diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index c53ee2581c..0bdc19aaac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -28,7 +28,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. +Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center. Pull detections using your SIEM solution or by connecting directly to the detections REST API. >[!NOTE] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. 
@@ -36,7 +36,14 @@ Enable security information and event management (SIEM) integration so you can p >- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites -- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. + +- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: + + - Security Administrator and either Global Administrator + - Cloud Application Administrator + - Application Administrator + - Owner of the service principal + - During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. ## Enabling SIEM integration @@ -47,7 +54,7 @@ Enable security information and event management (SIEM) integration so you can p >[!TIP] >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. -2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. +2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. > [!WARNING] >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 20194e3e9e..c93c7f464b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -56,7 +56,7 @@ This page explains how to create an AAD application, get an access token to Micr ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png) -3. In the registration from, enter the following information then click **Register**. +3. In the registration from, enter the following information then select **Register**. ![Image of Create application window](images/nativeapp-create2.png) 
@@ -65,45 +65,45 @@ This page explains how to create an AAD application, get an access token to Micr 4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission: - - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. + - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**. - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. ![Image of API access and API selection](images/add-permission.png) - - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions** + - Choose **Delegated permissions** > **Alert.Read** > select **Add permissions** ![Image of API access and API selection](images/application-permissions-public-client.png) - - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example! + - **Important note**: Select the relevant permissions. Read alerts is only an example. For instance, - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - To [isolate a device](isolate-machine.md), select 'Isolate machine' permission - - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + - To determine which permission you need, view the **Permissions** section in the API you are interested to call. - - Click **Grant consent** + - Select **Grant consent** - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. + **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect. ![Image of Grant permissions](images/grant-consent.png) 6. 
Write down your application ID and your tenant ID: - - On your application page, go to **Overview** and copy the following: + - On your application page, go to **Overview** and copy the following information: ![Image of created app id](images/app-and-tenant-ids.png) ## Get an access token -For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) +For more information on AAD token, see [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) ### Using C# - Copy/Paste the below class in your application. -- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token. +- Use **AcquireUserTokenAsync** method with your application ID, tenant ID, user name, and password to acquire a token. ```csharp namespace WindowsDefenderATP @@ -145,10 +145,10 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co ## Validate the token -Sanity check to make sure you got a correct token: +Verify to make sure you got a correct token: - Copy/paste into [JWT](https://jwt.ms) the token you got in the previous step in order to decode it - Validate you get a 'scp' claim with the desired app permissions -- In the screen shot below you can see a decoded token acquired from the app in the tutorial: +- In the screenshot below you can see a decoded token acquired from the app in the tutorial: ![Image of token validation](images/nativeapp-decoded-token.png) 
@@ -156,7 +156,7 @@ Sanity check to make sure you got a correct token: - Choose the API you want to use - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) - Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme) -- The Expiration time of the token is 1 hour (you can send more then one request with the same token) +- The Expiration time of the token is 1 hour (you can send more than one request with the same token) - Example of sending a request to get a list of alerts **using C#** diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md index 4158bfea2b..0ad991db3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md @@ -1,6 +1,6 @@ --- title: Supported Microsoft Defender Advanced Threat Protection response APIs -description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls. +description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls. keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -28,24 +28,24 @@ ms.topic: conceptual > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) -Learn about the supported response related API calls you can run and details such as the required request headers, and expected response from the calls. +Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls. ## In this section Topic | Description :---|:--- -Collect investigation package | Run this to collect an investigation package from a device. -Isolate device | Run this to isolate a device from the network. +Collect investigation package | Run this API to collect an investigation package from a device. +Isolate device | Run this API to isolate a device from the network. Unisolate device | Remove a device from isolation. -Restrict code execution | Run this to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. +Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated. Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage. 
-Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. +Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. -Get package SAS URI | Run this to get a URI that allows downloading an investigation package. -Get MachineAction object | Run this to get MachineAction object. +Get package SAS URI | Run this API to get a URI that allows downloading an investigation package. +Get MachineAction object | Run this API to get MachineAction object. Get MachineActions collection | Run this to get MachineAction collection. -Get FileActions collection | Run this to get FileActions collection. -Get FileMachineAction object | Run this to get FileMachineAction object. -Get FileMachineActions collection | Run this to get FileMachineAction collection. +Get FileActions collection | Run this API to get FileActions collection. +Get FileMachineAction object | Run this API to get FileMachineAction object. +Get FileMachineActions collection | Run this API to get FileMachineAction collection.
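Review bot: the re-bulleted prerequisites in the `@@ -36,7 +36,14 @@` hunk of enable-siem-integration.md change the meaning of the role requirement. The original sentence said the user needs Security Administrator plus one of the other roles; the new first bullet, `- Security Administrator and either Global Administrator`, leaves "either" dangling and makes the remaining three bullets read as alternatives to the whole pair. Suggest an intro line such as "Security Administrator, plus one of the following roles:" with Global Administrator, Cloud Application Administrator, Application Administrator and Owner of the service principal as the four sub-bullets.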
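Review bot: the `@@ -47,7 +54,7 @@` hunk of enable-siem-integration.md switches the abbreviation to "Azure Active Directory (Azure AD)" while the prerequisites hunk a few lines earlier in the same file keeps "Azure Active Directory (AAD)"; the same mix appears in exposed-apis-create-app-nativeapp.md, where the changed line reads "For more information on AAD token, see [Azure AD tutorial]". Pick one abbreviation per page (and "AAD tokens" or "the AAD token" for number agreement) so readers are not left wondering whether AAD and Azure AD are different services.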
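Review bot: the `@@ -56,7 +56,7 @@` hunk of exposed-apis-create-app-nativeapp.md changes "click" to "select" but leaves the typo "In the registration from" in place; it should read "In the registration form, enter the following information, then select **Register**." Since the line is already being touched, fix it here rather than in a follow-up.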
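Review bot: in the `@@ -65,45 +65,45 @@` hunk of exposed-apis-create-app-nativeapp.md, the mechanical click-to-select replacement produced "select on" twice: `type **WindowsDefenderATP** and select on **WindowsDefenderATP**` and `you must select on **Grant consent**`. Drop the "on" in both places ("select **WindowsDefenderATP**", "select **Grant consent**"). The unchanged context line "the API you are interested to call" would also read better as "the API you want to call" while this block is open.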
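Review bot: the `@@ -145,10 +145,10 @@` hunk of exposed-apis-create-app-nativeapp.md replaces "Sanity check to make sure you got a correct token:" with "Verify to make sure you got a correct token:", which is not grammatical. Suggest "Verify that you received a valid token:" and keep the following steps (decode at jwt.ms, check the `scp` claim) as they are, since those are the actual verification.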
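Review bot: the table hunk `@@ -28,24 +28,24 @@` of supported-response-apis.md applies "Run this API" inconsistently. `Unrestrict code execution | Run this to reverse the restriction...` and `Get MachineActions collection | Run this to get MachineAction collection.` still read "Run this" while the neighbouring rows were updated, and `Unblock file | Allow a file run in the organization` is missing "to" ("Allow a file to run"). Apply the same phrasing to every row in one pass, and consider dropping the stray comma in "the required request headers, and expected response from the calls" in the intro line above the table.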