Merged PR 13009: update alert and machine schema

update alert and machine schema

windows/security/threat-protection/TOC.md

@@ -265,7 +265,7 @@
 ######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
 ####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
-######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
+######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
 ######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
 ######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
 ######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@@ -284,6 +284,7 @@
 ######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
 ######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
 
 ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -262,7 +262,7 @@
 ####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
 
 ###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
-####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
 ####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@@ -280,7 +280,7 @@
 ####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
 ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
 ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
-
+####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
 
 ###### [User](user-windows-defender-advanced-threat-protection-new.md)
 ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md

@@ -15,10 +15,12 @@ ms.date: 12/08/2017
 
 # Add or Remove Machine Tags API
 
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
 [!include[Prerelease information](prerelease.md)]
 
-**Applies to:**
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
 - Adds or remove tag to a specific machine.
 
 ## Permissions
@@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
 Content-type: application/json
 {
-  "Value" : "Test Tag",
+  "Value" : "test Tag 2",
   "Action": "Add"
 }
 
@@ -85,26 +87,25 @@ HTTP/1.1 200 Ok
 Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
-    "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "computerDnsName": "mymachine55.contoso.com",
+    "computerDnsName": "mymachine1.contoso.com",
-    "firstSeen": "2018-07-31T14:20:55.8223496Z",
+    "firstSeen": "2018-08-02T14:55:03.7791856Z",
-    "lastSeen": "2018-09-27T08:44:05.6228836Z",
+	"lastSeen": "2018-08-02T14:55:03.7791856Z",
     "osPlatform": "Windows10",
-    "osVersion": null,
+    "osVersion": "10.0.0.0",
-    "lastIpAddress": "10.248.240.38",
+    "lastIpAddress": "172.17.230.209",
-    "lastExternalIpAddress": "167.220.2.166",
+    "lastExternalIpAddress": "167.220.196.71",
-    "agentVersion": "10.3720.16299.98",
+    "agentVersion": "10.5830.18209.1001",
-    "osBuild": 16299,
+    "osBuild": 18209,
     "healthStatus": "Active",
+    "rbacGroupId": 140,
+	"rbacGroupName": "The-A-Team",
+    "riskScore": "Low",
 	"isAadJoined": true,
-    "machineTags": [
+    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-        "Test Tag"
+	"machineTags": [ "test tag 1", "test tag 2" ]
-    ],
-    "rbacGroupId": 75,
-    "riskScore": "Medium",
-    "aadDeviceId": null
 }
 
 ```
 
-To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
+- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md

@@ -17,7 +17,7 @@ ms.date: 12/08/2017
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-[!include[Prerelease information](prerelease.md)]
+[!include[Prerelease<EFBFBD>information](prerelease.md)]
 
 Represents an alert entity in WDATP.
 
@@ -37,45 +37,48 @@ Method|Return Type |Description
 # Properties
 Property |	Type	|	Description
 :---|:---|:---
-id | String | Alert ID
+id | String | Alert ID.
-severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+incidentId | String | The [Incident](incidents-queue.md) ID of the Alert. 
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the alert.
+severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
+status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
+investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
+classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
+determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General' .
+detectionSource | string | Detection source.
+threatFamilyName | string | Threat family.
+title | string | Alert title.
 description | String | Description of the threat, identified by the alert.
 recommendedAction | String | Action recommended for handling the suspected threat.
 alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
-category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and	'General'.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
-title | string | Alert title
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
-threatFamilyName | string | Threat family
-detectionSource | string | Detection source 
-assignedTo | String | Owner of the alert
-classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. 
-determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
 resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
-firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
 machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
 
 # JSON representation
-```json
+```
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "id": "636688558380765161_2136280442",
+    "id": "121688558380765161_2136280442",
-    "severity": "Informational",
+	"incidentId": 7696,
-    "status": "InProgress",
+	"assignedTo": "secop@contoso.com",
-    "description": "Some alert description 1",
+	"severity": "High",
-    "recommendedAction": "Some recommended action 1",
+	"status": "New",
-    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
-    "category": "General",
-    "title": "Some alert title 1",
-    "threatFamilyName": null,
-    "detectionSource": "WindowsDefenderAtp",
 	"classification": "TruePositive",
-    "determination": null,
+	"determination": "Malware",
-    "assignedTo": "best secop ever",
+	"investigationState": "Running",
+	"category": "MalwareDownload",
+	"detectionSource": "WindowsDefenderAv",
+	"threatFamilyName": "Mikatz",
+	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+	"description": "Some description"
+	"recommendedAction": "Some recommended action"
+	"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+	"firstEventTime": "2018-11-26T16:17:50.0948658Z",
+	"lastEventTime": "2018-11-26T16:18:01.809871Z",
 	"resolvedTime": null,
-    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
-    "actorName": null,
-    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
 }
 ```

windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md

@@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
 
 ## HTTP request
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 ```
 
 ## Request headers
@@ -77,7 +77,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
 Content-Length: application/json
 
 {

windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md

@@ -21,12 +21,17 @@ ms.date: 11/15/2018
 
 - If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
 
--  Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. 
+- Not all properties are filterable.
--  [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. 
+
+### Properties that supports $filter:
+
+- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
+- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
+- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
 
 ### Example 1
 
-**Get all the machines with the tag 'ExampleTag'**
+- Get all the machines with the tag 'ExampleTag'
 
 ```
 HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@@ -41,25 +46,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples.dev.corp.Contoso.com",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-03-07T11:19:11.7234147Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-15T11:23:38.3196947Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
             "osVersion": "10.0.0.0",
-            "lastIpAddress": "123.17.255.241",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "123.220.196.180",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6400.18282.1001",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18282,
+            "osBuild": 18209,
             "healthStatus": "Active",
+            "rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+            "riskScore": "High",
 			"isAadJoined": true,
-            "machineTags": [
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-                "ExampleTag"
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
-            ],
-            "rbacGroupId": 5,
-            "rbacGroupName": "Developers",
-            "riskScore": "North",
-            "aadDeviceId": null
         },
 		.
 		.
@@ -70,6 +73,50 @@ Content-type: application/json
 
 ### Example 2
 
+- Get all the alerts that created after 2018-10-20 00:00:00
+
+```
+HTTP GET  https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
+```
+
+**Response:**
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+    "value": [
+        {
+            "id": "121688558380765161_2136280442",
+			"incidentId": 7696,
+			"assignedTo": "secop@contoso.com",
+			"severity": "High",
+			"status": "New",
+			"classification": "TruePositive",
+			"determination": "Malware",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-26T16:18:01.809871Z",
+			"resolvedTime": null,
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
+        },
+		.
+		.
+		.
+    ]
+}
+```
+
+### Example 3
+
 - Get all the machines with 'High' 'RiskScore'
 
 ```
@@ -85,23 +132,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "e3a77eeddb83d581238792387b1239b01286b2f",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples.dev.corp.Contoso.com",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-12T10:27:08.708723Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
             "osVersion": "10.0.0.0",
-            "lastIpAddress": "123.123.10.33",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "124.124.160.172",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6300.18279.1001",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18279,
+            "osBuild": 18209,
-            "healthStatus": "ImpairedCommunication",
+            "healthStatus": "Active",
-            "isAadJoined": true,
+            "rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 5,
-            "rbacGroupName": "Developers",
             "riskScore": "High",
-            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
 		.
 		.
@@ -110,7 +157,7 @@ Content-type: application/json
 }
 ```
 
-### Example 3
+### Example 4
 
 - Get top 100 machines with 'HealthStatus' not equals to 'Active'
 
@@ -127,23 +174,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "1113333ddb83d581238792387b1239b01286b2f",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples.dev.corp.Contoso.com",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2016-11-02T23:26:03.7882168Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-12T10:27:08.708723Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
             "osVersion": "10.0.0.0",
-            "lastIpAddress": "123.123.10.33",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "124.124.160.172",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6300.18279.1001",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18279,
+            "osBuild": 18209,
-            "healthStatus": "ImpairedCommunication",
+            "healthStatus": "Active",
+            "rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+            "riskScore": "High",
 			"isAadJoined": true,
-            "machineTags": [],
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "rbacGroupId": 5,
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
-            "rbacGroupName": "Developers",
-            "riskScore": "Medium",
-            "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
         },
 		.
 		.
@@ -152,12 +199,12 @@ Content-type: application/json
 }
 ```
 
-### Example 4
+### Example 5
 
 - Get all the machines that last seen after 2018-10-20
 
 ```
-HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
+HTTP GET  https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
 ```
 
 **Response:**
@@ -169,23 +216,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "83113465ffceca4a731234e5dcde3357e026e873",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "examples-vm10",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-11-12T16:07:50.1706168Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": "2018-11-12T16:07:50.1706168Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
-            "osPlatform": "WindowsServer2019",
+            "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "lastIpAddress": "10.123.72.35",
+            "lastIpAddress": "172.17.230.209",
-            "lastExternalIpAddress": "123.220.2.3",
+            "lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.6300.18281.1000",
+            "agentVersion": "10.5830.18209.1001",
-            "osBuild": 18281,
+            "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": false,
+            "rbacGroupId": 140,
-            "machineTags": [],
+			"rbacGroupName": "The-A-Team",
-            "rbacGroupId": 5,
+            "riskScore": "High",
-            "rbacGroupName": "Developers",
+			"isAadJoined": true,
-            "riskScore": "None",
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "aadDeviceId": null
+			"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
         },
 		.
 		.
@@ -194,7 +241,7 @@ Content-type: application/json
 }
 ```
 
-### Example 5
+### Example 6
 
 - Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP
 

windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md

@@ -15,11 +15,12 @@ ms.date: 12/08/2017
 
 # Find machines by internal IP API
 
-[!include[Prerelease<73>information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease<73>information](prerelease.md)]
+
 - Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp 
 - The given timestamp must be in the past 30 days.
 
@@ -83,22 +84,23 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "863fed4b174465c703c6e412965a31b5e1884cc4",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "mymachine33.contoso.com",
+			"computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-07-31T14:20:55.8223496Z",
+			"firstSeen": "2018-08-02T14:55:03.7791856Z",
-            "lastSeen": null,
+			"lastSeen": "2018-09-22T08:55:03.7791856Z",
 			"osPlatform": "Windows10",
-            "osVersion": null,
+			"osVersion": "10.0.0.0",
 			"lastIpAddress": "10.248.240.38",
-            "lastExternalIpAddress": "167.220.2.166",
+			"lastExternalIpAddress": "167.220.196.71",
-            "agentVersion": "10.3720.16299.98",
+			"agentVersion": "10.5830.18209.1001",
-            "osBuild": 16299,
+			"osBuild": 18209,
 			"healthStatus": "Active",
+			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+			"riskScore": "Low",
 			"isAadJoined": true,
-            "machineTags": [],
+			"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
-            "rbacGroupId": 75,
+			"machineTags": [ "test tag 1", "test tag 2" ]
-            "riskScore": "Medium",
-            "aadDeviceId": null
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md

@@ -64,7 +64,7 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
 ```
 
 **Response**
@@ -75,24 +75,25 @@ Here is an example of the response.
 ```
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
-    "id": "636688558380765161_2136280442",
+    "id": "441688558380765161_2136280442",
-    "severity": "Informational",
+	"incidentId": 8633,
+	"assignedTo": "secop@contoso.com",
+	"severity": "Low",
 	"status": "InProgress",
-    "description": "Some alert description 1",
-    "recommendedAction": "Some recommended action 1",
-    "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
-    "category": "General",
-    "title": "Some alert title 1",
-    "threatFamilyName": null,
-    "detectionSource": "WindowsDefenderAtp",
 	"classification": "TruePositive",
-    "determination": null,
+	"determination": "Malware",
-    "assignedTo": "best secop ever",
+	"investigationState": "Running",
+	"category": "MalwareDownload",
+	"detectionSource": "WindowsDefenderAv",
+	"threatFamilyName": "Mikatz",
+	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+	"description": "Some description"
+	"recommendedAction": "Some recommended action"
+	"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+	"firstEventTime": "2018-11-25T16:17:50.0948658Z",
+	"lastEventTime": "2018-11-25T16:18:01.809871Z",
 	"resolvedTime": null,
-    "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-    "firstEventTime": "2018-08-02T07:02:52.0894451Z",
-    "actorName": null,
-    "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
 }
 
 ```

windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md

@@ -14,12 +14,13 @@ ms.date: 12/08/2017
 ---
 
 # Get alert related machine information API
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease<73>information](prerelease.md)]
 
-Retrieves machine that is related to a specific alert.
+- Retrieves machine that is related to a specific alert.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -77,22 +78,22 @@ HTTP/1.1 200 OK
 Content-type: application/json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
-    "id": "ff0c3800ed8d66738a514971cd6867166809369f",
+    "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-    "computerDnsName": "amazingmachine.contoso.com",
+    "computerDnsName": "mymachine1.contoso.com",
-    "firstSeen": "2017-12-10T07:47:34.4269783Z",
+    "firstSeen": "2018-08-02T14:55:03.7791856Z",
-	"lastSeen": "2017-12-10T07:47:34.4269783Z",
+	"lastSeen": "2018-08-02T14:55:03.7791856Z",
     "osPlatform": "Windows10",
     "osVersion": "10.0.0.0",
-    "systemProductName": null,
+    "lastIpAddress": "172.17.230.209",
-    "lastIpAddress": "172.17.0.0",
+    "lastExternalIpAddress": "167.220.196.71",
-    "lastExternalIpAddress": "167.220.0.0",
+    "agentVersion": "10.5830.18209.1001",
-    "agentVersion": "10.5830.17732.1001",
+    "osBuild": 18209,
-    "osBuild": 17732,
     "healthStatus": "Active",
-    "isAadJoined": true,
+    "rbacGroupId": 140,
-    "machineTags": [],
+	"rbacGroupName": "The-A-Team",
-    "rbacGroupId": 75,
     "riskScore": "Low",
-    "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
+	"isAadJoined": true,
+    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"machineTags": [ "test tag 1", "test tag 2" ]
 }
 ```

windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md

@@ -21,8 +21,10 @@ ms.date: 12/08/2017
 [!include[Prerelease<73>information](prerelease.md)]
 
 
-Retrieves top recent alerts.
+- Retrieves a collection of Alerts.
-
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -81,50 +83,55 @@ Here is an example of the response.
 >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
 
 
-```
+```json
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636688558380765161_2136280442",
+            "id": "121688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 7696,
-            "status": "InProgress",
+			"assignedTo": "secop@contoso.com",
-            "description": "Some alert description 1",
+			"severity": "High",
-            "recommendedAction": "Some recommended action 1",
+			"status": "New",
-            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
-            "category": "General",
-            "title": "Some alert title 1",
-            "threatFamilyName": null,
-            "detectionSource": "WindowsDefenderAtp",
 			"classification": "TruePositive",
-            "determination": null,
+			"determination": "Malware",
-            "assignedTo": "best secop ever",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-26T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
-            "actorName": null,
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
         },
         {
-            "id": "636688558380765161_2136280442",
+            "id": "441688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 8633,
+			"assignedTo": "secop@contoso.com",
+			"severity": "Low",
 			"status": "InProgress",
-            "description": "Some alert description 2",
-            "recommendedAction": "Some recommended action 2",
-            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
-            "category": "General",
-            "title": "Some alert title 2",
-            "threatFamilyName": null,
-            "detectionSource": "WindowsDefenderAtp",
 			"classification": "TruePositive",
-            "determination": null,
+			"determination": "Malware",
-            "assignedTo": "best secop ever",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
-            "actorName": null,
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
         }
 	]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -84,44 +84,46 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "636688558380765161_2136280442",
+            "id": "441688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 8633,
+			"assignedTo": "secop@contoso.com",
+			"severity": "Low",
 			"status": "InProgress",
-            "description": "Some alert description 1",
-            "recommendedAction": "Some recommended action 1",
-            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
-            "category": "General",
-            "title": "Some alert title 1",
-            "threatFamilyName": null,
-            "detectionSource": "WindowsDefenderAtp",
 			"classification": "TruePositive",
-            "determination": null,
+			"determination": "Malware",
-            "assignedTo": "best secop ever",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
-            "actorName": null,
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
         },
         {
-            "id": "636688558380765161_2136280442",
+            "id": "121688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 4123,
+			"assignedTo": "secop@contoso.com",
+			"severity": "Low",
 			"status": "InProgress",
-            "description": "Some alert description 2",
-            "recommendedAction": "Some recommended action 2",
-            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
-            "category": "General",
-            "title": "Some alert title 2",
-            "threatFamilyName": null,
-            "detectionSource": "WindowsDefenderAtp",
 			"classification": "TruePositive",
-            "determination": null,
+			"determination": "Malware",
-            "assignedTo": "best secop ever",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-24T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-24T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
-            "actorName": null,
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
         }
 	]
 }

windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -80,42 +80,42 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
     "value": [
         {
-            "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
+            "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
-            "computerDnsName": "testMachine1",
+            "computerDnsName": "mymachine1.contoso.com",
-            "firstSeen": "2018-07-30T20:12:00.3708661Z",
+            "firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lastSeen": "2018-07-30T20:12:00.3708661Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
+            "lastIpAddress": "172.17.230.209",
-            "lastIpAddress": "10.209.67.177",
+            "lastExternalIpAddress": "167.220.196.71",
-            "lastExternalIpAddress": "167.220.1.210",
+            "agentVersion": "10.5830.18209.1001",
-            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 18209,
-            "osBuild": 18208,
+            "healthStatus": "Active",
-            "healthStatus": "Inactive",
+            "rbacGroupId": 140,
-            "isAadJoined": false,
+			"rbacGroupName": "The-A-Team",
-            "machineTags": [],
-            "rbacGroupId": 75,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
-            "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
+            "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
-            "computerDnsName": "testMachine2",
+            "computerDnsName": "mymachine2.contoso.com",
-            "firstSeen": "2018-07-30T19:50:47.3618349Z",
+            "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lastSeen": "2018-07-30T19:50:47.3618349Z",
+			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
+            "lastIpAddress": "192.168.12.225",
-            "lastIpAddress": "10.209.70.231",
+            "lastExternalIpAddress": "79.183.65.82",
-            "lastExternalIpAddress": "167.220.0.28",
+            "agentVersion": "10.5820.17724.1000",
-            "agentVersion": "10.5830.18208.1000",
+            "osBuild": 17724,
-            "osBuild": 18208,
             "healthStatus": "Inactive",
+			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
+            "riskScore": "Low",
 			"isAadJoined": false,
-            "machineTags": [],
+            "aadDeviceId": null,
-            "rbacGroupId": 75,
+			"machineTags": [ "test tag 1" ]
-            "riskScore": "None",
-            "aadDeviceId": null
         }
 	]
 }

windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -82,24 +82,25 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636692391408655573_2010598859",
+            "id": "121688558380765161_2136280442",
-            "severity": "Low",
+			"incidentId": 7696,
+			"assignedTo": "secop@contoso.com",
+			"severity": "High",
 			"status": "New",
-            "description": "test alert",
+			"classification": "TruePositive",
-            "recommendedAction": "do this and that",
+			"determination": "Malware",
-            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+			"investigationState": "Running",
-            "category": "None",
+			"category": "MalwareDownload",
-            "title": "test alert",
+			"detectionSource": "WindowsDefenderAv",
-            "threatFamilyName": null,
+			"threatFamilyName": "Mikatz",
-            "detectionSource": "CustomerTI",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "classification": null,
+			"description": "Some description"
-            "determination": null,
+			"recommendedAction": "Some recommended action"
-            "assignedTo": null,
+			"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-26T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-26T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
-            "actorName": null,
-            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -14,13 +14,14 @@ ms.date: 12/08/2017
 ---
 
 # Get file related machines API
+
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease<73>information](prerelease.md)]
 
-Retrieves a collection of machines related to a given file hash.
+- Retrieves a collection of machines related to a given file hash.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -83,39 +84,37 @@ Content-type: application/json
             "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
             "computerDnsName": "mymachine1.contoso.com",
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
-			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
             "computerDnsName": "mymachine2.contoso.com",
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
-			"lasttSeen": "2018-07-09T13:22:45.1250071Z",
+			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
-            "machineTags": [],
 			"rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -81,24 +81,25 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636692391408655573_2010598859",
+            "id": "441688558380765161_2136280442",
+			"incidentId": 8633,
+			"assignedTo": "secop@contoso.com",
 			"severity": "Low",
-            "status": "New",
+			"status": "InProgress",
-            "description": "test alert",
+			"classification": "TruePositive",
-            "recommendedAction": "do this and that",
+			"determination": "Malware",
-            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+			"investigationState": "Running",
-            "category": "None",
+			"category": "MalwareDownload",
-            "title": "test alert",
+			"detectionSource": "WindowsDefenderAv",
-            "threatFamilyName": null,
+			"threatFamilyName": "Mikatz",
-            "detectionSource": "CustomerTI",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "classification": null,
+			"description": "Some description"
-            "determination": null,
+			"recommendedAction": "Some recommended action"
-            "assignedTo": null,
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
-            "actorName": null,
-            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -85,18 +85,18 @@ Content-type: application/json
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
 			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
             "riskScore": "Low",
-            "aadDeviceId": null
+			"rbacGroupName": "The-A-Team",
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -104,18 +104,18 @@ Content-type: application/json
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
 			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
-            "machineTags": [],
 			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md

@@ -15,12 +15,13 @@ ms.date: 12/08/2017
 
 # Get machine by ID API
 
-[!include[Prerelease<73>information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a machine entity by ID.
+
+[!include[Prerelease<73>information](prerelease.md)]
+
+- Retrieves a machine entity by ID.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -85,18 +86,18 @@ Content-type: application/json
     "firstSeen": "2018-08-02T14:55:03.7791856Z",
 	"lastSeen": "2018-08-02T14:55:03.7791856Z",
     "osPlatform": "Windows10",
-    "osVersion": null,
+    "osVersion": "10.0.0.0",
-    "systemProductName": null,
     "lastIpAddress": "172.17.230.209",
     "lastExternalIpAddress": "167.220.196.71",
     "agentVersion": "10.5830.18209.1001",
     "osBuild": 18209,
     "healthStatus": "Active",
-    "isAadJoined": true,
-    "machineTags": [],
     "rbacGroupId": 140,
+	"rbacGroupName": "The-A-Team",
     "riskScore": "Low",
-    "aadDeviceId": null
+	"isAadJoined": true,
+    "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+	"machineTags": [ "test tag 1", "test tag 2" ]
 }
 
 ```

windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -81,24 +81,25 @@ Content-type: application/json
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636692391408655573_2010598859",
+            "id": "441688558380765161_2136280442",
+			"incidentId": 8633,
+			"assignedTo": "secop@contoso.com",
 			"severity": "Low",
-            "status": "New",
+			"status": "InProgress",
-            "description": "test alert",
+			"classification": "TruePositive",
-            "recommendedAction": "do this and that",
+			"determination": "Malware",
-            "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+			"investigationState": "Running",
-            "category": "None",
+			"category": "MalwareDownload",
-            "title": "test alert",
+			"detectionSource": "WindowsDefenderAv",
-            "threatFamilyName": null,
+			"threatFamilyName": "Mikatz",
-            "detectionSource": "CustomerTI",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-            "classification": null,
+			"description": "Some description"
-            "determination": null,
+			"recommendedAction": "Some recommended action"
-            "assignedTo": null,
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-03T16:45:21.7115182Z",
-            "actorName": null,
-            "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md

@@ -14,12 +14,14 @@ ms.date: 12/08/2017
 ---
 
 # Get machineAction API
+
 **Applies to:**
+
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease<73>information](prerelease.md)]
 
-Get action performed on a machine.
+- Get action performed on a machine.
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)

windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md

@@ -15,14 +15,16 @@ ms.date: 12/08/2017
 
 # List MachineActions API
 
-[!include[Prerelease<73>information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
- Gets collection of actions done on machines. 
+[!include[Prerelease<73>information](prerelease.md)]
- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+- Gets collection of actions done on machines. 
+- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@@ -167,3 +169,6 @@ Content-type: application/json
     ]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md

@@ -15,15 +15,16 @@ ms.date: 12/08/2017
 
 # List machines API
 
-[!include[Prerelease<73>information](prerelease.md)]
-
 **Applies to:**
 
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
-Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+[!include[Prerelease<73>information](prerelease.md)]
-Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
-The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
+- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
+- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
+- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
 
 ## Permissions
 
@@ -87,18 +88,18 @@ Content-type: application/json
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
 			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -106,19 +107,22 @@ Content-type: application/json
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
 			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
-            "machineTags": [],
 			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }
 ```
+
+## Related topics
+- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md

@@ -81,44 +81,46 @@ Content-type: application/json
 	"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
     "value": [
         {
-            "id": "636688558380765161_2136280442",
+            "id": "441688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 8633,
+			"assignedTo": "secop@contoso.com",
+			"severity": "Low",
 			"status": "InProgress",
-            "description": "Some alert description 1",
-            "recommendedAction": "Some recommended action 1",
-            "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
-            "category": "General",
-            "title": "Some alert title 1",
-            "threatFamilyName": null,
-            "detectionSource": "WindowsDefenderAtp",
 			"classification": "TruePositive",
-            "determination": null,
+			"determination": "Malware",
-            "assignedTo": "best secop ever",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-25T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-25T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-02T07:02:52.0894451Z",
-            "actorName": null,
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
         },
         {
-            "id": "636688558380765161_2136280442",
+            "id": "121688558380765161_2136280442",
-            "severity": "Informational",
+			"incidentId": 4123,
+			"assignedTo": "secop@contoso.com",
+			"severity": "Low",
 			"status": "InProgress",
-            "description": "Some alert description 2",
-            "recommendedAction": "Some recommended action 2",
-            "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
-            "category": "General",
-            "title": "Some alert title 2",
-            "threatFamilyName": null,
-            "detectionSource": "WindowsDefenderAtp",
 			"classification": "TruePositive",
-            "determination": null,
+			"determination": "Malware",
-            "assignedTo": "best secop ever",
+			"investigationState": "Running",
+			"category": "MalwareDownload",
+			"detectionSource": "WindowsDefenderAv",
+			"threatFamilyName": "Mikatz",
+			"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
+			"description": "Some description"
+			"recommendedAction": "Some recommended action"
+			"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
+			"firstEventTime": "2018-11-24T16:17:50.0948658Z",
+			"lastEventTime": "2018-11-24T16:18:01.809871Z",
 			"resolvedTime": null,
-            "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+			"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-            "firstEventTime": "2018-08-03T07:02:52.0894451Z",
-            "actorName": null,
-            "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
         }
 	]
 }

windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md

@@ -14,6 +14,7 @@ ms.date: 12/08/2017
 ---
 
 # Get user related machines API
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
@@ -87,18 +88,18 @@ Content-type: application/json
             "firstSeen": "2018-08-02T14:55:03.7791856Z",
 			"lastSeen": "2018-08-02T14:55:03.7791856Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "172.17.230.209",
             "lastExternalIpAddress": "167.220.196.71",
             "agentVersion": "10.5830.18209.1001",
             "osBuild": 18209,
             "healthStatus": "Active",
-            "isAadJoined": true,
-            "machineTags": [],
             "rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": true,
+            "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+			"machineTags": [ "test tag 1", "test tag 2" ]
         },
         {
             "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@@ -106,18 +107,18 @@ Content-type: application/json
             "firstSeen": "2018-07-09T13:22:45.1250071Z",
 			"lastSeen": "2018-07-09T13:22:45.1250071Z",
             "osPlatform": "Windows10",
-            "osVersion": null,
+            "osVersion": "10.0.0.0",
-            "systemProductName": null,
             "lastIpAddress": "192.168.12.225",
             "lastExternalIpAddress": "79.183.65.82",
             "agentVersion": "10.5820.17724.1000",
             "osBuild": 17724,
             "healthStatus": "Inactive",
-            "isAadJoined": true,
-            "machineTags": [],
 			"rbacGroupId": 140,
+			"rbacGroupName": "The-A-Team",
             "riskScore": "Low",
-            "aadDeviceId": null
+			"isAadJoined": false,
+            "aadDeviceId": null,
+			"machineTags": [ "test tag 1" ]
         }
     ]
 }

windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md

@@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win
 lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
 osPlatform | String | OS platform.
 osVersion | String | OS Version.
-lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
-lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
+lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
 agentVersion | String | Version of WDATP agent.
-osBuild | Int | OS build number.
+osBuild | Nullable long | OS build number.
 healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
-isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+rbacGroupId | Int | RBAC Group ID.
+rbacGroupName | String | RBAC Group Name.
+riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
 machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
-rbacGroupId | Int | Group ID.
-riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).

windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md

@@ -0,0 +1,105 @@
+---
+title: Stop and quarantine file API
+description: Use this API to stop and quarantine file.
+keywords: apis, graph api, supported apis, stop and quarantine file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Stop and quarantine file API
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease<73>information](prerelease.md)]
+
+- Stop execution of a file on a machine and delete it.
+
+[!include[Machine actions note](machineactionsnote.md)]
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type |	Permission	|	Permission display name
+:---|:---|:---
+Application |	Machine.StopAndQuarantine |	'Stop And Quarantine'
+Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
+
+>[!Note]
+> When obtaining a token using user credentials:
+>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
+>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter |	Type	| Description
+:---|:---|:---
+Comment |	String |	Comment to associate with the action. **Required**.
+Sha1 |	String	 | Sha1 of the file to stop and quarantine on the machine. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile 
+Content-type: application/json
+{
+  "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+  "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+    "id": "141408d1-384c-4c19-8b57-ba39e378011a",
+    "type": "StopAndQuarantineFile",
+    "requestor": "Analyst@contoso.com ",
+    "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
+    "status": "InProgress",
+    "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+    "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+    "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
+	"relatedFileInfo": {
+        "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
+        "fileIdentifierType": "Sha1"
+	}
+}
+
+```
+

windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md

@@ -72,10 +72,10 @@ Here is an example of the request.
 [!include[Improve request performance](improverequestperformance-new.md)]
 
 ```
-PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
 Content-Type: application/json
 {
-	"assignedTo": "Our designated secop"
+	"assignedTo": "secop2@contoso.com"
 }
 ```
 
@@ -86,23 +86,24 @@ Here is an example of the response.
 ```
 {
     "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
-    "id": "636688558380765161_2136280442",
+    "id": "121688558380765161_2136280442",
-    "severity": "Medium",
+	"incidentId": 7696,
-    "status": "InProgress",
+	"assignedTo": "secop2@contoso.com",
-    "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
+	"severity": "High",
-    "recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
+	"status": "New",
-    "alertCreationTime": "2018-08-07T10:18:04.2665329Z",
+	"classification": "TruePositive",
-    "category": "Installation",
+	"determination": "Malware",
-    "title": "Possible sensor tampering in memory",
+	"investigationState": "Running",
-    "threatFamilyName": null,
+	"category": "MalwareDownload",
-    "detectionSource": "WindowsDefenderAtp",
+	"detectionSource": "WindowsDefenderAv",
-    "classification": null,
+	"threatFamilyName": "Mikatz",
-    "determination": null,
+	"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
-    "assignedTo": "Our designated secop",
+	"description": "Some description"
+	"recommendedAction": "Some recommended action"
+	"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
+	"firstEventTime": "2018-11-26T16:17:50.0948658Z",
+	"lastEventTime": "2018-11-26T16:18:01.809871Z",
 	"resolvedTime": null,
-    "lastEventTime": "2018-08-07T10:14:35.470671Z",
+	"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
-    "firstEventTime": "2018-08-07T10:14:35.470671Z",
-    "actorName": null,
-    "machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
 }
 ```