deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 22:33:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

55

Browse Source
This commit is contained in:
Ben Alfasi
2020-01-06 23:20:22 +02:00
parent 2e60553f9e
commit 7b6ac9b24d
2 changed files with 110 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
View File

@ -55,17 +55,19 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z", "firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10", "osPlatform": "Windows10",
"osVersion": "10.0.0.0", "version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209", "lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71", "lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209, "osBuild": 18209,
"healthStatus": "Active", "healthStatus": "Active",
"rbacGroupId": 140, "rbacGroupId": 140,
"rbacGroupName": "The-A-Team", "rbacGroupName": "The-A-Team",
"riskScore": "High", "riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] "machineTags": [ "test tag 1", "ExampleTag" ]
}, },
. .
. .
@ -79,7 +81,7 @@ Content-type: application/json
- Get all the alerts that created after 2018-10-20 00:00:00 - Get all the alerts that created after 2018-10-20 00:00:00
``` ```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
``` ```
**Response:** **Response:**
@ -91,24 +93,33 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [ "value": [
{ {
"id": "121688558380765161_2136280442", "id": "da637084217856368682_-292920499",
"incidentId": 7696, "incidentId": 66860,
"investigationId": 4416234,
"investigationState": "Running",
"assignedTo": "secop@contoso.com", "assignedTo": "secop@contoso.com",
"severity": "High", "severity": "Low",
"status": "New", "status": "New",
"classification": "TruePositive", "classification": "TruePositive",
"determination": "Malware", "determination": null,
"investigationState": "Running", "detectionSource": "WindowsDefenderAtp",
"category": "MalwareDownload", "category": "CommandAndControl",
"detectionSource": "WindowsDefenderAv", "threatFamilyName": null,
"threatFamilyName": "Mikatz", "title": "Network connection to a risky host",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware", "description": "A network connection was made to a risky host which has exhibited malicious activity.",
"description": "Some description", "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z", "firstEventTime": "2019-11-03T23:47:16.2288822Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z", "lastEventTime": "2019-11-03T23:47:51.2966758Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z", "lastUpdateTime": "2019-11-03T23:55:52.6Z",
"resolvedTime": null, "resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop@contoso.com",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
]
}, },
. .
. .
@ -122,7 +133,7 @@ Content-type: application/json
- Get all the machines with 'High' 'RiskScore' - Get all the machines with 'High' 'RiskScore'
``` ```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High' HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
``` ```
**Response:** **Response:**
@ -139,17 +150,19 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z", "firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10", "osPlatform": "Windows10",
"osVersion": "10.0.0.0", "version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209", "lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71", "lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209, "osBuild": 18209,
"healthStatus": "Active", "healthStatus": "Active",
"rbacGroupId": 140, "rbacGroupId": 140,
"rbacGroupName": "The-A-Team", "rbacGroupName": "The-A-Team",
"riskScore": "High", "riskScore": "High",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] "machineTags": [ "test tag 1", "ExampleTag" ]
}, },
. .
. .
@ -163,7 +176,7 @@ Content-type: application/json
- Get top 100 machines with 'HealthStatus' not equals to 'Active' - Get top 100 machines with 'HealthStatus' not equals to 'Active'
``` ```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100 HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
``` ```
**Response:** **Response:**
@ -180,17 +193,19 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z", "firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10", "osPlatform": "Windows10",
"osVersion": "10.0.0.0", "version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209", "lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71", "lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209, "osBuild": 18209,
"healthStatus": "Active", "healthStatus": "ImpairedCommunication",
"rbacGroupId": 140, "rbacGroupId": 140,
"rbacGroupName": "The-A-Team", "rbacGroupName": "The-A-Team",
"riskScore": "High", "riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] "machineTags": [ "test tag 1", "ExampleTag" ]
}, },
. .
. .
@ -221,17 +236,19 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z", "firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10", "osPlatform": "Windows10",
"osVersion": "10.0.0.0", "version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209", "lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71", "lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209, "osBuild": 18209,
"healthStatus": "Active", "healthStatus": "ImpairedCommunication",
"rbacGroupId": 140, "rbacGroupId": 140,
"rbacGroupName": "The-A-Team", "rbacGroupName": "The-A-Team",
"riskScore": "High", "riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] "machineTags": [ "test tag 1", "ExampleTag" ]
}, },
. .
. .
@ -245,7 +262,7 @@ Content-type: application/json
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP - Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
``` ```
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan' HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
``` ```
**Response:** **Response:**
@ -257,14 +274,16 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [ "value": [
{ {
"id": "5c3e3322-d993-1234-1111-dfb136ebc8c5", "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan", "type": "RunAntiVirusScan",
"requestor": "Analyst@examples.onmicrosoft.com", "scope": "Full",
"requestorComment": "1533", "requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded", "status": "Succeeded",
"machineId": "123321c10e44a82877af76b1d0161a17843f688a", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z", "computerDnsName": "desktop-39g9tgl",
"lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z", "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null "relatedFileInfo": null
}, },
. .

4
windows/security/threat-protection/microsoft-defender-atp/investigation.md
View File

@ -28,8 +28,8 @@ Represent an Automated Investigation entity in Microsoft Defender ATP.
## Methods ## Methods
Method|Return Type |Description Method|Return Type |Description
:---|:---|:--- :---|:---|:---
[List Investigations](.md) | Investigation collection | Get a collection of Investigation [List Investigations](.md) | Investigation collection | Get collection of Investigation
[Get single Investigation](.md) | Investigation entity | Gets a single Investigation entity. [Get single Investigation](.md) | Investigation entity | Gets single Investigation entity.
[Start Investigation](.md) | Investigation entity | Starts Investigation on a machine. [Start Investigation](.md) | Investigation entity | Starts Investigation on a machine.