From add209943508cda2d5c8ecac0ed3b194c38cea41 Mon Sep 17 00:00:00 2001 From: David Laufer Date: Wed, 24 Oct 2018 16:20:08 +0300 Subject: [PATCH 01/16] [WDATP] Update advanced hunting URL --- ...-windows-defender-advanced-threat-protection-new.md | 2 +- .../exposed-apis-full-sample-powershell.md | 2 +- ...-windows-defender-advanced-threat-protection-new.md | 2 +- .../windows-defender-atp/run-advanced-query-api.md | 4 ++-- .../run-advanced-query-sample-ms-flow.md | 10 +++++----- .../run-advanced-query-sample-power-bi-app-token.md | 2 +- .../run-advanced-query-sample-power-bi-user-token.md | 2 +- .../run-advanced-query-sample-powershell.md | 2 +- .../run-advanced-query-sample-python.md | 2 +- 9 files changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index 16b7b0524d..53054cc36b 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -POST /api/CreateAlertByReference +POST https://api.securitycenter.windows.com/api/CreateAlertByReference ``` ## Request headers diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md index 0ff6172338..5c554d4040 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md 
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md @@ -101,7 +101,7 @@ $query = "NetworkCommunicationEvents | where RemoteUrl == `"$suspiciousUrl`" | summarize ConnectionsCount = count() by MachineId" -$queryUrl = "https://api.securitycenter.windows.com/advancedqueries/query" +$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run" $queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query } $queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index 8f2008c14a..5d41431d83 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -23,7 +23,7 @@ ms.date: 12/08/2017 Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days. Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). -The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore" and "RbacGroupId" +The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId" ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index cb0a5624af..4281f9dd00 100644 
--- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md @@ -46,7 +46,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' ## HTTP request ``` -POST /advancedqueries/query +POST https://api.securitycenter.windows.com/api/advancedqueries/run ``` ## Request headers @@ -80,7 +80,7 @@ Here is an example of the request. > - api-uk.securitycenter.windows.com ``` -POST https://api.securitycenter.windows.com/advancedqueries/query +POST https://api.securitycenter.windows.com/api/advancedqueries/run Content-type: application/json { "Query":"ProcessCreationEvents diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md index dd62b3ea19..d5e16fbf5a 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md 
@@ -40,15 +40,15 @@ Use the following basic flow as an example. ![Image of MsFlow choose an action](images/ms-flow-choose-action.png) - Set method to be POST - - Uri is https://api.securitycenter.windows.com/advancedqueries/query or one of the region specific locations - - US: https://api-us.securitycenter.windows.com/advancedqueries/query - - Europe: https://api-eu.securitycenter.windows.com/advancedqueries/query - - United Kingdom: https://api-uk.securitycenter.windows.com/advancedqueries/query + - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations + - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run + - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run + - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run - Add the Header: Content-Type application/json - In the body write your query surrounded by single quotation mark (') - In the Advanced options select Authentication to be Active Directory OAuth - Set the Tenant with proper AAD Tenant Id - - Audience is https://securitycenter.onmicrosoft.com/windowsatpservice + - Audience is https://api.securitycenter.windows.com - Client ID is your application ID - Credential Type should be Secret - Secret is the application secret generated in the Azure Active directory. diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md index 04c224b498..ce6ccb012c 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md 
@@ -59,7 +59,7 @@ If you want to use **user token** instead please refer to [this](run-advanced-qu AccessToken= AuthResponse[access_token], Bearer = Text.Combine({"Bearer", AccessToken}, " "), - AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query", + AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run", Response = Json.Document(Web.Contents( AdvancedHuntingUrl, diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md index 333683cda5..202d338c71 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md @@ -48,7 +48,7 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md). Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", - AdvancedHuntingUrl = "https://api.securitycenter.windows.com/advancedqueries/query", + AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run", Response = Json.Document(Web.Contents( AdvancedHuntingUrl, diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md index ae59b2fe28..76fa741ab6 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md 
@@ -71,7 +71,7 @@ Run the following query: ``` $query = 'RegistryEvents | limit 10' # Paste your own query here -$url = "https://api.securitycenter.windows.com/advancedqueries/query" +$url = "https://api.securitycenter.windows.com/api/advancedqueries/run" $headers = @{ 'Content-Type' = 'application/json' Accept = 'application/json' diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md index fd546b266a..71784d6ccd 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md @@ -71,7 +71,7 @@ where ``` query = 'RegistryEvents | limit 10' # Paste your own query here -url = "https://api.securitycenter.windows.com/advancedqueries/query" +url = "https://api.securitycenter.windows.com/api/advancedqueries/run" headers = { 'Content-Type' : 'application/json', 'Accept' : 'application/json', From 1831d6f0a89c7c0dc4499d7999c31791ff50fe2a Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 25 Oct 2018 09:06:04 +0300 Subject: [PATCH 02/16] s --- ...defender-advanced-threat-protection-new.md | 4 +- ...defender-advanced-threat-protection-new.md | 109 ++++++++++++++++++ ...defender-advanced-threat-protection-new.md | 41 +++++++ 3 files changed, 152 insertions(+), 2 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index 77fcc41c80..5a137cb5a8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -13,7 +13,7 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# List machineActions API +# List MachineActions API [!include[Prerelease information](prerelease.md)] @@ -140,7 +140,7 @@ Here is an example of the response. HTTP/1.1 200 Ok Content-type: application/json { - "@odata.context": "https://api.securitycenter.windows.com/testwdatppreview/$metadata#MachineActions", + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", "value": [ { "id": "69dc3630-1ccc-4342-acf3-35286eec741d", diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..a4dc9a8ac3 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,109 @@
+---
+title: List TiIndicators API
+description: Use this API to create calls related to get TiIndicators collection
+keywords: apis, public api, supported apis, TiIndicators collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# List TiIndicators API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of Ti Indicators.
+ Get TiIndicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti_ReadWrite | 'Read and write Ti Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+
+>[!Note]
+> The response will only include Ti Indicators that submitted by the calling Application.
+ + +## Example + +**Request** + +Here is an example of a request that gets all Ti Indicators + +``` +GET https://api.securitycenter.windows.com/api/tiindicators +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators", + "value": [ + { + "indicator": "12.13.14.15", + "indicatorType": "IpAddress", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "test" + }, + { + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..e3cc47f323 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,41 @@
+---
+title: TiIndicator resource type
+description: TiIndicator entity description.
+keywords: apis, supported apis, get, TiIndicator, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# TiIndicator resource type
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+Method|Return Type |Description
+:---|:---|:---
+[List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | List [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
+title | String | Ti indicator title.
+creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
+createdBy | String | Identity of the user/application that created the indicator.
+expirationTime | DateTimeOffset | The expiration time of the indicator
+action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
+description | String | Description of the indicator.
+recommendedActions | String | Recommended actions for the indicator.
+
+
From a7ee8fea98aceeb08580073b5f736cb7d2d87fc6 Mon Sep 17 00:00:00 2001
From: Ben Alfasi Date: Thu, 25 Oct 2018 09:11:11 +0300 Subject: [PATCH 03/16] s --- windows/security/threat-protection/TOC.md | 4 ++++ .../security/threat-protection/windows-defender-atp/TOC.md | 3 +++ 2 files changed, 7 insertions(+) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 8cb9e6a5b1..212cd5618f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -350,6 +350,10 @@ ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) + +####### [Ti Indicator](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md) +######## [List TiIndicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) + ###### How to use APIs - Samples ####### Advanced Hunting API ######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 71c2a82d6f..fdf3ee51b8 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md 
@@ -287,6 +287,9 @@ ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) ####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) +###### [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) +####### [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) + ##### How to use APIs - Samples ###### Advanced Hunting API ####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) From 0a9bbd5920827b7816e223f069a912a2bf72e144 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 25 Oct 2018 09:52:49 +0300 Subject: [PATCH 04/16] s --- ...defender-advanced-threat-protection-new.md | 113 ++++++++++++++++++ ...defender-advanced-threat-protection-new.md | 2 +- 2 files changed, 114 insertions(+), 1 deletion(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..7fdf4d6915 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,113 @@
+---
+title: Submit Ti Indicator API
+description: Use this API to submit Ti Indicator.
+keywords: apis, graph api, supported apis, submit, ti, ti indicator
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Submit Ti Indicator API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Submits new [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti_ReadWrite | 'Read and write Ti Indicators'
+
+
+## HTTP request
+```
+POST https://api.securitycenter.windows.com/api/tiindicators
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
+indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+title | String | Ti indicator title.
+expirationTime | DateTimeOffset | The expiration time of the indicator. +action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** +severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". +description | String | Description of the indicator. +recommendedActions | String | Recommended actions for the indicator. + + +## Response +If successful, this method returns 201 - Created response code and the created [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/tiindicators +Content-type: application/json +{ + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` 
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md index e3cc47f323..d194ebfcf3 100644 --- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -31,7 +31,7 @@ indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defende indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" title | String | Ti indicator title. creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. -createdBy | String | Identity of the user/application that created the indicator. +createdBy | String | Identity of the user/application that submitted the indicator. expirationTime | DateTimeOffset | The expiration time of the indicator action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed" severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High" From 8617788970cad13b41f7574fc5e21a9fbd161748 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 25 Oct 2018 10:10:00 +0300 Subject: [PATCH 05/16] s --- windows/security/threat-protection/TOC.md | 1 + .../security/threat-protection/windows-defender-atp/TOC.md | 1 + ...lection-windows-defender-advanced-threat-protection-new.md | 4 ++-- ...dicator-windows-defender-advanced-threat-protection-new.md | 4 +++- 4 files changed, 7 insertions(+), 3 deletions(-) 
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 212cd5618f..5847327d5d 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -353,6 +353,7 @@ ####### [Ti Indicator](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md) ######## [List TiIndicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) +######## [Submit TiIndicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md) ###### How to use APIs - Samples ####### Advanced Hunting API diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index fdf3ee51b8..dce77004ba 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -289,6 +289,7 @@ ###### [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) ####### [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) +####### [Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) ##### How to use APIs - Samples ###### Advanced Hunting API diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md index a4dc9a8ac3..ccc20899c0 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md 
@@ -41,6 +41,8 @@ Application | Ti_ReadWrite | 'Read and write Ti Indicators' GET https://api.securitycenter.windows.com/api/tiindicators ``` +[!include[Improve request performance](improverequestperformance-new.md)] + ## Request headers Name | Type | Description @@ -68,8 +70,6 @@ Here is an example of a request that gets all Ti Indicators GET https://api.securitycenter.windows.com/api/tiindicators ``` -[!include[Improve request performance](improverequestperformance-new.md)] - **Response** Here is an example of the response. diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md index d194ebfcf3..ff7490cb45 100644 --- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md 
@@ -22,7 +22,9 @@ ms.date: 12/08/2017 Method|Return Type |Description :---|:---|:--- -[List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | List [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. +[List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. +[Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. + # Properties Property | Type | Description From f4e25119980203f620b9afe87e434866a865e6ab Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 25 Oct 2018 10:24:04 +0300 Subject: [PATCH 06/16] s --- windows/security/threat-protection/TOC.md | 1 + .../windows-defender-atp/TOC.md | 1 + ...defender-advanced-threat-protection-new.md | 92 +++++++++++++++++++ ...defender-advanced-threat-protection-new.md | 1 + 4 files changed, 95 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 5847327d5d..0d23d46f02 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
@@ -352,6 +352,7 @@ ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) ####### [Ti Indicator](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md) +######## [Get TiIndicator by ID](windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) ######## [List TiIndicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) ######## [Submit TiIndicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index dce77004ba..0f3417f61c 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -289,6 +289,7 @@ ###### [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) ####### [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) +####### [Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) ####### [Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) ##### How to use APIs - Samples diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5363e99022 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,92 @@
+---
+title: Get Ti Indicator by ID API
+description: Retrieves Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, get, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get Ti Indicator by ID API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a Ti Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti_ReadWrite | 'Read and write Ti Indicators'
+
+
+## HTTP request
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If Ti Indicator with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "test",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "Informational",
+ "description": "test",
+ "recommendedActions": "TEST"
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
index ff7490cb45..9378118bc3 100644
--- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -23,6 +23,7 @@ ms.date: 12/08/2017
 Method|Return Type |Description
 :---|:---|:---
 [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+[Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 [Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
From c4be1c7e9a34461800441157a969b70512845266 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Thu, 25 Oct 2018 10:27:24 +0300
Subject: [PATCH 07/16] s
---
 ...dicator-windows-defender-advanced-threat-protection-new.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
index 7fdf4d6915..06d719aea1 100644
--- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -22,9 +22,11 @@ ms.date: 12/08/2017
 **Applies to:**
+
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Submits new [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+- Submits new [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
From aeb9f1e9605b0480f53a00ade4da0c12e29af1d7 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Thu, 25 Oct 2018 10:30:44 +0300
Subject: [PATCH 08/16] s
---
 ...r-by-id-windows-defender-advanced-threat-protection-new.md | 2 +-
 ...lection-windows-defender-advanced-threat-protection-new.md | 2 +-
 ...dicator-windows-defender-advanced-threat-protection-new.md | 4 ++--
 ...dicator-windows-defender-advanced-threat-protection-new.md | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
index 5363e99022..9bccb48149 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -31,7 +31,7 @@ One of the following permissions is required to call this API. To learn more, in
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | Ti_ReadWrite | 'Read and write Ti Indicators'
+Application | Ti.ReadWrite | 'Read and write Ti Indicators'
 ## HTTP request
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
index ccc20899c0..a20702696c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
@@ -33,7 +33,7 @@ One of the following permissions is required to call this API. To learn more, in
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | Ti_ReadWrite | 'Read and write Ti Indicators'
+Application | Ti.ReadWrite | 'Read and write Ti Indicators'
 ## HTTP request
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
index 06d719aea1..e6ca8b30aa 100644
--- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -33,7 +33,7 @@ One of the following permissions is required to call this API. To learn more, in
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | Ti_ReadWrite | 'Read and write Ti Indicators'
+Application | Ti.ReadWrite | 'Read and write Ti Indicators'
 ## HTTP request
@@ -58,9 +58,9 @@ Parameter | Type | Description
 :---|:---|:---
 indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
 title | String | Ti indicator title.
 expirationTime | DateTimeOffset | The expiration time of the indicator.
-action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
 severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
 description | String | Description of the indicator.
 recommendedActions | String | Recommended actions for the indicator.
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
index 9378118bc3..3316f2755c 100644
--- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -36,7 +36,7 @@ title | String | Ti indicator title.
 creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
 createdBy | String | Identity of the user/application that submitted the indicator.
 expirationTime | DateTimeOffset | The expiration time of the indicator
-action | Enum | The action that will be taken when the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
+action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
 severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
 description | String | Description of the indicator.
 recommendedActions | String | Recommended actions for the indicator.
From 8c849a40aff9f43742e907ca2dd7b1cba90d6d43 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Thu, 25 Oct 2018 11:37:45 +0300
Subject: [PATCH 09/16] s
---
 windows/security/threat-protection/TOC.md | 1 +
 .../windows-defender-atp/TOC.md | 1 +
 ...defender-advanced-threat-protection-new.md | 1 +
 ...defender-advanced-threat-protection-new.md | 4 +-
 ...defender-advanced-threat-protection-new.md | 105 ++++++++++++++++++
 5 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 0d23d46f02..7bfd43887d 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -355,6 +355,7 @@
 ######## [Get TiIndicator by ID](windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
 ######## [List TiIndicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
 ######## [Submit TiIndicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [Update TiIndicator](windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md)
 ###### How to use APIs - Samples
 ####### Advanced Hunting API
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 0f3417f61c..04c42b236f 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -291,6 +291,7 @@
 ####### [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
 ####### [Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
 ####### [Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [Update TiIndicator](update-ti-indicator-windows-defender-advanced-threat-protection-new.md)
 ##### How to use APIs - Samples
 ###### Advanced Hunting API
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
index 3316f2755c..7591eb7ea2 100644
--- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -25,6 +25,7 @@ Method|Return Type |Description
 [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
 [Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 [Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Update TiIndicator](update-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Updates [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 # Properties
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
index 37d8b92160..1ce73605cf 100644
--- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
@@ -49,13 +49,13 @@ Content-Type | String | application/json. **Required**.
 ## Request body
-In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on tchanges to other property values. For best performance you shouldn't include existing values that haven't change.
+In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
 Property | Type | Description
 :---|:---|:---
 status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
 assignedTo | String | Owner of the alert
-classification | String | Speficies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
 determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
diff --git a/windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..39402786b5
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,105 @@
+---
+title: Update Ti Indicator
+description: Updates a specific Ti Indicator
+keywords: apis, public api, supported apis, patch, update, ti indicator, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Update TiIndicator
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+- Update the properties of an alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write Ti Indicators'
+
+
+## HTTP request
+```
+PATCH https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+
+## Request body
+In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
+
+Property | Type | Description
+:---|:---|:---
+expirationTime | DateTimeOffset | The expiration time of the indicator.
+title | String | Ti indicator title.
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
+description | String | Description of the indicator.
+recommendedActions | String | Recommended actions for the indicator.
+
+## Response
+If successful, this method returns 200 - OK, and the updated [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+In case of incorrect Body, the return type will be 400 - Bad request, with message that indicates the reason.
+If the Ti Indicator is not exist, 404 - Not found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+```
+PATCH https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+Content-Type: application/json
+{
+ "title": "Ben2",
+ "severity": "High",
+ "description": "test2",
+ "expirationTime": "2020-12-12T00:00:00Z"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
+ "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
+ "indicatorType": "FileSha1",
+ "title": "Ben2",
+ "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
+ "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
+ "expirationTime": "2020-12-12T00:00:00Z",
+ "action": "AlertAndBlock",
+ "severity": "High",
+ "description": "test",
+ "recommendedActions": "TEST2"
+}
+```
From c33f51f67c28e02e5052b3ce9c24be67d21df891 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Thu, 25 Oct 2018 12:54:09 +0300
Subject: [PATCH 10/16] s
---
 windows/security/threat-protection/TOC.md | 6 +-
 .../windows-defender-atp/TOC.md | 4 +-
 ...defender-advanced-threat-protection-new.md | 77 +++++++++++++
 ...defender-advanced-threat-protection-new.md | 14 +-
 ...defender-advanced-threat-protection-new.md | 4 +-
 ...defender-advanced-threat-protection-new.md | 105 ------------------
 6 files changed, 91 insertions(+), 119 deletions(-)
 create mode 100644 windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
 delete mode 100644 windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 7bfd43887d..2a3bb8ddea 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -352,10 +352,10 @@
 ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
 ####### [Ti Indicator](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md)
-######## [Get TiIndicator by ID](windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
 ######## [List TiIndicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
-######## [Submit TiIndicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
-######## [Update TiIndicator](windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [Get TiIndicator by ID](windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Submit or Update TiIndicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [Delete TiIndicator](windows-defender-atp/delete-ti-indicator-windows-defender-advanced-threat-protection-new.md)
 ###### How to use APIs - Samples
 ####### Advanced Hunting API
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 04c42b236f..5776de1442 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -290,8 +290,8 @@
 ###### [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md)
 ####### [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
 ####### [Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
-####### [Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
-####### [Update TiIndicator](update-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [Submit or Update TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [Delete TiIndicator](delete-ti-indicator-windows-defender-advanced-threat-protection-new.md)
 ##### How to use APIs - Samples
 ###### Advanced Hunting API
diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..bad34080f3
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,77 @@
+---
+title: Delete Ti Indicator.
+description: Deletes Ti Indicator entity by ID.
+keywords: apis, public api, supported apis, delete, ti indicator, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Delete Ti Indicator API
+
+[!include[Prerelease information](prerelease.md)]
+
+>[!Note]
+> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
+
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Retrieves a Ti Indicator entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Read and write Ti Indicators'
+
+
+## HTTP request
+```
+Delete https://api.securitycenter.windows.com/api/tiindicators/{id}
+```
+
+[!include[Improve request performance](improverequestperformance-new.md)]
+
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 204 OK without content.
+If Ti Indicator with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 204 NO CONTENT
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
index e6ca8b30aa..a947298374 100644
--- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -1,7 +1,7 @@
 ---
-title: Submit Ti Indicator API
-description: Use this API to submit Ti Indicator.
-keywords: apis, graph api, supported apis, submit, ti, ti indicator
+title: Submit or Update Ti Indicator API
+description: Use this API to submit or Update Ti Indicator.
+keywords: apis, graph api, supported apis, submit, ti, ti indicator, update
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Submit Ti Indicator API
+# Submit or Update Ti Indicator API
 [!include[Prerelease information](prerelease.md)]
@@ -25,7 +25,7 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-- Submits new [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+- Submits or Updates new [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 ## Permissions
@@ -67,7 +67,7 @@ recommendedActions | String | Recommended actions for the indicator.
 ## Response
-If successful, this method returns 201 - Created response code and the created [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) in the response body.
+If successful, this method returns 200 - OK response code and the created / updated [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
 ## Example
@@ -96,7 +96,7 @@ Content-type: application/json
 Here is an example of the response.
 ```
-HTTP/1.1 201 Created
+HTTP/1.1 200 OK
 Content-type: application/json
 {
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
index 7591eb7ea2..36bff33024 100644
--- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -24,8 +24,8 @@ Method|Return Type |Description
 :---|:---|:---
 [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
 [Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
-[Submit TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
-[Update TiIndicator](update-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Updates [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Submit or Update TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Delete TiIndicator](delete-ti-indicator-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 # Properties
diff --git a/windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md
deleted file mode 100644
index 39402786b5..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/update-ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Update Ti Indicator
-description: Updates a specific Ti Indicator
-keywords: apis, public api, supported apis, patch, update, ti indicator, information, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 12/08/2017
----
-
-# Update TiIndicator
-
-[!include[Prerelease information](prerelease.md)]
-
->[!Note]
-> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information)
-
-
-**Applies to:**
-
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-- Update the properties of an alert entity.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Ti Indicators'
-
-
-## HTTP request
-```
-PATCH https://api.securitycenter.windows.com/api/tiindicators/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
-
-
-## Request body
-In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
-
-Property | Type | Description
-:---|:---|:---
-expirationTime | DateTimeOffset | The expiration time of the indicator.
-title | String | Ti indicator title.
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
-description | String | Description of the indicator.
-recommendedActions | String | Recommended actions for the indicator.
-
-## Response
-If successful, this method returns 200 - OK, and the updated [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
-In case of incorrect Body, the return type will be 400 - Bad request, with message that indicates the reason.
-If the Ti Indicator is not exist, 404 - Not found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](improverequestperformance-new.md)]
-
-```
-PATCH https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
-Content-Type: application/json
-{
- "title": "Ben2",
- "severity": "High",
- "description": "test2",
- "expirationTime": "2020-12-12T00:00:00Z"
-}
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity",
- "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "title": "Ben2",
- "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
- "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c",
- "expirationTime": "2020-12-12T00:00:00Z",
- "action": "AlertAndBlock",
- "severity": "High",
- "description": "test",
- "recommendedActions": "TEST2"
-}
-```
From 943b274b622abaaf1193e4fb9440c3f34c6ef85c Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Thu, 25 Oct 2018 14:57:53 +0300
Subject: [PATCH 11/16] s
---
 ...dicator-windows-defender-advanced-threat-protection-new.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
index a947298374..c85c4bbb6f 100644
--- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -67,8 +67,8 @@ recommendedActions | String | Recommended actions for the indicator.
 ## Response
-If successful, this method returns 200 - OK response code and the created / updated [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
-
+- If successful, this method returns 200 - OK response code and the created / updated [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
+- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a Ti Indicator with existing indicator value but with different Indicator type or Action.
 ## Example
From 20d62cdc00f6a21468a8b6e5b3c75c72592367a0 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 28 Oct 2018 08:27:23 +0200
Subject: [PATCH 12/16] s
---
 windows/security/threat-protection/TOC.md | 10 +++++-----
 .../threat-protection/windows-defender-atp/TOC.md | 10 +++++-----
 ...dows-defender-advanced-threat-protection-new.md | 10 +++++-----
 ...dows-defender-advanced-threat-protection-new.md | 10 +++++-----
 ...dows-defender-advanced-threat-protection-new.md | 12 ++++++------
 ...dows-defender-advanced-threat-protection-new.md | 14 +++++++-------
 ...dows-defender-advanced-threat-protection-new.md | 12 ++++++------
 7 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index 2a3bb8ddea..b2568ff5d9 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -351,11 +351,11 @@
 ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [Ti Indicator](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md)
-######## [List TiIndicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
-######## [Get TiIndicator by ID](windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
-######## [Submit or Update TiIndicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
-######## [Delete TiIndicator](windows-defender-atp/delete-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [TI Indicator](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [List TI Indicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
+######## [Get TI Indicator by ID](windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
+######## [Submit TI Indicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+######## [Delete TI Indicator](windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
 ###### How to use APIs - Samples
 ####### Advanced Hunting API
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 5776de1442..273cc66efe 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -287,11 +287,11 @@
 ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
-###### [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md)
-####### [List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
-####### [Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
-####### [Submit or Update TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
-####### [Delete TiIndicator](delete-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+###### [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
+####### [Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
+####### [Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
+####### [Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
 ##### How to use APIs - Samples
 ###### Advanced Hunting API
diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
index bad34080f3..b0d3efb765 100644
--- a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Delete Ti Indicator API
+# Delete TI Indicator API
 [!include[Prerelease information](prerelease.md)]
@@ -24,14 +24,14 @@ ms.date: 12/08/2017
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a Ti Indicator entity by ID.
+Retrieves a TI Indicator entity by ID.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Ti Indicators'
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
 ## HTTP request
@@ -53,8 +53,8 @@ Authorization | String | Bearer {token}. **Required**.
 Empty
 ## Response
-If successful and machine exists - 204 OK without content.
-If Ti Indicator with the specified id was not found - 404 Not Found.
+If TI Indicator exist and deleted successfully - 204 OK without content.
+If TI Indicator with the specified id was not found - 404 Not Found.
 ## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
index 9bccb48149..ccd438a908 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Get Ti Indicator by ID API
+# Get TI Indicator by ID API
 [!include[Prerelease information](prerelease.md)]
@@ -24,14 +24,14 @@ ms.date: 12/08/2017
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a Ti Indicator entity by ID.
+Retrieves a TI Indicator entity by ID.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Ti Indicators'
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
 ## HTTP request
@@ -53,8 +53,8 @@ Authorization | String | Bearer {token}. **Required**.
 Empty
 ## Response
-If successful and machine exists - 200 OK with the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
-If Ti Indicator with the specified id was not found - 404 Not Found.
+If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If TI Indicator with the specified id was not found - 404 Not Found.
 ## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
index a20702696c..d2c398ee0f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md
@@ -25,15 +25,15 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Gets collection of Ti Indicators.
- Get TiIndicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
+ Gets collection of TI Indicators.
+ Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Ti Indicators'
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
 ## HTTP request
@@ -54,17 +54,17 @@ Authorization | String | Bearer {token}. **Required**.
 Empty
 ## Response
-If successful, this method returns 200, Ok response code with a collection of [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
 >[!Note]
-> The response will only include Ti Indicators that submitted by the calling Application.
+> The response will only include TI Indicators that submitted by the calling Application.
 ## Example
 **Request**
-Here is an example of a request that gets all Ti Indicators
+Here is an example of a request that gets all TI Indicators
 ```
 GET https://api.securitycenter.windows.com/api/tiindicators
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
index c85c4bbb6f..59030b2ebd 100644
--- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Submit or Update Ti Indicator API
+# Submit or Update TI Indicator API
 [!include[Prerelease information](prerelease.md)]
@@ -25,7 +25,7 @@ ms.date: 12/08/2017
 ---
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-- Submits or Updates new [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 ## Permissions
@@ -33,7 +33,7 @@ One of the following permissions is required to call this API. To learn more, in
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Ti Indicators'
+Application | Ti.ReadWrite | 'Read and write TI Indicators'
 ## HTTP request
@@ -56,10 +56,10 @@ In the request body, supply a JSON object with the following parameters:
 Parameter | Type | Description
 :---|:---|:---
-indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
 action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-title | String | Ti indicator title.
+title | String | TI indicator title.
 expirationTime | DateTimeOffset | The expiration time of the indicator.
 severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
 description | String | Description of the indicator.
@@ -67,8 +67,8 @@ recommendedActions | String | Recommended actions for the indicator.
 ## Response
-- If successful, this method returns 200 - OK response code and the created / updated [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
-- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a Ti Indicator with existing indicator value but with different Indicator type or Action.
+- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body.
+- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action.
 ## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
index 36bff33024..3d3df87d11 100644
--- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# TiIndicator resource type
+# TI(threat intelligence) Indicator resource type
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -22,16 +22,16 @@ ms.date: 12/08/2017
 Method|Return Type |Description
 :---|:---|:---
-[List TiIndicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
-[Get TiIndicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
-[Submit or Update TiIndicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
-[Delete TiIndicator](delete-ti-indicator-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities.
+[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 # Properties
 Property | Type | Description
 :---|:---|:---
-indicator | String | Identity of the [Ti Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
+indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
 title | String | Ti indicator title.
 creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
From 2cb8a34f95d68b4cf9e53bf9bc9a6e1255d62ba5 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 28 Oct 2018 13:05:15 +0200
Subject: [PATCH 13/16] s
---
 ...-windows-defender-advanced-threat-protection-new.md | 10 +++++-----
 ...-windows-defender-advanced-threat-protection-new.md | 4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
index 59030b2ebd..1a2575ea36 100644
--- a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -59,11 +59,11 @@ Parameter | Type | Description
 indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required**
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
 action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-title | String | TI indicator title.
-expirationTime | DateTimeOffset | The expiration time of the indicator.
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
-description | String | Description of the indicator.
-recommendedActions | String | Recommended actions for the indicator.
+title | String | TI indicator alert title. **Optional**
+expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
+severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+description | String | Description of the indicator. **Optional**
+recommendedActions | String | TI indicator alert recommended actions. **Optional**
 ## Response
diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
index 3d3df87d11..d8693cd298 100644
--- a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md
@@ -33,13 +33,13 @@ Property | Type | Description
 :---|:---|:---
 indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity.
 indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url"
-title | String | Ti indicator title.
+title | String | Ti indicator alert title.
 creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
 createdBy | String | Identity of the user/application that submitted the indicator.
 expirationTime | DateTimeOffset | The expiration time of the indicator
 action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed"
 severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High"
 description | String | Description of the indicator.
-recommendedActions | String | Recommended actions for the indicator.
+recommendedActions | String | TI indicator alert recommended actions.
From 9a1053054c5bd7fc28e6e378a5be95bf4a7a3e8c Mon Sep 17 00:00:00 2001
From: David Laufer
Date: Mon, 5 Nov 2018 09:32:35 +0200
Subject: [PATCH 14/16] Fix Advanced Hunting with Power BI
---
 ...advanced-query-sample-power-bi-user-token.md | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
index 202d338c71..b065578d98 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md
@@ -47,15 +47,12 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
 let
 Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId",
-
- AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run",
-
- Response = Json.Document(Web.Contents(
- AdvancedHuntingUrl,
- [
- Query=[#"queryText"=Query]
- ]
- )),
+
+ FormattedQuery= Uri.EscapeDataString(Query),
+
+ AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery,
+
+ Response = Json.Document(Web.Contents(AdvancedHuntingUrl)),
 TypeMap = #table(
 { "Type", "PowerBiType" },
@@ -83,7 +80,7 @@ You first need to [create an app](exposed-apis-create-app-nativeapp.md).
 Results = Response[Results],
 Rows = Table.FromRecords(Results, Schema[Name]),
 Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
-
+
 in
 Table
 ```
From fcc1cac35a4ad1f91f7d35b194fb55393b04c403 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Thu, 8 Nov 2018 11:25:05 +0200
Subject: [PATCH 15/16] Hide TI Indicators from the navigation bar
---
 windows/security/threat-protection/TOC.md | 6 ------
 .../security/threat-protection/windows-defender-atp/TOC.md | 6 ------
 2 files changed, 12 deletions(-)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index b2568ff5d9..27b8022e11 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -351,12 +351,6 @@
 ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
-####### [TI Indicator](windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md)
-######## [List TI Indicators](windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
-######## [Get TI Indicator by ID](windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
-######## [Submit TI Indicator](windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
-######## [Delete TI Indicator](windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
-
 ###### How to use APIs - Samples
 ####### Advanced Hunting API
 ######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 273cc66efe..71c2a82d6f 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -287,12 +287,6 @@
 ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
 ####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
-###### [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md)
-####### [List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md)
-####### [Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
-####### [Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md)
-####### [Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md)
-
 ##### How to use APIs - Samples
 ###### Advanced Hunting API
 ####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
From afd83cf3acc50c1d41d8ea45a688ac8bd454da57 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Thu, 8 Nov 2018 14:21:40 +0200
Subject: [PATCH 16/16] remove file name
---
 .../custom-ti-api-windows-defender-advanced-threat-protection.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 229300b01e..c7717dff75 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -186,7 +186,6 @@ The API currently supports the following IOC types:
 - Sha1
 - Sha256
 - Md5
-- FileName
 - IpAddress
 - DomainName