diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 7fd2c3cd5a..3c5cf80686 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -3256,7 +3256,7 @@ The following list shows the supported values:
> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
+> This policy is *only* recommended for managing mobile devices. If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 1d4d3a7e86..310b0192c6 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -17,7 +17,7 @@ ms.date: 02/23/2018
The Update configuration service provider enables IT administrators to manage and control the rollout of new updates.
> [!Note]
-> All aspects of the Update CSP aside from Rollback are not recommended for managing desktop devices. To manage desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation. Rollback can be used for desktop devices on 1803 and above.
+> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
The following diagram shows the Update configuration service provider in tree format.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
index ab95bacbee..16abf999ea 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md
@@ -35,6 +35,12 @@ The following Windows Autopilot scenarios are described in this guide:
| Pre-provision a device with up-to-date applications, policies and settings.| [White glove](white-glove.md) |
| Deploy Windows 10 on an existing Windows 7 or 8.1 device | [Windows Autopilot for existing devices](existing-devices.md) |
+These scenarios are summarized in the following video.
+
+
+
+> [!video https://www.microsoft.com/videoplayer/embed/RE4Ci1b?autoplay=false]
+
## Windows Autopilot capabilities
### Windows Autopilot is self-updating during OOBE
diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md
index cf333e1a55..16e1781d6e 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot.md
@@ -25,9 +25,13 @@ ms.topic: article
Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices. This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple.
-Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following diagram:
+Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. See the following video and diagram:
- 
+
+
+> [!video https://www.microsoft.com/videoplayer/embed/RE4C7G9?autoplay=false]
+
+
When initially deploying new Windows devices, Windows Autopilot leverages the OEM-optimized version of Windows 10 that is preinstalled on the device, saving organizations the effort of having to maintain custom images and drivers for every model of device being used. Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state, applying settings and policies, installing apps, and even changing the edition of Windows 10 being used (e.g. from Windows 10 Pro to Windows 10 Enterprise) to support advanced features.
@@ -40,16 +44,6 @@ Windows Autopilot enables you to:
* Create and auto-assign devices to configuration groups based on a device's profile.
* Customize OOBE content specific to the organization.
-## Windows Autopilot walkthrough
-
-The following video shows the process of setting up Windows Autopilot:
-
-
-
-
-
-This video is also available [here](https://www.microsoft.com/videoplayer/embed/RE4ATOx).
-
## Benefits of Windows Autopilot
Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach.
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 0b032dbbdc..6a70672f7a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -99,7 +99,9 @@ Windows Hello for Business with a key does not support RDP. RDP does not support
## Learn more
-[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/implementing-windows-hello-for-business-at-microsoft)
+[Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business)
+
+[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 0a946cec7c..ad435fd8ad 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -95,7 +95,7 @@ Microsoft Defender Application Guard accesses files from a VHD mounted on the ho
### Why do the Network Isolation policies in Group Policy and CSP look different?
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatary network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
@@ -107,3 +107,7 @@ Windows Defender Application Guard accesses files from a VHD mounted on the host
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
+
+Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index e8811269cd..820026e626 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -49,9 +49,9 @@ lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert.
-investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
+incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
+investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
+investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
@@ -61,6 +61,8 @@ category| String | Category of the alert.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
+computerDnsName | String | [machine](machine.md) fully qualified name.
+aadTenantId | String | The Azure Active Directory ID.
comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
### Response example for getting single alert:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
index 908028109d..37e873ced5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
@@ -29,98 +29,172 @@ Not all properties are filterable.
## Properties that supports $filter:
-- [Alert](alerts.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
-- [Machine](machine.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
-- [MachineAction](machineaction.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
+- [Alert](alerts.md): ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category```.
+- [Machine](machine.md): ```ComputerDnsName```, ```LastSeen```, ```HealthStatus```, ```OsPlatform```, ```RiskScore``` and ```RbacGroupId```.
+- [MachineAction](machineaction.md): ```Status```, ```MachineId```, ```Type```, ```Requestor``` and ```CreationDateTimeUtc```.
+- [Indicator](ti-indicator.md): ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```severity ``` and ```action ```.
### Example 1
-Get all the devices with the tag 'ExampleTag'
+Get 10 latest Alerts with related Evidence
```
-HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
+HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
- {
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "ExampleTag" ]
- },
- ...
- ]
+ {
+ "id": "da637306396589640224_1753239473",
+ "incidentId": 875832,
+ "investigationId": 478434,
+ "assignedTo": null,
+ "severity": "Low",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "PendingApproval",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "UnwantedSoftware",
+ "threatFamilyName": "InstallCore",
+ "title": "An active 'InstallCore' unwanted software was detected",
+ "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+ "firstEventTime": "2020-07-18T03:25:39.6124549Z",
+ "lastEventTime": "2020-07-18T03:26:18.4362304Z",
+ "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "resolvedTime": null,
+ "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+ "computerDnsName": "temp2.redmond.corp.microsoft.com",
+ "rbacGroupName": "Ring0",
+ "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "relatedUser": {
+ "userName": "temp2",
+ "domainName": "REDMOND"
+ },
+ "comments": [],
+ "evidence": [
+ {
+ "entityType": "File",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "Process",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": 24348,
+ "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+ "processCreationTime": "2020-07-18T03:25:38.5269993Z",
+ "parentProcessId": 16840,
+ "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "User",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": "temp2",
+ "domainName": "REDMOND",
+ "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+ "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+ "userPrincipalName": "temp2@microsoft.com"
+ }
+ ]
+ },
+ ...
+ ]
}
```
### Example 2
-Get all the alerts that created after 2018-10-20 00:00:00
+Get all the alerts last updated after 2019-10-20 00:00:00
```
-HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
+HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z
```
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "investigationState": "Running",
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+ "id": "da637308392288907382_-880718168",
+ "incidentId": 7587,
+ "investigationId": 723156,
+ "assignedTo": "secop123@contoso.com",
+ "severity": "Low",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": null,
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "SuspiciousActivity",
+ "threatFamilyName": "Meterpreter",
+ "title": "Suspicious 'Meterpreter' behavior was detected",
+ "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
+ "firstEventTime": "2020-07-20T10:52:17.6654369Z",
+ "lastEventTime": "2020-07-20T10:52:18.1362905Z",
+ "lastUpdateTime": "2020-07-20T10:53:50.19Z",
+ "resolvedTime": null,
+ "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "MiddleEast",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "relatedUser": {
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
"comments": [
{
"comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2020-07-21T01:00:37.8404534Z"
}
- ]
- },
- ...
- ]
+ ],
+ "evidence": []
+ }
+ ...
+ ]
}
```
@@ -134,9 +208,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
@@ -175,9 +247,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStat
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
@@ -216,9 +286,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
@@ -257,10 +325,8 @@ HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requ
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
+```json
+json{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
@@ -291,10 +357,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415
**Response:**
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-
+```json
4
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index dc8f29bd61..b86855ce76 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -26,7 +26,11 @@ ms.topic: article
## API description
Retrieves a collection of Alerts.
Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+ OData supported operators:
+ ```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+ ```$top``` with max value of 10,000
+ ```$skip```
+ ```$expand``` of ```evidence```
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
@@ -70,14 +74,14 @@ Empty
If successful, this method returns 200 OK, and a list of [alert](alerts.md) objects in the response body.
-## Example
+## Example 1 - Default
**Request**
Here is an example of the request.
```
-GET https://api.securitycenter.windows.com/api/alerts
+GET https://api.securitycenter.microsoft.com/api/alerts
```
[!include[Improve request performance](../../includes/improve-request-performance.md)]
@@ -93,41 +97,167 @@ Here is an example of the response.
```json
{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "investigationState": "Running",
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
+ "id": "da637308392288907382_-880718168",
+ "incidentId": 7587,
+ "investigationId": 723156,
+ "assignedTo": "secop123@contoso.com",
+ "severity": "Low",
+ "status": "New",
+ "classification": "TruePositive",
+ "determination": null,
+ "investigationState": "Queued",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "SuspiciousActivity",
+ "threatFamilyName": "Meterpreter",
+ "title": "Suspicious 'Meterpreter' behavior was detected",
+ "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
+ "firstEventTime": "2020-07-20T10:52:17.6654369Z",
+ "lastEventTime": "2020-07-20T10:52:18.1362905Z",
+ "lastUpdateTime": "2020-07-20T10:53:50.19Z",
+ "resolvedTime": null,
+ "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
+ "computerDnsName": "temp123.middleeast.corp.microsoft.com",
+ "rbacGroupName": "MiddleEast",
+ "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
+ "relatedUser": {
+ "userName": "temp123",
+ "domainName": "MIDDLEEAST"
+ },
"comments": [
{
"comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
+ "createdBy": "secop123@contoso.com",
+ "createdTime": "2020-07-21T01:00:37.8404534Z"
}
- ]
+ ],
+ "evidence": []
}
...
]
}
```
+## Example 2 - Get 10 latest Alerts with related Evidence
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
+```
+
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
+
+
+```json
+{
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "da637306396589640224_1753239473",
+ "incidentId": 875832,
+ "investigationId": 478434,
+ "assignedTo": null,
+ "severity": "Low",
+ "status": "New",
+ "classification": null,
+ "determination": null,
+ "investigationState": "PendingApproval",
+ "detectionSource": "WindowsDefenderAv",
+ "category": "UnwantedSoftware",
+ "threatFamilyName": "InstallCore",
+ "title": "An active 'InstallCore' unwanted software was detected",
+ "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
+ "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
+ "firstEventTime": "2020-07-18T03:25:39.6124549Z",
+ "lastEventTime": "2020-07-18T03:26:18.4362304Z",
+ "lastUpdateTime": "2020-07-18T03:28:19.76Z",
+ "resolvedTime": null,
+ "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
+ "computerDnsName": "temp2.redmond.corp.microsoft.com",
+ "rbacGroupName": "Ring0",
+ "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
+ "relatedUser": {
+ "userName": "temp2",
+ "domainName": "REDMOND"
+ },
+ "comments": [],
+ "evidence": [
+ {
+ "entityType": "File",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "Process",
+ "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
+ "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
+ "fileName": "Your File Is Ready To Download_1911150169.exe",
+ "filePath": "C:\\Users\\temp2\\Downloads",
+ "processId": 24348,
+ "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
+ "processCreationTime": "2020-07-18T03:25:38.5269993Z",
+ "parentProcessId": 16840,
+ "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
+ "ipAddress": null,
+ "url": null,
+ "accountName": null,
+ "domainName": null,
+ "userSid": null,
+ "aadUserId": null,
+ "userPrincipalName": null
+ },
+ {
+ "entityType": "User",
+ "sha1": null,
+ "sha256": null,
+ "fileName": null,
+ "filePath": null,
+ "processId": null,
+ "processCommandLine": null,
+ "processCreationTime": null,
+ "parentProcessId": null,
+ "parentProcessCreationTime": null,
+ "ipAddress": null,
+ "url": null,
+ "accountName": "temp2",
+ "domainName": "REDMOND",
+ "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
+ "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
+ "userPrincipalName": "temp2@microsoft.com"
+ }
+ ]
+ },
+ ...
+ ]
+}
+```
+
+
## Related topics
- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
index de0e5c2508..3ec0c82630 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
@@ -1,5 +1,5 @@
---
-title: Get all vulnerabilities by Machine and Software
+title: Get all vulnerabilities by machine and software
description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
search.product: eADQiWindows 10XVcnh
@@ -16,13 +16,14 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# List vulnerabilities by Machine and Software
+# List vulnerabilities by machine and software
+
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Retrieves a list of all the vulnerabilities affecting the organization per [Machine](machine.md) and [Software](software.md).
- If the vulnerability has a fixing KB, it will appear in the response.
- Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData ```$filter``` is supported on all properties.
+Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).
+- If the vulnerability has a fixing KB, it will appear in the response.
+- Supports [OData V4 queries](https://www.odata.org/documentation/).
+- The OData ```$filter``` is supported on all properties.
>[!Tip]
>This is great API for [Power BI integration](api-power-bi.md).
@@ -100,5 +101,6 @@ Here is an example of the response.
```
## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
+
+- [Risk-based threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index e46fe6e5cd..74c8253d5d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -26,7 +26,7 @@ ms.topic: article
## API description
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud on the last 30 days.
Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```lastIpAddress```, ```healthStatus```, ```osPlatform```, ```riskScore```, ```rbacGroupId``` and ```machineTags``` properties.
+ The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```healthStatus```, ```osPlatform```, ```riskScore``` and ```rbacGroupId```.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
index 05fb5adc3b..0f1e02ecd1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
@@ -110,6 +110,7 @@ See the following topics for related APIs:
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
+- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
## Related topics