deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into device-control-intune

Browse Source
This commit is contained in:
Justin Hall 2018-11-28 10:22:45 -08:00
commit a610c67cd0
39 changed files with 726 additions and 551 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
devices/hololens/hololens-encryption.md
View File

@ -19,11 +19,11 @@ You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/
## Enable device encryption using MDM
You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP.)
You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP.
[See instructions for enabling device encryption using Microsoft Intune.](https://docs.microsoft.com/intune/compliance-policy-create-windows#windows-holographic-for-business)
For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryptionn, use the following configuration:
For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryption, use the following configuration:
- **Name**: a name of your choice
- **Description**: optional
@ -35,7 +35,7 @@ For other MDM tools, see your MDM provider's documentation for instructions. If
Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device.
### Create a provisioning package that upgrades the Windows Holographic edition
### Create a provisioning package that upgrades the Windows Holographic edition and enables encryption
1. [Create a provisioning package for HoloLens.](hololens-provisioning.md)

4
store-for-business/work-with-partner-microsoft-store-business.md
View File

@ -59,8 +59,10 @@ The solution provider will get in touch with you. You'll have a chance to learn
Once you've found a solution provider and decided to work with them, they'll send you an invitation to work together from Partner Center. In Microsoft Store for Business or Education, you'll need to accept the invitation. After that, you can manage their permissions.
**To accept a solution provider invitation**
1. **Follow email link** - You'll receive an email with a link accept the solution provider invitation from your solution provider. The link will take you to Microsoft Store for Business or Education.
1. **Follow email link** - You'll receive an email with a link to accept the solution provider invitation from your solution provider. The link will take you to Microsoft Store for Business or Education.
2. **Accept invitation** - On **Accept Partner Invitation**, select **Authorize** to accept the invitation, accept terms of the Microsoft Cloud Agreement, and start working with the solution provider.
![Image shows accepting an invitation from a solution provider in Microsoft Store for Business.](images/msft-accept-partner.png)
## Delegate admin privileges

1
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -86,6 +86,7 @@ If you enable this policy setting, Windows is allowed to install or update any d
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).

2
windows/client-management/troubleshoot-windows-freeze.md
View File

@ -99,7 +99,7 @@ If the computer is no longer frozen and now is running in a good state, use the
> [!Note]
> For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD):
><br**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled**
>**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled**
4. Select **Overwrite any existing file**.

46
windows/deployment/windows-autopilot/intune-connector.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greg-lindsay
ms.date: 11/13/2018
ms.date: 11/26/2018
---
@ -23,44 +23,30 @@ In this preview version of the Intune Connector, you might receive an error mess
**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.**
See the following example:
![Connector error](images/connector-fail.png)
An [example](#example) of the error message is displayed at the bottom of this topic.
This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout:
en-US<br>
cs-CZ<br>
da-DK<br>
de-DE<br>
el-GR<br>
es-ES<br>
fi-FI<br>
fr-FR<br>
hu-HU<br>
it-IT<br>
ja-JP<br>
ko-KR<br>
nb-NO<br>
nl-NL<br>
pl-PL<br>
pt-BR<br>
ro-RO<br>
ru-RU<br>
sv-SE<br>
tr-TR<br>
zh-CN<br>
zh-TW
| | | | | | | | | | | |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| en-US | cs-CZ | da-DK | de-DE | el-GR | es-ES | fi-FI | fr-FR | hu-HU | it-IT | ja-JP |
| ko-KR | nb-NO | nl-NL | pl-PL | pt-BR | ro-RO | ru-RU | sv-SE | tr-TR | zh-CN | zh-TW |
This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
>[!NOTE]
>After installing the Intune Connector, you can restore the keyboard layout to its previous settings.<br>
>This solution is a workaround and will be fully resolved in a future release of the Intune Connector.
To change the default keyboard layout:
1. Click **Settings > Time & language > Region and language**
2. Select one of the languages listed above and choose **Set as default**.
Note: If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
If the language you need isn't listed, you can add additional languages by selecting **Add a language**.
## Example
The following is an example of the error message that can be displayed if one of the listed languages is not used during setup:
![Connector error](images/connector-fail.png)

10
windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 10/12/2018
ms.date: 11/28/2018
---
# How Windows Information Protection protects files with a sensitivity label
@ -27,13 +27,15 @@ Microsoft information protection technologies work together as an integrated sol
Microsoft information protection technologies include:
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
![Sensitivity labels](images/sensitivity-labels.png)
End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
![Sensitivity labels](images/sensitivity-labels.png)
## Default WIP behaviors for a sensitivity label

7
windows/security/threat-protection/TOC.md
View File

@ -265,7 +265,7 @@
######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -274,8 +274,8 @@
####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md)
######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md)
@ -284,6 +284,7 @@
######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

4
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: sagaudre
author: brianlic-msft
ms.date: 06/25/2018
ms.date: 11/26/2018
---
# Microsoft Security Compliance Toolkit 1.0
@ -22,6 +22,7 @@ The SCT enables administrators to effectively manage their enterprises Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1703 (Creators Update)
@ -30,6 +31,7 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 1507
- Windows Server security baselines
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2

7
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 05/03/2018
ms.date: 11/28/2018
---
# Windows Defender Application Control
@ -17,6 +17,7 @@ ms.date: 05/03/2018
- Windows 10
- Windows Server 2016
- Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
## WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016.
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016.
Group Policy or Intune can be used to distribute WDAC policies.
## New and changed functionality

4
windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
View File

@ -8,14 +8,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 09/07/2018
ms.date: 11/27/2018
---
# Windows Defender Application Guard overview
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

8
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -262,7 +262,7 @@
####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -270,8 +270,8 @@
####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md)
###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
@ -280,7 +280,7 @@
####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
###### [User](user-windows-defender-advanced-threat-protection-new.md)
####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

43
windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
View File

@ -15,10 +15,12 @@ ms.date: 12/08/2017
# Add or Remove Machine Tags API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Adds or remove tag to a specific machine.
## Permissions
@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "Test Tag",
"Value" : "test Tag 2",
"Action": "Add"
}
@ -85,26 +87,25 @@ HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine55.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": "2018-09-27T08:44:05.6228836Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [
"Test Tag"
],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```
To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

67
windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -17,7 +17,7 @@ ms.date: 12/08/2017
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
[!include[Prerelease information](prerelease.md)]
Represents an alert entity in WDATP.
@ -37,45 +37,48 @@ Method|Return Type |Description
# Properties
Property | Type | Description
:---|:---|:---
id | String | Alert ID
severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
id | String | Alert ID.
incidentId | String | The [Incident](incidents-queue.md) ID of the Alert.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
description | String | Description of the threat, identified by the alert.
recommendedAction | String | Action recommended for handling the suspected threat.
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
title | string | Alert title
threatFamilyName | string | Threat family
detectionSource | string | Detection source
assignedTo | String | Owner of the alert
classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
# JSON representation
```json
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

4
windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
View File

@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
## HTTP request
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
```
## Request headers
@ -77,7 +77,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Length: application/json
{

183
windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
View File

@ -21,12 +21,17 @@ ms.date: 11/15/2018
- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
- Not all properties are filterable.
### Properties that supports $filter:
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
### Example 1
**Get all the machines with the tag 'ExampleTag'**
- Get all the machines with the tag 'ExampleTag'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@ -41,25 +46,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2018-03-07T11:19:11.7234147Z",
"lastSeen": "2018-11-15T11:23:38.3196947Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.17.255.241",
"lastExternalIpAddress": "123.220.196.180",
"agentVersion": "10.6400.18282.1001",
"osBuild": 18282,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [
"ExampleTag"
],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "North",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -70,6 +73,50 @@ Content-type: application/json
### Example 2
- Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
```
**Response:**
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
.
.
.
]
}
```
### Example 3
- Get all the machines with 'High' 'RiskScore'
```
@ -85,23 +132,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "e3a77eeddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -110,7 +157,7 @@ Content-type: application/json
}
```
### Example 3
### Example 4
- Get top 100 machines with 'HealthStatus' not equals to 'Active'
@ -127,23 +174,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1113333ddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "Medium",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -152,12 +199,12 @@ Content-type: application/json
}
```
### Example 4
### Example 5
- Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
**Response:**
@ -169,23 +216,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "83113465ffceca4a731234e5dcde3357e026e873",
"computerDnsName": "examples-vm10",
"firstSeen": "2018-11-12T16:07:50.1706168Z",
"lastSeen": "2018-11-12T16:07:50.1706168Z",
"osPlatform": "WindowsServer2019",
"osVersion": null,
"lastIpAddress": "10.123.72.35",
"lastExternalIpAddress": "123.220.2.3",
"agentVersion": "10.6300.18281.1000",
"osBuild": 18281,
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "None",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -194,7 +241,7 @@ Content-type: application/json
}
```
### Example 5
### Example 6
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP

38
windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
View File

@ -15,11 +15,12 @@ ms.date: 12/08/2017
# Find machines by internal IP API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
- The given timestamp must be in the past 30 days.
@ -83,22 +84,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine33.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": null,
"osPlatform": "Windows10",
"osVersion": null,
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}

39
windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
View File

@ -64,7 +64,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
```
**Response**
@ -75,24 +75,25 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

29
windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
View File

@ -14,12 +14,13 @@ ms.date: 12/08/2017
---
# Get alert related machine information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves machine that is related to a specific alert.
- Retrieves machine that is related to a specific alert.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -77,22 +78,22 @@ HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "ff0c3800ed8d66738a514971cd6867166809369f",
"computerDnsName": "amazingmachine.contoso.com",
"firstSeen": "2017-12-10T07:47:34.4269783Z",
"lastSeen": "2017-12-10T07:47:34.4269783Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"systemProductName": null,
"lastIpAddress": "172.17.0.0",
"lastExternalIpAddress": "167.220.0.0",
"agentVersion": "10.5830.17732.1001",
"osBuild": 17732,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```

85
windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -21,8 +21,10 @@ ms.date: 12/08/2017
[!include[Prerelease information](prerelease.md)]
Retrieves top recent alerts.
- Retrieves a collection of Alerts.
- Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -81,50 +83,55 @@ Here is an example of the response.
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

74
windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -84,44 +84,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

62
windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -80,43 +80,43 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
"computerDnsName": "testMachine1",
"firstSeen": "2018-07-30T20:12:00.3708661Z",
"lastSeen": "2018-07-30T20:12:00.3708661Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.67.177",
"lastExternalIpAddress": "167.220.1.210",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"healthStatus": "Inactive",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
"computerDnsName": "testMachine2",
"firstSeen": "2018-07-30T19:50:47.3618349Z",
"lastSeen": "2018-07-30T19:50:47.3618349Z",
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.70.231",
"lastExternalIpAddress": "167.220.0.28",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "None",
"aadDeviceId": null
}
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```

37
windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -82,24 +82,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

27
windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -14,13 +14,14 @@ ms.date: 12/08/2017
---
# Get file related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of machines related to a given file hash.
- Retrieves a collection of machines related to a given file hash.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -83,39 +84,37 @@ Content-type: application/json
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

37
windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -81,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

22
windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -85,18 +85,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"rbacGroupName": "The-A-Team",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -104,18 +104,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

17
windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
View File

@ -15,12 +15,13 @@ ms.date: 12/08/2017
# Get machine by ID API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a machine entity by ID.
[!include[Prerelease information](prerelease.md)]
- Retrieves a machine entity by ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -85,18 +86,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```

37
windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -81,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

4
windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
View File

@ -14,12 +14,14 @@ ms.date: 12/08/2017
---
# Get machineAction API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Get action performed on a machine.
- Get action performed on a machine.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)

13
windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
View File

@ -15,14 +15,16 @@ ms.date: 12/08/2017
# List MachineActions API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Gets collection of actions done on machines.
Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
[!include[Prerelease information](prerelease.md)]
- Gets collection of actions done on machines.
- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -167,3 +169,6 @@ Content-type: application/json
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

36
windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -15,15 +15,16 @@ ms.date: 12/08/2017
# List machines API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
[!include[Prerelease information](prerelease.md)]
- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,19 +107,22 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

74
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -81,44 +81,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

23
windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -14,6 +14,7 @@ ms.date: 12/08/2017
---
# Get user related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,18 +107,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

17
windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
View File

@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win
lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
osPlatform | String | OS platform.
osVersion | String | OS Version.
lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
agentVersion | String | Version of WDATP agent.
osBuild | Int | OS build number.
osBuild | Nullable long | OS build number.
healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
rbacGroupId | Int | Group ID.
riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
rbacGroupId | Int | RBAC Group ID.
rbacGroupName | String | RBAC Group Name.
riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.

6
windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/19/2018
ms.date: 11/26/2018
---
@ -20,6 +20,10 @@ ms.date: 10/19/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
[!include[Prerelease information](prerelease.md)]
>![TIP]
>Go to **Advanced features** in the **Settings** page to turn on the preview features.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)

4
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -58,5 +58,9 @@ Onboard supported versions of Windows machines so that they can send sensor data
- Windows 8.1 Pro
- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink)

105
windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md Normal file
View File

@ -0,0 +1,105 @@
---
title: Stop and quarantine file API
description: Use this API to stop and quarantine file.
keywords: apis, graph api, supported apis, stop and quarantine file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 12/08/2017
---
# Stop and quarantine file API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
- Stop execution of a file on a machine and delete it.
[!include[Machine actions note](machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
## HTTP request
```
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
## Response
If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
```
**Response**
Here is an example of the response.
[!include[Improve request performance](improverequestperformance-new.md)]
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "141408d1-384c-4c19-8b57-ba39e378011a",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"relatedFileInfo": {
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1"
}
}
```

41
windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
View File

@ -72,10 +72,10 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "Our designated secop"
"assignedTo": "secop2@contoso.com"
}
```
@ -86,23 +86,24 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "636688558380765161_2136280442",
"severity": "Medium",
"status": "InProgress",
"description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
"recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
"alertCreationTime": "2018-08-07T10:18:04.2665329Z",
"category": "Installation",
"title": "Possible sensor tampering in memory",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": null,
"determination": null,
"assignedTo": "Our designated secop",
"resolvedTime": null,
"lastEventTime": "2018-08-07T10:14:35.470671Z",
"firstEventTime": "2018-08-07T10:14:35.470671Z",
"actorName": null,
"machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop2@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

14
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/19/2018
ms.date: 11/27/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -64,9 +64,6 @@ This rule blocks the following file types from being run or launched from an ema
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
@ -88,18 +85,12 @@ Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
@ -132,9 +123,6 @@ This rule provides an extra layer of protection against ransomware. Executable f
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.

40
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/17/2018
ms.date: 11/27/2018
---
# Customize attack surface reduction rules
@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
This could potentially allow unsafe files to run and infect your devices.
@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
Exclusions apply to all attack surface reduction rules.
>[!IMPORTANT]
>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table).
Rule description | Rule honors exclusions | GUID
Rule description | GUID
-|:-:|-
Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.