From c5a2e0f2dc0a3a53aaa3859d7b94386a9dcfe6d7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 5 Sep 2017 11:58:19 -0700 Subject: [PATCH] add apis --- ...ows-defender-advanced-threat-protection.md | 100 ++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 67 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 77 ++++++++++++++ ...ows-defender-advanced-threat-protection.md | 73 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 69 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 71 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 73 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 73 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 68 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 71 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 75 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 74 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 72 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 69 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 70 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 74 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 72 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 73 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 74 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 72 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 69 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 72 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 71 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 73 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 76 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 70 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 74 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 72 +++++++++++++ ...ows-defender-advanced-threat-protection.md | 66 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 66 ++++++++++++ ...ows-defender-advanced-threat-protection.md | 38 +++++++ 31 files changed, 2214 insertions(+) create mode 100644 windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md create mode 100644 windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..259f35f8eb --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md @@ -0,0 +1,100 @@ +--- +title: Use the Windows Defender Advanced Threat Protection exposed APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Use the Windows Defender ATP exposed APIs + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Run queries on the graph API + +### Before you begin +Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries. + +## Create an app + +1. Log on to [Azure](https://portal.azure.com). + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the Create window, enter the following information then click **Create**. + + ![Image of Create application window](images/atp-azure-create.png) + + - **Name:** WinATPGraph + - **Application type:** Native + - **Redirect URI:** `https://localhost` + + +4. Navigate and select the newly created application. + ![Image of new app in Azure](images/atp-azure-atp-app.png) + +5. Click **All settings** > **Required permissions** > **Add**. + + ![Image of All settings, then required permissions](images/atp-azure-required-permissions.png) + +6. Click **Select an API** > **Microsoft Graph**, then click **Select**. + + ![Image of API access and API selection](images/atp-azure-api-access.png) + + +7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**. + + ![Image of select permissions](images/atp-azure-select-permissions.png) + +You can now use the code snippets in the following sections to query the API using the created app ID. + +## Get an access token +1. Get the Client ID from the application you created. + +2. Use the **Client ID**. For example: + ``` + private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; + private const string resourceId = "https://graph.microsoft.com"; + private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; + private const string redirect = "https://localhost"; + HttpClient client = new HttpClient(); + AuthenticationContext auth = new AuthenticationContext(authority); + var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; + client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); + ``` + +## Query the graph +Once the bearer token is retrieved, you can easily invoke the graph APIs. For example: + +``` +client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); +// sample endpoint +string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5"; +HttpResponseMessage response = client.GetAsync(ep).Result; +string resp = response.Content.ReadAsStringAsync().Result; +Console.WriteLine($"response for: {ep} \r\n {resp}"); +``` + + +## Related topics +- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..fbb753c8ba --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md @@ -0,0 +1,67 @@ +--- +title: Get actor information API +description: Retrieves an actor information report. +keywords: apis, graph api, supported apis, get, actor, information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get actor information +Retrieves an actor information report. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/actor/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and actor exists - 200 OK. +If actor does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/actors/zinc +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity", + "id": "zinc", + "linkToReport": "link-to-pdf" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..58cb856ab2 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,77 @@ +--- +title: Get actor related alerts API +description: Retrieves all alerts related to a given actor. +keywords: apis, graph api, supported apis, get, actor, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get actor related alerts +Retrieves all alerts related to a given actor. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/actor/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert exists - 200 OK. +If actor does not exist or no related alerts - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 3, + "value": [ + { + "id": "636390437845006321_-1646055784", + "severity": "Medium", + "status": "Resolved", + "description": "Malware associated with ZINC has been detected.", + "recommendedAction": "1.\tContact your incident response team.", + "alertCreationTime": "2017-08-23T00:09:43.9057955Z", + "category": "Malware", + "title": "Malware associated with the activity group ZINC was discovered", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..8374af1bce --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get alert information by ID API +description: Retrieves an alert by its ID. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alert information by ID +Retrieves an alert by its ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert exists - 200 OK. +If alert not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity", + "id": "636396039176847743_89954699", + "severity": "Informational", + "status": "New", + "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs", + "recommendedAction": "Collect artifacts and determine scope.", + "alertCreationTime": "2017-08-29T11:45:17.5754165Z", +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..cdbc81e938 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,69 @@ +--- +title: Get alert related actor information API +description: Retrieves the actor information related to the specific alert. +keywords: apis, graph api, supported apis, get, alert, actor, information, related +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alert related actor information +Retrieves the actor information related to the specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/actor +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and actor exist - 200 OK. +If alert not found or actor not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor +Content-type: application/json + +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity", + "id": "zinc", + "linkToReport": "link-to-pdf" +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..ff30810620 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,71 @@ +--- +title: Get alert related domain information +description: Retrieves all domains related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related domain +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alert related domain information +Retrieves all domains related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/domains +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and domain exist - 200 OK. +If alert not found or domain not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains", + "value": [ + { + "host": "www.walla.co.il" + } + ] +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..bb79e35e16 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get alert related files information +description: Retrieves all files related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related files +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alert related files information +Retrieves all files related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/files +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and files exist - 200 OK. +If alert not found or files not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files", + "value": [ + { + "sha1": "121c7060dada38275d7082a4b9dc62641b255c36", + "sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94", + "md5": "776c970dfd92397b3c7d74401c85cd40", + "globalPrevalence": null, + "globalFirstObserved": null, +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..febd450fe4 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get alert related IP information +description: Retrieves all IPs related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related ip +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alert related domain information +Retrieves all IPs related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/ips +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and an IP exist - 200 OK. +If alert not found or IPs not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips", +"value": [ + { + "id": "104.80.104.128" + }, + { + "id": "23.203.232.228 +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..f151158bf1 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,68 @@ +--- +title: Get alert related machine information +description: Retrieves all machines related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alert related machine information +Retrieves all machines related to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/machine +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and machine exist - 200 OK. +If alert not found or machine not found - 404 Not Found. + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity", + "id": "207575116e44741d2b22b6a81429b3ca4fd34608", + "computerDnsName": "minint-8qke471.europe.corp.microsoft.com", + "firstSeen": "2015-12-01T11:31:53.7016691Z", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e2c7783f2d --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md @@ -0,0 +1,71 @@ +--- +title: Get alert related user information +description: Retrieves the user associated to a specific alert. +keywords: apis, graph api, supported apis, get, alert, information, related, user +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alert related user information +Retrieves the user associated to a specific alert. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts/{id}/user +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alert and a user exists - 200 OK. +If alert not found or user not found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity", + "id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868", + "accountSid": null, + "accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868", + "accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4", +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..c4d17938a9 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,75 @@ +--- +title: Get alerts API +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get alerts +Retrieves top recent alerts. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and alerts exists - 200 OK. +If no recent alerts found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 5000, + "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000", + "value": [ + { + "id": "636396039176847743_89954699", + "severity": "Informational", + "status": "New", + "description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs", + "recommendedAction": "Collect artifacts and determine scope", + "alertCreationTime": "2017-08-29T11:45:17.5754165Z", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..f0808ce1f0 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,74 @@ +--- +title: Get domain related alerts API +description: Retrieves a collection of alerts related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get domain related alerts +Retrieves a collection of alerts related to a given domain address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain and alert exists - 200 OK. +If domain or alert does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..2b74e8b78d --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md @@ -0,0 +1,72 @@ +--- +title: Get domain related machines API +description: Retrieves a collection of machines related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get domain related machines +Retrieves a collection of machines related to a given domain address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain and machine exists - 200 OK. +If domain or machines do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..09c6b1770d --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md @@ -0,0 +1,69 @@ +--- +title: Get domain statistics API +description: Retrieves the prevalence for the given domain. +keywords: apis, graph api, supported apis, get, domain, domain related machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get domain statistics +Retrieves the prevalence for the given domain. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK. +If domain does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats", + "host": "walla.com", + "orgPrevalence": "4070", + "orgFirstSeen": "2017-07-30T13:23:48Z", + "orgLastSeen": "2017-08-29T13:09:05Z" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..0efeaf7edc --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md @@ -0,0 +1,70 @@ +--- +title: Get file information API +description: Retrieves a file by identifier Sha1, Sha256, or MD5. +keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get file information +Retrieves a file by identifier Sha1, Sha256, or MD5. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK. +If file does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity", + "sha1": "adae3732709d2178c8895c9be39c445b5e76d587", + "sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a", + "md5": "d387a06cd4bf5fcc1b50c3882f41a44e", + "globalPrevalence": 40790196, +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..8c11e80219 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,74 @@ +--- +title: Get file related alerts API +description: Retrieves a collection of alerts related to a given file hash. +keywords: apis, graph api, supported apis, get, file, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get file related alerts +Retrieves a collection of alerts related to a given file hash. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file and alert exists - 200 OK. +If file or alerts do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..c99c8dee48 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md @@ -0,0 +1,72 @@ +--- +title: Get file related machines API +description: Retrieves a collection of machines related to a given file hash. +keywords: apis, graph api, supported apis, get, machines, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get file related machines +Retrieves a collection of machines related to a given file hash. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file and machines exists - 200 OK. +If file or machines do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..798ab9ad51 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get file statistics API +description: Retrieves the prevalence for the given file. +keywords: apis, graph api, supported apis, get, file, statistics +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get file statistics +Retrieves the prevalence for the given file. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/files/{id}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK. +If file do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", + "sha1": "adae3732709d2178c8895c9be39c445b5e76d587", + "orgPrevalence": "106398", + "orgFirstSeen": "2017-07-30T13:29:50Z", + "orgLastSeen": "2017-08-29T13:29:31Z", + "topFileNames": [ + "chrome.exe", + "old_chrome.exe" + ] +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..935601055e --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,74 @@ +--- +title: Get IP related alerts API +description: Retrieves a collection of alerts related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get IP related alerts +Retrieves a collection of alerts related to a given IP address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP and alert exists - 200 OK. +If IP and alerts do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..730061f869 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md @@ -0,0 +1,72 @@ +--- +title: Get IP related machines API +description: Retrieves a collection of machines related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get IP related machines +Retrieves a collection of alerts related to a given IP address. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP and machines exists - 200 OK. +If IP or machines do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..4d64774eaa --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md @@ -0,0 +1,69 @@ +--- +title: Get IP statistics API +description: Retrieves the prevalence for the given IP. +keywords: apis, graph api, supported apis, get, ip, statistics, prevalence +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get IP statistics +Retrieves the prevalence for the given IP. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP and domain exists - 200 OK. +If domain does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", + "ipAddress": "192.168.1.1", + "orgPrevalence": "63515", + "orgFirstSeen": "2017-07-30T13:36:06Z", + "orgLastSeen": "2017-08-29T13:32:59Z" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..037ec3e78c --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md @@ -0,0 +1,72 @@ +--- +title: Get machine by ID API +description: Retrieves a machine entity by ID. +keywords: apis, graph api, supported apis, get, machines, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get machines +Retrieves a machine entity by ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines/{id} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK. +If no machine found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity", + "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9", + "computerDnsName": "", + "firstSeen": "2015-03-15T00:18:20.6588778Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..5313528e46 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md @@ -0,0 +1,71 @@ +--- +title: Get machine log on users API +description: Retrieves a collection of logged on users. +keywords: apis, graph api, supported apis, get, machine, log on, users +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get machine log on users +Retrieves a collection of logged on users. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines/{id}/logonusers +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machine and user exist - 200 OK. +If no machine found or no users found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users", + "value": [ + { + "id": "m", + "accountSid": null, + "accountName": "", + "accountDomainName": "northamerica", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..edde75a9ff --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,73 @@ +--- +title: Get machine related alerts API +description: Retrieves a collection of alerts related to a given machine ID. +keywords: apis, graph api, supported apis, get, machines, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get machine related alerts +Retrieves a collection of alerts related to a given machine ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machine and alert exists - 200 OK. +If no machine or no alerts found - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 1, + "value": [ + { + "id": "636396066728379047_-395412459", + "severity": "Medium", + "status": "New", + "description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..1a68e33aa9 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md @@ -0,0 +1,76 @@ +--- +title: Get machines API +description: Retrieves a collection of recently seen machines. +keywords: apis, graph api, supported apis, get, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get machines +Retrieves a collection of recently seen machines. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and machines exists - 200 OK. +If no recent machines - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "@odata.count": 5000, + "@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000", + "value": [ + { + "id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9", + "computerDnsName": "", + "firstSeen": "2015-03-15T00:18:20.6588778Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", +… +} + +``` diff --git a/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..2191eee3e7 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md @@ -0,0 +1,70 @@ +--- +title: Get user information API +description: Retrieve a User entity by key such as user name or domain. +keywords: apis, graph api, supported apis, get, user, user information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get user information +Retrieve a User entity by key (user name or domain\user). + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/users/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and user exists - 200 OK. +If user does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/users/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity", + "id": "", + "accountSid": null, + "accountName": "", + "accountDomainName": "", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..096a66184c --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md @@ -0,0 +1,74 @@ +--- +title: Get user related alerts API +description: Retrieves a collection of alerts related to a given user ID. +keywords: apis, graph api, supported apis, get, user, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get user related alerts +Retrieves a collection of alerts related to a given user ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/users/{id}/alerts +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and user and alert exists - 200 OK. +If user does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts", + "@odata.count": 9, + "value": [ + { + "id": "636396023170943366_-36088267", + "severity": "Medium", + "status": "New", + "description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.", + "recommendedAction": "Update AV signatures and run a full scan.", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..ba0e463538 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md @@ -0,0 +1,72 @@ +--- +title: Get user related machines API +description: Retrieves a collection of alerts related to a given user ID. +keywords: apis, graph api, supported apis, get, user, user related alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Get user related alerts +Retrieves a collection of alerts related to a given user ID. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/users/{id}/machines +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and user and machine exists - 200 OK. +If user or machine does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ +"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "0a3250e0693a109f1affc9217be9459028aa8426", + "computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631", + "firstSeen": "2017-07-05T08:21:00.0572159Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e39a15c52c --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md @@ -0,0 +1,66 @@ +--- +title: Is domain seen in org API +description: Use this API to create calls related to checking whether a domain was seen in the organization. +keywords: apis, graph api, supported apis, domain, domain seen +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Is domain seen in org +Answers whether a domain was seen in the organization. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/domains/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK. +If domain does not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/domains/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains/$entity", + "host": "walla.com" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..1402d45ccc --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md @@ -0,0 +1,66 @@ +--- +title: Is IP seen in org API +description: Answers whether an IP was seen in the organization. +keywords: apis, graph api, supported apis, is, ip, seen, org, organization +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/01.2017 +--- + +# Is IP seen in org +Answers whether an IP was seen in the organization. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/ips/{id}/ +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK. +If IP do not exist - 404 Not Found. + + +## Example + +Request + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/ips/{id} +Content-type: application/json +``` + +Response + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips/$entity", + "id": "192.168.1.1" +} +``` diff --git a/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..24e948dfe2 --- /dev/null +++ b/windows/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md @@ -0,0 +1,38 @@ +--- +title: Supported Windows Defender Advanced Threat Protection APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 09/05/2017 +--- + +# Supported Windows Defender ATP APIs + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. + +## In this section +Topic | Description +:---|:--- +Actor | Run API calls such as get actor information and get actor related alerts. +Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information. +Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization. +File | Run API calls such as get file information, file related alerts, file related machines, and file statistics. +IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization. +Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. +User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. +