Merged PR 13009: update alert and machine schema

update alert and machine schema
Ben Alfasi
2018-11-27 20:46:21 +00:00
committed by Joey Caparas
26 changed files with 659 additions and 470 deletions


@ -265,7 +265,7 @@
######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -274,8 +274,8 @@
####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
@ -284,6 +284,7 @@
######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
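Review bot: the new TOC entry 'Stop and quarantine file' links to stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md, and none of the hunks shown in this PR add that file; confirm the page exists (or is added in one of the files not shown) so the TOC does not ship a dead link. The same entry is added to the second TOC below, so both need the same check.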


@ -262,7 +262,7 @@
####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -270,8 +270,8 @@
####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
@ -280,7 +280,7 @@
####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
###### [User](user-windows-defender-advanced-threat-protection-new.md)
####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)


@ -15,10 +15,12 @@ ms.date: 12/08/2017
# Add or Remove Machine Tags API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Adds or remove tag to a specific machine.
## Permissions
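Review bot: the new bullet '- Adds or remove tag to a specific machine.' has a verb-agreement error and a missing article; suggest '- Adds or removes a tag on a specific machine.' The **Applies to:** block is also moved from above the prerelease include to below it in this hunk, so check the rendered page shows it once, in the intended position.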
@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "Test Tag",
"Value" : "test Tag 2",
"Action": "Add"
}
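Review bot: the request body now sends "Value" : "test Tag 2" (capital T) while the response in the next hunk lists the tag as "test tag 2"; use one spelling in both so the request and the response tell a consistent story. The context line 'Here is an example of a request that adds machine tag.' would also read better as 'a request that adds a machine tag'.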
@ -85,26 +87,25 @@ HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine55.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": "2018-09-27T08:44:05.6228836Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [
"Test Tag"
],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```
To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
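Review bot: "@odata.context" in this response is "...$metadata#Machine/$entity", whereas the alert-related-machine response later in this PR uses "...$metadata#Machines/$entity"; the entity-set name should be the same in both samples. The trailing bullet would read better as '- To remove a machine tag, set Action to 'Remove' instead of 'Add' in the request body.'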


@ -17,7 +17,7 @@ ms.date: 12/08/2017
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
[!include[Prerelease<EFBFBD>information](prerelease.md)]
Represents an alert entity in WDATP.
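Review bot: the replacement include line contains a mis-encoded, non-ASCII character between 'Prerelease' and 'information' where the removed line had a plain space; the same stray character appears in the prerelease includes touched on the other pages in this PR. Retype the line as [!include[Prerelease information](prerelease.md)] with an ordinary space.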
@ -37,45 +37,48 @@ Method|Return Type |Description
# Properties
Property | Type | Description
:---|:---|:---
id | String | Alert ID
severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
id | String | Alert ID.
incidentId | String | The [Incident](incidents-queue.md) ID of the Alert.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
description | String | Description of the threat, identified by the alert.
recommendedAction | String | Action recommended for handling the suspected threat.
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
title | string | Alert title
threatFamilyName | string | Threat family
detectionSource | string | Detection source
assignedTo | String | Owner of the alert
classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
# JSON representation
```json
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```
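Review bot: in the properties table, the investigationState row lists 'Benign Failed PartiallyRemediated' as a single quoted value, which looks like three values ('Benign', 'Failed', 'PartiallyRemediated') that lost their quotes and commas; please split them, and drop the stray space before the period after 'SuppressedAlert'. In the JSON representation, the "description" and "recommendedAction" lines have no trailing comma, so the sample is not valid JSON, and the fence was changed from ```json to a bare ``` while the List alerts page in this same PR makes the opposite change; pick one convention. Smaller points: incidentId is typed String in the table but appears as the number 7696 in the sample; "@odata.context" still reads "#Alerts" for a single entity while the single-entity machine responses in this PR carry the "/$entity" suffix; and the lastEventTime ('on the same machine') and firstEventTime ('on that machine') descriptions should use the same wording.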


@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
## HTTP request
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
```
## Request headers
@ -77,7 +77,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Length: application/json
{
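Review bot: the URL change is fine, but the unchanged context line 'Content-Length: application/json' directly below it is wrong: that value belongs to a Content-Type header (the other request samples in this PR use 'Content-type: application/json'). Worth fixing while this block is being edited.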


@ -21,12 +21,17 @@ ms.date: 11/15/2018
- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
- Not all properties are filterable.
### Properties that supports $filter:
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
### Example 1
**Get all the machines with the tag 'ExampleTag'**
- Get all the machines with the tag 'ExampleTag'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
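Review bot: the new bullets contradict each other: the Alert bullet says the entity supports 'all OData queries except $filter', yet the list under 'Properties that supports $filter' names six Alert properties (Id, IncidentId, AlertCreationTime, Status, Severity and Category) that do support it; reword the first bullet to say $filter on Alert is limited to those properties. Agreement fixes in the same lines: 'entities supports' should be 'entities support', 'entity support all' should be 'entity supports all', and the heading should read 'Properties that support $filter'.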
@ -41,25 +46,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2018-03-07T11:19:11.7234147Z",
"lastSeen": "2018-11-15T11:23:38.3196947Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.17.255.241",
"lastExternalIpAddress": "123.220.196.180",
"agentVersion": "10.6400.18282.1001",
"osBuild": 18282,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [
"ExampleTag"
],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "North",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -70,6 +73,50 @@ Content-type: application/json
### Example 2
- Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
```
**Response:**
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
.
.
.
]
}
```
### Example 3
- Get all the machines with 'High' 'RiskScore'
```
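Review bot: the new Example 2 bullet says 'alerts that created after 2018-10-20 00:00:00', but the query filters on alertCreationTime gt 2018-11-22T00:00:00Z; make the date in the sentence match the query and change 'that created' to 'created'. The response sample also lacks the commas after "description" and "recommendedAction", the same defect as the alert JSON on the other pages in this PR, so it is not valid JSON.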
@ -85,23 +132,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "e3a77eeddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -110,7 +157,7 @@ Content-type: application/json
}
```
### Example 3
### Example 4
- Get top 100 machines with 'HealthStatus' not equals to 'Active'
@ -127,23 +174,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1113333ddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "Medium",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -152,12 +199,12 @@ Content-type: application/json
}
```
### Example 4
### Example 5
- Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
**Response:**
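Review bot: the $filter value is changed from lastSeen gt 2018-10-20Z to 2018-08-01Z, but the bullet above still says 'machines that last seen after 2018-10-20'; update the sentence to 2018-08-01 (and to 'that were last seen after') so the example stays consistent. Example 2 in this file writes its timestamp in the full 2018-11-22T00:00:00Z form; using the same form here would make the samples uniform.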
@ -169,23 +216,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "83113465ffceca4a731234e5dcde3357e026e873",
"computerDnsName": "examples-vm10",
"firstSeen": "2018-11-12T16:07:50.1706168Z",
"lastSeen": "2018-11-12T16:07:50.1706168Z",
"osPlatform": "WindowsServer2019",
"osVersion": null,
"lastIpAddress": "10.123.72.35",
"lastExternalIpAddress": "123.220.2.3",
"agentVersion": "10.6300.18281.1000",
"osBuild": 18281,
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "None",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -194,7 +241,7 @@ Content-type: application/json
}
```
### Example 5
### Example 6
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP


@ -15,11 +15,12 @@ ms.date: 12/08/2017
# Find machines by internal IP API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
- The given timestamp must be in the past 30 days.
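Review bot: the prerelease include re-added below the **Applies to:** block carries the same mis-encoded character between 'Prerelease' and 'information' as the alerts page; retype it with a plain space. The first bullet ('...15 minutes prior and after a given timestamp') is also missing its closing period.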
@ -83,22 +84,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine33.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": null,
"osPlatform": "Windows10",
"osVersion": null,
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}


@ -64,7 +64,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
```
**Response**
@ -75,24 +75,25 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```
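Review bot: the sample alert has "severity": "Low" while its title reads "... high-severity malware"; for a documentation sample the two fields should agree (the List alerts and machine-related-alerts samples in this PR carry the same mismatch). The "description" and "recommendedAction" lines are again missing their trailing commas, so the object does not parse.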


@ -14,12 +14,13 @@ ms.date: 12/08/2017
---
# Get alert related machine information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves machine that is related to a specific alert.
- Retrieves machine that is related to a specific alert.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
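Review bot: the new bullet 'Retrieves machine that is related to a specific alert.' needs an article: '- Retrieves the machine that is related to a specific alert.' The prerelease include in this hunk carries the same mis-encoded character between 'Prerelease' and 'information' noted on the other pages.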
@ -77,22 +78,22 @@ HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "ff0c3800ed8d66738a514971cd6867166809369f",
"computerDnsName": "amazingmachine.contoso.com",
"firstSeen": "2017-12-10T07:47:34.4269783Z",
"lastSeen": "2017-12-10T07:47:34.4269783Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"systemProductName": null,
"lastIpAddress": "172.17.0.0",
"lastExternalIpAddress": "167.220.0.0",
"agentVersion": "10.5830.17732.1001",
"osBuild": 17732,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```


@ -21,8 +21,10 @@ ms.date: 12/08/2017
[!include[Prerelease<73>information](prerelease.md)]
Retrieves top recent alerts.
- Retrieves a collection of Alerts.
- Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
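Review bot: 'The OData's Filter query is supported on:' reads awkwardly; suggest 'The OData $filter query is supported on: ...', matching the $filter spelling used on the OData samples page in this PR. The removed line 'Retrieves top recent alerts.' described a recency limit that the new 'Retrieves a collection of Alerts.' drops; if the endpoint still returns only the most recent alerts by default, keep that statement, since callers paging with OData need to know.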
@ -81,50 +83,55 @@ Here is an example of the response.
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
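Review bot: the fence change here (bare ``` to ```json) is the opposite of the change made on the Alert entity page in this PR; choose one convention for both. Both objects in the array are missing the commas after "description" and "recommendedAction", so the sample will not parse. Giving the second alert its own id (441688558380765161_2136280442) where the old sample repeated the same id twice is a good fix.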


@ -84,44 +84,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
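Review bot: the unchanged context line `"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines"` does not match the payload, which is a collection of alerts; while the sample is being rewritten, change it to `$metadata#Alerts` as the other alert pages use. Both alert objects also lack the commas after `"description": "Some description"` and `"recommendedAction": "Some recommended action"`, so the example will not parse.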

@ -80,43 +80,43 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
"computerDnsName": "testMachine1",
"firstSeen": "2018-07-30T20:12:00.3708661Z",
"lastSeen": "2018-07-30T20:12:00.3708661Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.67.177",
"lastExternalIpAddress": "167.220.1.210",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"healthStatus": "Inactive",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
"computerDnsName": "testMachine2",
"firstSeen": "2018-07-30T19:50:47.3618349Z",
"lastSeen": "2018-07-30T19:50:47.3618349Z",
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.70.231",
"lastExternalIpAddress": "167.220.0.28",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "None",
"aadDeviceId": null
}
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```
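Review bot: `"lastExternalIpAddress": "79.183.65.82"` and `"167.220.196.71"` are routable public addresses; published API samples get copied into test fixtures and blocklists, so use an RFC 5737 documentation address such as `203.0.113.10` for the external IP, the way the `lastIpAddress` values already stay in RFC 1918 space (`172.17.230.209`, `192.168.12.225`). The sample also drops `systemProductName` from both machines; confirm the Machine schema table no longer lists that property so samples and schema agree.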

@ -82,24 +82,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

@ -14,13 +14,14 @@ ms.date: 12/08/2017
---
# Get file related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Retrieves a collection of machines related to a given file hash.
- Retrieves a collection of machines related to a given file hash.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -83,39 +84,37 @@ Content-type: application/json
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
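Review bot: both machine objects in this sample omit `rbacGroupName`, which this change adds to the Machine schema (`rbacGroupName | String | RBAC Group Name.`) and to every other machine sample as `"rbacGroupName": "The-A-Team"` right after `"rbacGroupId": 140`; add it here too so the file-related-machines example matches the schema. The `lasttSeen` to `lastSeen` fix is good; the second object still carries `"rbacGroupId": 140,` on two adjacent lines, so check that only one survives in the rendered page.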

@ -81,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
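Review bot: `"description": "Some description"` and `"recommendedAction": "Some recommended action"` need trailing commas; as written the alert object is invalid JSON.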

@ -85,18 +85,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"rbacGroupName": "The-A-Team",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -104,18 +104,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

@ -15,12 +15,13 @@ ms.date: 12/08/2017
# Get machine by ID API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a machine entity by ID.
[!include[Prerelease<73>information](prerelease.md)]
- Retrieves a machine entity by ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -85,18 +86,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```

@ -81,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
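Review bot: same JSON defect as the other alert samples in this change: add the missing commas after `"description": "Some description"` and `"recommendedAction": "Some recommended action"`.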

@ -14,12 +14,14 @@ ms.date: 12/08/2017
---
# Get machineAction API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
Get action performed on a machine.
- Get action performed on a machine.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)

@ -15,14 +15,16 @@ ms.date: 12/08/2017
# List MachineActions API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Gets collection of actions done on machines.
Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
[!include[Prerelease<73>information](prerelease.md)]
- Gets collection of actions done on machines.
- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
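Review bot: the new bullet `The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".` reads awkwardly and quotes the properties in PascalCase while the response samples use camelCase (`machineId`, `requestor`, `creationDateTimeUtc`); suggest `$filter is supported on the following properties: ...` and state which casing the service expects, since OData property names are case-sensitive by default. The heading still reads `List MachineActions API` while the second bullet calls the same endpoint `Get MachineAction collection API`; pick one name.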
@ -167,3 +169,6 @@ Content-type: application/json
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

@ -15,15 +15,16 @@ ms.date: 12/08/2017
# List machines API
[!include[Prerelease<73>information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
[!include[Prerelease<73>information](prerelease.md)]
- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
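Review bot: `communicated with WDATP cloud on the last 30 days` should read `with the Windows Defender ATP cloud in the last 30 days`, and `Get Machines collection API` in the second bullet should match the page heading `List machines API`. The filterable property list (`"Id", "ComputerDnsName", "LastSeen", ...`) is in PascalCase while the sample payload uses camelCase (`computerDnsName`, `lastSeen`); say which form `$filter` accepts so readers do not have to guess.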
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,19 +107,22 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

@ -81,44 +81,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
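Review bot: both alert objects are missing the commas after `"description": "Some description"` and `"recommendedAction": "Some recommended action"`; the array will not parse as JSON until they are added.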

@ -14,6 +14,7 @@ ms.date: 12/08/2017
---
# Get user related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,18 +107,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win
lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
osPlatform | String | OS platform.
osVersion | String | OS Version.
lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
agentVersion | String | Version of WDATP agent.
osBuild | Int | OS build number.
osBuild | Nullable long | OS build number.
healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
rbacGroupId | Int | Group ID.
riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
rbacGroupId | Int | RBAC Group ID.
rbacGroupName | String | RBAC Group Name.
riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
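Review bot: the Type column now mixes two vocabularies: `Int`, `String`, `Enum`, `Boolean` alongside .NET-flavoured `Nullable long`, `Nullable Enum`, `Nullable Boolean`, `Nullable Guid`. Keep one convention (for example `Long`, `Enum`, `Boolean`, `Guid`, with nullability noted consistently, and decide whether `rbacGroupId | Int` can also be null). The `Ip` to `String` change for `lastIpAddress` and `lastExternalIpAddress` and the `evaludated` typo fix are good.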

@ -0,0 +1,105 @@
---
title: Stop and quarantine file API
description: Use this API to stop and quarantine file.
keywords: apis, graph api, supported apis, stop and quarantine file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 12/08/2017
---
# Stop and quarantine file API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease<73>information](prerelease.md)]
- Stop execution of a file on a machine and delete it.
[!include[Machine actions note](machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
## HTTP request
```
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
## Response
If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
```
**Response**
Here is an example of the response.
[!include[Improve request performance](improverequestperformance-new.md)]
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "141408d1-384c-4c19-8b57-ba39e378011a",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"relatedFileInfo": {
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1"
}
}
```
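Review bot: `- Stop execution of a file on a machine and delete it.` contradicts the operation: quarantine moves the file aside so it can be restored, it does not delete it, so say "quarantine" to match the `StopAndQuarantineFile` route and the `Machine.StopAndQuarantine` permission. The 201 response carries `"status": "InProgress"`, so the Response section should tell callers to poll the returned Machine Action `id` (Get MachineAction) until the status is terminal before treating the file as contained; a 201 here means the request was accepted, not that the file is gone. Minor: `"requestor": "Analyst@contoso.com "` has a trailing space inside the string, `Content-Type | string` should be `String` like the row above it, and `ms.date: 12/08/2017` is stale for a page created in this change.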

@ -72,10 +72,10 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "Our designated secop"
"assignedTo": "secop2@contoso.com"
}
```
@ -86,23 +86,24 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "636688558380765161_2136280442",
"severity": "Medium",
"status": "InProgress",
"description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
"recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
"alertCreationTime": "2018-08-07T10:18:04.2665329Z",
"category": "Installation",
"title": "Possible sensor tampering in memory",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": null,
"determination": null,
"assignedTo": "Our designated secop",
"resolvedTime": null,
"lastEventTime": "2018-08-07T10:14:35.470671Z",
"firstEventTime": "2018-08-07T10:14:35.470671Z",
"actorName": null,
"machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop2@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```
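Review bot: the response object is missing commas after `"description": "Some description"` and `"recommendedAction": "Some recommended action"` and is therefore invalid JSON. Separately, the removed sample was a realistic sensor-tampering alert whose `recommendedAction` showed readers the multi-step, newline-delimited text this field actually carries; replacing it with `"Some recommended action"` loses that, so consider keeping one realistic value in at least this update-alert example.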