Merge branch 'atp-public-preview' of https://cpubwin.visualstudio.com/_git/it-client into atp-public-preview

This commit is contained in:
Joey Caparas 2017-08-29 16:13:58 -07:00
commit 879454e2a4
25 changed files with 171 additions and 1377 deletions

View File

@ -37,14 +37,16 @@
###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution)
###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
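Review bot: the "Collect investigation package" entry appears twice under "Take response actions on a machine" (once after "Manage machine group and tags" and again after "Undo machine isolation"); drop one. The "Restrict app execution" entry also links to the anchor `#restict-app-execution`, which is misspelled and will only resolve if the heading in respond-machine-alerts-windows-defender-advanced-threat-protection.md carries the same typo; use `#restrict-app-execution` and make sure the heading matches.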

View File

@ -1,68 +0,0 @@
---
title: Block file API
description: Use this API to create calls related to blocking files from being executed in the organization.
keywords: apis, graph api, supported apis, block file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Block file
Prevent a file from being executed in the organization using Windows Defender Antivirus.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/files/{sha1}/block
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block
Content-type: application/json
{
"Comment": "Block file due to alert 32123"
}
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
```

View File

@ -1,77 +0,0 @@
---
title: Collect investigation package API
description: Use this API to create calls related to the collecting an investigation package from a machine.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Collect investigation package
Collect investigation package from a machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/collectInvestigationPackage
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | Text | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "CollectInvestigationPackage",
"status": "InProgress",
"error": "Unknown"
}
```

View File

@ -1,7 +1,7 @@
---
title: Configure non-Windows endpoints in Windows Defender ATP
description: Configure non-Winodws endpoints to see sensor data and get alerts from them
keywords: configure endpoints non-Windows endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
description: Configure non-Winodws endpoints so that they can send sensor data to the Windows Defender ATP service.
keywords: configure endpoints non-Windows endpoints, macos, linux, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
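Review bot: the typo "non-Winodws" in the old description is carried over into the replacement description; since this hunk rewrites that line anyway, correct it to "non-Windows" here.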

View File

@ -1,7 +1,7 @@
---
title: Configure non-persistent virtual desktop infrastructure (VDI) machines in Windows Defender ATP
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to the service.
keywords: configure virtual desktop infrastructure (VDI) machine, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, vdi
title: Configure non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
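Review bot: the new description reads "onboarded to Windows Defender ATP the service", which is garbled; it should read "onboarded to the Windows Defender ATP service". Number agreement is also off in the same sentence ("on virtual desktop infrastructure (VDI) machine so that they are onboarded"): either "machines ... they" or "machine ... it".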

View File

@ -1,7 +1,7 @@
---
title: Configure Windows Defender ATP server endpoints
description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor.
keywords: server, configure server endpoints, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints
keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy

View File

@ -1,100 +0,0 @@
---
title: Use the Windows Defender Advanced Threat Protection exposed APIs
description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Use the Windows Defender ATP exposed APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, youll need to take the following steps to use the APIs:
- Create an app
- Get an access token
- Run queries on the graph API
### Before you begin
Before using the APIs, youll need to create an app that youll use to authenticate against the graph. Youll need to create a native app to use for the adhoc queries.
## Create an app
1. Log on to [Azure](https://portal.azure.com).
2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
3. In the Create window, enter the following information then click **Create**.
![Image of Create application window](images/atp-azure-create.png)
- **Name:** WinATPGraph
- **Application type:** Native
- **Redirect URI:** `https://localhost`
4. Navigate and select the newly created application.
![Image of new app in Azure](images/atp-azure-atp-app.png)
5. Click **All settings** > **Required permissions** > **Add**.
![Image of All settings, then required permissions](images/atp-azure-required-permissions.png)
6. Click **Select an API** > **Microsoft Graph**, then click **Select**.
![Image of API access and API selection](images/atp-azure-api-access.png)
7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
![Image of select permissions](images/atp-azure-select-permissions.png)
You can now use the code snippets in the following sections to query the API using the created app ID.
## Get an access token
1. Get the Client ID from the application you created.
2. Use the **Client ID**. For example:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
```
## Query the graph
Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
```
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// sample endpoint
string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
## Related topics
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
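Review bot: deleting this page leaves any inbound link dangling; the Power BI page's related-topics entry for it is removed elsewhere in this commit, but the sibling page this one links to, supported-apis-windows-defender-advanced-threat-protection.md, does not appear in the visible diff, so confirm it is deleted or unlinked as well, along with any remaining references to the exposed-apis topic in the TOC.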

View File

@ -1,74 +0,0 @@
---
title: Get FileMachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, filemachineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Get FileMachineAction object
Get MachineAction object.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/filemachineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *FileMachineAction* object.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions/7327b54fd718525cbca07dacde913b5ac3c85673
```
Response
Here is an example of the response.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": " 7327b54fd718525cbca07dacde913b5ac3c85673",
"sha1": "1163788484e3258ab9fcf692f7db7938f72ddfc2",
"type": "StopAndQuarantineFile",
"status": "Succeeded",
"machineId": "970a58d5f61786bb7799dfdb5395ec364ffceace",
"fileInstances": [
{
"filePath": "C:\\Users\\alex\\AppData\\Local\\AppFetch\\Temp\\3324bcb\\AppDownloader\\AnApp.appfetch.zip",
"status": "Succeeded"
}
]
}
```

View File

@ -1,67 +0,0 @@
---
title: Get MachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Get MachineAction object
Get MachineAction object
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/machineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *MachineAction* object.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "UnrestrictExecution",
"status": "Success",
"error": "Unknown"
}
```

View File

@ -1,67 +0,0 @@
---
title: Get package SAS URI API
description: Use this API to get a URI that allows downloading an investigation package.
keywords: apis, graph api, supported apis, get package, sas, uri
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Get package SAS URI
Get a URI that allows downloading an investigation package.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machineactions/{id}/getPackageUri
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testrespver1/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
}
```

Binary file not shown.

After

Width:  |  Height:  |  Size: 185 KiB

View File

@ -1,7 +1,7 @@
---
title: Investigate machines in the Windows Defender ATP Machines list
description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list.
keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity
description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health.
keywords: machines, endpoints, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
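Review bot: the new keywords line ends with "service heatlh", which should be "service health"; search keywords with typos do not match anything.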
@ -147,52 +147,6 @@ Expand an event to view associated processes related to the event. Click on the
The details pane enriches the in-context information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
## Manage machine group and tags
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
Machine related properties are being extended to account for:
- Group affiliation
- Dynamic context capturing
### Group machines
Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
Machine group is defined in the following registry key entry of the machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
### Set standard tags on machines
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
## Related topics
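Review bot: this hunk removes the whole "Manage machine group and tags" section (including "Group machines", "Set standard tags on machines" and "Manage machine tags") from the investigate-machines page, but the TOC hunk at the top of this commit still lists "Manage machine group and tags" under Investigate machines with the anchor `investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags`; that TOC entry now points at a heading that no longer exists and should be removed (the TOC already carries the new entry under "Take response actions on a machine"). Also check for any remaining in-page references to the `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` registry key description, which is dropped here and should survive on the page the section moves to.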

View File

@ -24,37 +24,34 @@ ms.date: 09/01/2017
[!include[Prerelease information](prerelease.md)]
# Investigate a user account in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
## Investigate user account entities
Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
You can find user account information in the following views:
- Security operations dashboard
- Dashboard
- Alert queue
- Machine details page
A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
When you investigate a user account entity, you'll see:
- User account details, Azure Advanced Threat Protection alerts, and Logged on machines
- User account details and Logged on machines
- Alerts related to this user
- Observed in organization (machines logged on to)
![Image of the user account entity details page](images/atp-user-details-view-tdp.png)
![Image of the user account entity details page](images/atp-user-view-ata.png)
The user account entity details, Azure Advanced Threat Protection alerts, and logged on machines sections display various attributes about the user account.
The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal.
If you have enabled the Azure Advanced Threat Protection feature and there are alerts related to the user, you can click on the link that will take you to the Azure Advanced Threat Protection page where more information about the alerts are provided. The Azure Advanced Threat Protection tile also provides details such as the last AD site, total group memberships, and login failure associated with the user.
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
>[!NOTE]
>Youll need to enable the integration between Windows Defender ATP and Azure Advanced Threat Protection to use this feature.
For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md).
The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
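Review bot: subject-verb agreement in the replacement sentence "The user account entity details and logged on machines section display various attributes" needs fixing; either "sections display" or "section displays". The same sentence now also states that the tile shows "the total number of machines the user logged on to" while the bullet list above it still says "Observed in organization (machines logged on to)"; keep the two consistent. Since the Azure Advanced Threat Protection tile, its NOTE and the "Turn on advanced features" cross-reference are all removed here, confirm that advanced-features-windows-defender-advanced-threat-protection.md is still reachable from another page if it is meant to remain in the set.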
@ -70,8 +67,6 @@ The machine health state is displayed in the machine icon and color as well as i
2. Enter the user account in the **Search** field.
3. Click the search icon or press **Enter**.
[IS THE BEHAVIOUR BELOW STILL TRUE? I TRIED TO SEARCH FOR USERS AND IT DOESN'T SEEM TO DISPLAY A LIST - PLEASE CHECK FOR TECHNICAL ACCURACY. THANKS!]
A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.
You can filter the results by the following time periods:
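Review bot: the bracketed editorial note "[IS THE BEHAVIOUR BELOW STILL TRUE? ...]" must not ship in published content; this hunk removes two lines, so verify that this placeholder is one of them and that the sentence it questions ("A list of users matching the query text is displayed ...") has actually been checked for accuracy rather than just left in place.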

View File

@ -1,83 +0,0 @@
---
title: Isolate machine API
description: Use this API to create calls related isolating a machine.
keywords: apis, graph api, supported apis, isolate machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Isolate machine
Isolates a machine from accessing external network.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/isolate
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
IsolationType | IsolationType | Full or selective isolation
**IsolationType** controls the type of isolation to perform and can be one of the following:
- Full Full isolation
- Selective Restrict only limited set of applications from accessing the network
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate
Content-type: application/json
{
"Comment": "Isolate machine due to alert 1234",
“IsolationType”: “Full”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "Isolate",
"status": "InProgress",
"error": "Unknown"
}
```

View File

@ -1,7 +1,7 @@
---
title: Create and build Power BI reports using Windows Defender ATP data
description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources.
keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors
keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
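Review bot: the new keywords line contains a stray space before the comma in "connectors , security insights"; remove it so the keyword list is consistently delimited.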
@ -122,7 +122,6 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash
8. Add visuals and select fields from the available data sources.
## Related topics
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)

View File

@ -1,77 +0,0 @@
---
title: Request sample API
description: Use this API to create calls related to requesting a sample from a machine.
keywords: apis, graph api, supported apis, request sample
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Request sample
Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/requestSample
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to upload to the secure storage. **Required**.
## Response
If successful, this method returns 201, Created response code and *FileMachineAction* object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/requestSample
Content-type: application/json
{
“Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "RequestSample",
"status": "InProgress",
"error": "Unknown"
}
```
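Review bot: The request example at the end of this removed file omits the `Comment` parameter that the request body table marks as **Required**, and it wraps the `Sha1` key and value in curly quotes (`“Sha1”: “7327…”`), which is not valid JSON; if the page is restored, the body should be `{ "Comment": "...", "Sha1": "7327b54fd718525cbca07dacde913b5ac3c85673" }` with straight quotes. The `ms.date` value `09/01.2017` also mixes separators. Since the whole file goes away, check that no TOC entry or "Related topics" list still links to it.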

View File

@ -1,7 +1,7 @@
---
title: Take response actions on a machine in Windows Defender ATP
description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details.
keywords: respond, isolate, isolate machine, collect investigation package, action center
description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution.
keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
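Review bot: In the new `description`, "running av scan" is the only abbreviated item in a list that otherwise spells the actions out; "running an antivirus scan" reads better and matches the "Windows Defender AV" / antivirus wording used in the body. The expanded keywords line is fine.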
@ -30,108 +30,53 @@ Quickly respond to detected attacks by isolating machines or collecting an inves
>[!NOTE]
> These response actions are only available for machines on Windows 10, version 1703.
## Isolate machines from the network
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
## Manage machine group and tags
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
Machine related properties are being extended to account for:
On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
>[!NOTE]
>Youll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Isolate machine**.
![Image of isolate machine](images/atp-actions-isolate-machine.png)
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
![Image of isolation confirmation](images/atp-confirm-isolate.png)
4. Type a comment and select **Yes, isolate machine** to take action on the machine.
>[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
The Action center shows the submission information:
![Image of machine isolation](images/atp-machine-isolation.png)
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
![Image of no network connection](images/atp-notification-isolate.png)
## Release machine from isolation
Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the **Actions** menu and select **Release from isolation**.
![Image of release from isolation](images/atp-actions-release-from-isolation.png)
3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
## Restrict app execution
In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
>[!NOTE]
>Youll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Restrict app execution**.
![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png)
3. Type a comment and select **Yes, restict app execution** to take action on the file.
![Image of app restriction notification](images/atp-notification-restrict.png)
The Action center shows the submission information:
![Image of action center with app restriction](images/atp-action-center-app-restriction.png)
- Group affiliation
- Dynamic context capturing
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
### Group machines
Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
Machine group is defined in the following registry key entry of the machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
**Notification on machine user**:</br>
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
### Set standard tags on machines
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
![Image of app restriction](images/atp-app-restriction.png)
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
## Remove app restriction
Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
1. Select the machine where you restricted an application from running from.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Remove app restrictions**.
2. Open the **Actions** menu and select **Manage tags**.
![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png)
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine.
## Collect investigation package from machines
As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
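Review bot: The "Group machines" subsection says group affiliation is read from the string value `Group` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` on the machine itself, but it gives no guidance on how that value is expected to be deployed (the `Policies` path suggests Group Policy or other central management) or what the portal shows when the value is absent or changes. Because the value is read from the endpoint, the group reflects whatever is set there; a sentence saying the value should be set centrally and that grouping is investigation context rather than an enforcement boundary would help readers use the filter correctly. Separately, the sentence "You can also get to the alert page through the file and IP views." inside step 1 of "Set standard tags on machines" is about alerts, not machine selection, and looks like a leftover; drop it or move it. The lead-in "Machine related properties are being extended to account for:" followed by "Group affiliation" / "Dynamic context capturing" would read better in the present tense ("Machine properties now include:").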
@ -216,6 +161,111 @@ As part of the investigation or response process, you can remotely initiate an a
The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
## Restrict app execution
In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
>[!NOTE]
>Youll be able to reverse the restriction of applications from running at any time.
1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Restrict app execution**.
![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png)
3. Type a comment and select **Yes, restict app execution** to take action on the file.
![Image of app restriction notification](images/atp-notification-restrict.png)
The Action center shows the submission information:
![Image of action center with app restriction](images/atp-action-center-app-restriction.png)
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions.
When the application execution restriction configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br>
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
![Image of app restriction](images/atp-app-restriction.png)
## Remove app restriction
Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated.
1. Select the machine where you restricted an application from running from.
2. Open the **Actions** menu and select **Remove app restrictions**.
![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png)
3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine.
## Isolate machines from the network
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity.
>[!NOTE]
>Youll be able to reconnect the machine back to the network at any time.
1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
2. Open the **Actions** menu and select **Isolate machine**.
![Image of isolate machine](images/atp-actions-isolate-machine.png)
3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated.
![Image of isolation confirmation](images/atp-confirm-isolate.png)
4. Type a comment and select **Yes, isolate machine** to take action on the machine.
>[!NOTE]
>The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
The Action center shows the submission information:
![Image of machine isolation](images/atp-machine-isolation.png)
- **Submission time** - Shows when the isolation action was submitted.
- **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication.
When the isolation configuration is applied, a new event is reflected in the machine timeline.
**Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
![Image of no network connection](images/atp-notification-isolate.png)
## Release machine from isolation
Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated.
1. Select a machine that was previously isolated.
2. Open the **Actions** menu and select **Release from isolation**.
![Image of release from isolation](images/atp-actions-release-from-isolation.png)
3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network.
## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. Youll be able to view the following details:
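Review bot: In the moved "Restrict app execution" section, the Action center bullet "Submission time - Shows when the isolation action was submitted" was copied from the isolation section and should say "restriction action". In the same section the button label "Yes, restict app execution" is misspelled (should be "restrict"), step 1 "Select the machine where you'd like to restrict an application from running from" has a doubled "from", and both notes reading "Youll be able to..." have lost their apostrophe ("You'll"). One caveat worth adding next to the sentence that the action applies a code integrity policy allowing only files signed by a Microsoft-issued certificate: any legitimate application on the machine that is not Microsoft-signed will also stop running while the restriction is in place, so responders should expect that impact before applying it.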

View File

@ -1,76 +0,0 @@
---
title: Restrict app execution API
description: Use this API to create calls related to restricting an application from executing.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Restrict app execution
Restrict execution of set of predefined applications.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/restrictCodeExecution
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution
Content-type: application/json
{
"Comment": "Restrict code execution due to alert 1234"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "RestrictExecution",
"status": "InProgress",
"error": "Unknown"
}
```
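Review bot: The `keywords` line of this removed file still reads "collect investigation package", carried over from another API page, and the one-line summary "Restrict execution of set of predefined applications" does not match what the response-actions doc says the action does (a code integrity policy that allows only Microsoft-signed files to run); if the page is restored, align those two descriptions. `ms.date` has the same `09/01.2017` separator mix as the other API pages. As with the other removed API pages, confirm nothing still links here.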

View File

@ -1,85 +0,0 @@
---
title: Run antivirus scan API
description: Use this API to create calls related to running an antivirus scan on a machine.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Run antivirus scan
Initiate Windows Defender Antivirus scan on the machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/runAntiVirusScan
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
ScanType| ScanType | Defines the type of the Scan. **Required**.
**ScanType** controls the type of isolation to perform and can be one of the following:
- **Quick** Perform quick scan on the machine
- **Full** Perform full scan on the machine
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan
Content-type: application/json
{
"Comment": "Check machine for viruses due to alert 3212",
“ScanType”: “Full”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "RunAntiVirusScan",
"status": "InProgress",
"error": "Unknown"
}
```
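Review bot: In this removed file, "**ScanType** controls the type of isolation to perform" is a copy-paste from the isolate API and should say "type of scan"; the keywords line ("remove machine from isolation") has the same origin. The example request wraps `ScanType` and `Full` in curly quotes, which is not valid JSON, while the `Comment` line on the previous row uses straight quotes. Fix these if the page is brought back.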

View File

@ -1,7 +1,7 @@
---
title: View the Security Analytics dashboard
description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles. Use the recommended improvement actions based on the list of machines that need remediation.
keywords: security analytics, dashboard, antivirus recommendations, security control state, security score, score improvement
title: View the Security Analytics dashboard in Windows Defender ATP
description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles.
keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
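Review bot: Typo in the new keywords line: "security coverate" should be "security coverage". The title change adding "in Windows Defender ATP" is consistent with the other pages in this set.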

View File

@ -1,85 +0,0 @@
---
title: Stop and quarantine file API
description: Use this API to create calls related to stopping and quarantining a file.
keywords: apis, graph api, supported apis, stop, quarantine, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Stop and quarantine file
Stop execution of a file on a machine and ensure its not executed again on that machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/stopAndQuarantineFile
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
## Response
If successful, this method returns 201, Created response code and _FileMachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 32123",
“Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673”
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "5841901d-6d04-4278-b0b3-8dd6a2acc8a5",
"sha1": “1163788484e3258ab9fcf692f7db7938f72ddfc2”,
"type": "StopAndQuarantineFile",
"status": "Succeeded",
"machineId": "970a58d5f61786bb7799dfdb5395ec364ffceace",
"fileInstances": [
{
"filePath": "C:\\Users\\alex\\AppData\\Local\\AppFetch\\Temp\\3324bcb\\AppDownloader\\AnApp.appfetch.zip",
"status": "Succeeded"
}
]
}
```
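Review bot: In this removed file, the example request posts to `.../machines/{id}/unrestrictCodeExecution` while the "HTTP request" section documents `/stopAndQuarantineFile`; the example should use the latter. The response example reports `"sha1": “1163788484e3258ab9fcf692f7db7938f72ddfc2”` for a request that sent `7327b54fd718525cbca07dacde913b5ac3c85673`, and both the request `Sha1` line and that response line use curly quotes, so neither is valid JSON as shown. The summary line "ensure its not executed again" needs "it's". Worth fixing if the page returns; otherwise confirm no remaining links.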

View File

@ -1,125 +0,0 @@
---
title: Supported Windows Defender Advanced Threat Protection APIs
description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Supported Windows Defender ATP APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
| Entity | Action | Description | Functions | Route |
|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------|
| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} |
| | GetAlerts | Retrieves all alerts related to a given actor. | $expand, $top, $select, $count | /actor/{id}/alerts |
| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts |
| | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} |
| | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines |
| | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files |
| | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor |
| | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains |
| | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips |
| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines |
| | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts |
| | GetLogOnUsers | Retrieves a collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers |
| | Find | Find a machine entity around a specific timestamp by FQDN or internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) |
| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines |
| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given domain address | $top, $select, $count, $expand | /domains/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines |
| | Stats | Retrieves the prevalence for the given domain | | /domains/{id}/stats |
| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines |
| | Stats | Retrieves the prevalence for the given IP | | /ips/{id}/stats |
| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} |
| | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts |
| | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines |
| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines |
### Example queries
After creating the application, you can run the following queries.
Fetching the top 20 alerts with machine information:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
Response:
```
{
"@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts",
"@odata.count": 20,
"@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20",
"value": [
{
"id": "636341278149188342_1960231459",
"severity": "Medium",
"status": "New",
"description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.",
"recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.",
"alertCreationTime": "2017-06-27T02:36:53.7841015Z",
"category": "Installation",
"title": "Process hollowing detected",
"threatFamilyName": null,
"detectionSource": null,
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2017-06-29T10:11:54.2872094Z",
"firstEventTime": "2017-06-27T02:30:23.9320988Z",
"machine": {
"id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b",
"computerDnsName": null,
"firstSeen": "0001-01-01T00:00:00Z",
"isOnline": false,
"osPlatform": null,
"osVersion": null,
"systemProductName": null,
"lastIpAddress": null,
"lastExternalIpAddress": null,
"agentVersion": null,
"osBuild": null,
"healthStatus": "Active",
"isAadJoined": null
}
},
}….
```
## Related topics
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
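Review bot: Several defects in this removed page worth noting if it is reinstated. In the table, the File `Stats` route is `/files/{id}/machines` (a duplicate of the GetMachines row) where the Domain and IP rows use `/stats`, and the File GetMachines route `/files{id}/machines` is missing a slash. In the C# sample, `apiVersion` is used but never defined, the comment "the query itself in yellow" refers to highlighting that does not exist in markdown, and the whole sample blocks on `.Result` rather than awaiting the async calls. The response example points at `graph.microsoft-ppe.com/testwdatp`, whereas the sample's `resourceId` is `https://graph.microsoft.com`; a reader copying the sample would not get that host. The "Related topics" link to `exposed-apis-windows-defender-advanced-threat-protection.md` goes the other way too, so make sure that page drops its link to this one.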

View File

@ -1,67 +0,0 @@
---
title: Unblock file API
description: Use this API to create calls related to allowing a file to be executed in the organization
keywords: apis, graph api, supported apis, unblock file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Unblock file
Allow a file to be executed in the organization, using Windows Defender.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/files/{sha1}/unblock
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock
Content-type: application/json
{
"Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm",
}
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
```
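Review bot: the Response section says a "block message was sent" although this endpoint unblocks a file; if the page is moved rather than deleted, fix that sentence, the front-matter `ms.date: 09/01.2017` (dot where the other dates use slashes, so the metadata will not parse as a date), and the trailing comma after the `"Comment"` value in the request example, which is not valid JSON. One further point for the replacement page: unlike the machine-action endpoints, a successful call returns 200 with an empty body and no action object, so a caller has no id to poll; the doc should state how an operator confirms the unblock actually reached the Windows Defender clients.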

View File

@ -1,77 +0,0 @@
---
title: Unisolate machine API
description: Use this API to create calls related to removing a machine from isolation.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Unisolate machine
Undo isolation of a machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/unisolate
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate
Content-type: application/json
{
"Comment": "Unisolate machine since it was clean and validated"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "Unisolate",
"status": "InProgress",
"error": "Unknown"
}
```
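Review bot: `ms.date: 09/01.2017` carries the same dot-for-slash typo as the unblock page; correct it if this content is relocated. The `id` in the sample response (`ac19aae7-4146-4a13-a786-eb43d8557f7c`) is the same value used in the unrestrictCodeExecution sample in this commit, so both were cloned from one capture; a reader comparing the pages could take it for a fixed value rather than a per-action id, so a replacement page should use a distinct sample. Confirm the TOC and the exposed-apis index drop this entry.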

View File

@ -1,78 +0,0 @@
---
title: Unrestrict code execution API
description: Use this API to create calls related to removing a restriction from applications from executing.
keywords: apis, graph api, supported apis, remove machine from isolation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/01.2017
---
# Unrestrict code execution
Unrestrict execution of set of predefined applications.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/unrestrictCodeExecution
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
Content-type: application/json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
"type": "UnrestrictExecution",
"status": "InProgress",
"error": "Unknown"
}
```
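Review bot: the `keywords` line ("remove machine from isolation") was copied from the unisolate page and does not describe this endpoint, and the `description` ("removing a restriction from applications from executing") needs rewording, for example "lifting a code-execution restriction on a machine". Minor consistency points if the page survives elsewhere: the Authorization row reads plain "Required." where the sibling pages bold it, and `ms.date: 09/01.2017` has the same dot-for-slash typo. As with the other deletions, check that the TOC and exposed-apis index no longer reference this page.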