From cfc9e9774a3b31a42c791e97a136cdff7adf9bd3 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 5 Jan 2020 22:25:43 +0200
Subject: [PATCH] 1

---
 .../microsoft-defender-atp/alerts.md | 32 ++-----------------
 .../microsoft-defender-atp/get-alerts.md | 21 ++++++------
 2 files changed, 12 insertions(+), 41 deletions(-)

diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
index 3bf7ffba39..62a32da91b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
@@ -27,6 +27,7 @@ Method |Return Type |Description
 :---|:---|:---
 [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
 [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
+[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md).
 [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
 [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
 [List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md).
@@ -59,19 +60,8 @@ detectionSource | String | Detection source. threatFamilyName | String | Threat family. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. -alertFiles | List of Alert Files | **This list will be populated on $expand option, see example below** Alert File is an object that contains: sha1, sha256, filePath and fileName. -alertIPs | List of Alert IPs | **This list will be populated on $expand option, see example below** Alert IP is an object that contains: ipAddress string field. -alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below** Alert Domain is an object that contains: host string field. - -## JSON representation: - -- When querying for alert list the regular way (without expand option, e.g. /api/alerts) the expandable properties will not get populated (empty lists) -- To expand expandable properties use $expand option (e.g. to expand all send /api/alerts?$expand=files,ips,domains). -- When querying single alert all expandable properties will be expanded. -- Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples. - ### Response example for getting single alert: ``` @@ -83,12 +73,12 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929 "id": "da637084217856368682_-292920499", "incidentId": 66860, "investigationId": 4416234, + "investigationState": "Running", "assignedTo": "secop@contoso.com", "severity": "Low", "status": "New", "classification": "TruePositive", "determination": null, - "investigationState": "Running", "detectionSource": "WindowsDefenderAtp", "category": "CommandAndControl", "threatFamilyName": null, 
@@ -106,24 +96,6 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929 "createdBy": "secop@contoso.com", "createdTime": "2019-11-05T14:08:37.8404534Z" } - ], - "alertFiles": [ - { - "sha1": "77e862797dd525fd3e9c3058153247945d0d4cfd", - "sha256": "c05823562aee5e6d000b0e041197d5b8303f5aa4eecb49820879b705c926e16e", - "filePath": "C:\\Users\\test1212\\AppData\\Local\\Temp\\nsf61D3.tmp.exe", - "fileName": "nsf61D3.tmp.exe" - } - ], - "alertDomains": [ - { - "host": "login.bullguard.com" - } - ], - "alertIps": [ - { - "ipAddress": "91.231.212.53" - } ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index b6056a66b3..bcaadd7a79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -22,14 +22,20 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +## API description + Retrieves a collection of Alerts. - Supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "alertCreationTime", "incidentId", "InvestigationId", "status", "severity" and "category". - See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) + +## Limitations +1. You can get alerts last updated in the past 30 days. +2. The maximum page size is 10,000. +3. The rate limitations of this API is 100 calls per minute and 1500 calls per hour. + + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) 
@@ -50,10 +56,6 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' GET /api/alerts ``` -## Optional query parameters -Method supports $top, $select, $filter, $expand and $skip query parameters. -
$expand is available on Files, IPs and Domains. e.g. $expand=files,domains - ## Request headers Name | Type | Description @@ -120,10 +122,7 @@ Here is an example of the response. "createdBy": "secop@contoso.com", "createdTime": "2019-11-05T14:08:37.8404534Z" } - ], - "alertFiles": [], - "alertDomains": [], - "alertIps": [] + ] } ] }