From a8029198fe96cab90f1226f75e9fb48eee911a6c Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Wed, 6 Dec 2017 14:56:45 -0800
Subject: [PATCH] api updates
---
 windows/threat-protection/TOC.md | 5 +-
 ...ows-defender-advanced-threat-protection.md | 22 ++-
 ...ows-defender-advanced-threat-protection.md | 12 +-
 ...ows-defender-advanced-threat-protection.md | 108 +++++++++++++
 ...ows-defender-advanced-threat-protection.md | 20 ++-
 ...ows-defender-advanced-threat-protection.md | 18 ++-
 ...ows-defender-advanced-threat-protection.md | 146 ++++++++++++++++++
 ...ows-defender-advanced-threat-protection.md | 5 +-
 ...ows-defender-advanced-threat-protection.md | 12 +-
 ...ows-defender-advanced-threat-protection.md | 25 ++-
 ...ows-defender-advanced-threat-protection.md | 14 +-
 ...ows-defender-advanced-threat-protection.md | 12 +-
 ...ows-defender-advanced-threat-protection.md | 33 ++--
 ...ows-defender-advanced-threat-protection.md | 19 ++-
 ...ows-defender-advanced-threat-protection.md | 8 +-
 ...ows-defender-advanced-threat-protection.md | 14 +-
 16 files changed, 415 insertions(+), 58 deletions(-)
 create mode 100644 windows/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
 create mode 100644 windows/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index 52ff3c3b66..76585947d3 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -65,7 +65,7 @@
 ###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
 ###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
 ###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-###### [Release machine from the isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+###### [Release machine from isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
 ###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
 ##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
 ###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
@@ -146,6 +146,9 @@
 ##### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
 ##### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
 ##### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+##### [Get MachineActions collection API]
+##### [Get FileMachineActions collection API]
+##### [Get FileActions collection API]
 ### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
index eab5acb930..b2658dda3d 100644
--- a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Block file
@@ -50,12 +50,13 @@ Request
 Here is an example of the request.
 ```
-POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block
+POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/block
 Content-type: application/json
 {
 "Comment": "Block file due to alert 32123"
 }
+
 ```
 Response
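Review bot: The three TOC entries added in the `@@ -146,6 +146,9 @@` hunk are bare bracketed labels with no link target, so they will render as literal text rather than navigation links. Two of the target pages are created by this same commit, so those entries can be completed now: `##### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)` and `##### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)`. No FileMachineActions collection page is added here, so that entry should either point at the page it is meant for or be held back until that page exists.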
@@ -64,5 +65,20 @@ Here is an example of the response.
 ```
-HTTP/1.1 200 Ok
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
+ "fileIdentifierType": "Sha1",
+ "actionType": "Block",
+ "fileStatus": "Blocked",
+ "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "test",
+ "cancellationDateTimeUtc": null,
+ "cancellationRequestor": null,
+ "cancellationComment": null,
+ "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
+}
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
index a085e86eef..c208b0df3b 100644
--- a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Collect investigation package
@@ -68,10 +68,16 @@ HTTP/1.1 201 Created
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
- "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
 "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": " Collect forensics due to alert 1234",
 "status": "InProgress",
- "error": "Unknown"
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:09:24.1785079Z"
 }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..50f67db18b
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,108 @@
+---
+title: Get FileActions collection API
+description: Use this API to create calls related to get fileactions collection
+keywords: apis, graph api, supported apis, get, file, information, fileactions collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 10/16/2017
+---
+
+# Get FileActions collection
+Get FileActions collection API supports OData V4 queries.
+
+## Permissions
+Users need to have Security administrator or Global admin directory roles.
+
+## HTTP request
+```
+GET /testwdatppreview/fileactions
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of FileAction objects.
+
+>[!NOTE]
+>Although Block and Unblock actions are under FileAction category, this API only returns the Block actions on files that are currently blocked. For example, a file that is blocked and then unblocked will not be seen on this API.
+
+
+
+## Example
+
+Request
+
+Here is an example of the request on an organization that has 3 FileActions.
+
+```
+GET https://graph.microsoft.com/testwdatppreview/fileactions
+```
+
+Response
+
+Here is an example of the response.
+ + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileActions", + "value": [ + { + "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9", + "fileIdentifierType": "Sha1", + "actionType": "Block", + "fileStatus": "Blocked", + "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z", + "requestor": "Analyst@contoso.com ", + "requestorComment": "test", + "cancellationDateTimeUtc": null, + "cancellationRequestor": null, + "cancellationComment": null, + "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z" + }, + { + "fileIdentifier": "df708f0107c7cc75ba2e5aaadc88b8bcfa01071d", + "fileIdentifierType": "Sha1", + "actionType": "Block", + "fileStatus": "Blocked", + "creationDateTimeUtc": "2017-11-05T11:16:19.9209438Z", + "requestor": "Analyst@ contoso.com ", + "requestorComment": "1316", + "cancellationDateTimeUtc": null, + "cancellationRequestor": null, + "cancellationComment": null, + "lastUpdateDateTimeUtc": "2017-11-05T11:16:19.9209438Z" + }, + { + "fileIdentifier": "f5bc0981641c8a1fb3ef03e4bf574d8adf7134cf", + "fileIdentifierType": "Sha1", + "actionType": "Block", + "fileStatus": "Blocked", + "creationDateTimeUtc": "2017-11-05T10:57:02.2430564Z", + "requestor": "Analyst@ contoso.com ", + "requestorComment": "test 1256 2017.11.05", + "cancellationDateTimeUtc": null, + "cancellationRequestor": null, + "cancellationComment": null, + "lastUpdateDateTimeUtc": "2017-11-05T10:57:02.2430564Z" + } + ] +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md index 043bdf280d..8deac08a55 100644 --- a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Get FileMachineAction object
@@ -45,7 +45,7 @@ Request
 Here is an example of the request.
 ```
-GET https://graph.microsoft.com/testwdatppreview/filemachineactions/7327b54fd718525cbca07dacde913b5ac3c85673
+GET https://graph.microsoft.com/testwdatppreview/filemachineactions/3dc88ce3-dd0c-40f7-93fc-8bd14317aab6
 ```
 Response
@@ -54,21 +54,27 @@ Here is an example of the response.
 ```
-HTTP/1.1 201 Created
+HTTP/1.1 200 Ok
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
- "id": " 7327b54fd718525cbca07dacde913b5ac3c85673",
- "sha1": "1163788484e3258ab9fcf692f7db7938f72ddfc2",
+ "id": "3dc88ce3-dd0c-40f7-93fc-8bd14317aab6",
+ "sha1": "8908b4441a2cd7285fe9c82917f69041cd467cf7",
 "type": "StopAndQuarantineFile",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "1104",
 "status": "Succeeded",
- "machineId": "970a58d5f61786bb7799dfdb5395ec364ffceace",
+ "fileId": "8908b4441a2cd7285fe9c82917f69041cd467cf7",
+ "machineId": "61a2d326d2190d048950406b54af23416118094a",
+ "creationDateTimeUtc": "2017-09-06T08:04:06.1994034Z",
+ "lastUpdateDateTimeUtc": "2017-09-06T08:05:46.9200942Z",
 "fileInstances": [
 {
- "filePath": "C:\\Users\\alex\\AppData\\Local\\AppFetch\\Temp\\3324bcb\\AppDownloader\\AnApp.appfetch.zip",
+ "filePath": "C:\\tools\\PE\\7f06a650-040b-4774-bb39-5264ea9e93fa.exe",
 "status": "Succeeded"
 }
 ]
 }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
index 0fb3e768d8..2f458f4482 100644
--- a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Get MachineAction object
@@ -45,7 +45,7 @@ Request
 Here is an example of the request.
 ```
-GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673
+GET https://graph.microsoft.com/testwdatppreview/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
 ```
 Response
@@ -58,10 +58,16 @@ HTTP/1.1 200 Ok
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
- "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
- "type": "UnrestrictExecution",
- "status": "Success",
- "error": "Unknown"
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
 }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..82fafe9653
--- /dev/null
+++ b/windows/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,146 @@
+---
+title: Get MachineActions collection API
+description: Use this API to create calls related to get machineactions collection
+keywords: apis, graph api, supported apis, machineaction collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 12/07/2017
+---
+
+# Get MachineActions collection
+Get MachineAction collection API supports OData V4 queries.
+
+## Permissions
+Users need to have Security administrator or Global admin directory roles.
+
+## HTTP request
+```
+GET /testwdatppreview/machineactions
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of MachineAction objects since the Retention policy time of the organization.
+
+
+## Example 1
+
+Request
+
+Here is an example of the request on an organization that has 3 MachineActions
+
+```
+GET https://graph.microsoft.com/testwdatppreview/machineactions
+```
+
+Response
+
+Here is an example of the response.
+ + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions", + "value": [ + { + "id": "69dc3630-1ccc-4342-acf3-35286eec741d", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@ contoso.com ", + "requestorComment": "test", + "status": "Succeeded", + "error": "None", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z", + "lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z" + }, + { + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@ contoso.com ", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "Succeeded", + "error": "None", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z" + }, + { + "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", + "type": "UnrestrictCodeExecution", + "requestor": "Analyst@ contoso.com ", + "requestorComment": "test", + "status": "Succeeded", + "error": "None", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z", + "lastUpdateTimeUtc": "2017-12-04T12:16:14.2899973Z" + } + ] +} + + +``` + +## Example 2 + +Request + +Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions. + +``` +GET https://graph.microsoft.com/testwdatppreview/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 +``` + + + +Response +Here is an example of the response. 
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z"
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@ contoso.com ",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
+ }
+ ]
+}
+```
diff --git a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
index 16581192da..012acfa769 100644
--- a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Get package SAS URI
@@ -60,8 +60,9 @@ HTTP/1.1 200 Ok
 Content-type: application/json
 {
- "@odata.context": "https://graph.microsoft.com/testrespver1/$metadata#Edm.String",
+ "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Edm.String",
 "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
 }
+
 ```
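Review bot: The response sample in the `@@ -60,8 +60,9 @@` hunk still carries what looks like a complete, real SAS token in the `value` line, and this commit only retargets the `@odata.context` host while leaving that line as context. A SAS URI is a bearer credential for the package download, so even an expired or test-tenant token should not be published verbatim in reference docs; readers also tend to copy such samples into tickets and scripts. Replacing the query string with an obviously synthetic placeholder such as `...WDATP_Investigation_Package.zip?token={sas-token}` keeps the example readable without shipping a credential-shaped value, and is worth doing in the same pass since the line is already in the hunk.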
diff --git a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
index 9d9afa06e9..20f0d234e8 100644
--- a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/06/2017
 ---
 # Isolate machine
@@ -75,9 +75,15 @@ HTTP/1.1 201 Created
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
- "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
+ "id": "b89eb834-4578-496c-8be0-03f004061435",
 "type": "Isolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Isolate machine due to alert 1234",
 "status": "InProgress",
- "error": "Unknown"
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z"
 }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
index 10b78cb11e..586d6e1094 100644
--- a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Request sample
@@ -50,11 +50,13 @@ Request
 Here is an example of the request.
 ```
-POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/requestSample
+POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/requestSample
 Content-type: application/json
 {
- “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673”
+ "Comment": "Request Sample on machine due to alert 32123",
+ "Sha1": "8d25682b3a82af25b42dc90291c35ff3293daa68"
 }
+
 ```
 Response
@@ -69,9 +71,22 @@ HTTP/1.1 201 Created
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
- "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
+ "id": "c083f601-012f-4955-b4cc-fab50fb69d79",
+ "sha1": "8d25682b3a82af25b42dc90291c35ff3293daa68",
 "type": "RequestSample",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "test",
 "status": "InProgress",
- "error": "Unknown"
+ "fileId": "8d25682b3a82af25b42dc90291c35ff3293daa68",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T13:39:24.9399004Z",
+ "lastUpdateDateTimeUtc": "2017-12-04T13:39:24.9399004Z",
+ "fileInstances": [
+ {
+ "filePath": "C:\\Windows\\System32\\conhost.exe",
+ "status": "InProgress"
+ }
+ ]
 }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
index 3377eeb2a0..433beb6eea 100644
--- a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Restrict app execution
@@ -68,9 +68,15 @@ HTTP/1.1 201 Created
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
- "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
- "type": "RestrictExecution",
+ "id": "78d408d1-384c-4c19-8b57-ba39e378011a",
+ "type": "RestrictCodeExecution",
+ "requestor": "Analyst@ contoso.com ",
+ "requestorComment": "Restrict code execution due to alert 1234",
 "status": "InProgress",
- "error": "Unknown"
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:15:04.3825985Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:15:04.3825985Z"
 }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
index 891097b03a..b7f54c7dc1 100644
--- a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Run antivirus scan
@@ -77,9 +77,15 @@ HTTP/1.1 201 Created
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
- "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
 "type": "RunAntiVirusScan",
+ "requestor": "Analyst@ contoso.com ",
+ "requestorComment": "Check machine for viruses due to alert 3212",
 "status": "InProgress",
- "error": "Unknown"
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:18:27.1293487Z"
 }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
index 588e46220b..d2b64c27f9 100644
--- a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Stop and quarantine file
@@ -50,12 +50,13 @@ Request
 Here is an example of the request.
 ```
-POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
+POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/stopAndQuarantineFile
 Content-type: application/json
 {
 "Comment": "Stop and quarantine file on machine due to alert 32123",
- “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673”
+ "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
 }
+
 ```
 Response
@@ -69,17 +70,27 @@ HTTP/1.1 201 Created
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
- "id": "5841901d-6d04-4278-b0b3-8dd6a2acc8a5",
- "sha1": “1163788484e3258ab9fcf692f7db7938f72ddfc2”,
+ "id": "6f1d364c-680c-499a-b30c-dd9265ad4c9d",
+ "sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
 "type": "StopAndQuarantineFile",
- "status": "Succeeded",
- "machineId": "970a58d5f61786bb7799dfdb5395ec364ffceace",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": " Stop and quarantine file on machine due to alert 32123",
+ "status": "InProgress",
+ "fileId": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T13:13:26.2106524Z",
+ "lastUpdateDateTimeUtc": "2017-12-04T13:13:58.8098277Z",
 "fileInstances": [
 {
- "filePath": "C:\\Users\\alex\\AppData\\Local\\AppFetch\\Temp\\3324bcb\\AppDownloader\\AnApp.appfetch.zip",
- "status": "Succeeded"
- }
+ "filePath": "C:\\Users\\ testUser \\Downloads\\elma.exe",
+ "status": "InProgress"
+ },
+ {
+ "filePath": "C:\\Users\\testUser\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\elma (2).exe.xc9q785.partial",
+ "status": "InProgress"
+ },
 ]
-}
+ }
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
index e558eb80f8..2a14c5bfc5 100644
--- a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Unblock file
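Review bot: The rewritten response sample in the `@@ -69,17 +70,27 @@` hunk is no longer valid JSON: the second fileInstances entry ends with `},` immediately before the closing `]`, which is a trailing comma, and the original `-}` that closed the outer object is replaced by an indented `+ }` so the last lines read as if the brace were still inside the array. The three closing lines should be `}` / `]` / `}` with no comma after the last entry, so that a reader pasting the sample into a parser gets the intended structure. The first filePath value `C:\\Users\\ testUser \\Downloads\\elma.exe` also carries stray spaces on either side of the user name that look like an editing artifact rather than service output.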
@@ -63,5 +63,20 @@ Here is an example of the response.
 ```
-HTTP/1.1 200 Ok
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
+ "fileIdentifierType": "Sha1",
+ "actionType": "UnBlock",
+ "fileStatus": "Blocked",
+ "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "test",
+ "cancellationDateTimeUtc": null,
+ "cancellationRequestor": null,
+ "cancellationComment": null,
+ "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
+}
+
 ```
diff --git a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
index db02510fdf..d8ae71b4f7 100644
--- a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Unisolate machine API
-description: Use this API to create calls related to removing a machine from isolation.
+title: Release machine from isolation API
+description: Use this API to create calls related to release a machine from isolation.
 keywords: apis, graph api, supported apis, remove machine from isolation
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -10,10 +10,10 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
-# Unisolate machine
+# Release machine from isolation
 Undo isolation of a machine.
 ## Permissions
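Review bot: The new Unblock response sample in the `@@ -63,5 +63,20 @@` hunk reports `"actionType": "UnBlock"` together with `"fileStatus": "Blocked"`, and its fileIdentifier, timestamps and comment are identical to the Block sample added earlier in this commit, so it appears to have been copied from the Block response rather than captured from an unblock call. An analyst who uses this page to confirm that an unblock took effect would be told that a still-"Blocked" status is the expected outcome; the new Get FileActions page in the same commit states that a file that is blocked and then unblocked is no longer returned, which suggests the real status differs. Please capture an actual unblock response and correct `"fileStatus"` (and the other copied fields) to what the service returns. The `UnBlock` casing also differs from the `Unblock` used in this page's heading and body, so it is worth checking which spelling the API's actionType value actually uses.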
diff --git a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
index 2890ee5631..9c21aa1312 100644
--- a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 09/01.2017
+ms.date: 12/07/2017
 ---
 # Unrestrict code execution
@@ -69,10 +69,16 @@ HTTP/1.1 201 Created
 Content-type: application/json
 {
 "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
- "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c",
- "type": "UnrestrictExecution",
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "UnrestrictCodeExecution",
+ "requestor": "Analyst@ contoso.com ",
+ "requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
 "status": "InProgress",
- "error": "Unknown"
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:15:40.6052029Z"
 }
+
 ```