diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index af35c57f47..de8090f455 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -508,6 +508,8 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) + ### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index c9987f3a99..2a992e5e4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -90,9 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -```http +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags -Content-type: application/json +``` + +```json { "Value" : "test Tag 2", "Action": "Add" diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index ee50396e37..dea6142742 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -81,9 +81,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json +``` + +```json { "Comment": "Collect forensics due to alert 1234" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index ac6a1ed6be..91a38d3f42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -96,9 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` + ```json { "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md new file mode 100644 index 0000000000..9e49265a2f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -0,0 +1,323 @@ +--- +title: Address false positives/negatives in Microsoft Defender for Endpoint +description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. +keywords: alert, exclusion, defender atp, false positive, false negative +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.technology: mde +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 01/25/2021 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola +ms.custom: FPFN +--- + +# Address false positives/negatives in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + +In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include: + +1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts) +2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions) +3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint) +4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) +6. [Getting help if you still have issues with false positives/negatives](#still-need-help) + +> [!IMPORTANT] +> This article is intended for security operators and administrators. + +## Part 1: Review and classify alerts + +If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. + +Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Determine whether an alert is accurate + +Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Depending on the alert status, take the steps described in the following table:
+ + | Alert status | What to do | + |:---|:---| + | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | + | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).

2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.

3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | + | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | + +### Classify an alert + +Your security team can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert that is a false positive. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) + +> [!TIP] +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. + +### Suppress an alert + +If you have alerts that are either false positives or that are true positives but are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). + +## Part 2: Review remediation actions + +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include: +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Disable a driver +- Remove a scheduled task + +Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone. + +> [!TIP] +> See [Review remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation). + +### Review completed actions + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab. +3. Select an item to view more details about the remediation action that was taken. + +If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo the following remediation actions: +- Isolate device +- Restrict code execution +- Quarantine a file +- Remove a registry key +- Stop a service +- Disable a driver +- Remove a scheduled task + +### Undo an action + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select an action that you want to undo. +3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.) + +### Undo multiple actions at one time + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. + +## Part 3: Review or define exclusions for Microsoft Defender for Endpoint + +An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) + +> [!NOTE] +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. + +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well. + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Indicators for Microsoft Defender for Endpoint + +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. + +To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to: + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) + +You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table: + +| Indicator type and considerations | Prerequisites | +|:----|:----| +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**

Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.

The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.

Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**

Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.

There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

Only single IP addresses are supported (no CIDR blocks or IP ranges)

Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)

Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))

Antimalware client version: 4.18.1906.x or later

Devices are running Windows 10, version 1709 or later

Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**

`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).

The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.

Microsoft signed certificates cannot be blocked.

It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)

Antimalware client version: 4.18.1901.x or later

Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019

Virus and threat protection definitions are up to date | + +> [!TIP] +> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +## Part 4: Submit a file for analysis + +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. When you sign in at the submission site, you can track your submissions. + +### Submit a file for analysis + +If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). + +### Submit a fileless detection for analysis + +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. + +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator. +2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**. + A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. +3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files. + +### What happens after a file is submitted? + +Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly. + +For submissions that were not already processed, they are prioritized for analysis as follows: + +- Prevalent files with the potential to impact large numbers of computers are given a higher priority. +- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority. +- Submissions flagged as high priority by SAID holders are given immediate attention. + +To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission). + +> [!TIP] +> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions). + +## Part 5: Review and adjust your threat protection settings + +Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular: + +- [Cloud-delivered protection](#cloud-delivered-protection) +- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications) +- [Automated investigation and remediation](#automated-investigation-and-remediation) + +### Cloud-delivered protection + +Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, this is set to **Not configured**, which corresponds to a normal level of protection for most organizations. If your cloud-delivered protection is set to **High**, **High +**, or **Zero tolerance**, you might experience a higher number of false positives. + +> [!TIP] +> To learn more about configuring your cloud-delivered protection, see [Specify the cloud-delivered protection level](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus). + +We recommend using Microsoft Endpoint Manager to edit or set your cloud-delivered protection settings. + +#### Use Microsoft Endpoint Manager to review and edit cloud-delivered protection settings (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-cloud-delivered-protection-settings-for-a-new-policy)). +3. Under **Manage**, select **Properties**. Then, next to **Configuration settings**, choose **Edit**. +4. Expand **Cloud protection**, and review your current setting in the **Cloud-delivered protection level** row. We recommend setting this to **Not configured**, which provides strong protection while reducing the chances of getting false positives. +5. Choose **Review + save**, and then **Save**. + +#### Use Microsoft Endpoint Manager to set cloud-delivered protection settings (for a new policy) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create policy**. +3. For **Platform**, select an option, and then for **Profile**, select **Antivirus** or **Microsoft Defender Antivirus** (the specific option depends on what you selected for **Platform**.) Then choose **Create**. +4. On the **Basics** tab, specify a name and description for the policy. Then choose **Next**. +5. On the **Configuration settings** tab, expand **Cloud protection**, and specify the following settings: + - Set **Turn on cloud-delivered protection** to **Yes**. + - Set **Cloud-delivered protection level** to **Not configured**. (This level provides a strong level of protection by default while reducing the chances of getting false positives.) +6. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Remediation for potentially unwanted applications + +Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA is not considered malware, some kinds of software are PUA based on their behavior and reputation. + +Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If this is happening, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus. + +We recommend using Microsoft Endpoint Manager to edit or set PUA protection settings. + +> [!TIP] +> To learn more about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to edit PUA protection (for existing configuration profiles) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-set-pua-protection-for-a-new-configuration-profile).) +3. Under **Manage**, choose **Properties**, and then, next to **Configuration settings**, choose **Edit**. +4. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +5. Set **Detect potentially unwanted applications** to **Audit**. (You can turn it off, but by using audit mode, you will be able to see detections.) +6. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to set PUA protection (for a new configuration profile) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Devices** > **Configuration profiles** > **+ Create profile**. +3. For the **Platform**, choose **Windows 10 and later**, and for **Profile**, select **Device restrictions**. +4. On the **Basics** tab, specify a name and description for your policy. Then choose **Next**. +5. On the **Configuration settings** tab, scroll down and expand **Microsoft Defender Antivirus**. +6. Set **Detect potentially unwanted applications** to **Audit**, and then choose **Next**. (You can turn off PUA protection, but by using audit mode, you will be able to see detections.) +7. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**. +9. On the **Review + create** tab, review your settings, and, and then choose **Create**. + +### Automated investigation and remediation + +[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. + +Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team. + +- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then +- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation). + + +## Still need help? + +If you have worked through all the steps in this article and still need help, your best bet is to contact technical support. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**. +3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request. + +## See also + +[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md) + +[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index c4921c50f4..127f52cd7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -73,6 +73,6 @@ If Indicator with the specified id was not found - 404 Not Found. Here is an example of the request. -``` +```http DELETE https://api.securitycenter.microsoft.com/api/indicators/995 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 5a461d731b..d9ebb6559c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -80,6 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md index c077f850b8..5bb4e7756f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -32,7 +32,7 @@ ms.topic: article ## API description Find [Machines](machine.md) by [Tag](machine-tags.md). - +
```startswith``` query is supported. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. @@ -56,7 +56,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ## HTTP request ``` -GET /api/machines/findbytag(tag='{tag}') +GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false} ``` ## Request headers @@ -65,6 +65,13 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +tag | String | The tag name. **Required**. +useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**. + ## Request body Empty @@ -77,6 +84,6 @@ If successful - 200 OK with list of the machines in the response body. Here is an example of the request. -``` -GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag') +```http +GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 9347365103..c84308bef0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -77,7 +77,7 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ``` @@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 80dfa7de59..015b98dba0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -77,7 +77,7 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index b241dd2b72..602a1fd1c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -78,7 +78,7 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips ``` @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index e4850f8d55..60d47669c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -79,7 +79,7 @@ If successful and alert and device exist - 200 OK. If alert not found or device Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine ``` @@ -88,9 +88,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index ea89e7158c..2afbe73739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -78,7 +78,7 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user ``` @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "contoso\\user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 918af17cc7..eb0067b2ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -88,7 +88,7 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts ``` @@ -152,7 +152,7 @@ Here is an example of the response. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index 9be5af6b31..6548493ea9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of security recommendati Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md index 73cc542fda..0126da149d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md @@ -72,7 +72,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index 17f9e97ef1..00ade14700 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index 41df827074..3264cc7d76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -61,18 +61,15 @@ If successful and map exists - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/CveKbMap -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", "@odata.count": 4168, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index b18413a57e..2edded89ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the device secure score data in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/configurationScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 773a35d073..760ce4ddb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -30,8 +30,12 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] +## API description Retrieves a collection of discovered vulnerabilities related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -67,7 +71,7 @@ If successful, this method returns 200 OK with the discovered vulnerability info Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities ``` @@ -75,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index dda241406d..13a3f3f28f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -62,6 +62,11 @@ Header | Value :---|:--- Authorization | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -76,8 +81,8 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. -``` -GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats +```http +GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` **Response** @@ -85,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", "host": "example.com", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index c06627a36f..0288816bb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with the exposure data in the respons Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index 736c3298e2..37b4c39da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -76,7 +76,7 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ``` @@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity", "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index dd23bde922..1ef694df96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 981b5352e4..c0de4442c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 45c0c7f97f..ab8b12267d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -62,6 +62,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -76,8 +81,8 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. -``` -GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats +```http +GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` **Response** @@ -85,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 1d74c52f25..9effa5d7a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the installed software informatio Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md index 47662456ae..cca2597b98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/investigations Here is an example of the response: -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index ec0bd5533a..d4f66c71d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -79,6 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index e720d2f338..bc04301ab1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -63,6 +63,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -78,7 +83,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. ```http -GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats +GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48 ``` **Response** @@ -86,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", "ipAddress": "10.209.67.177", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index f108cdfbf6..0eeced010e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -61,18 +61,15 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/KbInfo -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", "@odata.count": 271, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index ceac9cc0ed..0a6ff20f30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index f7ea61feb1..6f54986e33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with a list of exposure score per dev Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index f4730dce02..3e9b901fac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index 35d7343116..9520bd1379 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -77,7 +77,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action] Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42 Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity", "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 11bd89fa3b..d910d3beda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -82,7 +82,7 @@ If successful, this method returns 200, Ok response code with a collection of [m Here is an example of the request on an organization that has three MachineActions. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions ``` @@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index cbcb0e0b06..b2f9da0734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 35a821c812..bf4208cd36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index ad2331e5ab..42a179a64f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -92,9 +92,7 @@ GET https://api.securitycenter.microsoft.com/api/machines Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 9565ba0014..9d1e0ef235 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -60,9 +60,8 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates -Content-type: application/json ``` **Response** @@ -70,9 +69,7 @@ Content-type: application/json Here is an example of the response. Field *id* contains device id and equal to the field *id** in devices info. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", "@odata.count":444, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 9ac01f22cf..d3c13ddae1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -30,7 +30,11 @@ ms.technology: mde [!include[Improve request performance](../../includes/improve-request-performance.md)] -Retrieves missing KBs (security updates) by device ID +## API description +Retrieves missing KBs (security updates) by device ID. + +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. ## HTTP request @@ -58,7 +62,7 @@ If successful, this method returns 200 OK, with the specified device missing kb Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index 4c037b678e..3b53dabe02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the specified software missing k Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index ccd17fea22..2683556f81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -73,19 +73,15 @@ If successful, this method returns 200, Ok response code with object that holds Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json - +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String", "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index d752962405..5548416186 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 7d46d6e6fe..fa448849b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of devices associated wi Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index 4f144b37e3..0fcdc3e55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the software associated with the Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index 6c606f3bfc..e4a52ff2a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 1d2dfe41dd..2581a14cb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -31,8 +31,12 @@ ms.technology: mde [!include[Prerelease information](../../includes/prerelease.md)] +## API description Retrieves a collection of security recommendations related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -66,7 +70,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations ``` @@ -75,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index da3f09fb2d..43ed0055bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,6 +1,6 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by device group. +description: Retrieves a list of sofware by ID. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: m365-security @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the specified software data in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity", "id": "microsoft-_-edge", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index c707f59ef2..897e0c91a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a list of software distributions Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 95e59d134f..b070207ed0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the software inventory in the bod Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 58cb3f78a5..5a5ea5a354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -78,7 +78,7 @@ If successful, this method returns 200, Ok response code with a collection of [I Here is an example of a request that gets all Indicators -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators ``` @@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ @@ -141,7 +139,7 @@ Content-type: application/json Here is an example of a request that gets all Indicators with 'AlertAndBlock' action -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' ``` @@ -149,9 +147,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index 7a7e85e081..d4d47fa618 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -64,9 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1 -Content-type: application/json ``` **Response** @@ -74,9 +73,7 @@ Content-type: application/json Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 7705c00e4b..341e56d35d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -81,6 +81,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 7cab2321b4..b91c080c8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -82,6 +82,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index c60ff31fdb..762572746a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities ``` @@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulne Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index e8cc9c8257..441ac6bf08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md index 822e0f9985..ae63ad7d4b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -37,7 +37,7 @@ Submits or Updates batch of [Indicator](ti-indicator.md) entities. ## Limitations 1. Rate limitations for this API are 30 calls per minute. 2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. - +3. Maximum batch size for one API call is 500. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) @@ -79,9 +79,10 @@ Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indica Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators/import ``` + ```json { "Indicators": diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index dfb9ea34c6..5617ebcae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -84,9 +84,12 @@ If successful, this method returns 201 - Created response code and [Investigatio Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation -Content-type: application/json +``` + +```json { - "Comment": "Test investigation", + "Comment": "Test investigation" } +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index 6afbbec900..64b309d544 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -40,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint. Method|Return Type |Description :---|:---|:--- [List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation -[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. +[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity. [Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 00d02c3bfe..15f0c9b691 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -90,13 +90,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -```console +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate -Content-type: application/json +``` + +```json { "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” + "IsolationType": "Full" } ``` -- To unisolate a device, see [Release device from isolation](unisolate-machine.md). +- To release a device from isolation, see [Release device from isolation](unisolate-machine.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index c0cfd906a5..896f5ca654 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -62,7 +62,7 @@ version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. -healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name. rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 8eef870362..df8552d5a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -87,9 +87,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard -Content-type: application/json +``` + +```json { "Comment": "Offboard machine by automation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index c5bedda425..f019e3a9d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -89,9 +89,10 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators ``` + ```json { "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index fb99be0444..a78424ca79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -83,14 +83,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Restrict code execution due to alert 1234" } ``` -- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). - +- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 88fddcc27b..1f52029bfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -35,10 +35,10 @@ ms.technology: mde 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - - API calls: Up to 15 calls per minute - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day + - API calls: Up to 45 calls per minute. + - Execution time: 10 minutes of running time every hour and 3 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. -5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. +5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -82,9 +82,11 @@ Request Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/advancedqueries/run -Content-type: application/json +``` + +```json { "Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index dda698fd60..68a10a5e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -91,12 +91,14 @@ If successful, this method returns 201, Created response code and _MachineAction Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan -Content-type: application/json +``` + +```json { "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” + "ScanType": "Full" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 26a77dc157..6ab096b9f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile -Content-type: application/json +``` + +```json { "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 2ddc0fa5f4..9d41281585 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate -Content-type: application/json +``` + +```json { "Comment": "Unisolate machine since it was clean and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index c8b9276441..41934f0380 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -82,9 +82,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Unrestrict code execution since machine was cleaned and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 4f6423b15e..a19d0d51e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -91,10 +91,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in Here is an example of the request. -``` +```http PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442 -Content-Type: application/json +``` +```json { "status": "Resolved", "assignedTo": "secop2@contoso.com", @@ -102,4 +103,4 @@ Content-Type: application/json "determination": "Malware", "comment": "Resolve my alert and assign to secop2" } -``` +``` \ No newline at end of file