From 49b181d3e058467b9abc8302cab991da4f3510e8 Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Wed, 30 Sep 2020 12:39:36 -0700
Subject: [PATCH 1/2] add new example, add to table
---
 .../api-portal-mapping.md | 2 +
 .../pull-alerts-using-rest-api.md | 87 ++++++++++++-------
 2 files changed, 56 insertions(+), 33 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
index 19a2f46e0c..b8454c4935 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
@@ -72,6 +72,8 @@ Field numbers match the numbers in the images below.
 > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
 > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
 > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
+| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
+| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
 > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
 > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
 > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index 38400901cd..0eedcf9bad 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -142,39 +142,60 @@ The return value is an array of alert objects in JSON format. Here is an example return value:
 ```json
-{"AlertTime":"2017-01-23T07:32:54.1861171Z",
-"ComputerDnsName":"desktop-bvccckk",
-"AlertTitle":"Suspicious PowerShell commandline",
-"Category":"SuspiciousActivity",
-"Severity":"Medium",
-"AlertId":"636207535742330111_-1114309685",
-"Actor":null,
-"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
-"IocName":null,
-"IocValue":null,
-"CreatorIocName":null,
-"CreatorIocValue":null,
-"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
-"FileName":"powershell.exe",
-"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
-"IpAddress":null,
-"Url":null,
-"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
-"UserName":null,
-"AlertPart":0,
-"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
-"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
-"ThreatCategory":null,
-"ThreatFamily":null,
-"ThreatName":null,
-"RemediationAction":null,
-"RemediationIsSuccess":null,
-"Source":"Microsoft Defender ATP",
-"Md5":null,
-"Sha256":null,
-"WasExecutingWhileDetected":null,
-"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
-"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
+[
+{
+ "AlertTime": "2020-09-30T14:09:20.35743Z",
+ "ComputerDnsName": "mymachine1.domain.com",
+ "AlertTitle": "Suspicious File Activity",
+ "Category": "Malware",
+ "Severity": "High",
+ "AlertId": "da637370718981685665_16349121",
+ "Actor": "",
+ "LinkToWDATP": "https://securitycenter.windows.com/alert/da637370718981685665_16349121",
+ "IocName": "",
+ "IocValue": "",
+ "CreatorIocName": "",
+ "CreatorIocValue": "",
+ "Sha1": "aabbccddee1122334455aabbccddee1122334455",
+ "FileName": "cmdParent.exe",
+ "FilePath": "C:\\WINDOWS\\SysWOW64\\boo3\\qwerty",
+ "IpAddress": "",
+ "Url": "",
+ "IoaDefinitionId": "b20af1d2-5990-4672-87f1-acc2a8ff7725",
+ "UserName": "",
+ "AlertPart": 0,
+ "FullId": "da637370718981685665_16349121:R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=",
+ "LastProcessedTimeUtc": "2020-09-30T14:11:44.0779765Z",
+ "ThreatCategory": "",
+ "ThreatFamily": "",
+ "ThreatName": "",
+ "RemediationAction": "",
+ "RemediationIsSuccess": null,
+ "Source": "EDR",
+ "Md5": "854b85cbff2752fcb88606bca76f83c6",
+ "Sha256": "",
+ "WasExecutingWhileDetected": null,
+ "UserDomain": "",
+ "LogOnUsers": "",
+ "MachineDomain": "domain.com",
+ "MachineName": "mymachine1",
+ "InternalIPv4List": "",
+ "InternalIPv6List": "",
+ "FileHash": "aabbccddee1122334455aabbccddee1122334455",
+ "DeviceID": "deadbeef000040830ee54503926f556dcaf82bb0",
+ "MachineGroup": "",
+ "Description": "Test Alert",
+ "DeviceCreatedMachineTags": "",
+ "CloudCreatedMachineTags": "",
+ "CommandLine": "",
+ "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
+ "ReportID": 1053729833,
+ "LinkToMTP": "https://security.microsoft.com/alert/da637370718981685665_16349121",
+ "IncidentLinkToMTP": "https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
+ "ExternalId": "31DD0A845DDA4059FDEDE031014645350AECABD3",
+ "IocUniqueId": "R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY="
+}
+]
 ```
 ## Code examples
From 5a1b98311cf63c8fa031ab08b8356b2565db3a7c Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Wed, 14 Oct 2020 16:30:58 -0700
Subject: [PATCH 2/2] Applied valid types to code blocks Valid content types are listed here: https://docsmetadatatool.azurewebsites.net/allowlists/devlang#
---
 .../microsoft-defender-atp/pull-alerts-using-rest-api.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
index 0eedcf9bad..078b9f44ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
@@ -71,7 +71,7 @@ You'll use the access token to access the protected resource, which are detectio
 To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
-```syntax
+```http
 POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
 Host: login.microsoftonline.com
@@ -124,14 +124,14 @@ CloudCreatedMachineTags | string | Device tags that were created in Microsoft De
 ### Request example
 The following example demonstrates how to retrieve all the detections in your organization.
-```syntax
+```http
 GET https://wdatp-alertexporter-eu.windows.com/api/alerts
 Authorization: Bearer
 ```
 The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.
-```syntax
+```http
 GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
 Authorization: Bearer
 ```