Merge pull request #4008 from MicrosoftDocs/update-api

Update APIs
2025-05-13 22:07:22 +00:00 · 2020-10-14 17:06:29 -07:00 · 2020-10-14 17:06:29 -07:00 · a2a0b189af
commit a2a0b189af
parent 48ed662b21 5a1b98311c
2 changed files with 59 additions and 36 deletions
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@ -72,6 +72,8 @@ Field numbers match the numbers in the images below.
 > |                  | LogOnUsers                | sourceUserId        | contoso\liz-bean;   contoso\jay-hardee                                             | The domain and user of the   interactive logon user/s at the time of the event. Note: For devices on   Windows 10 version 1607, the domain information will not be available. |
 > |                  | InternalIPv4List          | No mapping          | 192.168.1.7, 10.1.14.1                                                             | List of IPV4 internal IPs for active network interfaces.                                                                                                                                                                               |
 > |                  | InternalIPv6List          | No mapping          | fd30:0000:0000:0001:ff4e:003e:0009:000e,   FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces.                                                                                                                                                                               |
+| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
+| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
 > | Internal   field | LastProcessedTimeUtc      | No mapping          | 2017-05-07T01:56:58.9936648Z                                                       | Time when event arrived at the   backend. This field can be used when setting the request parameter for the range of time that detections are retrieved.                         |
 > |                  | Not part of the schema    | deviceVendor        |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft'.                                                                                                                          |
 > |                  | Not part of the schema    | deviceProduct       |                                                                                    | Static value in the ArcSight   mapping - 'Microsoft Defender ATP'.                                                                                                               |
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@ -71,7 +71,7 @@ You'll use the access token to access the protected resource, which are detectio

 To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:

-```syntax
+```http

 POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
 Host: login.microsoftonline.com
@ -124,14 +124,14 @@ CloudCreatedMachineTags | string | Device tags that were created in Microsoft De
 ### Request example
 The following example demonstrates how to retrieve all the detections in your organization.

-```syntax
+```http
 GET  https://wdatp-alertexporter-eu.windows.com/api/alerts
 Authorization: Bearer <your access token>
 ```

 The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.

-```syntax
+```http
 GET  https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
 Authorization: Bearer <your access token>
 ```
@ -142,39 +142,60 @@ The return value is an array of alert objects in JSON format.
 Here is an example return value:

 ```json 
-{"AlertTime":"2017-01-23T07:32:54.1861171Z",
-"ComputerDnsName":"desktop-bvccckk",
-"AlertTitle":"Suspicious PowerShell commandline",
-"Category":"SuspiciousActivity",
-"Severity":"Medium",
-"AlertId":"636207535742330111_-1114309685",
-"Actor":null,
-"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
-"IocName":null,
-"IocValue":null,
-"CreatorIocName":null,
-"CreatorIocValue":null,
-"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
-"FileName":"powershell.exe",
-"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
-"IpAddress":null,
-"Url":null,
-"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
-"UserName":null,
-"AlertPart":0,
-"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
-"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
-"ThreatCategory":null,
-"ThreatFamily":null,
-"ThreatName":null,
-"RemediationAction":null,
-"RemediationIsSuccess":null,
-"Source":"Microsoft Defender ATP",
-"Md5":null,
-"Sha256":null,
-"WasExecutingWhileDetected":null,
-"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
-"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
+[
+{        
+        "AlertTime": "2020-09-30T14:09:20.35743Z",
+        "ComputerDnsName": "mymachine1.domain.com",
+        "AlertTitle": "Suspicious File Activity",
+        "Category": "Malware",
+        "Severity": "High",
+        "AlertId": "da637370718981685665_16349121",
+        "Actor": "",
+        "LinkToWDATP": "https://securitycenter.windows.com/alert/da637370718981685665_16349121",
+        "IocName": "",
+        "IocValue": "",
+        "CreatorIocName": "",
+        "CreatorIocValue": "",
+        "Sha1": "aabbccddee1122334455aabbccddee1122334455",
+        "FileName": "cmdParent.exe",
+        "FilePath": "C:\\WINDOWS\\SysWOW64\\boo3\\qwerty",
+        "IpAddress": "",
+        "Url": "",
+        "IoaDefinitionId": "b20af1d2-5990-4672-87f1-acc2a8ff7725",
+        "UserName": "",
+        "AlertPart": 0,
+        "FullId": "da637370718981685665_16349121:R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=",
+        "LastProcessedTimeUtc": "2020-09-30T14:11:44.0779765Z",
+        "ThreatCategory": "",
+        "ThreatFamily": "",
+        "ThreatName": "",
+        "RemediationAction": "",
+        "RemediationIsSuccess": null,
+        "Source": "EDR",
+        "Md5": "854b85cbff2752fcb88606bca76f83c6",
+        "Sha256": "",
+        "WasExecutingWhileDetected": null,
+        "UserDomain": "",
+        "LogOnUsers": "",
+        "MachineDomain": "domain.com",
+        "MachineName": "mymachine1",
+        "InternalIPv4List": "",
+        "InternalIPv6List": "",
+        "FileHash": "aabbccddee1122334455aabbccddee1122334455",
+        "DeviceID": "deadbeef000040830ee54503926f556dcaf82bb0",
+        "MachineGroup": "",
+        "Description": "Test Alert",
+        "DeviceCreatedMachineTags": "",
+        "CloudCreatedMachineTags": "",
+        "CommandLine": "",
+        "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
+        "ReportID": 1053729833,
+        "LinkToMTP": "https://security.microsoft.com/alert/da637370718981685665_16349121",
+        "IncidentLinkToMTP": "https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
+        "ExternalId": "31DD0A845DDA4059FDEDE031014645350AECABD3",
+        "IocUniqueId": "R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY="
+}
+]
 ```

 ## Code examples