diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index a1c9446bfb..94c8bb1161 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -37,14 +37,16 @@ ###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) ###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) ###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) #### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md) #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md) +###### [Manage machine group and tags](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) +###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution) ###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) ###### [Undo machine 
isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) -###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) ###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) ##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md) ###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) diff --git a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index eab5acb930..0000000000 --- a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -title: Block file API -description: Use this API to create calls related to blocking files from being executed in the organization. -keywords: apis, graph api, supported apis, block file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Block file -Prevent a file from being executed in the organization using Windows Defender Antivirus. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/files/{sha1}/block -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block -Content-type: application/json -{ - "Comment": "Block file due to alert 32123" -} - -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -``` diff --git a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md deleted file mode 100644 index a085e86eef..0000000000 
--- a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -title: Collect investigation package API -description: Use this API to create calls related to the collecting an investigation package from a machine. -keywords: apis, graph api, supported apis, collect investigation package -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Collect investigation package -Collect investigation package from a machine. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/collectInvestigationPackage -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | Text | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json -{ - "Comment": "Collect forensics due to alert 1234" -} -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "CollectInvestigationPackage", - "status": "InProgress", - "error": "Unknown" -} - -``` 
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 03a3d219a1..77b6604d77 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Configure non-Windows endpoints in Windows Defender ATP -description: Configure non-Winodws endpoints to see sensor data and get alerts from them -keywords: configure endpoints non-Windows endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints +description: Configure non-Winodws endpoints so that they can send sensor data to the Windows Defender ATP service. +keywords: configure endpoints non-Windows endpoints, macos, linux, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index df4f747169..b9d187b3f8 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- -title: Configure non-persistent virtual desktop infrastructure (VDI) machines in Windows Defender ATP -description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to the service. -keywords: configure virtual desktop infrastructure (VDI) machine, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, vdi +title: Configure non-persistent virtual desktop infrastructure (VDI) machines +description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service. +keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 1d1794d923..bfab972da9 100644 --- a/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md 
@@ -1,7 +1,7 @@ --- title: Configure Windows Defender ATP server endpoints description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor. -keywords: server, configure server endpoints, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints +keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 259f35f8eb..0000000000 --- a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -title: Use the Windows Defender Advanced Threat Protection exposed APIs -description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. -keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Use the Windows Defender ATP exposed APIs - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). - -In general, you’ll need to take the following steps to use the APIs: -- Create an app -- Get an access token -- Run queries on the graph API - -### Before you begin -Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries. - -## Create an app - -1. Log on to [Azure](https://portal.azure.com). - -2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. - - ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) - -3. In the Create window, enter the following information then click **Create**. 
- - ![Image of Create application window](images/atp-azure-create.png) - - - **Name:** WinATPGraph - - **Application type:** Native - - **Redirect URI:** `https://localhost` - - -4. Navigate and select the newly created application. - ![Image of new app in Azure](images/atp-azure-atp-app.png) - -5. Click **All settings** > **Required permissions** > **Add**. - - ![Image of All settings, then required permissions](images/atp-azure-required-permissions.png) - -6. Click **Select an API** > **Microsoft Graph**, then click **Select**. - - ![Image of API access and API selection](images/atp-azure-api-access.png) - - -7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**. - - ![Image of select permissions](images/atp-azure-select-permissions.png) - -You can now use the code snippets in the following sections to query the API using the created app ID. - -## Get an access token -1. Get the Client ID from the application you created. - -2. Use the **Client ID**. For example: - ``` - private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - private const string resourceId = "https://graph.microsoft.com"; - private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; - private const string redirect = "https://localhost"; - HttpClient client = new HttpClient(); - AuthenticationContext auth = new AuthenticationContext(authority); - var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; - client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); - ``` - -## Query the graph -Once the bearer token is retrieved, you can easily invoke the graph APIs. 
For example: - -``` -client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); -// sample endpoint -string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5"; -HttpResponseMessage response = client.GetAsync(ep).Result; -string resp = response.Content.ReadAsStringAsync().Result; -Console.WriteLine($"response for: {ep} \r\n {resp}"); -``` - - -## Related topics -- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 043bdf280d..0000000000 --- a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,74 +0,0 @@ ---- -title: Get FileMachineAction object API -description: Use this API to create calls related to get machineaction object -keywords: apis, graph api, supported apis, filemachineaction object -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Get FileMachineAction object -Get MachineAction object. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -GET /testwdatppreview/filemachineactions/{id} -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200, Ok response code with the *FileMachineAction* object. - - -## Example - -Request - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/filemachineactions/7327b54fd718525cbca07dacde913b5ac3c85673 -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", - "id": " 7327b54fd718525cbca07dacde913b5ac3c85673", - "sha1": "1163788484e3258ab9fcf692f7db7938f72ddfc2", - "type": "StopAndQuarantineFile", - "status": "Succeeded", - "machineId": "970a58d5f61786bb7799dfdb5395ec364ffceace", - "fileInstances": [ - { - "filePath": "C:\\Users\\alex\\AppData\\Local\\AppFetch\\Temp\\3324bcb\\AppDownloader\\AnApp.appfetch.zip", - "status": "Succeeded" - } - ] -} - -``` 
diff --git a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 0fb3e768d8..0000000000 --- a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Get MachineAction object API -description: Use this API to create calls related to get machineaction object -keywords: apis, graph api, supported apis, machineaction object -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Get MachineAction object -Get MachineAction object - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -GET /testwdatppreview/machineactions/{id} -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200, Ok response code with the *MachineAction* object. - - -## Example - -Request - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673 -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "UnrestrictExecution", - "status": "Success", - "error": "Unknown" -} - -``` 
diff --git a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 16581192da..0000000000 --- a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -title: Get package SAS URI API -description: Use this API to get a URI that allows downloading an investigation package. -keywords: apis, graph api, supported apis, get package, sas, uri -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Get package SAS URI -Get a URI that allows downloading an investigation package. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machineactions/{id}/getPackageUri -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - - -## Request body -Empty - -## Response -If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage. - - -## Example - -Request - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - -``` - -Response - -Here is an example of the response. 
- - -``` -HTTP/1.1 200 Ok -Content-type: application/json - -{ - "@odata.context": "https://graph.microsoft.com/testrespver1/$metadata#Edm.String", - "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" -} - -``` 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png new file mode 100644 index 0000000000..b0732653d6 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-user-details-view-tdp.png differ diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 646873ce46..b7b83fd65c 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Investigate machines in the Windows Defender ATP Machines list -description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list. -keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity +description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health. +keywords: machines, endpoints, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -147,52 +147,6 @@ Expand an event to view associated processes related to the event. Click on the The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. -## Manage machine group and tags -Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. - -Machine related properties are being extended to account for: - -- Group affiliation -- Dynamic context capturing - - - -### Group machines -Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. - -Machine group is defined in the following registry key entry of the machine: - -- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` -- Registry key value (string): Group - - -### Set standard tags on machines -Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. - -1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: - - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. 
- - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. - - You can also get to the alert page through the file and IP views. - -2. Open the **Actions** menu and select **Manage tags**. - - ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) - -3. Enter tags on the machine. To add more tags, click the + icon. -4. Click **Save and close**. - - ![Image of adding tags on a machine](images/atp-save-tag.png) - - Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines. - -### Manage machine tags -You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. - -![Image of adding tags on a machine](images/atp-tag-management.png) ## Related topics diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index 349606e877..4d15942dc0 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md 
@@ -24,37 +24,34 @@ ms.date: 09/01/2017 [!include[Prerelease information](prerelease.md)] +# Investigate a user account in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + ## Investigate user account entities Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. You can find user account information in the following views: -- Security operations dashboard +- Dashboard - Alert queue - Machine details page A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown. When you investigate a user account entity, you'll see: -- User account details, Azure Advanced Threat Protection alerts, and Logged on machines +- User account details and Logged on machines - Alerts related to this user - Observed in organization (machines logged on to) +![Image of the user account entity details page](images/atp-user-details-view-tdp.png) -![Image of the user account entity details page](images/atp-user-view-ata.png) - -The user account entity details, Azure Advanced Threat Protection alerts, and logged on machines sections display various attributes about the user account. - -The user entity tile provides details about the user such as when the user was first and last seen. Depending on the integration features you enable, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. 
- -If you have enabled the Azure Advanced Threat Protection feature and there are alerts related to the user, you can click on the link that will take you to the Azure Advanced Threat Protection page where more information about the alerts are provided. The Azure Advanced Threat Protection tile also provides details such as the last AD site, total group memberships, and login failure associated with the user. - -You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. - ->[!NOTE] ->Youll need to enable the integration between Windows Defender ATP and Azure Advanced Threat Protection to use this feature. - - -For more information on how to enable advanced features, see [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md). +The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to. You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine. The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. 
@@ -70,8 +67,6 @@ The machine health state is displayed in the machine icon and color as well as i 2. Enter the user account in the **Search** field. 3. Click the search icon or press **Enter**. -[IS THE BEHAVIOUR BELOW STILL TRUE? I TRIED TO SEARCH FOR USERS AND IT DOESN'T SEEM TO DISPLAY A LIST - PLEASE CHECK FOR TECHNICAL ACCURACY. THANKS!] - A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days. You can filter the results by the following time periods: diff --git a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 9d9afa06e9..0000000000 --- a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md +++ /dev/null 
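Review bot: the @@ -70 hunk deletes the editorial query "[IS THE BEHAVIOUR BELOW STILL TRUE? ...]" but leaves the sentence it questioned ("A list of users matching the query text is displayed...") unchanged; the removal should be backed by an actual verification of the user search behaviour, otherwise the open question is dropped rather than resolved.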
@@ -1,83 +0,0 @@ ---- -title: Isolate machine API -description: Use this API to create calls related isolating a machine. -keywords: apis, graph api, supported apis, isolate machine -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Isolate machine -Isolates a machine from accessing external network. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/isolate -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -IsolationType | IsolationType | Full or selective isolation - -**IsolationType** controls the type of isolation to perform and can be one of the following: -- Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network - - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate -Content-type: application/json -{ - "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” -} - -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
- -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "Isolate", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index effc64d145..b876ad565a 100644 --- a/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Create and build Power BI reports using Windows Defender ATP data description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. -keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors +keywords: preferences setup, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -122,7 +122,6 @@ You can use Power BI Desktop to analyse data from Windows Defender ATP and mash 8. Add visuals and select fields from the available data sources. ## Related topics -- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) - [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) - [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) - [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) 
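Review bot: the powerbi Related topics hunk drops the link to exposed-apis-windows-defender-advanced-threat-protection.md, yet no hunk in this patch deletes or edits that page, while the API pages it would point at (isolate-machine, request-sample, restrict-code-execution, run-av-scan, stop-quarantine-file, supported-apis) are all removed; check that exposed-apis is either removed as well or no longer links to the deleted pages, or the build will end up with broken links. In the powerbi keywords hunk, "connectors , security insights, mashup" has a stray space before the comma.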
diff --git a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 10b78cb11e..0000000000 --- a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -title: Request sample API -description: Use this API to create calls related to requesting a sample from a machine. -keywords: apis, graph api, supported apis, request sample -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Request sample -Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/requestSample -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -Sha1 | String | Sha1 of the file to upload to the secure storage. **Required**. - -## Response -If successful, this method returns 201, Created response code and *FileMachineAction* object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/requestSample -Content-type: application/json -{ - “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” -} -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
- -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "RequestSample", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index ad39326774..b64bb11ed0 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Take response actions on a machine in Windows Defender ATP -description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details. -keywords: respond, isolate, isolate machine, collect investigation package, action center +description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. +keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
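Review bot: in the respond-machine-alerts front-matter hunk the new description reads "running av scan", which is missing an article and abbreviates where the rest of the page spells things out; "running an antivirus scan" reads cleaner. The new keywords also list both "restrict" and "restrict app"; one of the two can go.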
@@ -30,108 +30,53 @@ Quickly respond to detected attacks by isolating machines or collecting an inves >[!NOTE] > These response actions are only available for machines on Windows 10, version 1703. -## Isolate machines from the network -Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +## Manage machine group and tags +Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident. -This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. +Machine related properties are being extended to account for: -On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. - ->[!NOTE] ->You’ll be able to reconnect the machine back to the network at any time. - -1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views: - - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. - -2. Open the **Actions** menu and select **Isolate machine**. - - ![Image of isolate machine](images/atp-actions-isolate-machine.png) - -3. 
Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. - - ![Image of isolation confirmation](images/atp-confirm-isolate.png) - -4. Type a comment and select **Yes, isolate machine** to take action on the machine. - - >[!NOTE] - >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. - - The Action center shows the submission information: - ![Image of machine isolation](images/atp-machine-isolation.png) - - - **Submission time** - Shows when the isolation action was submitted. - - **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication. - -When the isolation configuration is applied, a new event is reflected in the machine timeline. - -**Notification on machine user**:
-When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: - -![Image of no network connection](images/atp-notification-isolate.png) - -## Release machine from isolation -Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated. - -1. Select a machine that was previously isolated. - -2. Open the **Actions** menu and select **Release from isolation**. - - ![Image of release from isolation](images/atp-actions-release-from-isolation.png) - -3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network. - -## Restrict app execution -In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. - -The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. - ->[!NOTE] ->You’ll be able to reverse the restriction of applications from running at any time. - -1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views: - - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. - -2. 
Open the **Actions** menu and select **Restrict app execution**. - - ![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png) - -3. Type a comment and select **Yes, restict app execution** to take action on the file. - - ![Image of app restriction notification](images/atp-notification-restrict.png) - - The Action center shows the submission information: - ![Image of action center with app restriction](images/atp-action-center-app-restriction.png) +- Group affiliation +- Dynamic context capturing - - **Submission time** - Shows when the isolation action was submitted. - - **Status** - Indicates any pending actions or the results of completed actions. -When the application execution restriction configuration is applied, a new event is reflected in the machine timeline. +### Group machines +Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar attributes can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines. + +Machine group is defined in the following registry key entry of the machine: + +- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` +- Registry key value (string): Group -**Notification on machine user**:
-When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: +### Set standard tags on machines +Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag. -![Image of app restriction](images/atp-app-restriction.png) +1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: -## Remove app restriction -Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated. + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. -1. Select the machine where you restricted an application from running from. + You can also get to the alert page through the file and IP views. -2. Open the **Actions** menu and select **Remove app restrictions**. +2. Open the **Actions** menu and select **Manage tags**. - ![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png) + ![Image of taking action to manage tags on a machine](images/atp-manage-tags.png) + +3. Enter tags on the machine. To add more tags, click the + icon. +4. Click **Save and close**. + + ![Image of adding tags on a machine](images/atp-save-tag.png) + + Tags are added to the machine view and will also be reflected on the **Machines list** view. 
You can then use the **Tags** or **Groups** filter to see the relevant list of machines. + +### Manage machine tags +You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel. + +![Image of adding tags on a machine](images/atp-tag-management.png) -3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. 
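Review bot: in the new "Set standard tags on machines" procedure, the line "You can also get to the alert page through the file and IP views." looks carried over from an alert procedure and does not fit a step about selecting a machine; remove it or reword it to the machine page. In "Group machines", the registry location `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` with string value `Group` is stated without saying how that value is expected to be written or whether group affiliation can be changed from the portal at all; one sentence on that would complete the section. The alt text "Image of adding tags on a machine" is reused for two different images (atp-save-tag.png and atp-tag-management.png); the second should describe tag management.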
@@ -216,6 +161,111 @@ As part of the investigation or response process, you can remotely initiate an a The machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan. +## Restrict app execution +In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. + +The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. + +>[!NOTE] +>You’ll be able to reverse the restriction of applications from running at any time. + +1. Select the machine where you'd like to restrict an application from running from. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. + - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Restrict app execution**. + + ![Image of restrict app execution action](images/atp-actions-restrict-app-execution.png) + +3. Type a comment and select **Yes, restict app execution** to take action on the file. 
+ + ![Image of app restriction notification](images/atp-notification-restrict.png) + + The Action center shows the submission information: + ![Image of action center with app restriction](images/atp-action-center-app-restriction.png) + + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. + +When the application execution restriction configuration is applied, a new event is reflected in the machine timeline. + + +**Notification on machine user**:
+When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: + +![Image of app restriction](images/atp-app-restriction.png) + +## Remove app restriction +Depending on the severity of the attack and the state of the machine, you can choose to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated. + +1. Select the machine where you restricted an application from running from. + +2. Open the **Actions** menu and select **Remove app restrictions**. + + ![Image of remove app restrictions](images/atp-actions-remove-app-restrictions.png) + +3. Type a comment and select **Yes, remove restriction** to take action on the application. The machine application restriction will no longer apply on the machine. + + +## Isolate machines from the network +Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. + +This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. + +On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. + +>[!NOTE] +>You’ll be able to reconnect the machine back to the network at any time. + +1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views: + + - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. + - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. 
+ - **Machines list** - Select the machine name from the list of machines. + - **Search box** - Select Machine from the drop-down menu and enter the machine name. + +2. Open the **Actions** menu and select **Isolate machine**. + + ![Image of isolate machine](images/atp-actions-isolate-machine.png) + +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. + + ![Image of isolation confirmation](images/atp-confirm-isolate.png) + +4. Type a comment and select **Yes, isolate machine** to take action on the machine. + + >[!NOTE] + >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. + + The Action center shows the submission information: + ![Image of machine isolation](images/atp-machine-isolation.png) + + - **Submission time** - Shows when the isolation action was submitted. + - **Status** - Indicates any pending actions or the results of completed actions. Additional indications will be provided if you've enabled Outlook and Skype for Business communication. + +When the isolation configuration is applied, a new event is reflected in the machine timeline. + +**Notification on machine user**:
+When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: + +![Image of no network connection](images/atp-notification-isolate.png) + +## Release machine from isolation +Depending on the severity of the attack and the state of the machine you can choose to release the machine from isolation after you have verified that the compromised machine has been remediated. + +1. Select a machine that was previously isolated. + +2. Open the **Actions** menu and select **Release from isolation**. + + ![Image of release from isolation](images/atp-actions-release-from-isolation.png) + +3. Type a comment and select **Yes, release machine** to take action on the machine. The machine will be reconnected to the network. + + ## Check activity details in Action center The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details: diff --git a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 3377eeb2a0..0000000000 --- a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md +++ /dev/null 
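Review bot: the relocated "Restrict app execution" procedure keeps the typo in the button label "**Yes, restict app execution**" (should be "restrict") and keeps "**Submission time** - Shows when the isolation action was submitted" under app restriction, where the submitted action is a restriction, not an isolation; moving the block is the right moment to fix both. "Select the machine where you'd like to restrict an application from running from" and "Select the machine where you restricted an application from running from" each have a doubled "from".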
@@ -1,76 +0,0 @@ ---- -title: Restrict app execution API -description: Use this API to create calls related to restricting an application from executing. -keywords: apis, graph api, supported apis, collect investigation package -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Restrict app execution -Restrict execution of set of predefined applications. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/restrictCodeExecution -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution -Content-type: application/json -{ - "Comment": "Restrict code execution due to alert 1234" -} - -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "RestrictExecution", - "status": "InProgress", - "error": "Unknown" -} -``` 
diff --git a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 891097b03a..0000000000 --- a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Run antivirus scan API -description: Use this API to create calls related to running an antivirus scan on a machine. -keywords: apis, graph api, supported apis, remove machine from isolation -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Run antivirus scan -Initiate Windows Defender Antivirus scan on the machine. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/runAntiVirusScan -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -ScanType| ScanType | Defines the type of the Scan. **Required**. - -**ScanType** controls the type of isolation to perform and can be one of the following: - -- **Quick** – Perform quick scan on the machine -- **Full** – Perform full scan on the machine - - - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan -Content-type: application/json -{ - "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” -} -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
- -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "RunAntiVirusScan", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index 85bc4cc7e7..9046f25b16 100644 --- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: View the Security Analytics dashboard -description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles. Use the recommended improvement actions based on the list of machines that need remediation. -keywords: security analytics, dashboard, antivirus recommendations, security control state, security score, score improvement +title: View the Security Analytics dashboard in Windows Defender ATP +description: Use the Security Analytics dashboard to assess and improve the security state of your organization by analyzing various security control tiles. +keywords: security analytics, dashboard, security recommendations, security control state, security score, score improvement, organizational security score, security coverate, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
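Review bot: in the security-analytics-dashboard keywords hunk, "security coverate" should be "security coverage".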
diff --git a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 588e46220b..0000000000 --- a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -title: Stop and quarantine file API -description: Use this API to create calls related to stopping and quarantining a file. -keywords: apis, graph api, supported apis, stop, quarantine, file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Stop and quarantine file -Stop execution of a file on a machine and ensure it’s not executed again on that machine. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/stopAndQuarantineFile -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**. - -## Response -If successful, this method returns 201, Created response code and _FileMachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution -Content-type: application/json -{ - "Comment": "Stop and quarantine file on machine due to alert 32123", - “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” -} -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
- -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", - "id": "5841901d-6d04-4278-b0b3-8dd6a2acc8a5", - "sha1": “1163788484e3258ab9fcf692f7db7938f72ddfc2”, - "type": "StopAndQuarantineFile", - "status": "Succeeded", - "machineId": "970a58d5f61786bb7799dfdb5395ec364ffceace", - "fileInstances": [ - { - "filePath": "C:\\Users\\alex\\AppData\\Local\\AppFetch\\Temp\\3324bcb\\AppDownloader\\AnApp.appfetch.zip", - "status": "Succeeded" - } - ] -} - -``` diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 8522966f5b..0000000000 --- a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -title: Supported Windows Defender Advanced Threat Protection APIs -description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. -keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Supported Windows Defender ATP APIs - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - -| Entity | Action | Description | Functions | Route | -|---------|---------------|--------------------------------------------------------------------------|--------------------------------------------|-------------------------------------------| -| Actor | Get | Retrieves an actor report from the CMS. | $top, $select, $count | /actor/{id} | -| | GetAlerts | Retrieves all alerts related to a given actor. 
| $expand, $top, $select, $count | /actor/{id}/alerts | -| Alerts | Get | Retrieves top recent alerts | $top, $select, $count, $skip, $expand | /alerts | -| | Get | Retrieves an alert by its ID | $top, $select, $count, $expand | /alerts/{id} | -| | GetMachines | Retrieves all machines related to a specific alert | $top, $select, $count | /alerts/{id}/machines | -| | GetFiles | Retrieves all files related to a specific alert | $top, $select, $count | /alerts/{id}/files | -| | GetActor | Retrieves the actor related to the specific alert | $top, $select, $count | /alerts/{id}/actor | -| | GetDomains | Retrieves all domains related to a specific alert | $top, $select, $count | /alerts/{id}/domains | -| | GetIPs | Retrieves all IPs related to a specific alert | $top, $select, $count | /alerts/{id}/ips | -| Machine | Get | Retrieves a collection of recently seen machines | $top, $select, $count, $skip | /machines | -| | Get | Retrieves a machine entity by ID | $top, $select, $count | /machines/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given machine ID | $top, $select, $count, $expand | /machines/{id}/alerts | -| | GetLogOnUsers | Retrieves a collection of logged on users related to a given machine ID | $top, $select, $count | /machines/{id}/logonusers | -| | Find | Find a machine entity around a specific timestamp by FQDN or internal IP | $top, $select, $count, $expand(logonusers) | /machines/find(key={id},timestamp={time}) | -| User | Get | Retrieve a User entity by key (user name or domain\user) | $top, $select, $count | /users/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given user ID | $top, $select, $count, $expand | /users/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given user ID | $top, $select, $count | /users/{id}/machines | -| Domain | Get | Retrieves a domain entity | $top, $select, $count | /domains/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a 
given domain address | $top, $select, $count, $expand | /domains/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given domain address | $top, $select, $count | /domains/{id}/machines | -| | Stats | Retrieves the prevalence for the given domain | | /domains/{id}/stats | -| IP | Get | Retrieves an IP entity | $top, $select, $count | /ips/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given IP address | $top, $select, $count, $expand | /ips/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given IP address | $top, $select, $count | /ips/{id}/machines | -| | Stats | Retrieves the prevalence for the given IP | | /ips/{id}/stats | -| File | Get | Retrieves a file by identifier(Sha1, Sha256, MD5) | $top, $select, $count | /files/{id} | -| | GetAlerts | Retrieves a collection of alerts related to a given file hash | $top, $select, $count, $expand | /files/{id}/alerts | -| | GetMachines | Retrieves a collection of machines related to a given file hash | $top, $select, $count | /files{id}/machines | -| | Stats | Retrieves the prevalence for the given file | | /files/{id}/machines | - -### Example queries -After creating the application, you can run the following queries. 
- -Fetching the top 20 alerts with machine information: -``` -private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; -private const string resourceId = "https://graph.microsoft.com"; -private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; -private const string redirect = "https://localhost"; -HttpClient client = new HttpClient(); -AuthenticationContext auth = new AuthenticationContext(authority); -var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; -client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); -var ep = $"{resourceId}/{apiVersion}/alerts?$top=20&$expand=machine"; // the query itself in yellow -HttpResponseMessage response = client.GetAsync(ep).Result; -string resp = response.Content.ReadAsStringAsync().Result; -Console.WriteLine($"response for: {ep} \r\n {resp}"); -``` - -Response: -``` -{ - "@odata.context": "https://graph.microsoft-ppe.com/testwdatp/$metadata#Alerts", - "@odata.count": 20, - "@odata.nextLink": "https://graph.microsoft-ppe.com/testwdatp/alerts?$top=20&$expand=machine&$skip=20", - "value": [ - { - "id": "636341278149188342_1960231459", - "severity": "Medium", - "status": "New", - "description": "A process has injected code into another process using process hollowing technique, indicating suspicious code being run in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.", - "recommendedAction": "1. Investigate the machine's timeline for any other indicators around the time of this alert \n2. Validate contextual information about the relevant components such as file prevalence, other machines it was observed on etc. \n3. 
Contact the machine's user to verify whether they received an email with a suspicious attachment or link around the time of the alert.\n4. Run a full malware scan on the machine, this may reveal additional related components. \n5. Consider submitting the relevant file(s) for deep analysis for detailed behavioral information. \n6. If initial investigation confirms suspicions, contact your incident response team for forensic analysis.", - "alertCreationTime": "2017-06-27T02:36:53.7841015Z", - "category": "Installation", - "title": "Process hollowing detected", - "threatFamilyName": null, - "detectionSource": null, - "classification": null, - "determination": null, - "assignedTo": null, - "resolvedTime": null, - "lastEventTime": "2017-06-29T10:11:54.2872094Z", - "firstEventTime": "2017-06-27T02:30:23.9320988Z", - "machine": { - "id": "67e5ef2c2eab150cc8638e21dba19c1b0a41ad0b", - "computerDnsName": null, - "firstSeen": "0001-01-01T00:00:00Z", - "isOnline": false, - "osPlatform": null, - "osVersion": null, - "systemProductName": null, - "lastIpAddress": null, - "lastExternalIpAddress": null, - "agentVersion": null, - "osBuild": null, - "healthStatus": "Active", - "isAadJoined": null - } - }, -}…. - -``` - -## Related topics -- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) - diff --git a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 8e0b3e45cc..0000000000 --- a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -title: Unblock file API -description: Use this API to create calls related to allowing a file to be executed in the organization -keywords: apis, graph api, supported apis, unblock file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Unblock file -Allow a file to be executed in the organization, using Windows Defender. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/files/{sha1}/unblock -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock -Content-type: application/json -{ - "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm", -} -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -``` diff --git a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md deleted file mode 100644 index db02510fdf..0000000000 
--- a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,77 +0,0 @@ ---- -title: Unisolate machine API -description: Use this API to create calls related to removing a machine from isolation. -keywords: apis, graph api, supported apis, remove machine from isolation -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Unisolate machine -Undo isolation of a machine. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/unisolate -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate -Content-type: application/json -{ - "Comment": "Unisolate machine since it was clean and validated" -} - -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "Unisolate", - "status": "InProgress", - "error": "Unknown" -} - -``` 
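Review bot: this hunk removes the only page describing `POST /testwdatppreview/machines/{id}/unisolate`, but the patch does not say whether the route is retired or documented elsewhere; please state that in the PR description and add a redirect for the old URL so inbound links do not 404. If the page is being replaced rather than dropped, note that the removed response sample reports `"status": "InProgress"` with `"error": "Unknown"`, so the successor should explain that the action completes asynchronously and how to poll the returned _MachineAction_ id.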
diff --git a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 2890ee5631..0000000000 --- a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -title: Unrestrict code execution API -description: Use this API to create calls related to removing a restriction from applications from executing. -keywords: apis, graph api, supported apis, remove machine from isolation -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Unrestrict code execution -Unrestrict execution of set of predefined applications. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/unrestrictCodeExecution -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution -Content-type: application/json -{ - "Comment": "Unrestrict code execution since machine was cleaned and validated" -} - -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. 
- -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "UnrestrictExecution", - "status": "InProgress", - "error": "Unknown" -} - -```
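Review bot: for the stop-quarantine-file page (the first deleted file in this patch), the deletion leaves `POST /testwdatppreview/machines/{id}/stopAndQuarantineFile` undocumented; please confirm where this action is described now, or add a redirect if it is retired. Removing the page as-is is defensible, because the example was unusable: the request line targets `/unrestrictCodeExecution` instead of `/stopAndQuarantineFile`, and the `“Sha1”: “7327b54f…”` pair uses curly quotes, which is not valid JSON, so anyone who copied it would have gotten a parse or routing error rather than a quarantine.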
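Review bot: deleting supported-apis-windows-defender-advanced-threat-protection.md also drops its "Related topics" link to `exposed-apis-windows-defender-advanced-threat-protection.md`; please check that page is updated or removed in the same change, otherwise it keeps pointing at content that no longer exists. The removed route table had errors that should not be carried into any replacement: `/files{id}/machines` is missing a slash, and the File `Stats` row lists `/files/{id}/machines` where the Domain and IP rows use `/{id}/stats`. The C# sample was also taken against `graph.microsoft-ppe.com/testwdatp`, a pre-production host, which supports removing it rather than fixing it in place.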
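Review bot: the unblock-file hunk removes `POST /testwdatppreview/files/{sha1}/unblock` without a redirect or pointer to where it is documented now; please add one. If the content is moved elsewhere, fix two defects from the deleted text on the way: the Response section says a "block message was sent to Windows Defender" although the call unblocks the file, and the example body has a trailing comma after the `"Comment"` value, which makes it invalid JSON.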
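Review bot: the unrestrict-code-execution hunk deletes the documentation for `POST /testwdatppreview/machines/{id}/unrestrictCodeExecution`; as with the other removed API pages, please confirm the route's status and add a redirect for the old URL. The deleted front matter carried `keywords: ... remove machine from isolation`, copied from the unisolate page, and the Authorization row reads `Bearer {token}. Required.` without the bold used on the sibling pages, so if this page is recreated under a new name those two lines need correcting.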