-intro.md).
## Preparation Instructions
## Preparation instructions
- Open a PowerShell window.
- If your policy does not allow you to run the PowerShell commands, you can run the below command:
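Review bot: the rewritten sentence 'Run advanced queries using PowerShell, see [Advanced Hunting API].' is a comma splice; suggest 'Run advanced queries using PowerShell. See [Advanced Hunting API] first.' Also, 'you can run the below command:' in the trailing context keeps the 'the below' phrasing that this commit changes to 'the following' in the Get token and Run query sections of the same file.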
@ -29,11 +35,11 @@ In this section we share PowerShell samples to retrieve a token and use it to ru
Set-ExecutionPolicy -ExecutionPolicy Bypass
```
>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
>For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy)
## Get token
- Run the below
- Run the following:
```
$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
@ -60,7 +66,7 @@ where
## Run query
Run the below
Run the following query:
```
$query = 'RegistryEvents | limit 10' # Paste your own query here


@ -14,8 +14,12 @@ ms.date: 30/07/2018
---
# Advanced Hunting using Python
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run advanced queries using Python. Please read about [Advanced Hunting API](run-advanced-query-api.md) before.
[!include[Prerelease information](prerelease.md)]
Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
In this section we share Python samples to retrieve a token and use it to run a query.
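Review bot: same comma splice as the PowerShell page: 'Run advanced queries using Python, see [Advanced Hunting API].' should be two sentences ('Run advanced queries using Python. See [Advanced Hunting API] first.'). The hunk header also shows ms.date: 30/07/2018 not updated in this file.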
@ -23,7 +27,7 @@ In this section we share Python samples to retrieve a token and use it to run a
## Get token
- Run the below
- Run the following:
```
@ -62,7 +66,7 @@ where
## Run query
Run the below
Run the following query:
```
query = 'RegistryEvents | limit 10' # Paste your own query here


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Run antivirus scan API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Initiate Windows Defender Antivirus scan on a machine.
## Permissions


@ -14,13 +14,11 @@ ms.date: 12/08/2017
---
# Release machine from isolation API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Undo isolation of a machine.
## Permissions


@ -14,11 +14,11 @@ ms.date: 12/08/2017
---
# Remove app restriction API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Enable execution of any application on the machine.


@ -14,13 +14,12 @@ ms.date: 12/08/2017
---
# Update alert
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Update the properties of an alert entity.
## Permissions