deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

update alertdefn and image number label

Browse Source
This commit is contained in:
Joey Caparas
2017-02-13 12:33:16 -08:00
parent 7804f7a7f4
commit a1e0d50890
2 changed files with 10 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
View File

@ -77,7 +77,7 @@ An ID is created for that alert definition. Then, create an Indicator Of Comprom
### Create a new alert definition ### Create a new alert definition
```json ```json
POST https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinition HTTP/1.1 POST https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1
Authorization: Bearer <access_token> Authorization: Bearer <access_token>
Content-Type: application/json; Content-Type: application/json;
@ -86,7 +86,7 @@ Content-Type: application/json;
"Name": " The name of the IOA. Does not appear in the portal. Max length: 100 ", "Name": " The name of the IOA. Does not appear in the portal. Max length: 100 ",
"Severity": "Low", "Severity": "Low",
"InternalDescription": "Internal description for the IOA. Does not appear in the portal. Max length: 350", "InternalDescription": "Internal description for the IOA. Does not appear in the portal. Max length: 350",
"ShortUxDescription": "A short, one sentence, description of the IoA. Max length: 120", "Title": "A short, one sentence, description of the IoA. Max length: 120",
"UxDescription": " Max length: 500", "UxDescription": " Max length: 500",
"RecommendedAction": "Custom text to explain what should be done in case of detection. Max length: 2000 ", "RecommendedAction": "Custom text to explain what should be done in case of detection. Max length: 2000 ",
"Category": "Trojan", "Category": "Trojan",
@ -99,7 +99,7 @@ The following values correspond to the alert sections surfaced on the Windows De
Highlighted section | JSON Value Highlighted section | JSON Value
:---:|:--- :---:|:---
1 | ShortUxDescription 1 | Title
2 | Severity 2 | Severity
3 | Category 3 | Category
4 | UX description 4 | UX description
@ -112,7 +112,7 @@ If successful, you should get a 201 CREATED response containing the representati
"Name": "Connection to restricted company IP address", "Name": "Connection to restricted company IP address",
"Severity": "Low", "Severity": "Low",
"InternalDescription": "Unusual connection to restricted IP from production machine", "InternalDescription": "Unusual connection to restricted IP from production machine",
"ShortUxDescription": "Connection to restricted company IP address", "Title": "Connection to restricted company IP address",
"UxDescription": "Any connection to this IP address from a production machine should be suspicious. Only special build machines should access this IP address.", "UxDescription": "Any connection to this IP address from a production machine should be suspicious. Only special build machines should access this IP address.",
"RecommendedAction": "Isolate machine immediately and contact machine owner for awareness.", "RecommendedAction": "Isolate machine immediately and contact machine owner for awareness.",
"Category": "Trojan", "Category": "Trojan",
@ -139,7 +139,7 @@ Content-Length: 194
"Value": "8311e8b377736fb93b18b15372355f3f26c4cd29", "Value": "8311e8b377736fb93b18b15372355f3f26c4cd29",
"DetectionFunction": "Equals", "DetectionFunction": "Equals",
"Enabled": true, "Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinition(1)" "AlertDefinitions@odata.bind": "AlertDefinitions(1)"
} }
``` ```
If successful, you should get a 201 CREATED response containing the representation of the newly created Indicators Of Compromise in the payload. If successful, you should get a 201 CREATED response containing the representation of the newly created Indicators Of Compromise in the payload.
@ -152,7 +152,7 @@ Bulk upload of multiple entities can be done by sending an HTTP POST request to
>- This operation is atomic. The entire can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail. >- This operation is atomic. The entire can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail.
>- If your upload exceeds the IOC quota, the entire operation will fail. Consider limiting your uploads. >- If your upload exceeds the IOC quota, the entire operation will fail. Consider limiting your uploads.
The requests body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertdefinition` and in the case of IOC is `IOCs`. This fields value should contain a list of the desired entities. The requests body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertdefinitions` and in the case of IOC is `IOCs`. This fields value should contain a list of the desired entities.
For example: For example:
Sending an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload Sending an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
@ -166,14 +166,14 @@ JSON Body:
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793", "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals", "DetectionFunction": "Equals",
"Enabled": true, "Enabled": true,
"IndicationOfAttack@odata.bind": "AlertDefinition(1)" "IndicationOfAttack@odata.bind": "AlertDefinitions(1)"
}, },
{ {
"Type": "Sha1", "Type": "Sha1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793", "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals", "DetectionFunction": "Equals",
"Enabled": true, "Enabled": true,
"IndicationOfAttack@odata.bind": "AlertDefinition(1)" "IndicationOfAttack@odata.bind": "AlertDefinitions(1)"
} }
] ]
} }
@ -236,7 +236,7 @@ odata.metadata = none
"Name": "Demo alert definition", "Name": "Demo alert definition",
"Severity": "Medium", "Severity": "Medium",
"InternalDescription": "Some description", "InternalDescription": "Some description",
"ShortUxDescription": "Demo short Ux Desc", "Title": "Demo short Ux Desc",
"UxDescription": "Demo ux desc", "UxDescription": "Demo ux desc",
"RecommendedAction": "Actions", "RecommendedAction": "Actions",
"Category": "Malware", "Category": "Malware",
@ -251,7 +251,7 @@ odata.metadata = none
"Name": "Demo alert definition 2", "Name": "Demo alert definition 2",
"Severity": "Low", "Severity": "Low",
"InternalDescription": "Some description", "InternalDescription": "Some description",
"ShortUxDescription": "Demo short UX Desc2", "Title": "Demo short UX Desc2",
"UxDescription": "Demo UX Desc2", "UxDescription": "Demo UX Desc2",
"RecommendedAction": null, "RecommendedAction": null,
"Category": "Malware", "Category": "Malware",

BIN
windows/keep-secure/images/atp-custom-ti-mapping.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 133 KiB

After

Width:  |  Height:  |  Size: 166 KiB