deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #4008 from MicrosoftDocs/update-api

Browse Source 
Update APIs
This commit is contained in:
Gary Moore 2020-10-14 17:06:29 -07:00 committed by GitHub
commit a2a0b189af
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 59 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
View File

@ -72,6 +72,8 @@ Field numbers match the numbers in the images below.
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection.
| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection.
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |

93
windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
View File

@ -71,7 +71,7 @@ You'll use the access token to access the protected resource, which are detectio
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
```syntax ```http
POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1 POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
Host: login.microsoftonline.com Host: login.microsoftonline.com
@ -124,14 +124,14 @@ CloudCreatedMachineTags | string | Device tags that were created in Microsoft De
### Request example ### Request example
The following example demonstrates how to retrieve all the detections in your organization. The following example demonstrates how to retrieve all the detections in your organization.
```syntax ```http
GET https://wdatp-alertexporter-eu.windows.com/api/alerts GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer <your access token> Authorization: Bearer <your access token>
``` ```
The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00. The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.
```syntax ```http
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000 GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
Authorization: Bearer <your access token> Authorization: Bearer <your access token>
``` ```
@ -142,39 +142,60 @@ The return value is an array of alert objects in JSON format.
Here is an example return value: Here is an example return value:
```json ```json
{"AlertTime":"2017-01-23T07:32:54.1861171Z", [
"ComputerDnsName":"desktop-bvccckk", {
"AlertTitle":"Suspicious PowerShell commandline", "AlertTime": "2020-09-30T14:09:20.35743Z",
"Category":"SuspiciousActivity", "ComputerDnsName": "mymachine1.domain.com",
"Severity":"Medium", "AlertTitle": "Suspicious File Activity",
"AlertId":"636207535742330111_-1114309685", "Category": "Malware",
"Actor":null, "Severity": "High",
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685", "AlertId": "da637370718981685665_16349121",
"IocName":null, "Actor": "",
"IocValue":null, "LinkToWDATP": "https://securitycenter.windows.com/alert/da637370718981685665_16349121",
"CreatorIocName":null, "IocName": "",
"CreatorIocValue":null, "IocValue": "",
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9", "CreatorIocName": "",
"FileName":"powershell.exe", "CreatorIocValue": "",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", "Sha1": "aabbccddee1122334455aabbccddee1122334455",
"IpAddress":null, "FileName": "cmdParent.exe",
"Url":null, "FilePath": "C:\\WINDOWS\\SysWOW64\\boo3\\qwerty",
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68", "IpAddress": "",
"UserName":null, "Url": "",
"AlertPart":0, "IoaDefinitionId": "b20af1d2-5990-4672-87f1-acc2a8ff7725",
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF", "UserName": "",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z", "AlertPart": 0,
"ThreatCategory":null, "FullId": "da637370718981685665_16349121:R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=",
"ThreatFamily":null, "LastProcessedTimeUtc": "2020-09-30T14:11:44.0779765Z",
"ThreatName":null, "ThreatCategory": "",
"RemediationAction":null, "ThreatFamily": "",
"RemediationIsSuccess":null, "ThreatName": "",
"Source":"Microsoft Defender ATP", "RemediationAction": "",
"Md5":null, "RemediationIsSuccess": null,
"Sha256":null, "Source": "EDR",
"WasExecutingWhileDetected":null, "Md5": "854b85cbff2752fcb88606bca76f83c6",
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9", "Sha256": "",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"} "WasExecutingWhileDetected": null,
"UserDomain": "",
"LogOnUsers": "",
"MachineDomain": "domain.com",
"MachineName": "mymachine1",
"InternalIPv4List": "",
"InternalIPv6List": "",
"FileHash": "aabbccddee1122334455aabbccddee1122334455",
"DeviceID": "deadbeef000040830ee54503926f556dcaf82bb0",
"MachineGroup": "",
"Description": "Test Alert",
"DeviceCreatedMachineTags": "",
"CloudCreatedMachineTags": "",
"CommandLine": "",
"IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
"ReportID": 1053729833,
"LinkToMTP": "https://security.microsoft.com/alert/da637370718981685665_16349121",
"IncidentLinkToMTP": "https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM",
"ExternalId": "31DD0A845DDA4059FDEDE031014645350AECABD3",
"IocUniqueId": "R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY="
}
]
``` ```
## Code examples ## Code examples