From a053a44b874e6005f1de3527aa9602cb8990fd0c Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 26 Jan 2021 10:31:42 +0200 Subject: [PATCH 01/21] 1 --- windows/security/threat-protection/TOC.md | 1 + .../api-release-notes.md | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index de8090f455..3b1c804e62 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -526,6 +526,7 @@ ##### [Microsoft Defender for Endpoint APIs Schema]() ###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md) +###### [Release Notes](microsoft-defender-atp/api-release-notes.md) ###### [Common REST API error codes](microsoft-defender-atp/common-errors.md) ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md new file mode 100644 index 0000000000..4a650a2e4d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -0,0 +1,35 @@ +--- +title: API release notes +description: Release notes for anything that is new in the API. +keywords: apis, mdatp api, updates, notes, release +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Release Notes + +## 2.2.4 + +- test 1 + +## 2.2.3 + +- test2 +- test3 + +## 2.1.58 + +- fix: test4 +- fix: test5 +- add: test6 From e94d376345b81166cd2e35693ba87e2de650bb94 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:09:28 +0200 Subject: [PATCH 02/21] 1 --- .../microsoft-defender-atp/api-release-notes.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 4a650a2e4d..5dd49affed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -23,13 +23,16 @@ ms.technology: mde - test 1 +
## 2.2.3 - test2 - test3 +
## 2.1.58 - fix: test4 - fix: test5 - add: test6 +
\ No newline at end of file From 1849be05e2751c3a377c9b089ac7083d54054b50 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:21:42 +0200 Subject: [PATCH 03/21] 2 --- .../microsoft-defender-atp/api-release-notes.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 5dd49affed..4bd5e626eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -19,15 +19,20 @@ ms.technology: mde # Release Notes -## 2.2.4 +## 25.01.2021 -- test 1 +- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute.
-## 2.2.3 +## 21.01.2021 -- test2 -- test3 +- Added new API: [Find devices by tag](machine-tags.md). +- Added new API: [Import Indicators](import-ti-indicators.md). + +
+## 01.09.2020 + +- Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md)
## 2.1.58 From 9d62730beb65f306f0d14ff0c21010b23dbf3616 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:23:39 +0200 Subject: [PATCH 04/21] 2 --- .../api-release-notes.md | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 4bd5e626eb..a61531bcf0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -19,25 +19,20 @@ ms.technology: mde # Release Notes -## 25.01.2021 +### 25.01.2021 +
+
- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. -
-## 21.01.2021 - +### 21.01.2021 +
+
- Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). -
-## 01.09.2020 +### 01.09.2020 +
+
- Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md) - -
-## 2.1.58 - -- fix: test4 -- fix: test5 -- add: test6 -
\ No newline at end of file From 7cd95e5ac9ede0a5247190187c5d1332ad30e9b0 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:26:48 +0200 Subject: [PATCH 05/21] 1 --- .../microsoft-defender-atp/api-release-notes.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index a61531bcf0..496e4151c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -18,6 +18,8 @@ ms.technology: mde --- # Release Notes +
+
### 25.01.2021
From 05207554978b7ca295186f41d6fcb0ebeb067930 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 18:54:48 +0200 Subject: [PATCH 06/21] 1 --- .../exposed-apis-odata-samples.md | 170 ++++++++++++------ .../get-alert-related-machine-info.md | 47 +++-- .../get-machine-by-id.md | 38 ++-- .../microsoft-defender-atp/get-machines.md | 38 ++-- .../microsoft-defender-atp/machine.md | 4 +- 5 files changed, 197 insertions(+), 100 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index ab3344e02c..589c3508f8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -221,25 +221,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "High", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -260,25 +274,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -299,25 +327,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -384,25 +426,39 @@ json{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "version": "1709", - "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, - "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", + "osProcessor": "x64", + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 60d47669c1..1ee033457d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -90,24 +90,37 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "version": "1709", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 0a6ff20f30..c754604e60 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -93,25 +93,37 @@ Here is an example of the response. ```json { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } - ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index 42a179a64f..a36163fc75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -97,25 +97,39 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - } + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 896f5ca654..79b6f79c97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -58,17 +58,19 @@ computerDnsName | String | [machine](machine.md) fully qualified name. firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint. lastSeen | DateTimeOffset |Time and date of the last received full device report. A device typically sends a full report every 24 hours. osPlatform | String | Operating system platform. +osProcessor | String | Operating system processor. version | String | Operating system Version. osBuild | Nullable long | Operating system build number. lastIpAddress | String | Last IP on local NIC on the [machine](machine.md). lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name. -rbacGroupId | Int | Machine group unique ID. riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined). machineTags | String collection | Set of [machine](machine.md) tags. exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. +ipAddresses | IpAddress collection | Set of ***IpAddress*** object. See [Get machines API](get-machines.md). + From 374cd8e3891b666e6e350b9626725305f9928331 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:15:21 +0200 Subject: [PATCH 07/21] 3 --- .../microsoft-defender-atp/api-release-notes.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 496e4151c6..94884f8d28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -22,19 +22,21 @@ ms.technology: mde
### 25.01.2021 -
- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. -### 21.01.2021
+
+### 21.01.2021
+ - Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). - -### 01.09.2020
+
+### 01.09.2020
+ - Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md) From 996ed22e654a18d0995a157e5b72eb05b56d973b Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:27:34 +0200 Subject: [PATCH 08/21] 1 --- .../api-release-notes.md | 16 +++++++++++- .../set-device-value.md | 26 +++++++++++++++---- 2 files changed, 36 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 94884f8d28..aef1b00336 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -34,9 +34,23 @@ ms.technology: mde - Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). +
+
+### 15.12.2020 +
+ +- Updated [Device](machine.md) entity with IP Interfaces. See [List devices](get-machines.md). + +
+
+### 04.12.2020 +
+ +- Added new API: [Set device value](set-device-value.md). +

### 01.09.2020
-- Added option to expand the Alert object with its related Evidence. See [List Alerts](get-alerts.md) +- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index 6f1fe23a4a..1164cfc4a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -73,12 +73,28 @@ Content-Type | string | application/json. **Required**. ## Request body -```json -{ - "DeviceValue": "{device value}" -} -``` +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**. ## Response If successful, this method returns 200 - Ok response code and the updated Machine in the response body. + +## Example + +**Request** + +Here is an example of a request that adds machine tag. + +``` +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue +``` + +```json +{ + "DeviceValue" : "High" +} +``` \ No newline at end of file From 77288ab9c0827ae9ccca1e1a72fa46d54b374dc3 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:39:53 +0200 Subject: [PATCH 09/21] 1 --- .../microsoft-defender-atp/api-release-notes.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index aef1b00336..5cc2a60d8b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -28,6 +28,7 @@ ms.technology: mde

+ ### 21.01.2021
@@ -36,6 +37,15 @@ ms.technology: mde

+ +### 03.01.2021 +
+ +- Update Alert evidence with + +
+
+ ### 15.12.2020
@@ -43,6 +53,7 @@ ms.technology: mde

+ ### 04.12.2020
@@ -50,6 +61,7 @@ ms.technology: mde

+ ### 01.09.2020
From 70290566344b75cb6e089be8a29df213ed0c672d Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 19:43:39 +0200 Subject: [PATCH 10/21] 1 --- .../microsoft-defender-atp/api-release-notes.md | 2 +- .../threat-protection/microsoft-defender-atp/machine.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 5cc2a60d8b..8200dc8a47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -41,7 +41,7 @@ ms.technology: mde ### 03.01.2021
-- Update Alert evidence with +- Update Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName***.

diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index 79b6f79c97..477cebbeb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -71,6 +71,6 @@ aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machi machineTags | String collection | Set of [machine](machine.md) tags. exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. -ipAddresses | IpAddress collection | Set of ***IpAddress*** object. See [Get machines API](get-machines.md). +ipAddresses | IpAddress collection | Set of ***IpAddress*** objects. See [Get machines API](get-machines.md). From 2560de795908d3c9b9bad44417d9a2a7ddf7e272 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 20:12:39 +0200 Subject: [PATCH 11/21] 1 --- .../microsoft-defender-atp/alerts.md | 159 +++++++++++++--- .../api-release-notes.md | 8 +- .../exposed-apis-odata-samples.md | 171 +++++++++++------- .../microsoft-defender-atp/get-alerts.md | 171 +++++++++++------- 4 files changed, 349 insertions(+), 160 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index f6b1666c6c..165692fb02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -69,45 +69,146 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib category| String | Category of the alert. detectionSource | String | Detection source. threatFamilyName | String | Threat family. +threatName | String | Threat name. +threatName | String | Threat name. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. computerDnsName | String | [machine](machine.md) fully qualified name. aadTenantId | String | The Azure Active Directory ID. -comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. +detectorId | String | The ID of the detector that triggered the alert. +comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time. +Evidence | List of Alert evidence | Evidence related to the alert. See example below. ### Response example for getting single alert: ``` -GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499 +GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609 ``` ```json { - "id": "da637084217856368682_-292920499", - "incidentId": 66860, - "investigationId": 4416234, - "investigationState": "Running", - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "New", - "classification": "TruePositive", - "determination": null, - "detectionSource": "WindowsDefenderAtp", - "category": "CommandAndControl", - "threatFamilyName": null, - "title": "Network connection to a risky host", - "description": "A network connection was made to a risky host which has exhibited malicious activity.", - "alertCreationTime": "2019-11-03T23:49:45.3823185Z", - "firstEventTime": "2019-11-03T23:47:16.2288822Z", - "lastEventTime": "2019-11-03T23:47:51.2966758Z", - "lastUpdateTime": "2019-11-03T23:55:52.6Z", - "resolvedTime": null, - "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", - "comments": [ - { - "comment": "test comment for docs", - "createdBy": "secop@contoso.com", - "createdTime": "2019-11-05T14:08:37.8404534Z" - } - ] + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, + "assignedTo": null, + "severity": "Low", + "status": "New", + "classification": null, + "determination": null, + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", + "resolvedTime": null, + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], + "relatedUser": { + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], + "evidence": [ + { + "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": null, + "sha256": null, + "fileName": null, + "filePath": null, + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 8200dc8a47..51e3dc8790 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -41,7 +41,8 @@ ms.technology: mde ### 03.01.2021
-- Update Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName***. +- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties. +- Updated [Alert entity](alerts.md): added ***detectorId*** property.

@@ -49,15 +50,16 @@ ms.technology: mde ### 15.12.2020
-- Updated [Device](machine.md) entity with IP Interfaces. See [List devices](get-machines.md). +- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md).

-### 04.12.2020 +### 04.11.2020
- Added new API: [Set device value](set-device-value.md). +- Updated [Device](machine.md) entity: added ***deviceValue*** property.

diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 589c3508f8..504f3e3b49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -57,75 +57,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -135,13 +111,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, @@ -188,6 +225,12 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index eb0067b2ba..47af279049 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -128,6 +128,12 @@ Here is an example of the response. "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" @@ -170,75 +176,51 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -248,13 +230,74 @@ Here is an example of the response. "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, From 599ddc7daa6d8f72b29d51178627286f09df0972 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 20:17:00 +0200 Subject: [PATCH 12/21] 1 --- .../microsoft-defender-atp/api-release-notes.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 51e3dc8790..43a133a98d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -26,7 +26,6 @@ ms.technology: mde - Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. -

### 21.01.2021 @@ -35,7 +34,6 @@ ms.technology: mde - Added new API: [Find devices by tag](machine-tags.md). - Added new API: [Import Indicators](import-ti-indicators.md). -

### 03.01.2021 @@ -44,7 +42,6 @@ ms.technology: mde - Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties. - Updated [Alert entity](alerts.md): added ***detectorId*** property. -

### 15.12.2020 @@ -52,7 +49,6 @@ ms.technology: mde - Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md). -

### 04.11.2020 @@ -61,10 +57,12 @@ ms.technology: mde - Added new API: [Set device value](set-device-value.md). - Updated [Device](machine.md) entity: added ***deviceValue*** property. -

### 01.09.2020
- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md) + +
+
\ No newline at end of file From 8d66bba38052d0c40a29a928203e9df21f6446b9 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 28 Jan 2021 20:28:30 +0200 Subject: [PATCH 13/21] 1 --- .../security/threat-protection/microsoft-defender-atp/alerts.md | 1 - .../microsoft-defender-atp/api-release-notes.md | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 165692fb02..ffa3cd11ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -70,7 +70,6 @@ category| String | Category of the alert. detectionSource | String | Detection source. threatFamilyName | String | Threat family. threatName | String | Threat name. -threatName | String | Threat name. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. computerDnsName | String | [machine](machine.md) fully qualified name. aadTenantId | String | The Azure Active Directory ID. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 43a133a98d..6689e36c5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -24,7 +24,7 @@ ms.technology: mde ### 25.01.2021
-- Updated rate limitations for [Hunting API](run-advanced-query-api.md) to 45 requests per minute. +- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute.
From 9a3e2c4ab8c33b4a068c3bf22c6ed69cd58d090f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 28 Jan 2021 13:13:23 -0800 Subject: [PATCH 14/21] fix warnings --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- .../microsoft-defender-atp/indicator-file.md | 4 ++-- .../microsoft-defender-atp/indicator-ip-domain.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 44d58c8d1e..c34737f912 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -99,7 +99,7 @@ Example: `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions` -`Value: c:\path|e:\path|c:\Whitelisted.exe` +`Value: c:\path|e:\path|c:\Exclusions.exe` > [!NOTE] > Be sure to enter OMA-URI values without spaces. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md index be86647e97..78a28933b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md @@ -2,7 +2,7 @@ title: Create indicators for files ms.reviewer: description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. -keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security @@ -39,7 +39,7 @@ There are two ways you can create indicators for files: ### Before you begin It's important to understand the following prerequisites prior to creating indicators for files: -- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md index f238e1f680..2fd5f9cce1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md @@ -2,7 +2,7 @@ title: Create indicators for IPs and URLs/domains ms.reviewer: description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. -keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security From 28e58d56b3539a1fad719b6cbf73bc373a1e8d9c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 14:56:28 -0800 Subject: [PATCH 15/21] Added label to code block --- .../security/threat-protection/microsoft-defender-atp/alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index ffa3cd11ee..da475d40a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -79,7 +79,7 @@ Evidence | List of Alert evidence | Evidence related to the alert. See example b ### Response example for getting single alert: -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609 ``` From 7520c0930bcd2110d525b5dca6055cc0d768fd3e Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 14:56:56 -0800 Subject: [PATCH 16/21] Added missing period --- .../microsoft-defender-atp/api-release-notes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md index 6689e36c5c..36327643c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -62,7 +62,7 @@ ms.technology: mde ### 01.09.2020
-- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md) +- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md).

\ No newline at end of file From 100c6d9bc9c72ed8b832ea791b1194b550c8d8d7 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:01:43 -0800 Subject: [PATCH 17/21] Added end punctuation --- .../exposed-apis-odata-samples.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 504f3e3b49..0d88d39023 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -44,7 +44,7 @@ Not all properties are filterable. ### Example 1 -Get 10 latest Alerts with related Evidence +Get 10 latest Alerts with related Evidence: ```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence @@ -189,7 +189,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev ### Example 2 -Get all the alerts last updated after 2019-11-22 00:00:00 +Get all the alerts last updated after 2019-11-22 00:00:00: ```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z @@ -251,7 +251,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate ### Example 3 -Get all the devices with 'High' 'RiskScore' +Get all the devices with 'High' 'RiskScore': ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High' @@ -304,7 +304,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor ### Example 4 -Get top 100 devices with 'HealthStatus' not equals to 'Active' +Get top 100 devices with 'HealthStatus' not equals to 'Active': ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 @@ -357,7 +357,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt ### Example 5 -Get all the devices that last seen after 2018-10-20 +Get all the devices that last seen after 2018-10-20: ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z @@ -410,7 +410,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen ### Example 6 -Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint +Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint: ```http HTTP GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' From 6de7189a3606f704093641de13b30799e47bcd95 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:06:31 -0800 Subject: [PATCH 18/21] Labeled code block --- .../microsoft-defender-atp/get-alert-related-machine-info.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 1ee033457d..4a56186c19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -56,7 +56,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request -``` + +```http GET /api/alerts/{id}/machine ``` From 2524740ebb80195497b5c065a48d2d11786a8af7 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:09:38 -0800 Subject: [PATCH 19/21] Added missing end punctuation. --- .../microsoft-defender-atp/get-machine-by-id.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index c754604e60..76dc993182 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -41,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md). Permission type | Permission | Permission display name :---|:---|:--- From c4dcb999082992535349ecde10c7e51214654f45 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:14:11 -0800 Subject: [PATCH 20/21] Replaced br tags with CR/LF, added end punctuation The block of text looked strange in preview due to the short and wrapped lines. --- .../microsoft-defender-atp/get-machines.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index a36163fc75..44e815ff37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -33,9 +33,12 @@ ms.technology: mde ## API description Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud. -
Supports [OData V4 queries](https://www.odata.org/documentation/). -
The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. -
See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md) + +Supports [OData V4 queries](https://www.odata.org/documentation/). + +The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. + +See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md). ## Limitations @@ -55,8 +58,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information). +>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md). ## HTTP request From ba506d79807f1d7ebfff3553a238d112aeea3039 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 28 Jan 2021 15:15:57 -0800 Subject: [PATCH 21/21] Labeled code block --- .../microsoft-defender-atp/set-device-value.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index 1164cfc4a4..66e0dfcd99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -89,7 +89,7 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue ```