From 085bb5da8c59e7f525c0eca1cfbc6626a8320d4f Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Mon, 26 Nov 2018 20:58:01 +0200
Subject: [PATCH 1/9] s
---
 ...defender-advanced-threat-protection-new.md | 61 ++++++++++---------
 ...defender-advanced-threat-protection-new.md | 4 +-
 ...defender-advanced-threat-protection-new.md | 4 +-
 3 files changed, 37 insertions(+), 32 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
index b1cde1afaf..da80f7bb7e 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -37,45 +37,48 @@ Method|Return Type |Description
 # Properties
 Property | Type | Description
 :---|:---|:---
-id | String | Alert ID
-severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+id | String | Alert ID.
+incidentId | String | The [Incident](incidents-queue.md) ID of the Alert.
+assignedTo | String | Owner of the alert.
+severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
+status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
+classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
+detectionSource | string | Detection source.
+threatFamilyName | string | Threat family.
+title | string | Alert title.
 description | String | Description of the threat, identified by the alert.
 recommendedAction | String | Action recommended for handling the suspected threat.
 alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
-title | string | Alert title
-threatFamilyName | string | Threat family
-detectionSource | string | Detection source
-assignedTo | String | Owner of the alert
-classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
-resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
 firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
 # JSON representation
 ```
 {
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
- "id": "636688558380765161_2136280442",
- "severity": "Informational",
- "status": "InProgress",
- "description": "Some alert description 1",
- "recommendedAction": "Some recommended action 1",
- "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
- "category": "General",
- "title": "Some alert title 1",
- "threatFamilyName": null,
- "detectionSource": "WindowsDefenderAtp",
- "classification": "TruePositive",
- "determination": null,
- "assignedTo": "best secop ever",
- "resolvedTime": null,
- "lastEventTime": "2018-08-02T07:02:52.0894451Z",
- "firstEventTime": "2018-08-02T07:02:52.0894451Z",
- "actorName": null,
- "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
index 53054cc36b..88f5545da4 100644
--- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 ## HTTP request
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 ```
 ## Request headers
@@ -77,7 +77,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 Content-Length: application/json
 {
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index 02ebbe143c..de8091bda2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
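Review bot: The new JSON representation is not valid JSON — the `"description": "Some description"` and `"recommendedAction": "Some recommended action"` lines lack their trailing comma, so the sample fails to parse the moment someone pastes it into a client, a test fixture or a SIEM parser; the fix is `"description": "Some description",` and `"recommendedAction": "Some recommended action",`. The property table declares `incidentId` as String while the sample emits the bare number `7696`, and the `investigationState` list contains `'Benign Failed PartiallyRemediated'`, which reads like three separate values collapsed into one quoted string — both are worth checking against the service's actual contract before integrators start type-checking or switching on them. `"threatFamilyName": "Mikatz"` is presumably a typo for the Mimikatz family name. The same sample body is pasted into every alert endpoint page later in this series, so the comma fix applies there too.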
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -21,7 +21,9 @@ ms.date: 12/08/2017
 [!include[Prerelease information](prerelease.md)]
-Retrieves top recent alerts.
+- Retrieves a collection of Alerts.
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
 ## Permissions
From 0e1e123204288bb3b7114683dcf812bd70c91cad Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Mon, 26 Nov 2018 21:43:02 +0200
Subject: [PATCH 2/9] s
---
 .../exposed-apis-odata-samples.md | 59 +++++++++++++--
 ...defender-advanced-threat-protection-new.md | 39 +++++-----
 ...defender-advanced-threat-protection-new.md | 74 ++++++++++---------
 ...defender-advanced-threat-protection-new.md | 74 ++++++++++---------
 ...defender-advanced-threat-protection-new.md | 37 +++++-----
 ...defender-advanced-threat-protection-new.md | 37 +++++-----
 ...defender-advanced-threat-protection-new.md | 37 +++++-----
 ...defender-advanced-threat-protection-new.md | 10 +--
 ...defender-advanced-threat-protection-new.md | 74 ++++++++++---------
 ...defender-advanced-threat-protection-new.md | 41 +++++-----
 10 files changed, 271 insertions(+), 211 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
index dfc82df1d8..2892815b80 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
@@ -21,8 +21,13 @@ ms.date: 11/15/2018
 - If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
-- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
-- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
+- Not all properties are filterable.
+
+### Properties that supports $filter:
+
+- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
+- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
+- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type and CreationDateTimeUtc.
 ### Example 1
@@ -70,6 +75,50 @@ Content-type: application/json
 ### Example 2
+- Get all the alerts that created after 2018-10-20 00:00:00
+
+```
+HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+ },
+ .
+ .
+ .
+ ]
+}
+```
+
+### Example 3
+
 - Get all the machines with 'High' 'RiskScore'
 ```
@@ -110,7 +159,7 @@ Content-type: application/json
 }
 ```
-### Example 3
+### Example 4
 - Get top 100 machines with 'HealthStatus' not equals to 'Active'
@@ -152,7 +201,7 @@ Content-type: application/json
 }
 ```
-### Example 4
+### Example 5
 - Get all the machines that last seen after 2018-10-20
@@ -194,7 +243,7 @@ Content-type: application/json
 }
 ```
-### Example 5
+### Example 6
 - Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
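Review bot: The bullet and the query in the new Example 2 disagree — the text says alerts created after `2018-10-20 00:00:00` while the request filters on `alertCreationTime gt 2018-11-22T00:00:00Z`; change the bullet to `- Get all the alerts that created after 2018-11-22 00:00:00` (or the filter to match) so readers can reproduce the sample. The pasted response body is also not valid JSON, because the `"description"` and `"recommendedAction"` values are missing their trailing commas, which will bite anyone who copies it as a fixture. A short sentence noting that the `.` lines stand in for further alerts in a truncated response would make the sample's shape explicit.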
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
index d2187f343b..88cda0c956 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
@@ -64,7 +64,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 ```
-GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
 ```
 **Response**
@@ -75,24 +75,25 @@ Here is an example of the response.
 ```
 {
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
- "id": "636688558380765161_2136280442",
- "severity": "Informational",
- "status": "InProgress",
- "description": "Some alert description 1",
- "recommendedAction": "Some recommended action 1",
- "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
- "category": "General",
- "title": "Some alert title 1",
- "threatFamilyName": null,
- "detectionSource": "WindowsDefenderAtp",
- "classification": "TruePositive",
- "determination": null,
- "assignedTo": "best secop ever",
- "resolvedTime": null,
- "lastEventTime": "2018-08-02T07:02:52.0894451Z",
- "firstEventTime": "2018-08-02T07:02:52.0894451Z",
- "actorName": null,
- "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index de8091bda2..baf2f17c9a 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -88,44 +88,46 @@ Here is an example of the response.
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
 "value": [
 {
- "id": "636688558380765161_2136280442",
- "severity": "Informational",
- "status": "InProgress",
- "description": "Some alert description 1",
- "recommendedAction": "Some recommended action 1",
- "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
- "category": "General",
- "title": "Some alert title 1",
- "threatFamilyName": null,
- "detectionSource": "WindowsDefenderAtp",
- "classification": "TruePositive",
- "determination": null,
- "assignedTo": "best secop ever",
- "resolvedTime": null,
- "lastEventTime": "2018-08-02T07:02:52.0894451Z",
- "firstEventTime": "2018-08-02T07:02:52.0894451Z",
- "actorName": null,
- "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 },
 {
- "id": "636688558380765161_2136280442",
- "severity": "Informational",
- "status": "InProgress",
- "description": "Some alert description 2",
- "recommendedAction": "Some recommended action 2",
- "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
- "category": "General",
- "title": "Some alert title 2",
- "threatFamilyName": null,
- "detectionSource": "WindowsDefenderAtp",
- "classification": "TruePositive",
- "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-03T07:02:52.0894451Z", - "firstEventTime": "2018-08-03T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369d" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index b1e8502727..39c7ea3379 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -84,44 +84,46 @@ Content-type: application/json
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
 "value": [
 {
- "id": "636688558380765161_2136280442",
- "severity": "Informational",
- "status": "InProgress",
- "description": "Some alert description 1",
- "recommendedAction": "Some recommended action 1",
- "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
- "category": "General",
- "title": "Some alert title 1",
- "threatFamilyName": null,
- "detectionSource": "WindowsDefenderAtp",
- "classification": "TruePositive",
- "determination": null,
- "assignedTo": "best secop ever",
- "resolvedTime": null,
- "lastEventTime": "2018-08-02T07:02:52.0894451Z",
- "firstEventTime": "2018-08-02T07:02:52.0894451Z",
- "actorName": null,
- "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 },
 {
- "id": "636688558380765161_2136280442",
- "severity": "Informational",
- "status": "InProgress",
- "description": "Some alert description 2",
- "recommendedAction": "Some recommended action 2",
- "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
- "category": "General",
- "title": "Some alert title 2",
- "threatFamilyName": null,
- "detectionSource": "WindowsDefenderAtp",
- "classification": "TruePositive",
- "determination": null,
- "assignedTo": "best secop ever",
- "resolvedTime": null,
- "lastEventTime": "2018-08-03T07:02:52.0894451Z",
- "firstEventTime": "2018-08-03T07:02:52.0894451Z",
- "actorName": null,
- "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ "id": "121688558380765161_2136280442",
+ "incidentId": 4123,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-24T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-24T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-24T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ]
 }
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
index e34b9d8c77..b8db356dde 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -82,24 +82,25 @@ Content-type: application/json
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
 "value": [
 {
- "id": "636692391408655573_2010598859",
- "severity": "Low",
- "status": "New",
- "description": "test alert",
- "recommendedAction": "do this and that",
- "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
- "category": "None",
- "title": "test alert",
- "threatFamilyName": null,
- "detectionSource": "CustomerTI",
- "classification": null,
- "determination": null,
- "assignedTo": null,
- "resolvedTime": null,
- "lastEventTime": "2018-08-03T16:45:21.7115182Z",
- "firstEventTime": "2018-08-03T16:45:21.7115182Z",
- "actorName": null,
- "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ "id": "121688558380765161_2136280442",
+ "incidentId": 7696,
+ "assignedTo": "secop@contoso.com",
+ "severity": "High",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-26T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-26T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ]
 }
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
index 981c022145..601886b8ec 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -81,24 +81,25 @@ Content-type: application/json
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
 "value": [
 {
- "id": "636692391408655573_2010598859",
- "severity": "Low",
- "status": "New",
- "description": "test alert",
- "recommendedAction": "do this and that",
- "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
- "category": "None",
- "title": "test alert",
- "threatFamilyName": null,
- "detectionSource": "CustomerTI",
- "classification": null,
- "determination": null,
- "assignedTo": null,
- "resolvedTime": null,
- "lastEventTime": "2018-08-03T16:45:21.7115182Z",
- "firstEventTime": "2018-08-03T16:45:21.7115182Z",
- "actorName": null,
- "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ]
 }
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
index 65ee88ebb5..191f30cfc2 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -81,24 +81,25 @@ Content-type: application/json
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
 "value": [
 {
- "id": "636692391408655573_2010598859",
- "severity": "Low",
- "status": "New",
- "description": "test alert",
- "recommendedAction": "do this and that",
- "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
- "category": "None",
- "title": "test alert",
- "threatFamilyName": null,
- "detectionSource": "CustomerTI",
- "classification": null,
- "determination": null,
- "assignedTo": null,
- "resolvedTime": null,
- "lastEventTime": "2018-08-03T16:45:21.7115182Z",
- "firstEventTime": "2018-08-03T16:45:21.7115182Z",
- "actorName": null,
- "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ "id": "441688558380765161_2136280442",
+ "incidentId": 8633,
+ "assignedTo": "secop@contoso.com",
+ "severity": "Low",
+ "status": "InProgress",
+ "classification": "TruePositive",
+ "determination": "Malware",
+ "investigationState": "Running",
+ "category": "MalwareDownload",
+ "detectionSource": "WindowsDefenderAv",
+ "threatFamilyName": "Mikatz",
+ "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+ "description": "Some description"
+ "recommendedAction": "Some recommended action"
+ "alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+ "firstEventTime": "2018-11-25T16:17:50.0948658Z",
+ "lastEventTime": "2018-11-25T16:18:01.809871Z",
+ "resolvedTime": null,
+ "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
 }
 ]
 }
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
index 5d41431d83..063919c244 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -15,15 +15,15 @@ ms.date: 12/08/2017
 # List machines API
-[!include[Prerelease information](prerelease.md)]
-
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
-Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
-The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
+[!include[Prerelease information](prerelease.md)]
+
+- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
index 86bbb39785..139d24daf4 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -81,44 +81,46 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 1", - "recommendedAction": "Some recommended action 1", - "alertCreationTime": "2018-08-03T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 1", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-02T07:02:52.0894451Z", - "firstEventTime": "2018-08-02T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" }, { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 2", - "recommendedAction": "Some recommended action 2", - "alertCreationTime": "2018-08-04T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 2", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", 
- "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-03T07:02:52.0894451Z", - "firstEventTime": "2018-08-03T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369d" + "id": "121688558380765161_2136280442", + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 1ce73605cf..4e69de458e 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -72,10 +72,10 @@ Here is an example of the request. [!include[Improve request performance](improverequestperformance-new.md)] ``` -PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442 +PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442 Content-Type: application/json { - "assignedTo": "Our designated secop" + "assignedTo": "secop2@contoso.com" } ``` 
@@ -86,23 +86,24 @@ Here is an example of the response. ``` { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity", - "id": "636688558380765161_2136280442", - "severity": "Medium", - "status": "InProgress", - "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.", - "recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. 
Contact your incident response team, or contact Microsoft support for investigation and remediation services.", - "alertCreationTime": "2018-08-07T10:18:04.2665329Z", - "category": "Installation", - "title": "Possible sensor tampering in memory", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": null, - "determination": null, - "assignedTo": "Our designated secop", - "resolvedTime": null, - "lastEventTime": "2018-08-07T10:14:35.470671Z", - "firstEventTime": "2018-08-07T10:14:35.470671Z", - "actorName": null, - "machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857" + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop2@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ``` From 4ace29b0392f1a8c2eef071c1b6d116629f9babf Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 10:23:18 +0200 Subject: [PATCH 3/9] s --- .../windows-defender-atp/exposed-apis-odata-samples.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index 2892815b80..e91e3db930 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md 
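Review bot: The replacement response body does not parse as JSON because `"description": "Some description"` and `"recommendedAction": "Some recommended action"` are missing their trailing commas; write them as `"description": "Some description",` and `"recommendedAction": "Some recommended action",`. Since this page is the reference for the PATCH call, a reader is likely to copy the response into a mock or a test, so the sample should round-trip through a JSON parser.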
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -31,7 +31,7 @@ ms.date: 11/15/2018 ### Example 1 -**Get all the machines with the tag 'ExampleTag'** +- Get all the machines with the tag 'ExampleTag' ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag') From 0d436b7d431ab89b8bba3ff3729c2a42feb68281 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 14:00:54 +0200 Subject: [PATCH 4/9] s --- windows/security/threat-protection/TOC.md | 6 +- .../windows-defender-atp/TOC.md | 6 +- ...defender-advanced-threat-protection-new.md | 42 +++---- .../exposed-apis-odata-samples.md | 118 +++++++++--------- ...defender-advanced-threat-protection-new.md | 37 +++--- ...defender-advanced-threat-protection-new.md | 28 ++--- ...defender-advanced-threat-protection-new.md | 5 +- ...defender-advanced-threat-protection-new.md | 60 +++++---- ...defender-advanced-threat-protection-new.md | 27 ++-- ...defender-advanced-threat-protection-new.md | 20 ++- ...defender-advanced-threat-protection-new.md | 16 +-- ...defender-advanced-threat-protection-new.md | 4 +- ...defender-advanced-threat-protection-new.md | 13 +- ...defender-advanced-threat-protection-new.md | 24 ++-- ...defender-advanced-threat-protection-new.md | 21 ++-- ...defender-advanced-threat-protection-new.md | 17 +-- 16 files changed, 223 insertions(+), 221 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ea1d8e22a6..1c777923ed 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -265,7 +265,7 @@ ######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) ####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) -######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) +######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) ######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) ######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) ######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) @@ -274,8 +274,8 @@ ####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) -######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) ######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) ######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) ######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) 
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index f8ba6e6e36..b7634537bd 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -262,7 +262,7 @@ ####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) ###### [Machine](machine-windows-defender-advanced-threat-protection-new.md) -####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md) +####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md) ####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) ####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) ####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) 
@@ -270,8 +270,8 @@ ####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) ###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) -####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) ####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) ####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) ####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md index e28bac587b..0fa51e3bfb 100644 --- a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -15,10 +15,12 @@ ms.date: 12/08/2017 # Add or Remove Machine Tags API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + [!include[Prerelease information](prerelease.md)] -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Adds or remove tag to a specific machine. ## Permissions 
@@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag. [!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags Content-type: application/json { - "Value" : "Test Tag", + "Value" : "test Tag 2", "Action": "Add" } @@ -85,26 +87,24 @@ HTTP/1.1 200 Ok Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity", - "id": "863fed4b174465c703c6e412965a31b5e1884cc4", - "computerDnsName": "mymachine55.contoso.com", - "firstSeen": "2018-07-31T14:20:55.8223496Z", - "lastSeen": "2018-09-27T08:44:05.6228836Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "lastIpAddress": "10.248.240.38", - "lastExternalIpAddress": "167.220.2.166", - "agentVersion": "10.3720.16299.98", - "osBuild": 16299, + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [ - "Test Tag" - ], - "rbacGroupId": 75, - "riskScore": "Medium", - "aadDeviceId": null + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } ``` -To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body. \ No newline at end of file +- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body. \ No newline at end of file 
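Review bot: The request in the first hunk adds the tag `"test Tag 2"` (capital T) but the response in the second hunk lists `"test tag 2"`, so the example never shows the value that was just added; either the service normalizes tag case, which the page should then state, or the sample is simply inconsistent. Make them agree, e.g. `"Value" : "test tag 2",` in the request. The closing bullet would also read better as `- To remove a machine tag, set `Action` to 'Remove' instead of 'Add' in the request body.`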
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index e91e3db930..ba26088a19 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -46,25 +46,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba", - "computerDnsName": "examples.dev.corp.Contoso.com", - "firstSeen": "2018-03-07T11:19:11.7234147Z", - "lastSeen": "2018-11-15T11:23:38.3196947Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "lastIpAddress": "123.17.255.241", - "lastExternalIpAddress": "123.220.196.180", - "agentVersion": "10.6400.18282.1001", - "osBuild": 18282, + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [ - "ExampleTag" - ], - "rbacGroupId": 5, - "rbacGroupName": "Developers", - "riskScore": "North", - "aadDeviceId": null + "rbacGroupId": 140, + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . 
@@ -134,23 +131,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "e3a77eeddb83d581238792387b1239b01286b2f", - "computerDnsName": "examples.dev.corp.Contoso.com", - "firstSeen": "2016-11-02T23:26:03.7882168Z", - "lastSeen": "2018-11-12T10:27:08.708723Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "lastIpAddress": "123.123.10.33", - "lastExternalIpAddress": "124.124.160.172", - "agentVersion": "10.6300.18279.1001", - "osBuild": 18279, - "healthStatus": "ImpairedCommunication", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 5, - "rbacGroupName": "Developers", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, "riskScore": "High", - "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a" + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . 
@@ -176,23 +172,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "1113333ddb83d581238792387b1239b01286b2f", - "computerDnsName": "examples.dev.corp.Contoso.com", - "firstSeen": "2016-11-02T23:26:03.7882168Z", - "lastSeen": "2018-11-12T10:27:08.708723Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "lastIpAddress": "123.123.10.33", - "lastExternalIpAddress": "124.124.160.172", - "agentVersion": "10.6300.18279.1001", - "osBuild": 18279, - "healthStatus": "ImpairedCommunication", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 5, - "rbacGroupName": "Developers", - "riskScore": "Medium", - "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a" + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . @@ -206,7 +201,7 @@ Content-type: application/json - Get all the machines that last seen after 2018-10-20 ``` -HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z ``` **Response:** 
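Review bot: The rewritten response in the `@@ -176,23 +172,22 @@` hunk replaces a machine whose `healthStatus` was `"ImpairedCommunication"` with the same `1e5bc9d7…` object used in every other example, whose `healthStatus` is `"Active"`; the query this response belongs to sits above the hunk and is not visible here. If that query filters on health status (the removed value suggests it did, for instance a `healthStatus ne 'Active'` filter), the new response now shows a machine the filter would exclude, which defeats the purpose of the example. Give each example a sample machine that actually satisfies its own filter instead of reusing one object for all of them.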
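Review bot: The description bullet still says "Get all the machines that last seen after 2018-10-20" while the query beneath it now filters on `lastSeen gt 2018-08-01Z`, so the prose and the request disagree. Change the bullet to `- Get all the machines that were last seen after 2018-08-01` so that it matches the query and the response in the following hunk, whose `lastSeen` is `2018-08-02T14:55:03.7791856Z`.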
@@ -218,23 +213,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "83113465ffceca4a731234e5dcde3357e026e873", - "computerDnsName": "examples-vm10", - "firstSeen": "2018-11-12T16:07:50.1706168Z", - "lastSeen": "2018-11-12T16:07:50.1706168Z", - "osPlatform": "WindowsServer2019", - "osVersion": null, - "lastIpAddress": "10.123.72.35", - "lastExternalIpAddress": "123.220.2.3", - "agentVersion": "10.6300.18281.1000", - "osBuild": 18281, + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": false, - "machineTags": [], - "rbacGroupId": 5, - "rbacGroupName": "Developers", - "riskScore": "None", - "aadDeviceId": null + "rbacGroupId": 140, + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index 495830551e..fc21244a6e 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md 
@@ -15,11 +15,12 @@ ms.date: 12/08/2017 # Find machines by internal IP API -[!include[Prerelease information](prerelease.md)] - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + - Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp - The given timestamp must be in the past 30 days. @@ -83,22 +84,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "863fed4b174465c703c6e412965a31b5e1884cc4", - "computerDnsName": "mymachine33.contoso.com", - "firstSeen": "2018-07-31T14:20:55.8223496Z", - "lastSeen": null, - "osPlatform": "Windows10", - "osVersion": null, - "lastIpAddress": "10.248.240.38", - "lastExternalIpAddress": "167.220.2.166", - "agentVersion": "10.3720.16299.98", - "osBuild": 16299, - "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 75, - "riskScore": "Medium", - "aadDeviceId": null + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-09-22T08:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "10.248.240.38", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } ] } 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 33075d8e93..cee30245d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md @@ -14,12 +14,13 @@ ms.date: 12/08/2017 --- # Get alert related machine information API + **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) [!include[Prerelease information](prerelease.md)] -Retrieves machine that is related to a specific alert. +- Retrieves machine that is related to a specific alert. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) 
@@ -77,22 +78,21 @@ HTTP/1.1 200 OK Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity", - "id": "ff0c3800ed8d66738a514971cd6867166809369f", - "computerDnsName": "amazingmachine.contoso.com", - "firstSeen": "2017-12-10T07:47:34.4269783Z", - "lastSeen": "2017-12-10T07:47:34.4269783Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "systemProductName": null, - "lastIpAddress": "172.17.0.0", - "lastExternalIpAddress": "167.220.0.0", - "agentVersion": "10.5830.17732.1001", - "osBuild": 17732, + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 75, + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9" + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index baf2f17c9a..63051a6de3 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
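Review bot: The removed sample deliberately masked identifying values — `"lastIpAddress": "172.17.0.0"`, `"lastExternalIpAddress": "167.220.0.0"` and `"aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"` — and this hunk replaces them with fully specified values (`172.17.230.209`, `167.220.196.71`, `80fe8ff8-2624-418e-9591-41f0491218f9`) that look like a real routable address and a real AAD device GUID; the same triple is then copied into every machine sample in this patch. Published API documentation should not carry values that could identify a real tenant's device. Use an RFC 5737 documentation address for the external IP, e.g. `"lastExternalIpAddress": "203.0.113.71",`, and an obviously synthetic GUID such as `"aadDeviceId": "00000000-0000-0000-0000-000000000001",`, or keep the zeroed placeholders the removed lines used.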
@@ -24,7 +24,7 @@ ms.date: 12/08/2017 - Retrieves a collection of Alerts. - Supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". - +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -132,3 +132,6 @@ Here is an example of the response. ] } ``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index f5ac6e74f8..35230abcc7 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -80,43 +80,41 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5", - "computerDnsName": "testMachine1", - "firstSeen": "2018-07-30T20:12:00.3708661Z", - "lastSeen": "2018-07-30T20:12:00.3708661Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, - "lastIpAddress": "10.209.67.177", - "lastExternalIpAddress": "167.220.1.210", - "agentVersion": "10.5830.18208.1000", - "osBuild": 18208, - "healthStatus": "Inactive", - "isAadJoined": false, - "machineTags": [], - "rbacGroupId": 75, + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] }, { - "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949", - "computerDnsName": "testMachine2", - "firstSeen": "2018-07-30T19:50:47.3618349Z", - "lastSeen": "2018-07-30T19:50:47.3618349Z", + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, - "lastIpAddress": "10.209.70.231", - "lastExternalIpAddress": "167.220.0.28", - "agentVersion": "10.5830.18208.1000", - "osBuild": 18208, + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, 
"healthStatus": "Inactive", - "isAadJoined": false, - "machineTags": [], - "rbacGroupId": 75, - "riskScore": "None", - "aadDeviceId": null - } + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } ] } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index 79aaefa954..75017123a4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,13 +14,14 @@ ms.date: 12/08/2017 --- # Get file related machines API + **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) [!include[Prerelease information](prerelease.md)] -Retrieves a collection of machines related to a given file hash. +- Retrieves a collection of machines related to a given file hash. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) 
@@ -83,39 +84,37 @@ Content-type: application/json
 "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
 "computerDnsName": "mymachine1.contoso.com",
 "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lasttSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "172.17.230.209",
 "lastExternalIpAddress": "167.220.196.71",
 "agentVersion": "10.5830.18209.1001",
 "osBuild": 18209,
 "healthStatus": "Active",
- "isAadJoined": true,
- "machineTags": [],
 "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
 },
 {
 "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
 "computerDnsName": "mymachine2.contoso.com",
 "firstSeen": "2018-07-09T13:22:45.1250071Z",
- "lasttSeen": "2018-07-09T13:22:45.1250071Z",
+ "lastSeen": "2018-07-09T13:22:45.1250071Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "192.168.12.225",
 "lastExternalIpAddress": "79.183.65.82",
 "agentVersion": "10.5820.17724.1000",
 "osBuild": 17724,
 "healthStatus": "Inactive",
- "isAadJoined": true,
- "machineTags": [],
- "rbacGroupId": 140,
+ "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
 }
 ]
 }
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
index 3c68f72daf..f4061af62e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -85,18 +85,17 @@ Content-type: application/json
 "firstSeen": "2018-08-02T14:55:03.7791856Z",
 "lastSeen": "2018-08-02T14:55:03.7791856Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "172.17.230.209",
 "lastExternalIpAddress": "167.220.196.71",
 "agentVersion": "10.5830.18209.1001",
 "osBuild": 18209,
 "healthStatus": "Active",
- "isAadJoined": true,
- "machineTags": [],
 "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
 },
 {
 "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -104,18 +103,17 @@ Content-type: application/json
 "firstSeen": "2018-07-09T13:22:45.1250071Z",
 "lastSeen": "2018-07-09T13:22:45.1250071Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "192.168.12.225",
 "lastExternalIpAddress": "79.183.65.82",
 "agentVersion": "10.5820.17724.1000",
 "osBuild": 17724,
 "healthStatus": "Inactive",
- "isAadJoined": true,
- "machineTags": [],
- "rbacGroupId": 140,
+ "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
 }
 ]
 }
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
index 4211bbbb1f..e29196545f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,13 @@ ms.date: 12/08/2017
 # Get machine by ID API
-[!include[Prerelease information](prerelease.md)]
-
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a machine entity by ID.
+
+[!include[Prerelease information](prerelease.md)]
+
+- Retrieves a machine entity by ID.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -85,18 +86,17 @@ Content-type: application/json
 "firstSeen": "2018-08-02T14:55:03.7791856Z",
 "lastSeen": "2018-08-02T14:55:03.7791856Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "172.17.230.209",
 "lastExternalIpAddress": "167.220.196.71",
 "agentVersion": "10.5830.18209.1001",
 "osBuild": 18209,
 "healthStatus": "Active",
- "isAadJoined": true,
- "machineTags": [],
 "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
 }
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
index 96a4953581..bfda8dcbcd 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -14,12 +14,14 @@ ms.date: 12/08/2017
 ---
 # Get machineAction API
+
 **Applies to:**
+
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 [!include[Prerelease information](prerelease.md)]
-Get action performed on a machine.
+- Get action performed on a machine.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
index 5a137cb5a8..018818ec82 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -15,14 +15,16 @@ ms.date: 12/08/2017
 # List MachineActions API
-[!include[Prerelease information](prerelease.md)]
-
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Gets collection of actions done on machines.
- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+[!include[Prerelease information](prerelease.md)]
+
+- Gets collection of actions done on machines.
+- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type" and "CreationDateTimeUtc".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -167,3 +169,6 @@ Content-type: application/json
 ]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
index 063919c244..13aadfafc7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -24,6 +24,7 @@ ms.date: 12/08/2017
 - Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
 - Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
 - The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 ## Permissions
@@ -87,18 +88,17 @@ Content-type: application/json
 "firstSeen": "2018-08-02T14:55:03.7791856Z",
 "lastSeen": "2018-08-02T14:55:03.7791856Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "172.17.230.209",
 "lastExternalIpAddress": "167.220.196.71",
 "agentVersion": "10.5830.18209.1001",
 "osBuild": 18209,
 "healthStatus": "Active",
- "isAadJoined": true,
- "machineTags": [],
 "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
 },
 {
 "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -106,19 +106,21 @@ Content-type: application/json
 "firstSeen": "2018-07-09T13:22:45.1250071Z",
 "lastSeen": "2018-07-09T13:22:45.1250071Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "192.168.12.225",
 "lastExternalIpAddress": "79.183.65.82",
 "agentVersion": "10.5820.17724.1000",
 "osBuild": 17724,
 "healthStatus": "Inactive",
- "isAadJoined": true,
- "machineTags": [],
- "rbacGroupId": 140,
+ "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
 }
 ]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
index 9e0f217156..873cd7bfe6 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -14,6 +14,7 @@ ms.date: 12/08/2017
 ---
 # Get user related machines API
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -87,18 +88,17 @@ Content-type: application/json
 "firstSeen": "2018-08-02T14:55:03.7791856Z",
 "lastSeen": "2018-08-02T14:55:03.7791856Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "172.17.230.209",
 "lastExternalIpAddress": "167.220.196.71",
 "agentVersion": "10.5830.18209.1001",
 "osBuild": 18209,
 "healthStatus": "Active",
- "isAadJoined": true,
- "machineTags": [],
 "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
 },
 {
 "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -106,18 +106,17 @@ Content-type: application/json
 "firstSeen": "2018-07-09T13:22:45.1250071Z",
 "lastSeen": "2018-07-09T13:22:45.1250071Z",
 "osPlatform": "Windows10",
- "osVersion": null,
- "systemProductName": null,
+ "osVersion": "10.0.0.0",
 "lastIpAddress": "192.168.12.225",
 "lastExternalIpAddress": "79.183.65.82",
 "agentVersion": "10.5820.17724.1000",
 "osBuild": 17724,
 "healthStatus": "Inactive",
- "isAadJoined": true,
- "machineTags": [],
- "rbacGroupId": 140,
+ "rbacGroupId": 140,
 "riskScore": "Low",
- "aadDeviceId": null
+ "isAadJoined": false,
+ "aadDeviceId": null,
+ "machineTags": [ "test tag 1" ]
 }
 ]
 }
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
index 8c70bf4419..4d6a156ac0 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
@@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win
 lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
 osPlatform | String | OS platform.
 osVersion | String | OS Version.
-lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
-lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
+lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
 agentVersion | String | Version of WDATP agent.
-osBuild | Int | OS build number.
+osBuild | Nullable long | OS build number.
 healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
-isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
-machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
-rbacGroupId | Int | Group ID.
-riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
\ No newline at end of file
+rbacGroupId | Int | RBAC Group ID.
+rbacGroupName | String | RBAC Group Name.
+riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
+machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
\ No newline at end of file
From 9d48a52a98c6c7c91aa172bdd927a53606186cda Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Tue, 27 Nov 2018 15:16:12 +0200
Subject: [PATCH 5/9] s
---
 .../exposed-apis-odata-samples.md | 2 +-
 ...defender-advanced-threat-protection-new.md | 2 +-
 ...defender-advanced-threat-protection-new.md | 104 ++++++++++++++++++
 3 files changed, 106 insertions(+), 2 deletions(-)
 create mode 100644 windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
index ba26088a19..f9f2b40f78 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
@@ -27,7 +27,7 @@ ms.date: 11/15/2018
 - [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
 - [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
-- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type and CreationDateTimeUtc.
+- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
 ### Example 1
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
index 018818ec82..1e956940fa 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -23,7 +23,7 @@ ms.date: 12/08/2017
 - Gets collection of actions done on machines.
 - Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
-- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type" and "CreationDateTimeUtc".
+- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
 - See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..08cea6c72e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,104 @@
+---
+title: Stop and quarantine file API
+description: Use this API to stop and quarantine file.
+keywords: apis, graph api, supported apis, stop and quarantine file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Stop and quarantine file API
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+- Stop execution of a file on a machine and delete it.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
+Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
+Content-type: application/json
+{
+ "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+ "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "141408d1-384c-4c19-8b57-ba39e378011a",
+ "type": "StopAndQuarantineFile",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+ "status": "InProgress",
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+ "relatedFileInfo": {
+ "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
+ "fileIdentifierType": "Sha1"
+ }
+}
+
+```
+
From a76117b42c5503c652ca2088ceb7ae241d8281ca Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Tue, 27 Nov 2018 15:26:00 +0200
Subject: [PATCH 6/9] s
---
 ...et-alerts-windows-defender-advanced-threat-protection-new.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index 63051a6de3..7cf854cf6f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -83,7 +83,7 @@ Here is an example of the response.
 >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
-```
+```json
 {
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
 "value": [
From 722bd9136102df382dec2aac5d05bd723e6cc11f Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Tue, 27 Nov 2018 15:32:29 +0200
Subject: [PATCH 7/9] s
---
 windows/security/threat-protection/TOC.md | 1 +
 windows/security/threat-protection/windows-defender-atp/TOC.md | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 1c777923ed..ff9215a0cb 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -284,6 +284,7 @@
 ######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
 ######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
 ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index b7634537bd..9ecf24c3a5 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -280,7 +280,7 @@
 ####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
 ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
-
+####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
 ###### [User](user-windows-defender-advanced-threat-protection-new.md)
 ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
From 6b9611358bd4f4b3c0aac33884748668f8b1773e Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Tue, 27 Nov 2018 17:11:57 +0200
Subject: [PATCH 8/9] s
---
 ...ne-tags-windows-defender-advanced-threat-protection-new.md | 1 +
 .../windows-defender-atp/exposed-apis-odata-samples.md | 4 ++++
 ...s-by-ip-windows-defender-advanced-threat-protection-new.md | 1 +
 ...ne-info-windows-defender-advanced-threat-protection-new.md | 1 +
 ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++
 ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++
 ...e-by-id-windows-defender-advanced-threat-protection-new.md | 1 +
 ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++
 ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++
 9 files changed, 16 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
index 0fa51e3bfb..b9f697e5af 100644
--- a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
@@ -99,6 +99,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
index f9f2b40f78..37c5a9f1d7 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
@@ -58,6 +58,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "High",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
@@ -143,6 +144,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "High",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
@@ -184,6 +186,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "High",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
@@ -225,6 +228,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "High",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
index fc21244a6e..83d5cedfe0 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -96,6 +96,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
index cee30245d6..05bf63bda9 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -90,6 +90,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
index 35230abcc7..60229ac888 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -92,6 +92,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
@@ -110,6 +111,7 @@ Content-type: application/json
 "osBuild": 17724,
 "healthStatus": "Inactive",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": false,
 "aadDeviceId": null,
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
index f4061af62e..628d8def35 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -93,6 +93,7 @@ Content-type: application/json
 "healthStatus": "Active",
 "rbacGroupId": 140,
 "riskScore": "Low",
+ "rbacGroupName": "The-A-Team",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
 "machineTags": [ "test tag 1", "test tag 2" ]
@@ -110,6 +111,7 @@ Content-type: application/json
 "osBuild": 17724,
 "healthStatus": "Inactive",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": false,
 "aadDeviceId": null,
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
index e29196545f..9c3d3c0eeb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -93,6 +93,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
index 13aadfafc7..15817d675c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -95,6 +95,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
@@ -113,6 +114,7 @@ Content-type: application/json
 "osBuild": 17724,
 "healthStatus": "Inactive",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": false,
 "aadDeviceId": null,
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
index 873cd7bfe6..da315671ca 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -95,6 +95,7 @@ Content-type: application/json
 "osBuild": 18209,
 "healthStatus": "Active",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": true,
 "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
@@ -113,6 +114,7 @@ Content-type: application/json
 "osBuild": 17724,
 "healthStatus": "Inactive",
 "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
 "riskScore": "Low",
 "isAadJoined": false,
 "aadDeviceId": null,
From 9fefd9fd98e9dd6123db0f16794887deb7977e4d Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Tue, 27 Nov 2018 17:13:39 +0200
Subject: [PATCH 9/9] s
---
 ...ntine-file-windows-defender-advanced-threat-protection-new.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
index 08cea6c72e..9b50c9bf1d 100644
--- a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md
@@ -55,6 +55,7 @@ In the request body, supply a JSON object with the following parameters:
 Parameter | Type | Description
 :---|:---|:---
 Comment | String | Comment to associate with the action. **Required**.
+Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
 ## Response
 If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.