Merge pull request #1993 from MicrosoftDocs/atp-api-update-feb20

Add troubleshooting paper
2025-05-15 14:57:23 +00:00 · 2020-02-06 11:55:04 -08:00 · 2020-02-06 11:55:04 -08:00 · a5be7089ad
commit a5be7089ad
parent a53a1ab04c 83fd869dfb
19 changed files with 162 additions and 123 deletions
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -384,6 +384,7 @@
 ##### [Microsoft Defender ATP APIs Schema]()
 ###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
 ###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
 ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
 ###### [Alert]()
@ -461,7 +462,7 @@
 ####### [Score methods and properties](microsoft-defender-atp/score.md)
 ####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
 ####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
-####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
+####### [Get machine secure score](microsoft-defender-atp/get-device-secure-score.md)
 ###### [Software]()
 ####### [Software methods and properties](microsoft-defender-atp/software.md)
@ -473,7 +474,7 @@
 ###### [Vulnerability]()
 ####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
-####### [Get all vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
+####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
 ####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
 ####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
@ -482,8 +483,8 @@
 ####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
 ####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
 ####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
-####### [Get recommendation by machines](microsoft-defender-atp/get-recommendation-machines.md)
+####### [List machines by recommendation](microsoft-defender-atp/get-recommendation-machines.md)
-####### [Get recommendation by vulnerabilities](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
+####### [List vulnerabilities by recommendation](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
 ##### [How to use APIs - Samples]()
 ###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
--- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
@ -0,0 +1,83 @@
 ---
 title: Common Microsoft Defender ATP API errors
 description: List of common Microsoft Defender ATP API errors with descriptions.
 keywords: apis, mdatp api, errors, troubleshooting 
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
 manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
 ---
 # Common REST API error codes
 * The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs.
 * Note that in addition to the error code, every error response contains an error message which can help resolving the problem.
 * Note that the message is a free text that can be changed.
 * At the bottom of the page you can find response examples.
 Error code |HTTP status code |Message 
 :---|:---|:---
 BadRequest | BadRequest (400) | General Bad Request error message.
 ODataError | BadRequest (400) | Invalid OData URI query (the specific error is specified).
 InvalidInput | BadRequest (400) | Invalid input {the invalid input}.
 InvalidRequestBody | BadRequest (400) | Invalid request body.
 InvalidHashValue | BadRequest (400) | Hash value {the invalid hash} is invalid.
 InvalidDomainName | BadRequest (400) | Domain name {the invalid domain} is invalid.
 InvalidIpAddress | BadRequest (400) | IP address {the invalid IP} is invalid.
 InvalidUrl | BadRequest (400) | URL {the invalid URL} is invalid.
 MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.
 MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing.
 OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action.
 ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above.
 Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header).
 Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action).
 DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
 DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}.
 NotFound | Not Found (404) | General Not Found error message.
 ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
 InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved)
 ## Body parameters are case sensitive
 The submitted body parameters are currently case sensitive.
 <br>If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.
 <br>It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example.
 ## Correlation request ID
 Each error response contains a unique ID parameter for tracking.
 <br>The property name of this parameter is "target".
 <br>When contacting us about an error, attaching this ID will help find the root cause of the problem.
 ## Examples
 ```json
 {
    "error": {
        "code": "ResourceNotFound",
        "message": "Machine 123123123 was not found",
        "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"
    }
 }
 ```
 ```json
 {
    "error": {
        "code": "InvalidRequestBody",
        "message": "Request body is incorrect",
        "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0"
    }
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/recommendations
 Here is an example of the response.
-```
+```json
 Content-type: json
 {
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
    "value": [
@ -99,7 +98,8 @@ Content-type: json
            "nonProductivityImpactedAssets": 0,
            "relatedComponent": "Windows 10"
        }
-        ]
+		...
     ]
 }
 ```
 ## Related topics
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
-# Get all vulnerabilities
+# List vulnerabilities
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities
 Here is an example of the response.
-```
+```json
 Content-type: json
 {
    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
    "value": [
@ -86,8 +85,9 @@ Content-type: json
            "exploitTypes": [],
            "exploitUris": []
        }
-        ]
+		...
-        {
+    ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@ -1,6 +1,6 @@
 ---
-title: Get Device Secure score
+title: Get Machine Secure score
-description: Retrieves the organizational device secure score.
+description: Retrieves the organizational machine secure score.
 keywords: apis, graph api, supported apis, get, alerts, recent
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
-# Get Device Secure score
+# Get Machine Secure score
 **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -75,8 +75,7 @@ Here is an example of the response.
 {
    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
    "time": "2019-12-03T09:15:58.1665846Z",
-    "score": 340,
+    "score": 340
    "rbacGroupId": null
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@ -76,8 +76,7 @@ Here is an example of the response.
 {
    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
    "time": "2019-12-03T07:23:53.280499Z",
-    "score": 33.491554051195706,
+    "score": 33.491554051195706
    "rbacGroupId": null
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@ -18,9 +18,9 @@ ms.topic: article
 # List exposure score by machine group
-**Applies to:**
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 [!include[Prerelease information](../../includes/prerelease.md)]
@ -74,23 +74,14 @@ Here is an example of the response.
        {
            "time": "2019-12-03T09:51:28.214338Z",
            "score": 41.38041766305988,
-            "rbacGroupId": 10
+            "rbacGroupName": "GroupOne"
        },
        {
            "time": "2019-12-03T09:51:28.2143399Z",
            "score": 37.403726933165366,
-            "rbacGroupId": 11
+            "rbacGroupName": "GroupTwo"
        },
        {
            "time": "2019-12-03T09:51:28.2143407Z",
            "score": 26.390921344426033,
            "rbacGroupId": 9
        },
        {
            "time": "2019-12-03T09:51:28.2143414Z",
            "score": 23.58823563070858,
            "rbacGroupId": 5
        }
 		...
    ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@ -24,7 +24,7 @@ ms.topic: article
 [!include[Prerelease information](../../includes/prerelease.md)]
-Retrieve a list of machines that has this software installed.
+Retrieve a list of machine references that has this software installed.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
@ -75,15 +75,16 @@ Here is an example of the response.
            "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
            "computerDnsName": "dave_desktop",
            "osPlatform": "Windows10",
-            "rbacGroupId": 9
+            "rbacGroupName": "GroupTwo"
        },
        {
            "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
            "computerDnsName": "jane_PC",
            "osPlatform": "Windows10",
-            "rbacGroupId": 9
+            "rbacGroupName": "GroupTwo"
        }
-]
+		...
 	]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@ -66,8 +66,7 @@ GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/mac
 Here is an example of the response.
-```
+```json
 Content-type: json
 {
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
    "value": [
@ -75,14 +74,15 @@ Content-type: json
            "id": "235a2e6278c63fcf85bab9c370396972c58843de",
            "computerDnsName": "h1mkn_PC",
            "osPlatform": "Windows10",
-            "rbacGroupId": 1268
+            "rbacGroupName": "GroupTwo"
        },
        {
            "id": "afb3f807d1a185ac66668f493af028385bfca184",
            "computerDnsName": "chat_Desk ",
            "osPlatform": "Windows10",
-            "rbacGroupId": 410
+            "rbacGroupName": "GroupTwo"
        }
 		...
    ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr
 Here is an example of the response.
-```
+```json
 Content-type: json
 {
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
    "id": "va-_-google-_-chrome",
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@ -1,5 +1,5 @@
 ---
-title: Get recommendation by machines
+title: List machines by recommendation
 description: Retrieves a list of machines associated with the security recommendation. 
 keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api 
 search.product: eADQiWindows 10XVcnh
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
-# Get recommendation by machines
+# List machines by recommendation
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -75,7 +75,8 @@ Here is an example of the response.
            "osPlatform": "Windows10",
            "rbacGroupId": 2154
        }
-        ]
+		...
    ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr
 Here is an example of the response.
-```
+```json
 Content-type: json
 {
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
    "id": "google-_-chrome",
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@ -1,5 +1,5 @@
 ---
-title: Get recommendation by vulnerabilities
+title: List vulnerabilities by recommendation
 description: Retrieves a list of vulnerabilities associated with the security recommendation.
 keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api 
 search.product: eADQiWindows 10XVcnh
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
 ms.topic: article
 ---
-# Get recommendation by vulnerabilities
+# List vulnerabilities by recommendation
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chr
 Here is an example of the response.
-```
+```json
 Content-type: json
 {
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
    "value": [
@ -85,7 +84,8 @@ Content-type: json
            "exploitTypes": [],
            "exploitUris": []
        }
-        ]
+		...
     ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@ -81,7 +81,8 @@ Here is an example of the response.
            "installations": 750,
            "vulnerabilities": 0
        }
-        ]
+		...
    ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@ -17,10 +17,10 @@ ms.topic: article
 ---
 # List software inventory API
 **Applies to:**
 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-[!include[Prerelease information](../../includes/prerelease.md)]
+**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) 
 Retrieves the organization software inventory.
@ -66,20 +66,21 @@ GET https://api.securitycenter.windows.com/api/Software
 Here is an example of the response.
-```
+```json
 {
    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
    "value": [
-        {
+			{
-            "id": "microsoft-_-edge",
+				"id": "microsoft-_-edge",
-            "name": "edge",
+				"name": "edge",
-            "vendor": "microsoft",
+				"vendor": "microsoft",
-            "weaknesses": 467,
+				"weaknesses": 467,
-            "publicExploit": true,
+				"publicExploit": true,
-            "activeAlert": false,
+				"activeAlert": false,
-            "exposedMachines": 172,
+				"exposedMachines": 172,
-            "impactScore": 2.39947438
+				"impactScore": 2.39947438
-        }
+			}
 			...
        ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@ -71,21 +71,22 @@ Here is an example of the response.
 {
    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
    "value": [
-        {
+			{
-            "id": "CVE-2017-0140",
+				"id": "CVE-2017-0140",
-            "name": "CVE-2017-0140",
+				"name": "CVE-2017-0140",
-            "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
+				"description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
-            "severity": "Medium",
+				"severity": "Medium",
-            "cvssV3": 4.2,
+				"cvssV3": 4.2,
-            "exposedMachines": 1,
+				"exposedMachines": 1,
-            "publishedOn": "2017-03-14T00:00:00Z",
+				"publishedOn": "2017-03-14T00:00:00Z",
-            "updatedOn": "2019-10-03T00:03:00Z",
+				"updatedOn": "2019-10-03T00:03:00Z",
-            "publicExploit": false,
+				"publicExploit": false,
-            "exploitVerified": false,
+				"exploitVerified": false,
-            "exploitInKit": false,
+				"exploitInKit": false,
-            "exploitTypes": [],
+				"exploitTypes": [],
-            "exploitUris": []
+				"exploitUris": []
-        }
+			}
 			...
        ]
 }
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@ -65,8 +65,7 @@ GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
 Here is an example of the response.
-```
+```json
 Content-type: json
 {
    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
    "id": "CVE-2019-0608",
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@ -345,6 +345,7 @@
 ##### [APIs]()
 ###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
 ###### [Common REST API error codes](common-errors.md)
 ###### [Advanced Hunting](run-advanced-query-api.md)
 ###### [Alert]()
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/score.md
@ -37,41 +37,4 @@ Property |	Type	|	Description
 :---|:---|:---
 Score | Double | The current score.
 Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupId | Nullable Int | RBAC Group ID.
+RbacGroupName | String | The machine group name.
 ### Response example for getting machine groups score:
 ```
 GET https://api.securitycenter.windows.com/api/exposureScore/byMachineGroups
 ```
 ```json
 {
    "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
    "value": [
        {
            "time": "2019-12-03T07:26:49.9376328Z",
            "score": 41.38041766305988,
            "rbacGroupId": 10
        },
        {
            "time": "2019-12-03T07:26:49.9376375Z",
            "score": 23.58823563070858,
            "rbacGroupId": 5
        },
        {
            "time": "2019-12-03T07:26:49.9376382Z",
            "score": 37.403726933165366,
            "rbacGroupId": 11
        },
        {
            "time": "2019-12-03T07:26:49.9376388Z",
            "score": 26.323200116475423,
            "rbacGroupId": 9
        }
    ]
 }
 ```