From ae932090c5d95fc36abd88d3e3015949c841a417 Mon Sep 17 00:00:00 2001 
From: Zvi Avidor Date: Wed, 15 Aug 2018 23:19:03 +0300 Subject: [PATCH 01/14] complete changes --- .../windows-defender-atp/TOC.md | 69 ++++++- ...defender-advanced-threat-protection-new.md | 77 +++++++ ...defender-advanced-threat-protection-new.md | 101 ++++++++++ ...defender-advanced-threat-protection-new.md | 96 +++++++++ ...defender-advanced-threat-protection-new.md | 90 +++++++++ ...defender-advanced-threat-protection-new.md | 189 ++++++++++++++++++ ...defender-advanced-threat-protection-new.md | 47 +++++ ...defender-advanced-threat-protection-new.md | 86 ++++++++ ...defender-advanced-threat-protection-new.md | 97 +++++++++ ...defender-advanced-threat-protection-new.md | 86 ++++++++ ...defender-advanced-threat-protection-new.md | 99 +++++++++ ...defender-advanced-threat-protection-new.md | 89 +++++++++ ...defender-advanced-threat-protection-new.md | 98 +++++++++ ...defender-advanced-threat-protection-new.md | 90 +++++++++ ...defender-advanced-threat-protection-new.md | 128 ++++++++++++ ...defender-advanced-threat-protection-new.md | 124 ++++++++++++ ...defender-advanced-threat-protection-new.md | 121 +++++++++++ ...defender-advanced-threat-protection-new.md | 84 ++++++++ ...defender-advanced-threat-protection-new.md | 97 +++++++++ ...defender-advanced-threat-protection-new.md | 103 ++++++++++ ...defender-advanced-threat-protection-new.md | 121 +++++++++++ ...defender-advanced-threat-protection-new.md | 89 +++++++++ ...defender-advanced-threat-protection-new.md | 104 ++++++++++ ...defender-advanced-threat-protection-new.md | 114 +++++++++++ ...defender-advanced-threat-protection-new.md | 84 ++++++++ ...defender-advanced-threat-protection-new.md | 99 +++++++++ ...defender-advanced-threat-protection-new.md | 106 ++++++++++ ...defender-advanced-threat-protection-new.md | 104 ++++++++++ ...defender-advanced-threat-protection-new.md | 91 +++++++++ ...defender-advanced-threat-protection-new.md | 165 +++++++++++++++ ...defender-advanced-threat-protection-new.md | 120 
+++++++++++ ...defender-advanced-threat-protection-new.md | 84 ++++++++ ...defender-advanced-threat-protection-new.md | 86 ++++++++ ...defender-advanced-threat-protection-new.md | 123 ++++++++++++ ...defender-advanced-threat-protection-new.md | 121 +++++++++++ ...defender-advanced-threat-protection-new.md | 73 +++++++ ...defender-advanced-threat-protection-new.md | 80 ++++++++ ...defender-advanced-threat-protection-new.md | 103 ++++++++++ ...defender-advanced-threat-protection-new.md | 45 +++++ ...defender-advanced-threat-protection-new.md | 42 ++++ ...defender-advanced-threat-protection-new.md | 96 +++++++++ ...defender-advanced-threat-protection-new.md | 96 +++++++++ ...defender-advanced-threat-protection-new.md | 105 ++++++++++ ...defender-advanced-threat-protection-new.md | 44 ++++ ...defender-advanced-threat-protection-new.md | 93 +++++++++ ...defender-advanced-threat-protection-new.md | 101 ++++++++++ ...defender-advanced-threat-protection-new.md | 96 +++++++++ ...defender-advanced-threat-protection-new.md | 108 ++++++++++ ...defender-advanced-threat-protection-new.md | 23 +++ 49 files changed, 4676 insertions(+), 11 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md create mode 100644 
windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md create mode 100644 
windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md create mode 100644 
windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md 
create mode 100644 windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
create mode 100644 windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
create mode 100644 windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 7ae86fbea9..07e39fd8d3 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -39,8 +39,6 @@
 #### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
-
-
 ###Machines list
 #### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
 #### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
@@ -97,16 +95,65 @@
 #### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-### [**Beta!** Windows Defender ATP APIs](exposed-apis-intro.md)
-#### Create your app
-##### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md)
-##### [Get access without a user](exposed-apis-create-app-webapp.md)
-#### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
-##### [Advanced Hunting](run-advanced-query-api.md)
+### [**Beta!** Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md)
+#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md)
+##### [Advanced Hunting](run-advanced-query-windows-defender-advanced-threat-protection.md)
+
+##### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
+###### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md)
+###### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
+###### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md)
+###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)
+###### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)
+###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md)
+###### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md)
+###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md)
+###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md)
+
+##### Domain
+###### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md)
+###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md)
+###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md)
+###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md)
+
+##### [File](files-windows-defender-advanced-threat-protection-new.md)
+###### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md)
+###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md)
+###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md)
+###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md)
+
+##### IP
+###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md)
+###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md)
+###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md)
+###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
+
+##### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
+###### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
+###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
+###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
+###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
+
+##### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md)
+###### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md)
+###### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md)
+###### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md)
+###### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md)
+###### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md)
+###### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md)
+###### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+###### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
+###### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
+###### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
+
+##### [User](user-windows-defender-advanced-threat-protection-new.md)
+###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
+###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+
 #### How to use APIs - Samples
-##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
-##### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
-##### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md)
+##### [Advanced Hunting using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md)
+##### [Advanced Hunting using Python](run-advanced-query-windows-defender-advanced-threat-protection-sample-python.md)
 ### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..6f49e0bacf
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,77 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Alert resource type
+
+Represents an alert entity in WDATP.
+
+# Methods
+Method|Return Type |Description
+:---|:---|:---
+[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) object.
+[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection | List [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection.
+[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md)
+[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection|List Urls associated with the alert.
+[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md).
+[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated witht the alert.
+[Get related Machine](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) entity | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md).
+[Get related user](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md).
+
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | string | alert id.
+severity | String | severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+description | String | Description of the threat, identified by the alert.
+recommendedAction | String | Action recommended for handling the suspected threat.
+alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
+title | string | Alert title.
+threatFamilyName | string | Threat family.
+detectionSource | string | detection source
+assignedTo | String | Owner of the alert
+classification | String | Speficies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
+lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
+firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
+machineId | string | id of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
+
+# JSON representation
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..4b945f2c0f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,101 @@
+---
+title: Block file API
+description: Use this API to blocking files from being running in the organization.
+keywords: apis, graph api, supported apis, block file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Block file API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Prevent a file from being executed in the organization using Windows Defender Antivirus.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Threat Intelligence read write'
+
+## HTTP request
+```
+POST /api/files/{sha1}/block
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content-Type | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+
+## Response
+If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/files/7327b54fd718525cbca07dacde913b5ac3c85673/block
+Content-type: application/json
+{
+ "Comment": "Block file due to alert 32123"
+}
+
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
+ "fileIdentifierType": "Sha1",
+ "actionType": "Block",
+ "fileStatus": "Blocked",
+ "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "test",
+ "cancellationDateTimeUtc": null,
+ "cancellationRequestor": null,
+ "cancellationComment": null,
+ "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..df75029191
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,96 @@
+---
+title: Collect investigation package API
+description: Use this API to create calls related to the collecting an investigation package from a machine.
+keywords: apis, graph api, supported apis, collect investigation package
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Collect investigation package API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Collect investigation package from a machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+
+## HTTP request
+```
+POST /api/machines/{id}/collectInvestigationPackage
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
+Content-type: application/json
+{
+ "Comment": "Collect forensics due to alert 1234"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "c9042f9b-8483-4526-87b5-35e4c2532223",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": " Collect forensics due to alert 1234",
+ "status": "InProgress",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:09:24.1785079Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:09:24.1785079Z"
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0028551bf1
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,90 @@
+---
+title: Create alert from event API
+description: Creates an alert using event details
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Create alert from event API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Enables using event data, as obtained from the [Advanced hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) for creating a new alert entity.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+
+## HTTP request
+```
+POST /api/CreateAlertByReference
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+## Request body
+In the request body, supply the following values (all are required):
+
+Property | Type | Description
+:---|:---|:---
+machineId | String | Id of the machine on which the event was identified. **Required**.
+severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
+title | String | Title for the alert. **Required**.
+description | String | Description of the alert. **Required**.
+recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert.
+eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. 
+reportId | String | The reportId, as obtained from the advanced query. **Required**.
+category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
+
+
+## Response
+If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body.
+If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/CreateAlertByReference
+Content-Length: application/json
+
+{
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "severity": "Low",
+ "title": "test alert",
+ "description": "redalert",
+ "recommendedAction": "white alert",
+ "eventTime": "2018-08-03T16:45:21.7115183Z",
+ "reportId": "20776",
+ "category": "None"
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..bfe251407b
--- /dev/null
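Review bot: The example request sends `Content-Length: application/json`, which is not a valid Content-Length value and leaves out the Content-Type header that the 'Request headers' table above marks as required, so a reader who copies the block verbatim gets a malformed request. The line should read `Content-Type: application/json`, matching the request example in the collectInvestigationPackage page of this same patch. It would also help to state next to the 404 sentence that reportId, eventTime and machineId are presumably matched exactly against the advanced hunting row, so eventTime must be copied unmodified from the query result.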
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,189 @@
+---
+title: Use Windows Defender Advanced Threat Protection APIs
+description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
+keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Use Windows Defender ATP APIs
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
+
+In general, you’ll need to take the following steps to use the APIs:
+- Create an app
+- Get an access token
+- Use the token to access Windows Defender ATP API
+
+This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission.
+
+## Create an app
+
+1. Log on to [Azure](https://portal.azure.com).
+
+2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
+
+ ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
+
+3. 
In the Create window, enter the following information then click **Create**.
+
+ ![Image of Create application window](images/webapp-create.png)
+
+ - **Name:** WdatpEcosystemPartner
+ - **Application type:** Web app / API
+ - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.)
+
+
+4. Click **Settings** > **Required permissions** > **Add**.
+
+ ![Image of new app in Azure](images/webapp-add-permission.png)
+
+5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**.
+
+ **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+
+ ![Image of API access and API selection](images/webapp-add-permission-2.png)
+
+6. Click **Select permissions** > **Run advanced queries** > **Select**.
+
+ **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example!
+
+ ![Image of select permissions](images/webapp-select-permission.png)
+
+ - In order to send telemetry events to WDATP, check 'Write timeline events' permission
+ - In order to send TI events to WDATP, check 'Read and write IOCs belonging to the app' permission
+ - In order to run advanced queries in WDATP, check 'Run advanced queries' permission
+
+8. User with "Global Admin" permissions, need to click **Grant Permissions** in the **Required Permissions** tab.
+
+8. Click **Done**
+
+ ![Image of add permissions completion](images/webapp-add-permission-end.png)
+
+9. Click **Keys** and type a key name and click **Save**.
+
+ **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave!
+
+ ![Image of create app key](images/webapp-create-key.png)
+
+10. Write down your application ID.
+
+ ![Image of app ID](images/webapp-get-appid.png)
+
+11. 
Set your application to be multi-tenanted
+
+ This is **required** for 3rd party apps (i.e., if you create an application that is intended to run in multiple customers tenant).
+
+ This is **not required** if you create a service that you want to run in your tenant only (i.e., if you create an application for your own usage that will only interact with your own data)​
+
+ Click **Properties** > **Yes** > **Save**.
+
+ ![Image of multi tenant](images/webapp-edit-multitenant.png)
+
+
+## Application consent
+
+You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
+
+You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
+
+Consent link is of the form:
+
+```
+https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​
+```
+
+where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID
+
+
+## Get an access token
+
+For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+
+### Using C#
+
+>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+
+- Create a new Console Application
+- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
+- Add the below using
+
+ ```
+ using Microsoft.IdentityModel.Clients.ActiveDirectory;
+ ```
+
+- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+
+ ```
+ string tenantId = "00000000-0000-0000-0000-000000000000"; // 
Paste your own tenant ID here
+ string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
+ string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here
+
+ const string authority = "https://login.windows.net";
+ const string wdatpResourceId = "https://api.securitycenter.windows.com/windowsatpservice";
+
+ AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
+ ClientCredential clientCredential = new ClientCredential(appId, appSecret);
+ AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
+ string token = authenticationResult.AccessToken;
+ ```
+
+### Using PowerShell
+
+Refer to [Get token using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md#get-token)
+
+### Using Python
+
+Refer to [Get token using Python](run-advanced-query-windows-defender-advanced-threat-protection-sample-python.md#get-token)
+
+### Using Curl
+
+> [!NOTE]
+> The below procedure supposed Curl for Windows is already installed on your computer
+
+- Open a command window
+- ​Set CLIENT_ID to your Azure application ID
+- Set CLIENT_SECRET to your Azure application secret
+- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
+- Run the below command:
+
+```
+curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice​/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID​%/oauth2/v2.0/token" -k​
+```
+
+You will get an answer of the form:
+
+```
+{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"}
+```
+
+## Validate the token
+
+- Copy/paste into 
[JWT](https://jwt.ms/) the token you get in the previous step
+- Validate you get a 'roles' claim with the desired permission as you've chosen when adding permissions to the applications:
+
+![Image of token validation](images/webapp-validate-token.png)
+
+> [!NOTE]
+> The same token can be used for 1 hour and then it expired
+
+## Related topics
+- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..00e1b1e364
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
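Review bot: The curl command in the 'Using Curl' section ends with `-k`, which disables TLS certificate verification on the very request that sends `client_secret` to login.microsoftonline.com, so anyone who copies it will hand the app credential to any on-path host that presents a self-signed certificate. Remove the flag so the command ends with `"https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token"`, and if the concern is a Windows curl build without a CA bundle, say so in the note above the command and point to `--cacert` rather than to `-k`. The 'Keys' step (item 9) should also say that the key value is a client credential that grants every permission consented in step 8 and belongs in a secret store, not in source control or a shared document, and the 'Validate the token' step should caution that the pasted value is a live bearer token valid for the hour the note below mentions, so it should only be decoded in a tool that does not send it to a server. The C# snippet likewise hard-codes `appSecret` as a string literal; a sentence that the placeholder should be replaced by a read from configuration or a vault at runtime would stop readers from checking in a real secret.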
@@ -0,0 +1,47 @@ +--- +title: File resource type +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# File resource type + +Represent a file entity in WDATP. + +# Methods +Method|Return Type |Description +:---|:---|:--- +[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file +[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file. +[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert. +[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file. + + +# Properties +Property | Type | Description +:---|:---|:--- +sha1 | String | Sha1 hash of the file content +sha256 | String | Sha256 hash of the file content +md5 | String | md5 hash of the file content +globalPrevalence | Integer | File prevalence accross organization +globalFirstObserved | DateTimeOffset | First time the file was observed. +globalLastObserved | DateTimeOffset | Last time the file was observed. +size | Integer | Size of the file. +fileType | String | Type of the file. 
+isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) +filePublisher | String | File publisher. +fileProductName | String | Product name. +signer | String | File signer. +issuer | String | File issuer. +signerHash | String | Hash of the signing certificate. +isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent. + diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..87e402b102 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,86 @@ +--- +title: Find machine information by internal IP API +description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP. +keywords: ip, apis, graph api, supported apis, find machine, machine information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 07/25/2018 +--- + +# Find machine information by internal IP API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +Find a machine entity around a specific timestamp by internal IP. + +>[!NOTE] +>The timestamp must be within the last 30 days. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' + +## HTTP request +``` +GET /api/machines/find(timestamp={time},key={IP}) +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK. +If no machine found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + +The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp. 
+ +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", + "computerDnsName": "", + "firstSeen": "2017-07-06T01:25:04.9480498Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..26333d85c4 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,97 @@ +--- +title: Get alert information by ID API +description: Retrieves an alert by its ID. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert information by ID API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +Retrieves an alert by its ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' + +## HTTP request +``` +GET /api/alerts/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, and an [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. +If alert with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442 +``` + +**Response** + +Here is an example of the response. 
+ + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "id": "636688558380765161_2136280442", + "severity": "Informational", + "status": "InProgress", + "description": "Some alert description 1", + "recommendedAction": "Some recommended action 1", + "alertCreationTime": "2018-08-03T01:17:17.9516179Z", + "category": "General", + "title": "Some alert title 1", + "threatFamilyName": null, + "detectionSource": "WindowsDefenderAtp", + "classification": "TruePositive", + "determination": null, + "assignedTo": "best secop ever", + "resolvedTime": null, + "lastEventTime": "2018-08-02T07:02:52.0894451Z", + "firstEventTime": "2018-08-02T07:02:52.0894451Z", + "actorName": null, + "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..42d2bad378 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,86 @@ +--- +title: Get alert related domains information +description: Retrieves all domains related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related domain +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related domain information API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +Retrieves all domains related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | URL.Read.All | 'Read URLs' + +## HTTP request +``` +GET /api/alerts/{id}/domains +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and domain exist - 200 OK. +If alert not found or domain not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + + +``` +GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains", + "value": [ + { + "host": "www.example.com" + } + ] +} + +``` 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5bac7b1862 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,99 @@ +--- +title: Get alert related files information +description: Retrieves all files related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related files +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related files information API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +Retrieves all files related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | File.Read.All | 'Read file profiles' + +## HTTP request +``` +GET /api/alerts/{id}/files +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and files exist - 200 OK. +If alert not found or files not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files +``` + +**Response** + +Here is an example of the response. 
+ + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files", + "value": [ + { + "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d", + "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87", + "md5": "82849dc81d94056224445ea73dc6153a", + "globalPrevalence": 33, + "globalFirstObserved": "2018-07-17T18:17:27.5909748Z", + "globalLastObserved": "2018-08-06T16:07:12.9414137Z", + "windowsDefenderAVThreatName": null, + "size": 801112, + "fileType": "PortableExecutable", + "isPeFile": true, + "filePublisher": null, + "fileProductName": null, + "signer": "Microsoft Windows", + "issuer": "Microsoft Development PCA 2014", + "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f", + "isValidCertificate": true + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d28d7e4c38 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,89 @@ +--- +title: Get alert related IPs information +description: Retrieves all IPs related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related ip +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related IP information API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Retrieves all IPs related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ip.Read.All | 'Read IP address profiles' + +## HTTP request +``` +GET /api/alerts/{id}/ips +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and an IP exist - 200 OK. +If alert not found or IPs not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips", + "value": [ + { + "id": "104.80.104.128" + }, + { + "id": "23.203.232.228 + } + ] +} + +``` 
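Review bot: The response example's second entry, `"id": "23.203.232.228`, is missing its closing quote, so the JSON block does not parse and a reader pasting it into a test will get a syntax error rather than a model of the payload; it should read `"id": "23.203.232.228"`. The example request URL `https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips` also drops the `/api/` segment that the 'HTTP request' line `GET /api/alerts/{id}/ips` above it specifies and that the sibling files and machine pages in this patch use, so one of the two is wrong and the request line is presumably the authoritative one.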
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d4e17a8f25 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,98 @@ +--- +title: Get alert related machine information +description: Retrieves all machines related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related machine information API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Retrieves machine that is related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' + +## HTTP request +``` +GET /api/alerts/{id}/machine +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and machine exist - 200 OK. +If alert not found or machine not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine +``` + +**Response** + +Here is an example of the response. 
+ + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity", + "id": "ff0c3800ed8d66738a514971cd6867166809369f", + "computerDnsName": "amazingmachine.contoso.com", + "firstSeen": "2017-12-10T07:47:34.4269783Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "systemProductName": null, + "lastIpAddress": "172.17.0.0", + "lastExternalIpAddress": "167.220.0.0", + "agentVersion": "10.5830.17732.1001", + "groupName": "ContosoGroup", + "osBuild": 17732, + "healthStatus": "Active", + "isAadJoined": true, + "machineTags": [], + "rbacGroupId": 75, + "riskScore": "Low", + "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..f2f994a6cb --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,90 @@
+---
+title: Get alert related user information
+description: Retrieves the user associated to a specific alert.
+keywords: apis, graph api, supported apis, get, alert, information, related, user
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alert related user information API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves the user associated to a specific alert.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+
+## HTTP request
+```
+GET /api/alerts/{id}/user
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and alert and a user exists - 200 OK with user in the body.
+If alert not found or user not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+
+```
+GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://wdatpapi-eus-stg.cloudapp.net/api/$metadata#Users/$entity",
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..240b6627fc
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,128 @@
+---
+title: Get alerts API
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get alerts API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves top recent alerts.
+
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+
+## HTTP request
+```
+GET /api/alerts
+```
+
+## Optional query parameters
+Method supports $skip and $top query parameters.
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body.
+If no recent alerts found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d67c7e990a
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,124 @@
+---
+title: Get domain related alerts API
+description: Retrieves a collection of alerts related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related alerts API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a collection of alerts related to a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+
+## HTTP request
+```
+GET /api/domains/{domain}/alerts
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects.
+If domain or alert does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 1",
+ "recommendedAction": "Some recommended action 1",
+ "alertCreationTime": "2018-08-03T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 1",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-02T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-02T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
+ },
+ {
+ "id": "636688558380765161_2136280442",
+ "severity": "Informational",
+ "status": "InProgress",
+ "description": "Some alert description 2",
+ "recommendedAction": "Some recommended action 2",
+ "alertCreationTime": "2018-08-04T01:17:17.9516179Z",
+ "category": "General",
+ "title": "Some alert title 2",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": "TruePositive",
+ "determination": null,
+ "assignedTo": "best secop ever",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T07:02:52.0894451Z",
+ "firstEventTime": "2018-08-03T07:02:52.0894451Z",
+ "actorName": null,
+ "machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
+ }
+ ]
+}
+```
+
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0294068db8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,121 @@
+---
+title: Get domain related machines API
+description: Retrieves a collection of machines related to a given domain address.
+keywords: apis, graph api, supported apis, get, domain, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain related machines API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a collection of machines that have communicated to or from a given domain address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read URLs'
+
+## HTTP request
+```
+GET /api/domains/{domain}/machines
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) objects.
+If domain or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+
+```
+GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
+ "computerDnsName": "testMachine1",
+ "firstSeen": "2018-07-30T20:12:00.3708661Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "10.209.67.177",
+ "lastExternalIpAddress": "167.220.1.210",
+ "agentVersion": "10.5830.18208.1000",
+ "groupName": null,
+ "osBuild": 18208,
+ "healthStatus": "Inactive",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
+ "computerDnsName": "testMachine2",
+ "firstSeen": "2018-07-30T19:50:47.3618349Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "10.209.70.231",
+ "lastExternalIpAddress": "167.220.0.28",
+ "agentVersion": "10.5830.18208.1000",
+ "groupName": null,
+ "osBuild": 18208,
+ "healthStatus": "Inactive",
+ "isAadJoined": false,
+ "machineTags": [],
+ "rbacGroupId": 75,
+ "riskScore": "None",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..cae669cc07
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get domain statistics API
+description: Retrieves the prevalence for the given domain.
+keywords: apis, graph api, supported apis, get, domain, domain related machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get domain statistics API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves the prevalence for the given domain.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | URL.Read.All | 'Read all machine profiles'
+
+## HTTP request
+```
+GET /api/domains/{domain}/stats
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK, with statistics object in the respnose body.
+If domain does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+ "host": "example.com",
+ "orgPrevalence": "4070",
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0c8cc1a590
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,97 @@
+---
+title: Get file information API
+description: Retrieves a file by identifier Sha1, Sha256, or MD5.
+keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file information API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+
+Retrieves a file by identifier Sha1, Sha256, or MD5.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read all file profiles'
+
+## HTTP request
+```
+GET /api/files/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If file does not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
+ "md5": "7f05a371d2beffb3784fd2199f81d730",
+ "globalPrevalence": 7329,
+ "globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
+ "globalLastObserved": "2018-08-07T23:35:11.1361328Z",
+ "windowsDefenderAVThreatName": null,
+ "size": 391680,
+ "fileType": "PortableExecutable",
+ "isPeFile": true,
+ "filePublisher": null,
+ "fileProductName": null,
+ "signer": null,
+ "issuer": null,
+ "signerHash": null,
+ "isValidCertificate": null
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..467ec1b0f0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,103 @@
+---
+title: Get file related alerts API
+description: Retrieves a collection of alerts related to a given file hash.
+keywords: apis, graph api, supported apis, get, file, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related alerts API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a collection of alerts related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+
+## HTTP request
+```
+GET /api/files/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..a4edd6751b
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,121 @@
+---
+title: Get file related machines API
+description: Retrieves a collection of machines related to a given file hash.
+keywords: apis, graph api, supported apis, get, machines, hash
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file related machines API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a collection of machines related to a given file hash.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/files/{id}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If file or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "groupName": null,
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "groupName": "WDATPClientTeam",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..3c97bc8e75
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,89 @@
+---
+title: Get file statistics API
+description: Retrieves the prevalence for the given file.
+keywords: apis, graph api, supported apis, get, file, statistics
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get file statistics API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves the prevalence for the given file.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | File.Read.All | 'Read file profiles'
+
+## HTTP request
+```
+GET /api/files/{id}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with statistical data in the body.
+If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
+ "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
+ "orgPrevalence": "3",
+ "orgFirstSeen": "2018-07-15T06:13:59Z",
+ "orgLastSeen": "2018-08-03T16:45:21Z",
+ "topFileNames": [
+ "chrome_1.exe",
+ "chrome_2.exe"
+ ]
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ef6e67570d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,104 @@
+---
+title: Get IP related alerts API
+description: Retrieves a collection of alerts related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related alerts API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+
+## HTTP request
+```
+GET /api/ips/{ip}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If IP and alerts do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..c89ed86297
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,114 @@
+---
+title: Get IP related machines API
+description: Retrieves a collection of machines related to a given IP address.
+keywords: apis, graph api, supported apis, get, ip, related, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP related machines API
+Retrieves a collection of alerts related to a given IP address.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/ips/{ip}/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If IP or machines do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "groupName": null,
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "groupName": "WDATPClientTeam",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..affd63c23c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get IP statistics API
+description: Retrieves the prevalence for the given IP.
+keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get IP statistics API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves the prevalence for the given IP.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+
+## HTTP request
+```
+GET /api/ips/{ip}/stats
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and file exists - 200 OK with statistical data in the body.
+If file do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
+ "ipAddress": "192.168.1.1",
+ "orgPrevalence": "63515",
+ "orgFirstSeen": "2017-07-30T13:36:06Z",
+ "orgLastSeen": "2017-08-29T13:32:59Z"
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..d7dae982e8
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,99 @@
+---
+title: Get machine by ID API
+description: Retrieves a machine entity by ID.
+keywords: apis, graph api, supported apis, get, machines, entity, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine by ID API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a machine entity by ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machines/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body.
+If machine with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "groupName": null,
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..7f94e8c74e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,106 @@
+---
+title: Get machine log on users API
+description: Retrieves a collection of logged on users.
+keywords: apis, graph api, supported apis, get, machine, log on, users
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine log on users API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+
+Retrieves a collection of logged on users.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | User.Read.All | 'Read user profiles'
+
+
+## HTTP request
+```
+GET /api/machines/{id}/logonusers
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and user exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body
+If no machine found or no users found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
+ "value": [
+ {
+ "id": "contoso\\user1",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-04T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ },
+ {
+ "id": "contoso\\user2",
+ "firstSeen": "2018-08-02T00:00:00Z",
+ "lastSeen": "2018-08-05T00:00:00Z",
+ "mostPrevalentMachineId": null,
+ "leastPrevalentMachineId": null,
+ "logonTypes": "Network",
+ "logOnMachinesCount": 3,
+ "isDomainAdmin": false,
+ "isOnlyNetworkUser": null
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..5b98bf3a4f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,104 @@
+---
+title: Get machine related alerts API
+description: Retrieves a collection of alerts related to a given machine ID.
+keywords: apis, graph api, supported apis, get, machines, related, alerts
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machine related alerts API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a collection of alerts related to a given machine ID.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alert.Read.All | 'Read all alerts'
+Application | Alert.ReadWrite.All | 'Read and write all alerts'
+
+## HTTP request
+```
+GET /api/machines/{id}/alerts
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If no machine or no alerts found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+
+```
+GET https://api.securitycenter.windows.com/api/machines/{id}/alerts
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
+ "value": [
+ {
+ "id": "636692391408655573_2010598859",
+ "severity": "Low",
+ "status": "New",
+ "description": "test alert",
+ "recommendedAction": "do this and that",
+ "alertCreationTime": "2018-08-07T11:45:40.0199932Z",
+ "category": "None",
+ "title": "test alert",
+ "threatFamilyName": null,
+ "detectionSource": "CustomerTI",
+ "classification": null,
+ "determination": null,
+ "assignedTo": null,
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-03T16:45:21.7115182Z",
+ "firstEventTime": "2018-08-03T16:45:21.7115182Z",
+ "actorName": null,
+ "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..2f3ae63b1c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,91 @@
+---
+title: Get MachineAction object API
+description: Use this API to create calls related to get machineaction object
+keywords: apis, graph api, supported apis, machineaction object
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get MachineAction object API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Get actions done on a machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machineactions/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) object.
+If machine action with the specified id was not found - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
+}
+
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..ae7970fd01
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,165 @@
+---
+title: Get MachineActions collection API
+description: Use this API to create calls related to get machineactions collection
+keywords: apis, graph api, supported apis, machineaction collection
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get MachineActions collection API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+ Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machineactions
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with a collection of [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) objects since the Retention policy time of the organization.
+
+
+## Example 1
+
+**Request**
+
+Here is an example of the request on an organization that has three MachineActions.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z"
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
+ },
+ {
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "UnrestrictCodeExecution",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:16:14.2899973Z"
+ }
+ ]
+}
+```
+
+## Example 2
+
+**Request**
+
+Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/testwdatppreview/$metadata#MachineActions",
+ "value": [
+ {
+ "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
+ "type": "CollectInvestigationPackage",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "test",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z"
+ },
+ {
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "Succeeded",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..35c4d198ee
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,120 @@
+---
+title: Get machines API
+description: Retrieves a collection of recently seen machines.
+keywords: apis, graph api, supported apis, get, machines
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get machines API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Retrieves a collection of recently seen machines.
+
+## Permissions
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
+
+## HTTP request
+```
+GET /api/machines
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
+If no recent machines - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/machines
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
+ "value": [
+ {
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "agentVersion": "10.5830.18209.1001",
+ "groupName": null,
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ },
+ {
+ "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
+ "computerDnsName": "mymachine2.contoso.com",
+ "firstSeen": "2018-07-09T13:22:45.1250071Z",
+ "osPlatform": "Windows10",
+ "osVersion": null,
+ "systemProductName": null,
+ "lastIpAddress": "192.168.12.225",
+ "lastExternalIpAddress": "79.183.65.82",
+ "agentVersion": "10.5820.17724.1000",
+ "groupName": "WDATPClientTeam",
+ "osBuild": 17724,
+ "healthStatus": "Inactive",
+ "isAadJoined": true,
+ "machineTags": [],
+ "rbacGroupId": 140,
+ "riskScore": "Low",
+ "aadDeviceId": null
+ }
+ ]
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e3b14550d2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,84 @@
+---
+title: Get package SAS URI API
+description: Use this API to get a URI that allows downloading an investigation package.
+keywords: apis, graph api, supported apis, get package, sas, uri
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Get package SAS URI API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Get a URI that allows downloading of an investigation package.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.CollectForensics | 'Collect forensics'
+
+## HTTP request
+```
+GET /api/machineactions/{id}/getPackageUri
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+
+```
+HTTP/1.1 200 Ok
+Content-type: application/json
+
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
+ "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdo
m2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
+}
+
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..74880584e6
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,86 @@ +--- +title: Get user information API +description: Retrieve a User entity by key such as user name or domain. +keywords: apis, graph api, supported apis, get, user, user information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get user information API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Retrieve a User entity by key (user name or domain\user). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | User.Read.All | 'Read all user profiles' + +## HTTP request +``` +GET /api/users/{id}/ +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. +If user does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +GET https://api.securitycenter.windows.com/api/users/{id} +Content-type: application/json +``` + +**Response** + +Here is an example of the response. 
+ + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/testwdatppreview/$metadata#Users/$entity", + "id": "", + "accountSid": null, + "accountName": "", + "accountDomainName": "", +… +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d0024bf007 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md 
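Review bot: The sample response's `@odata.context` points at `/testwdatppreview/$metadata#Users/$entity` while every other page in this commit uses `/api/$metadata`, and the example GET sends `Content-type: application/json` on a bodyless request whose Request headers table lists only `Authorization`; both look like leftovers from an earlier endpoint and should be aligned with the documented contract. The sample body also shows empty strings for `id`, `accountName` and `accountDomainName` plus a bare `…`, so a reader cannot tell what shape the values take; constructed placeholders such as `"accountName": "user1"` and `"accountDomainName": "contoso"` (constructed) would make it usable. The intro says the key is `user name or domain\user`, so it is worth stating which form `{id}` in `GET /api/users/{id}/` accepts and whether the trailing slash is significant, since the example omits it.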
@@ -0,0 +1,123 @@ +--- +title: Get user related alerts API +description: Retrieves a collection of alerts related to a given user ID. +keywords: apis, graph api, supported apis, get, user, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get user related alerts API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Retrieves a collection of alerts related to a given user ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' + +## HTTP request +``` +GET /api/users/{id}/alerts +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user and alert exists - 200 OK. +If user does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +GET https://api.securitycenter.windows.com/api/users/user1@contoso.com/alerts +``` + +**Response** + +Here is an example of the response. 
+ + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "636688558380765161_2136280442", + "severity": "Informational", + "status": "InProgress", + "description": "Some alert description 1", + "recommendedAction": "Some recommended action 1", + "alertCreationTime": "2018-08-03T01:17:17.9516179Z", + "category": "General", + "title": "Some alert title 1", + "threatFamilyName": null, + "detectionSource": "WindowsDefenderAtp", + "classification": "TruePositive", + "determination": null, + "assignedTo": "best secop ever", + "resolvedTime": null, + "lastEventTime": "2018-08-02T07:02:52.0894451Z", + "firstEventTime": "2018-08-02T07:02:52.0894451Z", + "actorName": null, + "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" + }, + { + "id": "636688558380765161_2136280442", + "severity": "Informational", + "status": "InProgress", + "description": "Some alert description 2", + "recommendedAction": "Some recommended action 2", + "alertCreationTime": "2018-08-04T01:17:17.9516179Z", + "category": "General", + "title": "Some alert title 2", + "threatFamilyName": null, + "detectionSource": "WindowsDefenderAtp", + "classification": "TruePositive", + "determination": null, + "assignedTo": "best secop ever", + "resolvedTime": null, + "lastEventTime": "2018-08-03T07:02:52.0894451Z", + "firstEventTime": "2018-08-03T07:02:52.0894451Z", + "actorName": null, + "machineId": "ff0c3800ed8d66738a514971cd6867166809369d" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5a304b14c3 --- /dev/null 
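Review bot: Both alerts in the sample response carry the same `id` `636688558380765161_2136280442`, which contradicts the identity semantics the alert pages rely on and will trip anyone who builds a test fixture from this sample; give the second entry a distinct id. The Response section's `If successful and user and alert exists - 200 OK` does not say what the body holds, unlike the machines page which links the entity; suggest `If successful - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.` The example path uses `user1@contoso.com` where the intro says "user ID", so stating which key form `{id}` accepts would remove the ambiguity.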
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -0,0 +1,121 @@ +--- +title: Get user related machines API +description: Retrieves a collection of machines related to a given user ID. +keywords: apis, graph api, supported apis, get, user, user related alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get user related machines API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Retrieves a collection of machines related to a given user ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' + +## HTTP request +``` +GET /api/users/{id}/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. +If user or machines does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +GET https://api.securitycenter.windows.com/api/users/user1@contoso.com/machines +``` + +**Response** + +Here is an example of the response. 
+ + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": null, + "systemProductName": null, + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "groupName": null, + "osBuild": 18209, + "healthStatus": "Active", + "isAadJoined": true, + "machineTags": [], + "rbacGroupId": 140, + "riskScore": "Low", + "aadDeviceId": null + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": null, + "systemProductName": null, + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "groupName": "WDATPClientTeam", + "osBuild": 17724, + "healthStatus": "Inactive", + "isAadJoined": true, + "machineTags": [], + "rbacGroupId": 140, + "riskScore": "Low", + "aadDeviceId": null + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..67e10348a6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md 
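Review bot: The sample `lastExternalIpAddress` values `167.220.196.71` and `79.183.65.82` are routable public addresses rather than documentation ranges; since these samples get copied into tests, tickets and screenshots, replace them with RFC 5737 addresses such as `198.51.100.71` and `203.0.113.82` (constructed). The `lastIpAddress` values are private-range and are fine as they are. The Response sentences `If successful and machines exists` and `If user or machines does not exist` should read `machines exist` and `do not exist`.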
@@ -0,0 +1,73 @@
+---
+title: Is domain seen in org API
+description: Use this API to create calls related to checking whether a domain was seen in the organization.
+keywords: apis, graph api, supported apis, domain, domain seen
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 04/24/2018
+---
+
+# Was domain seen in org
+Answers whether a domain was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Url.Read.All | 'Read URLs'
+
+## HTTP request
+```
+GET /api/domains/{domain}
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+GET https://api.securitycenter.windows.com/api/domains/example.com
+Content-type: application/json
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
+ "host": "example.com"
+}
+```
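Review bot: This page's Request headers table uses a two-column `Header | Value` layout while every sibling in this commit uses `Name | Type | Description`, and the `**Applies to:**` block the other pages carry is missing here; align both so the reference reads uniformly. The H1 `Was domain seen in org` disagrees with the frontmatter title `Is domain seen in org API` (the IP page at the next hunk has the same mismatch). The example GET again carries a `Content-type: application/json` header that the headers table does not list and that a bodyless request does not need.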
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..22da7d935e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,80 @@
+---
+title: Is IP seen in org API
+description: Answers whether an IP was seen in the organization.
+keywords: apis, graph api, supported apis, is, ip, seen, org, organization
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Was IP seen in org
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Answers whether an IP was seen in the organization.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ip.Read.All | 'Read IP address profiles'
+
+## HTTP request
+```
+GET /api/ips/{ip}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+
+
+## Request body
+Empty
+
+## Response
+If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+
+```
+HTTP/1.1 200 OK
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
+ "id": "10.209.67.177"
+}
+```
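Review bot: The geo-location `[!NOTE]` sits under **Response** after "Here is an example of the response.", where it reads as a property of the reply rather than of the request host; on the isolate and offboard pages it sits under **Request**, and the same misplacement recurs in the restrict-code-execution and run-av-scan hunks. `If IP do not exist` should be `If the IP does not exist`. The H1 `Was IP seen in org` also differs from the frontmatter title `Is IP seen in org API`.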
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..0542b64fcf
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,103 @@ +--- +title: Isolate machine API +description: Use this API to create calls related isolating a machine. +keywords: apis, graph api, supported apis, isolate machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Isolate machine API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Isolates a machine from accessing external network. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Isolate | 'Isolate machine' + +## HTTP request +``` +POST /api/machines/{id}/isolate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'. + +**IsolationType** controls the type of isolation to perform and can be one of the following: +- Full – Full isolation +- Selective – Restrict only limited set of applications from accessing the network + + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. 
+ +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate +Content-type: application/json +{ + "Comment": "Isolate machine due to alert 1234", + “IsolationType”: “Full” +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "b89eb834-4578-496c-8be0-03f004061435", + "type": "Isolate", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Isolate machine due to alert 1234", + "status": "InProgress", + "error": "None", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z", + "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..9afd33baef --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md 
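Review bot: The request body sample uses typographic quotes, `“IsolationType”: “Full”`, which is not valid JSON and is rejected by any parser when pasted; change it to `"IsolationType": "Full"` (the run-av-scan hunk has the same `“ScanType”: “Full”` problem). The request targets machine `fb9ab6be3965095a09c057be7c90f0a2` but the response reports `machineId` `f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f`, a different and differently-sized identifier, so the pair does not read as one round trip; the offboard, restrict-code-execution and run-av-scan samples have the same mismatch. `IsolationType` lists allowed values but, unlike `Comment`, is neither marked **Required** nor given a default, which a caller needs to know before cutting a machine off the network. `"requestor": "Analyst@contoso.com "` carries a trailing space inside the string.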
@@ -0,0 +1,45 @@ +--- +title: File resource type +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Machine resource type + + +# Methods +Method|Return Type |Description +:---|:---|:--- +[List machines](get-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List set of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the org. +[Get machine](get-machine-by-id-windows-defender-advanced-threat-protection.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Get a [machine](machine-windows-defender-advanced-threat-protection-new.md) by its identity. +[Get logged on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [User](user-windows-defender-advanced-threat-protection-new.md) that logged on to the [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Get related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that were raised on the [machine](machine-windows-defender-advanced-threat-protection-new.md). + +# Properties +Property | Type | Description +:---|:---|:--- +id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity. +computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name. 
+firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
+osPlatform | String | OS platform.
+osVersion | String | OS Version.
+lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
+lastExternalIpAddress | Ip | Last Ip through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
+agentVersion | String | Version of WDATP agent.
+groupName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) group name (when defined).
+osBuild | Int | OS build number.
+healthStatus | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status.
+isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
+machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
+rbacGroupId | Int | Group Id.
+riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+aadDeviceId | String | AAD Device Id (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e611322103
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
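Review bot: The frontmatter `title: File resource type` and `description: Retrieves top recent alerts.` are copy-paste leftovers on a page whose H1 is `Machine resource type`; they drive search results and the browser tab, so set them to the machine entity (the machineaction hunk below carries the same stale title and description). The `Get machine` row links to `get-machine-by-id-windows-defender-advanced-threat-protection.md` without the `-new` suffix every other link in the table uses, so it will resolve to the old page or not at all. `evaludated` in the `riskScore` row should be `evaluated`.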
@@ -0,0 +1,42 @@ +--- +title: File resource type +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Machine Action resource type + +Method|Return Type |Description +:---|:---|:--- +[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities. +[Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get a single [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. +[Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Collect investigation package from a [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get URI for downloading the investigation package. +[Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Isolate [machine](machine-windows-defender-advanced-threat-protection-new.md) from network. 
+[Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Release [machine](machine-windows-defender-advanced-threat-protection-new.md) from Isolation.
+[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution.
+[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction.
+[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable).
+[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP.
+
+# Properties
+Property | Type | Description
+:---|:---|:---
+id | Guid | Identity of the [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity.
+type | String | Type of the action.
+requestor | String | Identity of the person that executed the action.
+requestorComment | String | Comment that was written when issuing the action.
+status | String | Current status of the command. Possible values are: "InProgress", "Succeeded", "Failed" and "Cancelled".
+error | String | Error code providing more insight as to what have caused the command to fail.
+machineId | String | Id of the machine on which the action was executed.
+creationDateTimeUtc | DateTimeOffset | The date and time when the action was created.
+lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated.
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..305514fa27
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
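Review bot: The `Offboard machine` row links to `offboard-machine-api-windows-defender-advanced-threat-protection-new` with no `.md` extension, unlike every other row in the table, so the link will not resolve in the docs build; append `.md`. The `error` row's `what have caused` should be `what has caused`, and `status` calls the action a "command" while the rest of the page says "action". Every action page in this commit shows `"error": "None"` in its sample, so stating in the `error` row that `None` is the no-error value would save readers a guess.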
@@ -0,0 +1,96 @@ +--- +title: Collect investigation package API +description: Use this API to create calls related to the collecting an investigation package from a machine. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Collect investigation package API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Offboard machine from WDATP. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Offboard | 'Offboard machine' + +## HTTP request +``` +POST /api/machines/{id}/offboard +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. 
+ +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/offboard +Content-type: application/json +{ + "Comment": "Offboard machine by automation" +} +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "c9042f9b-8483-4526-87b5-35e4c2532223", + "type": "OffboardMachine", + "requestor": "Analyst@contoso.com", + "requestorComment": "offboard machine by automation", + "status": "InProgress", + "error": "None", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2017-12-04T12:09:24.1785079Z", + "lastUpdateTimeUtc": "2017-12-04T12:09:24.1785079Z" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..8f738be715 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md 
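Review bot: The frontmatter title, description, keywords and the H1 all say `Collect investigation package API`, but the body, the `Machine.Offboard` permission and the `POST /api/machines/{id}/offboard` endpoint document offboarding; the page will be indexed and listed under the wrong name, so retitle it `Offboard machine API` and rewrite the description and keywords to match. Because the machineaction table describes this as offboarding the machine from WDATP, the highest-impact action in the set, a sentence on what the caller should expect afterwards would help — the page does not say, so this is a documentation gap rather than a stated fact. The response `requestorComment` (`offboard machine by automation`) does not match the request `Comment` (`Offboard machine by automation`).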
@@ -0,0 +1,96 @@ +--- +title: Restrict app execution API +description: Use this API to create calls related to restricting an application from executing. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Restrict app execution API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Restrict execution of all applications on the machine except a predefined set. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.RestrictExecution | 'Restrict code execution' + +## HTTP request +``` +POST /api/machines/{id}/restrictCodeExecution +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | string | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. 
+ +``` +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution +Content-type: application/json +{ + "Comment": "Restrict code execution due to alert 1234" +} + +``` +**Response** + +Here is an example of the response. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "78d408d1-384c-4c19-8b57-ba39e378011a", + "type": "RestrictCodeExecution", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Restrict code execution due to alert 1234", + "status": "InProgress", + "error": "None", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2017-12-04T12:15:04.3825985Z", + "lastUpdateTimeUtc": "2017-12-04T12:15:04.3825985Z" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..9d33981067 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md 
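Review bot: The `keywords` line still reads `collect investigation package`, a leftover from the page this one was cloned from, so search will route the wrong queries here; use restrict-app-execution terms instead. `"requestor": "Analyst@contoso.com "` carries a trailing space inside the JSON string. The intro says the machine is restricted to "a predefined set" of applications without saying where that set is defined or linked, which a reader evaluating the action's blast radius would want.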
@@ -0,0 +1,105 @@
+---
+title: Run antivirus scan API
+description: Use this API to create calls related to running an antivirus scan on a machine.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Run antivirus scan API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Initiate Windows Defender Antivirus scan on the machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Scan | 'Scan machine'
+
+## HTTP request
+```
+POST /api/machines/{id}/runAntiVirusScan
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+Content-Type | string | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+ScanType| String | Defines the type of the Scan. **Required**.
+
+**ScanType** controls the type of scan to perform and can be one of the following:
+
+- **Quick** – Perform quick scan on the machine
+- **Full** – Perform full scan on the machine
+
+
+
+## Response
+If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan
+Content-type: application/json
+{
+ "Comment": "Check machine for viruses due to alert 3212",
+ “ScanType”: “Full”
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
+ "type": "RunAntiVirusScan",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Check machine for viruses due to alert 3212",
+ "status": "InProgress",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:18:27.1293487Z"
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e8279e443f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,44 @@
+---
+title: Supported Windows Defender Advanced Threat Protection query APIs
+description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
+keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 30/07/2018
+---
+
+# Supported Windows Defender ATP query APIs
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
+
+Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
+
+## In this section
+Topic | Description
+:---|:---
+Advanced Hunting | Run queries from API.
+Alerts | Run API calls such as get alerts, create alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
+Domain |Run API calls such as get domain related machines, statistics, and check if a domain is seen in your organization.
+File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
+IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
+Machines | Run API calls such as get machines, get machines by ID, perform actions on machines (s.a. "Collect investigation package") information about logged on users, and alerts related to a given machine ID.
+User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
+
+## Related topic
+- [Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e3cb3d3e64
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,93 @@
+---
+title: Unblock file API
+description: Use this API to create calls related to allowing a file to be executed in the organization
+keywords: apis, graph api, supported apis, unblock file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Unblock file API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Allow a file to be executed in the organization, using Windows Defender Antivirus.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Ti.ReadWrite | 'Threat Intelligence read write'
+
+## HTTP request
+```
+POST /api/files/{sha1}/unblock
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content-Type | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+
+## Response
+If successful, this method returns 201 Created response code with action details, which indicates that unblock message was sent to Windows Defender deployed in the organization.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://api.securitycenter.windows.com/api/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock
+Content-type: application/json
+{
+ "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm",
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
+ "fileIdentifierType": "Sha1",
+ "actionType": "UnBlock",
+ "fileStatus": "Blocked",
+ "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "test",
+ "cancellationDateTimeUtc": null,
+ "cancellationRequestor": null,
+ "cancellationComment": null,
+ "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..aacb10b79f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,101 @@
+---
+title: Release machine from isolation API
+description: Use this API to create calls related to release a machine from isolation.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Release machine from isolation API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Undo isolation of a machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.Isolate | 'Isolate machine'
+
+## HTTP request
+```
+POST /api/machines/{id}/unisolate
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate
+Content-type: application/json
+{
+ "Comment": "Unisolate machine since it was clean and validated"
+}
+
+```
+**Response**
+
+Here is an example of the response.
+
+>[!NOTE]
+>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558",
+ "type": "Unisolate",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "Unisolate machine since it was clean and validated ",
+ "status": "InProgress",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:13:15.0104931Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:13:15.0104931Z"
+}
+
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..e08b5d033f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,96 @@
+---
+title: Remove app restriction API
+description: Use this API to create calls related to removing a restriction from applications from executing.
+keywords: apis, graph api, supported apis, remove machine from isolation
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Remove app restriction API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Enable execution of any application on the machine.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Machine.RestrictExecution | 'Restrict code execution'
+
+## HTTP request
+```
+POST /api/machines/{id}/unrestrictCodeExecution
+```
+
+## Request headers
+Name | Type | Description
+:---|:---|:---
+Authorization | string | Bearer {token}. **Required**.
+Content-Type | string | application/json. **Required**.
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+## Response
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution
+Content-type: application/json
+{
+ "Comment": "Unrestrict code execution since machine was cleaned and validated"
+}
+
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
+ "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
+ "type": "UnrestrictCodeExecution",
+ "requestor": "Analyst@contoso.com",
+ "requestorComment": "Unrestrict code execution since machine was cleaned and validated ",
+ "status": "InProgress",
+ "error": "None",
+ "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
+ "creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z",
+ "lastUpdateTimeUtc": "2017-12-04T12:15:40.6052029Z"
+}
+
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..76d372f7b5
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,108 @@
+---
+title: Get alert information by ID API
+description: Retrieves an alert by its ID.
+keywords: apis, graph api, supported apis, get, alert, information, id
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Update alert
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Update the properties of an alert object.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+
+Permission type | Permission | Permission display name
+:---|:---|:---
+Application | Alerts.ReadWrite.All | 'Read and write all alerts'
+
+## HTTP request
+```
+PATCH /api/alerts/{id}
+```
+
+## Request headers
+
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
+Content-Type | String | application/json. **Required**.
+
+
+## Request body
+In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on tchanges to other property values. For best performance you shouldn't include existing values that haven't change.
+
+Property | Type | Description
+:---|:---|:---
+status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
+assignedTo | String | Owner of the alert
+classification | String | Speficies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
+determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
+
+
+## Response
+If successful, this method returns 200 OK, and an [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body with the updated properties.
+If alert with the specified id was not found - 404 Not Found.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+>[!NOTE]
+>For better performance, you can use server closer to your geo location:
+> - api-us.securitycenter.windows.com
+> - api-eu.securitycenter.windows.com
+> - api-uk.securitycenter.windows.com
+
+```
+PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
+Content-Type: application/json
+
+{
+ "assignedTo": "Our designated secop"
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+```
+{
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
+ "id": "636692338844234222_1806644926",
+ "severity": "Medium",
+ "status": "InProgress",
+ "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
+ "recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
+ "alertCreationTime": "2018-08-07T10:18:04.2665329Z",
+ "category": "Installation",
+ "title": "Possible sensor tampering in memory",
+ "threatFamilyName": null,
+ "detectionSource": "WindowsDefenderAtp",
+ "classification": null,
+ "determination": null,
+ "assignedTo": "Our designated secop",
+ "resolvedTime": null,
+ "lastEventTime": "2018-08-07T10:14:35.470671Z",
+ "firstEventTime": "2018-08-07T10:14:35.470671Z",
+ "actorName": null,
+ "machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
+}
+```
diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
new file mode 100644
index 0000000000..509ded9db9
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md
@@ -0,0 +1,23 @@
+---
+title: File resource type
+description: Retrieves top recent alerts.
+keywords: apis, graph api, supported apis, get, alerts, recent
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# User resource type
+
+Method|Return Type |Description
+:---|:---|:---
+[List User related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List all the alerts that are associated with a [user](user-windows-defender-advanced-threat-protection-new.md).
+[List User related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List all the machines that were logged on by a [user](user-windows-defender-advanced-threat-protection-new.md).
+
+
From 7c07c111923fb9793c2e6e1c5dae54198fba00e4 Mon Sep 17 00:00:00 2001
From: Zvi Avidor
Date: Thu, 16 Aug 2018 08:44:30 +0300
Subject: [PATCH 02/14] fix
---
.../security/threat-protection/windows-defender-atp/TOC.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index 07e39fd8d3..e0fbd229bd 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -96,6 +96,11 @@ #### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) ### [**Beta!** Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md) +#### Create your app + +##### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md) + +##### [Get access without a user](exposed-apis-create-app-webapp.md) #### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md) ##### [Advanced Hunting](run-advanced-query-windows-defender-advanced-threat-protection.md) @@ -152,7 +157,9 @@ #### How to use APIs - Samples ##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md) + ##### [Advanced Hunting using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md) + ##### [Advanced Hunting using Python](run-advanced-query-windows-defender-advanced-threat-protection-sample-python.md) From 7fe9692f380f648d952f9423cb1a29e015118b21 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 16 Aug 2018 08:51:12 +0300 Subject: [PATCH 03/14] foxes --- .../windows-defender-atp/TOC.md | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index e0fbd229bd..e46669dc19 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md 
@@ -95,14 +95,26 @@ #### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) #### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) -### [**Beta!** Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md) +### [**Beta!** Windows Defender ATP APIs](exposed-apis-intro.md) + #### Create your app ##### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md) ##### [Get access without a user](exposed-apis-create-app-webapp.md) -#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md) -##### [Advanced Hunting](run-advanced-query-windows-defender-advanced-threat-protection.md) + +#### [Supported Windows Defender ATP APIs](exposed-apis-list.md) + +##### [Advanced Hunting](run-advanced-query-api.md) + +#### How to use APIs - Samples + +##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) + +##### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) + +##### [Advanced Hunting using Python](run-advanced-query-sample-python.md) + ##### [Alert](alerts-windows-defender-advanced-threat-protection-new.md) ###### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) 
@@ -155,14 +167,6 @@ ###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) ###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) -#### How to use APIs - Samples -##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-windows-defender-advanced-threat-protection-sample-ms-flow.md) - -##### [Advanced Hunting using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md) - -##### [Advanced Hunting using Python](run-advanced-query-windows-defender-advanced-threat-protection-sample-python.md) - - ### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) #### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) #####Actor From 07946c4cee3e4c1779b581c8dcf1a9e9aacef4b9 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 16 Aug 2018 08:52:11 +0300 Subject: [PATCH 04/14] fixes --- .../threat-protection/windows-defender-atp/TOC.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index e46669dc19..b4d24cbc95 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md 
@@ -96,26 +96,17 @@ #### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) ### [**Beta!** Windows Defender ATP APIs](exposed-apis-intro.md) - #### Create your app - ##### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md) - ##### [Get access without a user](exposed-apis-create-app-webapp.md) - #### [Supported Windows Defender ATP APIs](exposed-apis-list.md) - ##### [Advanced Hunting](run-advanced-query-api.md) #### How to use APIs - Samples - ##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) - ##### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) - ##### [Advanced Hunting using Python](run-advanced-query-sample-python.md) - ##### [Alert](alerts-windows-defender-advanced-threat-protection-new.md) ###### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) ###### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) From 972931d8fbb2f02b4a124f811783385045b6370c Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 16 Aug 2018 09:48:06 +0300 Subject: [PATCH 05/14] fix failures --- .../alerts-windows-defender-advanced-threat-protection-new.md | 2 +- ...reference-windows-defender-advanced-threat-protection-new.md | 2 +- ...osed-apis-windows-defender-advanced-threat-protection-new.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md index 6f49e0bacf..b6aa792424 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md 
@@ -22,7 +22,7 @@ Method|Return Type |Description :---|:---|:--- [Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) object. [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection | List [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection. -[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) +[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md) [List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection|List Urls associated with the alert. [List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md). [List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated witht the alert. 
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index 0028551bf1..970ce1702b 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -20,7 +20,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Enables using event data, as obtained from the [Advanced hunting API](run-advanced-query-windows-defender-advanced-threat-protection.md) for creating a new alert entity. +Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md index bfe251407b..68d63bddd1 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md 
@@ -152,7 +152,7 @@ Refer to [Get token using PowerShell](run-advanced-query-windows-defender-advanc
### Using Python
-Refer to [Get token using Python](run-advanced-query-windows-defender-advanced-threat-protection-sample-python.md#get-token)
+Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
### Using Curl
From bc236fc8f7b299b7b84e7e4e146a37bb65000b1d Mon Sep 17 00:00:00 2001
From: Zvi Avidor
Date: Thu, 16 Aug 2018 10:20:14 +0300
Subject: [PATCH 06/14] fix two warnings
---
...osed-apis-windows-defender-advanced-threat-protection-new.md | 2 +-
...ineaction-windows-defender-advanced-threat-protection-new.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md
index 68d63bddd1..b64bf198ef 100644
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md
@@ -148,7 +148,7 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
### Using PowerShell
-Refer to [Get token using PowerShell](run-advanced-query-windows-defender-advanced-threat-protection-sample-powershell.md#get-token)
+Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token)
### Using Python
diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
index e611322103..cc9b4418a7 100644
--- a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ Method|Return Type |Description
[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution.
[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction.
[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable).
-[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP.
+[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP.
# Properties
Property | Type | Description
From d98bc8fac0e982cafaafcb18134f8463439a7cfe Mon Sep 17 00:00:00 2001
From: Zvi Avidor
Date: Thu, 16 Aug 2018 10:30:03 +0300
Subject: [PATCH 07/14] Add prereleased prefix
---
.../threat-protection/windows-defender-atp/TOC.md | 11 ++++++-----
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 6 ++++++
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 5 ++---
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 2 ++
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 7 +++++++
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 4 ++--
...windows-defender-advanced-threat-protection-new.md | 3 ++-
44 files changed, 101 insertions(+), 43 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
index b4d24cbc95..7e5b918b32 100644
--- a/windows/security/threat-protection/windows-defender-atp/TOC.md
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -102,11 +102,6 @@
#### [Supported Windows Defender ATP APIs](exposed-apis-list.md)
##### [Advanced Hunting](run-advanced-query-api.md)
-#### How to use APIs - Samples
-##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
-##### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
-##### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
-
##### [Alert](alerts-windows-defender-advanced-threat-protection-new.md)
###### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md)
###### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)
@@ -158,6 +153,12 @@
###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)
###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md)
+#### How to use APIs - Samples
+##### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md)
+##### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
+##### [Advanced Hunting using Python](run-advanced-query-sample-python.md)
+
+
### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
#####Actor
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
index b6aa792424..25f518344c 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Alert resource type
+[!include[Prereleaseinformation](prerelease.md)]
+
Represents an alert entity in WDATP.
# Methods
diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
index 4b945f2c0f..84bbef9016 100644
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Block file API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
index df75029191..7f8808cd66 100644
--- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Collect investigation package API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
index 970ce1702b..dc6e3ab67a 100644
--- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Create alert from event API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
index 00e1b1e364..8961b49e34 100644
--- a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# File resource type
+[!include[Prereleaseinformation](prerelease.md)]
+
Represent a file entity in WDATP.
# Methods
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
index 87e402b102..eb6d684c80 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 07/25/2018
# Find machine information by internal IP API
+[!include[Prerelease information](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
index 26333d85c4..46cb0db71b 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get alert information by ID API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
index 42d2bad378..bfdfc9935b 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get alert related domain information API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
index 5bac7b1862..90083b44b6 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get alert related files information API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
index d28d7e4c38..1ed55af361 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get alert related IP information API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
index d4e17a8f25..46b6be0dc4 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get alert related machine information API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
index f2f994a6cb..6ac1ca8121 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get alert related user information API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index 240b6627fc..ac34277345 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get alerts API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
index d67c7e990a..a64b80a325 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get domain related alerts API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
index 0294068db8..c757b85e20 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get domain related machines API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
index cae669cc07..cac75199c0 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get domain statistics API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
index 0c8cc1a590..0b128088bf 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get file information API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
index 467ec1b0f0..79d9ce83fb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get file related alerts API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
index a4edd6751b..7f56ef7bb9 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get file related machines API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
index 3c97bc8e75..455b5c051b 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get file statistics API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
index ef6e67570d..a1b072c358 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get IP related alerts API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
index c89ed86297..fad2a57955 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -14,6 +14,12 @@ ms.date: 12/08/2017
---
# Get IP related machines API
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
Retrieves a collection of alerts related to a given IP address.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
index affd63c23c..4744b4c554 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
# Get IP statistics API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
Retrieves the prevalence for the given IP.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
index d7dae982e8..ed74621b98 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
# Get machine by ID API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
Retrieves a machine entity by ID.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
index 7f94e8c74e..db2f410ad7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -15,13 +15,12 @@ ms.date: 12/08/2017
# Get machine log on users API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
-
Retrieves a collection of logged on users.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
index 5b98bf3a4f..29a18a285d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
# Get machine related alerts API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
Retrieves a collection of alerts related to a given machine ID.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
index 2f3ae63b1c..32946e2f35 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
# Get MachineAction object API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
Get actions done on a machine.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
index ae7970fd01..8adbf1ddfd 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 12/08/2017
# Get MachineActions collection API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
index 35c4d198ee..8f57ed8f68 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
# Get machines API
+[!include[Prereleaseinformation](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
Retrieves a collection of recently seen machines.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
index e3b14550d2..95c7d5f771 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
# Get package SAS URI API
+[!include[Prerelease information](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
Get a URI that allows downloading of an investigation package.
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
index 74880584e6..cabf478649 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
# Get user information API
+[!include[Prerelease information](prerelease.md)]
+
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
Retrieve a User entity by key (user name or domain\user).
## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
index d0024bf007..9d2755148a 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Get user related alerts API
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Retrieves a collection of alerts related to a given user ID.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
index 5a304b14c3..6c7f9ad663 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Get user related machines API
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Retrieves a collection of machines related to a given user ID.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
index 67e10348a6..1c1e122d2c 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
@@ -14,6 +14,13 @@ ms.date: 04/24/2018
 ---
 # Was domain seen in org
+
+[!include[Prereleaseinformation](prerelease.md)]
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
 Answers whether a domain was seen in the organization.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
index 22da7d935e..7459ba5ffd 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Was IP seen in org
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Answers whether an IP was seen in the organization.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
index 0542b64fcf..cb23139a00 100644
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Isolate machine API
+[!include[Prerelease information](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Isolates a machine from accessing external network.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
index 305514fa27..264b5d8a98 100644
--- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Collect investigation package API
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Offboard machine from WDATP.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
index 8f738be715..a2ee20bb6c 100644
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Restrict app execution API
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Restrict execution of all applications on the machine except a predefined set.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
index 9d33981067..2c50e1f063 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Run antivirus scan API
+[!include[Prerelease information](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Initiate Windows Defender Antivirus scan on the machine.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
index e8279e443f..ac8271ccc0 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
@@ -15,6 +15,8 @@ ms.date: 30/07/2018
 # Supported Windows Defender ATP query APIs
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows 10 Enterprise
@@ -23,8 +25,6 @@ ms.date: 30/07/2018
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
 Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
index e3cb3d3e64..6132ed769b 100644
--- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Unblock file API
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Allow a file to be executed in the organization, using Windows Defender Antivirus.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
index aacb10b79f..9a9609fdba 100644
--- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -15,12 +15,12 @@ ms.date: 12/08/2017
 # Release machine from isolation API
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
-
 Undo isolation of a machine.
 ## Permissions
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
index 76d372f7b5..e9d317c65e 100644
--- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
@@ -15,11 +15,12 @@ ms.date: 12/08/2017
 # Update alert
+[!include[Prereleaseinformation](prerelease.md)]
+
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-
 Update the properties of an alert object.
 ## Permissions
From 09be5a18a19f8c9282a0e0ad8c0e5f32abfd0258 Mon Sep 17 00:00:00 2001
From: Zvi Avidor
Date: Thu, 16 Aug 2018 10:59:15 +0300
Subject: [PATCH 08/14] fix oren comments
---
...defender-advanced-threat-protection-new.md | 103 ------------------
...ows-defender-advanced-threat-protection.md | 91 ----------------
...defender-advanced-threat-protection-new.md | 4 +-
...defender-advanced-threat-protection-new.md | 4 +-
...defender-advanced-threat-protection-new.md | 4 +-
...defender-advanced-threat-protection-new.md | 8 +-
...defender-advanced-threat-protection-new.md | 8 +-
...defender-advanced-threat-protection-new.md | 6 +-
...defender-advanced-threat-protection-new.md | 93 ----------------
...ows-defender-advanced-threat-protection.md | 89 --------------
10 files changed, 17 insertions(+), 393 deletions(-)
delete mode 100644 windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
delete mode 100644 windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md
delete mode 100644 windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
delete mode 100644 windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md
diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
deleted file mode 100644
index 84bbef9016..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection-new.md
+++ /dev/null
@@ -1,103 +0,0 @@ ---- -title: Block file API -description: Use this API to blocking files from being running in the organization. -keywords: apis, graph api, supported apis, block file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -ms.date: 12/08/2017 ---- - -# Block file API - -[!include[Prereleaseinformation](prerelease.md)] - -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - -Prevent a file from being executed in the organization using Windows Defender Antivirus. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Ti.ReadWrite | 'Threat Intelligence read write' - -## HTTP request -``` -POST /api/files/{sha1}/block -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. - - -## Example - -**Request** - -Here is an example of the request. 
- ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com - -``` -POST https://api.securitycenter.windows.com/api/files/7327b54fd718525cbca07dacde913b5ac3c85673/block -Content-type: application/json -{ - "Comment": "Block file due to alert 32123" -} - - -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673", - "fileIdentifierType": "Sha1", - "actionType": "Block", - "fileStatus": "Blocked", - "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z", - "requestor": "Analyst@contoso.com ", - "requestorComment": "test", - "cancellationDateTimeUtc": null, - "cancellationRequestor": null, - "cancellationComment": null, - "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z" -} - -``` diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 933ac113b2..0000000000 --- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -title: Block file API -description: Use this API to blocking files from being running in the organization. -keywords: apis, graph api, supported apis, block file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -ms.date: 12/08/2017 ---- - -# Block file API - -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - -Prevent a file from being executed in the organization using Windows Defender Antivirus. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/files/{sha1}/block -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. - - -## Example - -**Request** - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/block -Content-type: application/json -{ - "Comment": "Block file due to alert 32123" -} - - -``` - -**Response** - -Here is an example of the response. 
-
-
-```
-HTTP/1.1 201 Created
-Content-type: application/json
-{
- "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
- "fileIdentifierType": "Sha1",
- "actionType": "Block",
- "fileStatus": "Blocked",
- "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
- "requestor": "Analyst@contoso.com ",
- "requestorComment": "test",
- "cancellationDateTimeUtc": null,
- "cancellationRequestor": null,
- "cancellationComment": null,
- "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
-}
-
-```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index ac34277345..d412cbe067 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -1,5 +1,5 @@
 ---
-title: Get alerts API
+title: List alerts API
 description: Retrieves top recent alerts.
 keywords: apis, graph api, supported apis, get, alerts, recent
 search.product: eADQiWindows 10XVcnh
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Get alerts API
+# List alerts API
 [!include[Prereleaseinformation](prerelease.md)]
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
index 8adbf1ddfd..442cc66b64 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -1,5 +1,5 @@
 ---
-title: Get MachineActions collection API
+title: List machineActions API
 description: Use this API to create calls related to get machineactions collection
 keywords: apis, graph api, supported apis, machineaction collection
 search.product: eADQiWindows 10XVcnh
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Get MachineActions collection API
+# List machineActions API
 [!include[Prereleaseinformation](prerelease.md)]
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
index 8f57ed8f68..8fe48d7d82 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -1,5 +1,5 @@
 ---
-title: Get machines API
+title: List machines API
 description: Retrieves a collection of recently seen machines.
 keywords: apis, graph api, supported apis, get, machines
 search.product: eADQiWindows 10XVcnh
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Get machines API
+# List machines API
 [!include[Prereleaseinformation](prerelease.md)]
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
index 9afd33baef..3144f9c7d1 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
@@ -1,7 +1,7 @@
 ---
-title: File resource type
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
+title: machine resource type
+description: Retrieves top machines.
+keywords: apis, supported apis, get, machines
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Machine resource type
+# machine resource type
 # Methods
diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
index cc9b4418a7..3166f0526d 100644
--- a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md
@@ -1,7 +1,7 @@
 ---
-title: File resource type
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
+title: machineAction resource type
+description: Retrieves top recent machineActions.
+keywords: apis, supported apis, get, machineaction, recent
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Machine Action resource type
+# MachineAction resource type
 Method|Return Type |Description
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
index 264b5d8a98..de81a4a47f 100644
--- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
@@ -1,6 +1,6 @@
 ---
-title: Collect investigation package API
-description: Use this API to create calls related to the collecting an investigation package from a machine.
+title: Offboard machine API
+description: Use this API to offboard a machine from WDATP.
 keywords: apis, graph api, supported apis, collect investigation package
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Collect investigation package API
+# Offboard machine API
 [!include[Prereleaseinformation](prerelease.md)]
diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
deleted file mode 100644
index 6132ed769b..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection-new.md
+++ /dev/null
@@ -1,93 +0,0 @@ ---- -title: Unblock file API -description: Use this API to create calls related to allowing a file to be executed in the organization -keywords: apis, graph api, supported apis, unblock file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -ms.date: 12/08/2017 ---- - -# Unblock file API - -[!include[Prereleaseinformation](prerelease.md)] - -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -Allow a file to be executed in the organization, using Windows Defender Antivirus. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Ti.ReadWrite | 'Threat Intelligence read write' - -## HTTP request -``` -POST /api/files/{sha1}/unblock -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 201 Created response code with action details, which indicates that unblock message was sent to Windows Defender deployed in the organization. - - -## Example - -**Request** - -Here is an example of the request. 
- -``` -POST https://api.securitycenter.windows.com/api/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock -Content-type: application/json -{ - "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm", -} -``` - -**Response** - -Here is an example of the response. - - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673", - "fileIdentifierType": "Sha1", - "actionType": "UnBlock", - "fileStatus": "Blocked", - "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z", - "requestor": "Analyst@contoso.com ", - "requestorComment": "test", - "cancellationDateTimeUtc": null, - "cancellationRequestor": null, - "cancellationComment": null, - "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z" -} - -``` diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 7ea3ec1258..0000000000 --- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -title: Unblock file API -description: Use this API to create calls related to allowing a file to be executed in the organization -keywords: apis, graph api, supported apis, unblock file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -ms.date: 12/08/2017 ---- - -# Unblock file API - -**Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - -Allow a file to be executed in the organization, using Windows Defender Antivirus. - -## Permissions -Users need to have Security administrator or Global admin directory roles. - -## HTTP request -``` -POST /testwdatppreview/files/{sha1}/unblock -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. - - -## Example - -**Request** - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock -Content-type: application/json -{ - "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm", -} -``` - -**Response** - -Here is an example of the response. 
- - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673", - "fileIdentifierType": "Sha1", - "actionType": "UnBlock", - "fileStatus": "Blocked", - "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z", - "requestor": "Analyst@contoso.com ", - "requestorComment": "test", - "cancellationDateTimeUtc": null, - "cancellationRequestor": null, - "cancellationComment": null, - "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z" -} - -``` From eb0171a8116dec21902d35db9855f7d843607d17 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 16 Aug 2018 11:23:32 +0300 Subject: [PATCH 09/14] undo removal of block and unblock from old docs --- ...ows-defender-advanced-threat-protection.md | 91 +++++++++++++++++++ ...ows-defender-advanced-threat-protection.md | 89 ++++++++++++++++++ 2 files changed, 180 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md create mode 100644 windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..933ac113b2 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,91 @@ +--- +title: Block file API +description: Use this API to blocking files from being running in the organization. +keywords: apis, graph api, supported apis, block file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Block file API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +Prevent a file from being executed in the organization using Windows Defender Antivirus. + +## Permissions +Users need to have Security administrator or Global admin directory roles. + +## HTTP request +``` +POST /testwdatppreview/files/{sha1}/block +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + + +## Response +If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/block +Content-type: application/json +{ + "Comment": "Block file due to alert 32123" +} + + +``` + +**Response** + +Here is an example of the response. 
+ + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673", + "fileIdentifierType": "Sha1", + "actionType": "Block", + "fileStatus": "Blocked", + "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z", + "requestor": "Analyst@contoso.com ", + "requestorComment": "test", + "cancellationDateTimeUtc": null, + "cancellationRequestor": null, + "cancellationComment": null, + "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..7ea3ec1258 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,89 @@
+---
+title: Unblock file API
+description: Use this API to create calls related to allowing a file to be executed in the organization
+keywords: apis, graph api, supported apis, unblock file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+ms.date: 12/08/2017
+---
+
+# Unblock file API
+
+**Applies to:**
+
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+
+Allow a file to be executed in the organization, using Windows Defender Antivirus.
+
+## Permissions
+Users need to have Security administrator or Global admin directory roles.
+
+## HTTP request
+```
+POST /testwdatppreview/files/{sha1}/unblock
+```
+
+## Request headers
+
+Header | Value
+:---|:---
+Authorization | Bearer {token}. **Required**.
+Content-Type | application/json
+
+## Request body
+In the request body, supply a JSON object with the following parameters:
+
+Parameter | Type | Description
+:---|:---|:---
+Comment | String | Comment to associate with the action. **Required**.
+
+
+## Response
+If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
+
+
+## Example
+
+**Request**
+
+Here is an example of the request.
+
+```
+POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock
+Content-type: application/json
+{
+ "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm",
+}
+```
+
+**Response**
+
+Here is an example of the response.
+
+
+```
+HTTP/1.1 201 Created
+Content-type: application/json
+{
+ "fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
+ "fileIdentifierType": "Sha1",
+ "actionType": "UnBlock",
+ "fileStatus": "Blocked",
+ "creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
+ "requestor": "Analyst@contoso.com ",
+ "requestorComment": "test",
+ "cancellationDateTimeUtc": null,
+ "cancellationRequestor": null,
+ "cancellationComment": null,
+ "lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
+}
+
+```
From d911f45f7ba2f583e56bf2f9b98aedd6edd26603 Mon Sep 17 00:00:00 2001
From: Zvi Avidor Date: Sun, 19 Aug 2018 13:26:06 +0300 Subject: [PATCH 10/14] David comments --- ...defender-advanced-threat-protection-new.md | 16 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 9 +- ...defender-advanced-threat-protection-new.md | 189 ------------------ ...defender-advanced-threat-protection-new.md | 2 +- ...defender-advanced-threat-protection-new.md | 4 +- ...defender-advanced-threat-protection-new.md | 11 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 11 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 10 +- ...defender-advanced-threat-protection-new.md | 11 +- ...defender-advanced-threat-protection-new.md | 13 +- ...defender-advanced-threat-protection-new.md | 18 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 10 +- ...ows-defender-advanced-threat-protection.md | 3 +- ...defender-advanced-threat-protection-new.md | 13 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 13 +- ...defender-advanced-threat-protection-new.md | 15 +- ...defender-advanced-threat-protection-new.md | 18 +- ...defender-advanced-threat-protection-new.md | 13 +- ...defender-advanced-threat-protection-new.md | 12 +- ...defender-advanced-threat-protection-new.md | 29 ++- ...defender-advanced-threat-protection-new.md | 11 +- ...defender-advanced-threat-protection-new.md | 11 +- .../improverequestperformance-new.md | 8 + 
...defender-advanced-threat-protection-new.md | 6 +- ...defender-advanced-threat-protection-new.md | 8 +- ...defender-advanced-threat-protection-new.md | 14 +- ...defender-advanced-threat-protection-new.md | 6 +- ...defender-advanced-threat-protection-new.md | 12 +- ...defender-advanced-threat-protection-new.md | 17 +- ...defender-advanced-threat-protection-new.md | 14 +- ...defender-advanced-threat-protection-new.md | 16 +- ...defender-advanced-threat-protection-new.md | 14 +- ...defender-advanced-threat-protection-new.md | 14 +- 45 files changed, 164 insertions(+), 503 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md create mode 100644 windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md index 25f518344c..2e9a1b2edf 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md 
@@ -22,20 +22,20 @@ Represents an alert entity in WDATP.
 # Methods
 Method|Return Type |Description
 :---|:---|:---
-[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) object.
-[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection | List [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection.
-[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md)
+[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object.
+[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection.
+[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md)
 [List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection|List Urls associated with the alert.
-[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md).
+[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
 [List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated witht the alert.
-[Get related Machine](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) entity | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md).
-[Get related user](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md).
+[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
+[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md).
 # Properties
 Property | Type | Description
 :---|:---|:---
-id | string | alert id.
+id | String | alert id.
 severity | String | severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
 status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
 description | String | Description of the threat, identified by the alert.
@@ -51,7 +51,7 @@ determination | String | Specifies the determination of the alert. The property
 resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
 lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
 firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
-machineId | string | id of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
+machineId | String | id of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
 # JSON representation
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
index 7f8808cd66..3fb8f55a22 100644
--- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md
@@ -41,7 +41,7 @@ POST /api/machines/{id}/collectInvestigationPackage
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 Content-Type | string | application/json. **Required**.
 ## Request body
@@ -61,11 +61,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
index dc6e3ab67a..ea866b92f6 100644
--- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
@@ -59,8 +59,7 @@ category| String | Category of the alert. The property values are: 'None', 'Susp
 ## Response
-If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body.
-If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
+If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
 ## Example
@@ -69,11 +68,7 @@ If event with the specified properties (_reportId_, _eventTime_ and _machineId_)
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 POST https://api.securitycenter.windows.com/api/CreateAlertByReference
diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md
deleted file mode 100644
index b64bf198ef..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md
+++ /dev/null
@@ -1,189 +0,0 @@ ---- -title: Use Windows Defender Advanced Threat Protection APIs -description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. -keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -ms.date: 30/07/2018 ---- - -# Use Windows Defender ATP APIs - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). - -In general, you’ll need to take the following steps to use the APIs: -- Create an app -- Get an access token -- Use the token to access Windows Defender ATP API - -This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission. - -## Create an app - -1. Log on to [Azure](https://portal.azure.com). - -2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. - - ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) - -3. 
In the Create window, enter the following information then click **Create**. - - ![Image of Create application window](images/webapp-create.png) - - - **Name:** WdatpEcosystemPartner - - **Application type:** Web app / API - - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.) - - -4. Click **Settings** > **Required permissions** > **Add**. - - ![Image of new app in Azure](images/webapp-add-permission.png) - -5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. - - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. - - ![Image of API access and API selection](images/webapp-add-permission-2.png) - -6. Click **Select permissions** > **Run advanced queries** > **Select**. - - **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example! - - ![Image of select permissions](images/webapp-select-permission.png) - - - In order to send telemetry events to WDATP, check 'Write timeline events' permission - - In order to send TI events to WDATP, check 'Read and write IOCs belonging to the app' permission - - In order to run advanced queries in WDATP, check 'Run advanced queries' permission - -8. User with "Global Admin" permissions, need to click **Grant Permissions** in the **Required Permissions** tab. - -8. Click **Done** - - ![Image of add permissions completion](images/webapp-add-permission-end.png) - -9. Click **Keys** and type a key name and click **Save**. - - **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave! - - ![Image of create app key](images/webapp-create-key.png) - -10. Write down your application ID. - - ![Image of app ID](images/webapp-get-appid.png) - -11. 
Set your application to be multi-tenanted - - This is **required** for 3rd party apps (i.e., if you create an application that is intended to run in multiple customers tenant). - - This is **not required** if you create a service that you want to run in your tenant only (i.e., if you create an application for your own usage that will only interact with your own data)​ - - Click **Properties** > **Yes** > **Save**. - - ![Image of multi tenant](images/webapp-edit-multitenant.png) - - -## Application consent - -You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer. - -You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. - -Consent link is of the form: - -``` -https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​ -``` - -where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID - - -## Get an access token - -For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) - -### Using C# - ->The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 - -- Create a new Console Application -- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) -- Add the below using - - ``` - using Microsoft.IdentityModel.Clients.ActiveDirectory; - ``` - -- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```) - - ``` - string tenantId = "00000000-0000-0000-0000-000000000000"; // 
Paste your own tenant ID here - string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here - string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here - - const string authority = "https://login.windows.net"; - const string wdatpResourceId = "https://api.securitycenter.windows.com/windowsatpservice"; - - AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); - ClientCredential clientCredential = new ClientCredential(appId, appSecret); - AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult(); - string token = authenticationResult.AccessToken; - ``` - -### Using PowerShell - -Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token) - -### Using Python - -Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) - -### Using Curl - -> [!NOTE] -> The below procedure supposed Curl for Windows is already installed on your computer - -- Open a command window -- ​Set CLIENT_ID to your Azure application ID -- Set CLIENT_SECRET to your Azure application secret -- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application -- Run the below command: - -``` -curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice​/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID​%/oauth2/v2.0/token" -k​ -``` - -You will get an answer of the form: - -``` -{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"} -``` - -## Validate the token - -- Copy/paste into [JWT](https://jwt.ms/) the token you get in the previous step -- Validate you get a 'roles' claim with 
the desired permission as you've chosen when adding permissions to the applications: - -![Image of token validation](images/webapp-validate-token.png) - -> [!NOTE] -> The same token can be used for 1 hour and then it expired - -## Related topics -- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md index 8961b49e34..076ab10d21 100644 --- a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md 
@@ -23,7 +23,7 @@ Represent a file entity in WDATP.
 Method|Return Type |Description
 :---|:---|:---
 [Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file
-[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file.
+[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file.
 [List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert.
 [file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file.
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
index eb6d684c80..8e140990af 100644
--- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md
@@ -22,7 +22,7 @@ ms.date: 07/25/2018
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Find a machine entity around a specific timestamp by internal IP.
+Find a machine by internal IP.
 >[!NOTE]
 >The timestamp must be within the last 30 days.
@@ -44,7 +44,7 @@ GET /api/machines/find(timestamp={time},key={IP})
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
index 46cb0db71b..1ca4e9a7e3 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
@@ -41,15 +41,14 @@ GET /api/alerts/{id}
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful, this method returns 200 OK, and an [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body.
-If alert with the specified id was not found - 404 Not Found.
+If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
 ## Example
@@ -58,11 +57,7 @@ If alert with the specified id was not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
index bfdfc9935b..f514a5809c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
@@ -40,7 +40,7 @@ GET /api/alerts/{id}/domains
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -57,11 +57,7 @@ If alert not found or domain not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
index 90083b44b6..26b2ce24f5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
@@ -40,7 +40,7 @@ GET /api/alerts/{id}/files
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -57,11 +57,7 @@ If alert not found or files not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
index 1ed55af361..cc1b764c25 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
@@ -41,15 +41,14 @@ GET /api/alerts/{id}/ips
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful and alert and an IP exist - 200 OK.
-If alert not found or IPs not found - 404 Not Found.
+If successful and alert and an IP exist - 200 OK. If alert not found or IPs not found - 404 Not Found.
 ## Example
@@ -58,11 +57,7 @@ If alert not found or IPs not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
index 46b6be0dc4..480e3a73ec 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -42,7 +42,7 @@ GET /api/alerts/{id}/machine
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -58,11 +58,7 @@ If alert not found or machine not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
index 6ac1ca8121..6a63063984 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
@@ -41,7 +41,7 @@ GET /api/alerts/{id}/user
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -58,11 +58,7 @@ If alert not found or user not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
@@ -78,7 +74,7 @@ Here is an example of the response.
 HTTP/1.1 200 OK
 Content-type: application/json
 {
- "@odata.context": "https://wdatpapi-eus-stg.cloudapp.net/api/$metadata#Users/$entity",
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
 "id": "contoso\\user1",
 "firstSeen": "2018-08-02T00:00:00Z",
 "lastSeen": "2018-08-04T00:00:00Z",
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index d412cbe067..2bca208feb 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -46,15 +46,14 @@ Method supports $skip and $top query parameters.
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body.
-If no recent alerts found - 404 Not Found.
+If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. If no recent alerts found - 404 Not Found.
 ## Example
@@ -63,11 +62,7 @@ If no recent alerts found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/alerts
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
index a64b80a325..6a1c66a8f4 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -41,16 +41,15 @@ GET /api/domains/{domain}/alerts
 ## Request headers
 Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects.
-If domain or alert does not exist - 404 Not Found.
+If successful and domain and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain or alert does not exist - 404 Not Found.
 ## Example
@@ -59,11 +58,7 @@ If domain or alert does not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
index c757b85e20..9bd21b69fa 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -30,7 +30,8 @@ One of the following permissions is required to call this API. To learn more, in
 Permission type | Permission | Permission display name
 :---|:---|:---
-Application | URL.Read.All | 'Read URLs'
+Application | Machine.Read.All | 'Read all machine profiles'
+Application | Machine.ReadWrite.All | 'Read and write all machine information'
 ## HTTP request
 ```
@@ -39,17 +40,16 @@ GET /api/domains/{domain}/machines
 ## Request headers
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
+Name | Type | Description
+:---|:---|:---
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) objects.
-If domain or machines do not exist - 404 Not Found.
+If successful and domain and machine exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain or machines do not exist - 404 Not Found.
 ## Example
@@ -58,11 +58,7 @@ If domain or machines do not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
index cac75199c0..92e88b5f76 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -48,7 +48,7 @@ Authorization | Bearer {token}. **Required**.
 Empty
 ## Response
-If successful and domain exists - 200 OK, with statistics object in the respnose body.
+If successful and domain exists - 200 OK, with statistics object in the response body.
 If domain does not exist - 404 Not Found.
@@ -58,11 +58,7 @@ If domain does not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/domains/example.com/stats
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
index 0b128088bf..fa5304bd4b 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -42,7 +42,7 @@ GET /api/files/{id}
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -59,11 +59,7 @@ If file does not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
index 79d9ce83fb..6fe4d8bd01 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -42,7 +42,7 @@ GET /api/files/{id}/alerts
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -59,11 +59,7 @@ If file or alerts do not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
index 7f56ef7bb9..bc829eca2b 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -42,7 +42,7 @@ GET /api/files/{id}/machines
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -59,11 +59,7 @@ If file or machines do not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
index 455b5c051b..6cdada986e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -41,7 +41,7 @@ GET /api/files/{id}/stats
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -58,11 +58,7 @@ If file do not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
index a1b072c358..6d8a3c4b91 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -42,7 +42,7 @@ GET /api/ips/{ip}/alerts
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -59,11 +59,7 @@ If IP and alerts do not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
index fad2a57955..559d950e2c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -20,7 +20,7 @@ ms.date: 12/08/2017
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a collection of alerts related to a given IP address.
+Retrieves a collection of machines that communicated with or from a particular IP.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
@@ -39,7 +39,7 @@ GET /api/ips/{ip}/machines
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -56,11 +56,7 @@ If IP or machines do not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
index 1796c563b1..9e0adbf0ee 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md
@@ -36,8 +36,7 @@ Content type | application/json
 Empty
 ## Response
-If successful and IP and machines exists - 200 OK.
-If IP or machines do not exist - 404 Not Found.
+If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found.
 ## Example
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
index 4744b4c554..6133e368b8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
@@ -39,15 +39,14 @@ GET /api/ips/{ip}/stats
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful and file exists - 200 OK with statistical data in the body.
-If file do not exist - 404 Not Found.
+If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
 ## Example
@@ -56,11 +55,7 @@ If file do not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
@@ -76,7 +71,7 @@ HTTP/1.1 200 OK
 Content-type: application/json
 {
 "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
- "ipAddress": "192.168.1.1",
+ "ipAddress": "10.209.67.177",
 "orgPrevalence": "63515",
 "orgFirstSeen": "2017-07-30T13:36:06Z",
 "orgLastSeen": "2017-08-29T13:32:59Z"
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
index ed74621b98..c69c8c7fb7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -40,7 +40,7 @@ GET /api/machines/{id}
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -57,11 +57,7 @@ If machine with the specified id was not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
index db2f410ad7..28fae29459 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -40,7 +40,7 @@ GET /api/machines/{id}/logonusers
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -57,11 +57,7 @@ If no machine found or no users found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
index 29a18a285d..c04950f37e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -40,15 +40,14 @@ GET /api/machines/{id}/alerts
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body.
-If no machine or no alerts found - 404 Not Found.
+If successful and machine and alert exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If no machine or no alerts found - 404 Not Found.
 ## Example
@@ -57,15 +56,11 @@ If no machine or no alerts found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
-GET https://api.securitycenter.windows.com/api/machines/{id}/alerts
+GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
 ```
 **Response**
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
index 32946e2f35..48d22ae303 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -13,7 +13,7 @@ ms.localizationpriority: medium
 ms.date: 12/08/2017
 ---
-# Get MachineAction object API
+# Get machineAction API
 [!include[Prereleaseinformation](prerelease.md)]
@@ -21,7 +21,7 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Get actions done on a machine.
+Get action performed on a machine.
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
@@ -40,15 +40,14 @@ GET /api/machineactions/{id}
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) object.
-If machine action with the specified id was not found - 404 Not Found.
+If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found.
 ## Example
@@ -56,11 +55,7 @@ If machine action with the specified id was not found - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
index 442cc66b64..c3b6f32ab8 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -21,7 +21,7 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
+ Gets collection of actions done on machines. Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/odata-version-2-0/uri-conventions/#FilterSystemQueryOption).
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
@@ -40,14 +40,14 @@ GET /api/machineactions
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful, this method returns 200, Ok response code with a collection of [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) objects since the Retention policy time of the organization.
+If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities.
 ## Example 1
@@ -56,11 +56,7 @@ If successful, this method returns 200, Ok response code with a collection of [M
 Here is an example of the request on an organization that has three MachineActions.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/machineactions
@@ -128,11 +124,7 @@ GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId
 Here is an example of the response.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 HTTP/1.1 200 Ok
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
index 8fe48d7d82..581b175fe0 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
@@ -21,7 +21,7 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Retrieves a collection of recently seen machines.
+Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
 ## Permissions
@@ -39,15 +39,14 @@ GET /api/machines
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body.
-If no recent machines - 404 Not Found.
+If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found.
 ## Example
@@ -56,11 +55,7 @@ If no recent machines - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
 GET https://api.securitycenter.windows.com/api/machines
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
index 95c7d5f771..ce05cde3e4 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -21,7 +21,7 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Get a URI that allows downloading of an investigation package.
+Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new).
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
@@ -32,14 +32,14 @@ Application | Machine.CollectForensics | 'Collect forensics'
 ## HTTP request
 ```
-GET /api/machineactions/{id}/getPackageUri
+GET /api/machineactions/{machine action id}/getPackageUri
 ```
 ## Request headers
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
@@ -64,11 +64,7 @@ GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbc
 Here is an example of the response.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
index cabf478649..4766668f1f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -39,15 +39,14 @@ GET /api/users/{id}/
 Name | Type | Description
 :---|:---|:---
-Authorization | string | Bearer {token}. **Required**.
+Authorization | String | Bearer {token}. **Required**.
 ## Request body
 Empty
 ## Response
-If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body.
-If user does not exist - 404 Not Found.
+If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found.
 ## Example
@@ -56,14 +55,10 @@ If user does not exist - 404 Not Found.
 Here is an example of the request.
->[!NOTE]
->For better performance, you can use server closer to your geo location:
-> - api-us.securitycenter.windows.com
-> - api-eu.securitycenter.windows.com
-> - api-uk.securitycenter.windows.com
+[!include[Improve request performance](improverequestperformance-new.md)]
 ```
-GET https://api.securitycenter.windows.com/api/users/{id}
+GET https://api.securitycenter.windows.com/api/users/user1@contoso.com
 Content-type: application/json
 ```
@@ -76,11 +71,15 @@ Here is an example of the response. HTTP/1.1 200 OK Content-type: application/json { - "@odata.context": "https://api.securitycenter.windows.com/testwdatppreview/$metadata#Users/$entity", - "id": "", - "accountSid": null, - "accountName": "", - "accountDomainName": "", -… + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", + "id": "user1@contoso.com", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-04T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md index 9d2755148a..b13bd6028c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -40,15 +40,14 @@ GET /api/users/{id}/alerts Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. ## Request body Empty ## Response -If successful and user and alert exists - 200 OK. -If user does not exist - 404 Not Found. +If successful and user and alert exists - 200 OK. If user or alerts does not exist - 404 Not Found. ## Example 
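Review bot: The merged response line for get-user-related-alerts, `If successful and user and alert exists - 200 OK. If user or alerts does not exist - 404 Not Found.`, still does not say what the 200 body contains, whereas the parallel get-user-related-machines page in the next hunk states "200 OK with list of [machine](...) entities in the body". Since this commit is already rewriting the line, consider `If successful and user and alerts exist - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If user or alerts do not exist - 404 Not Found.`, which also fixes the subject-verb agreement.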
@@ -57,11 +56,7 @@ If user does not exist - 404 Not Found. Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` GET https://api.securitycenter.windows.com/api/users/user1@contoso.com/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md index 6c7f9ad663..15d20fd626 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md @@ -40,15 +40,14 @@ GET /api/users/{id}/machines Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. ## Request body Empty ## Response -If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. -If user or machines does not exist - 404 Not Found. +If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user or machines does not exist - 404 Not Found. ## Example 
@@ -57,11 +56,7 @@ If user or machines does not exist - 404 Not Found. Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` GET https://api.securitycenter.windows.com/api/users/user1@contoso.com/machines diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md new file mode 100644 index 0000000000..b9e64dc7e6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md @@ -0,0 +1,8 @@ +--- +ms.date: 08/28/2017 +--- +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md index 1c1e122d2c..42327cbefd 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md 
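Review bot: The new shared fragment improverequestperformance-new.md is now the single source for the regional-server note on every API page, so its wording should be cleaned up once here rather than carried forward: `>For better performance, you can use a server closer to your geographic location:`. The file is also added without a trailing newline, and it carries a YAML front-matter block (`ms.date: 08/28/2017`) inside a fragment that is only ever included; I would confirm that the docs build strips front matter from includes, otherwise the metadata may leak into the rendered pages.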
@@ -54,11 +54,7 @@ If successful and domain exists - 200 OK. If domain does not exist - 404 Not Fou Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` GET https://api.securitycenter.windows.com/api/domains/example.com diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md index 7459ba5ffd..97d668298e 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md @@ -39,7 +39,7 @@ GET /api/ips/{ip} Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. ## Request body @@ -63,11 +63,7 @@ GET https://api.securitycenter.windows.com/api/ips/10.209.67.177 Here is an example of the response. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index cb23139a00..684e292d69 100644 
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -39,7 +39,7 @@ POST /api/machines/{id}/isolate Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. Content-Type | string | application/json. **Required**. ## Request body @@ -65,14 +65,10 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate Content-type: application/json { "Comment": "Isolate machine due to alert 1234", @@ -95,9 +91,11 @@ Content-type: application/json "requestorComment": "Isolate machine due to alert 1234", "status": "InProgress", "error": "None", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z", "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z" } ``` + +To unisolate a machine, see [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md). 
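Review bot: The first hunk capitalizes the type cell to `Authorization | String | Bearer {token}. **Required**.` but leaves the very next row as `Content-Type | string | application/json. **Required**.`, so the header table now mixes both spellings. The same half-applied change occurs in the offboard-machine, restrict-code-execution, run-av-scan, unisolate-machine and unrestrict-code-execution hunks further down; either change the Content-Type row on each of those pages to `Content-Type | String | application/json. **Required**.` or leave both rows lowercase.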
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md index 3144f9c7d1..093e47ba79 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md 
@@ -33,13 +33,13 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win osPlatform | String | OS platform. osVersion | String | OS Version. lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). -lastExternalIpAddress | Ip | Last Ip through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. +lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. agentVersion | String | Version of WDATP agent. groupName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) group name (when defined). osBuild | Int | OS build number. healthStatus | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined. machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. -rbacGroupId | Int | Group Id. +rbacGroupId | Int | Group ID. riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -aadDeviceId | String | AAD Device Id (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). \ No newline at end of file +aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index de81a4a47f..af1d892f23 100644 
--- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md @@ -39,7 +39,7 @@ POST /api/machines/{id}/offboard Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. Content-Type | string | application/json. **Required**. ## Request body @@ -59,14 +59,10 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/offboard +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard Content-type: application/json { "Comment": "Offboard machine by automation" @@ -88,7 +84,7 @@ Content-type: application/json "requestorComment": "offboard machine by automation", "status": "InProgress", "error": "None", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "creationDateTimeUtc": "2017-12-04T12:09:24.1785079Z", "lastUpdateTimeUtc": "2017-12-04T12:09:24.1785079Z" } diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index a2ee20bb6c..f11a938c5f 100644 
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -21,7 +21,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Restrict execution of all applications on the machine except a predefined set. +Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) @@ -39,7 +39,7 @@ POST /api/machines/{id}/restrictCodeExecution Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. Content-Type | string | application/json. **Required**. ## Request body @@ -60,7 +60,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution Content-type: application/json { "Comment": "Restrict code execution due to alert 1234" 
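Review bot: The new summary sentence in the first hunk links to `respond-machine-alerts-windows-defender-advanced-threat-protection.md` under the text "Response machine alerts", which does not match the target page's name, and the sentence has no terminating period. Suggested wording, to be checked against the target page's actual title: `Restrict execution of all applications on the machine except a predefined set (see [Respond to machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information).`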
@@ -71,11 +71,7 @@ Content-type: application/json Here is an example of the response. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` HTTP/1.1 201 Created @@ -88,9 +84,12 @@ Content-type: application/json "requestorComment": "Restrict code execution due to alert 1234", "status": "InProgress", "error": "None", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "creationDateTimeUtc": "2017-12-04T12:15:04.3825985Z", "lastUpdateTimeUtc": "2017-12-04T12:15:04.3825985Z" } ``` + +To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md). + diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 2c50e1f063..63ea7a6b03 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -21,7 +21,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Initiate Windows Defender Antivirus scan on the machine. +Initiate Windows Defender Antivirus scan on a machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) 
@@ -39,7 +39,7 @@ POST /api/machines/{id}/runAntiVirusScan Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. Content-Type | string | application/json ## Request body @@ -68,7 +68,7 @@ If successful, this method returns 201, Created response code and _MachineAction Here is an example of the request. ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan Content-type: application/json { "Comment": "Check machine for viruses due to alert 3212", @@ -80,11 +80,7 @@ Content-type: application/json Here is an example of the response. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` HTTP/1.1 201 Created @@ -97,7 +93,7 @@ Content-type: application/json "requestorComment": "Check machine for viruses due to alert 3212", "status": "InProgress", "error": "None", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z", "lastUpdateTimeUtc": "2017-12-04T12:18:27.1293487Z" } diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 9a9609fdba..fffe759586 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md 
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md @@ -39,7 +39,7 @@ POST /api/machines/{id}/unisolate Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. Content-Type | string | application/json. **Required**. @@ -60,14 +60,10 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate Content-type: application/json { "Comment": "Unisolate machine since it was clean and validated" @@ -92,10 +88,12 @@ Content-type: application/json "requestorComment": "Unisolate machine since it was clean and validated ", "status": "InProgress", "error": "None", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "creationDateTimeUtc": "2017-12-04T12:13:15.0104931Z", "lastUpdateTimeUtc": "2017-12-04T12:13:15.0104931Z" } - ``` + +To isolate a machine, see [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). + diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index e08b5d033f..942629d81d 100644 
--- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -38,7 +38,7 @@ POST /api/machines/{id}/unrestrictCodeExecution ## Request headers Name | Type | Description :---|:---|:--- -Authorization | string | Bearer {token}. **Required**. +Authorization | String | Bearer {token}. **Required**. Content-Type | string | application/json. **Required**. ## Request body @@ -58,14 +58,10 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution Content-type: application/json { "Comment": "Unrestrict code execution since machine was cleaned and validated" @@ -88,9 +84,11 @@ Content-type: application/json "requestorComment": "Unrestrict code execution since machine was cleaned and validated ", "status": "InProgress", "error": "None", - "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z", "lastUpdateTimeUtc": "2017-12-04T12:15:40.6052029Z" } ``` + +To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md). \ No newline at end of file 
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index e9d317c65e..6d777a5382 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -21,7 +21,7 @@ ms.date: 12/08/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Update the properties of an alert object. +Update the properties of an alert entity. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) @@ -55,8 +55,7 @@ determination | String | Specifies the determination of the alert. The property ## Response -If successful, this method returns 200 OK, and an [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body with the updated properties. -If alert with the specified id was not found - 404 Not Found. +If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found. ## Example 
@@ -65,16 +64,11 @@ If alert with the specified id was not found - 404 Not Found. Here is an example of the request. ->[!NOTE] ->For better performance, you can use server closer to your geo location: -> - api-us.securitycenter.windows.com -> - api-eu.securitycenter.windows.com -> - api-uk.securitycenter.windows.com +[!include[Improve request performance](improverequestperformance-new.md)] ``` PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442 Content-Type: application/json - { "assignedTo": "Our designated secop" } @@ -87,7 +81,7 @@ Here is an example of the response. ``` { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity", - "id": "636692338844234222_1806644926", + "id": "636688558380765161_2136280442", "severity": "Medium", "status": "InProgress", "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.", From 7c71ad856c7483e1df78bf63ee02808915134f12 Mon Sep 17 00:00:00 2001 
From: Zvi Avidor Date: Sun, 19 Aug 2018 15:04:10 +0300 Subject: [PATCH 11/14] fix link to create an app --- ...n-package-windows-defender-advanced-threat-protection-new.md | 2 +- ...reference-windows-defender-advanced-threat-protection-new.md | 2 +- ...nfo-by-ip-windows-defender-advanced-threat-protection-new.md | 2 +- ...nfo-by-id-windows-defender-advanced-threat-protection-new.md | 2 +- ...main-info-windows-defender-advanced-threat-protection-new.md | 2 +- ...iles-info-windows-defender-advanced-threat-protection-new.md | 2 +- ...d-ip-info-windows-defender-advanced-threat-protection-new.md | 2 +- ...hine-info-windows-defender-advanced-threat-protection-new.md | 2 +- ...user-info-windows-defender-advanced-threat-protection-new.md | 2 +- ...et-alerts-windows-defender-advanced-threat-protection-new.md | 2 +- ...ed-alerts-windows-defender-advanced-threat-protection-new.md | 2 +- ...-machines-windows-defender-advanced-threat-protection-new.md | 2 +- ...tatistics-windows-defender-advanced-threat-protection-new.md | 2 +- ...formation-windows-defender-advanced-threat-protection-new.md | 2 +- ...ed-alerts-windows-defender-advanced-threat-protection-new.md | 2 +- ...-machines-windows-defender-advanced-threat-protection-new.md | 2 +- ...tatistics-windows-defender-advanced-threat-protection-new.md | 2 +- ...ed-alerts-windows-defender-advanced-threat-protection-new.md | 2 +- ...-machines-windows-defender-advanced-threat-protection-new.md | 2 +- ...tatistics-windows-defender-advanced-threat-protection-new.md | 2 +- ...ine-by-id-windows-defender-advanced-threat-protection-new.md | 2 +- ...-on-users-windows-defender-advanced-threat-protection-new.md | 2 +- ...ed-alerts-windows-defender-advanced-threat-protection-new.md | 2 +- ...on-object-windows-defender-advanced-threat-protection-new.md | 2 +- ...ollection-windows-defender-advanced-threat-protection-new.md | 2 +- ...e-sas-uri-windows-defender-advanced-threat-protection-new.md | 2 +- 
...formation-windows-defender-advanced-threat-protection-new.md | 2 +- ...ed-alerts-windows-defender-advanced-threat-protection-new.md | 2 +- ...-machines-windows-defender-advanced-threat-protection-new.md | 2 +- ...en-in-org-windows-defender-advanced-threat-protection-new.md | 2 +- ...-seen-org-windows-defender-advanced-threat-protection-new.md | 2 +- ...e-machine-windows-defender-advanced-threat-protection-new.md | 2 +- ...chine-api-windows-defender-advanced-threat-protection-new.md | 2 +- ...execution-windows-defender-advanced-threat-protection-new.md | 2 +- ...n-av-scan-windows-defender-advanced-threat-protection-new.md | 2 +- ...e-machine-windows-defender-advanced-threat-protection-new.md | 2 +- ...execution-windows-defender-advanced-threat-protection-new.md | 2 +- ...ate-alert-windows-defender-advanced-threat-protection-new.md | 2 +- 38 files changed, 38 insertions(+), 38 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index 3fb8f55a22..3fc76468dd 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md 
@@ -26,7 +26,7 @@ ms.date: 12/08/2017 Collect investigation package from a machine. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index ea866b92f6..05ecd44a39 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -25,7 +25,7 @@ ms.date: 12/08/2017 Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- 
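Review bot: The replacement link `[Use Windows Defender ATP APIs](exposed-apis-intro.md)` points at a file that this patch does not add, and it is not among the 38 files in the diffstat, so the 38 pages touched here (this hunk and every following hunk in PATCH 11/14) will all have a dead link unless exposed-apis-intro.md is created elsewhere in the series. The sentence also still promises "including how to choose permissions", which the old `#create-an-app` anchor delivered directly; if that content lives under a heading on the intro page, consider keeping a fragment such as `exposed-apis-intro.md#create-an-app` so readers land on the relevant section.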
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md index 8e140990af..443b86b728 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md @@ -28,7 +28,7 @@ Find a machine by internal IP. >The timestamp must be within the last 30 days. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md index 1ca4e9a7e3..ea5d18dcca 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md 
@@ -25,7 +25,7 @@ ms.date: 12/08/2017
 Retrieves an alert by its ID.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
index f514a5809c..1c6eeee2a3 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md
@@ -25,7 +25,7 @@ ms.date: 12/08/2017
 Retrieves all domains related to a specific alert.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
index 26b2ce24f5..114dd4ebf5 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md
@@ -25,7 +25,7 @@ ms.date: 12/08/2017
 Retrieves all files related to a specific alert.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
index cc1b764c25..027e4f2dfa 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves all IPs related to a specific alert.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
index 480e3a73ec..1b02c04a0e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves machine that is related to a specific alert.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
index 6a63063984..e31cb2df14 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves the user associated to a specific alert.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
index 2bca208feb..0bc8191610 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
@@ -27,7 +27,7 @@ Retrieves top recent alerts.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
index 6a1c66a8f4..5c96f8e93f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves a collection of alerts related to a given domain address.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
index 9bd21b69fa..5c00e541d9 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves a collection of machines that have communicated to or from a given domain address.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
index 92e88b5f76..3192b853ab 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves the prevalence for the given domain.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
index fa5304bd4b..1294734ef7 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md
@@ -27,7 +27,7 @@ ms.date: 12/08/2017
 Retrieves a file by identifier Sha1, Sha256, or MD5.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
index 6fe4d8bd01..a67c221e7d 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves a collection of alerts related to a given file hash.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
index bc829eca2b..6781f48a9a 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves a collection of machines related to a given file hash.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
index 6cdada986e..5123aa9f3e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves the prevalence for the given file.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
index 6d8a3c4b91..1cb5b54981 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -26,7 +26,7 @@ ms.date: 12/08/2017
 Retrieves a collection of alerts related to a given IP address.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
index 559d950e2c..b50d7dbc2e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -23,7 +23,7 @@ ms.date: 12/08/2017
 Retrieves a collection of machines that communicated with or from a particular IP.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
index 6133e368b8..597e70c583 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Retrieves the prevalence for the given IP.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
index c69c8c7fb7..0ec132066f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Retrieves a machine entity by ID.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
index 28fae29459..8c1da55b43 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Retrieves a collection of logged on users.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
index c04950f37e..3a0717469c 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Retrieves a collection of alerts related to a given machine ID.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
index 48d22ae303..5c15530e45 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Get action performed on a machine.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
index c3b6f32ab8..d5084a4d5e 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Gets collection of actions done on machines. Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/odata-version-2-0/uri-conventions/#FilterSystemQueryOption).
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
index ce05cde3e4..e8b45a5419 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new).
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
index 4766668f1f..b0c31a0088 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Retrieve a User entity by key (user name or domain\user).
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
index b13bd6028c..cc16ae3c5f 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Retrieves a collection of alerts related to a given user ID.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
index 15d20fd626..37be0e6280 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Retrieves a collection of machines related to a given user ID.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
index 42327cbefd..9fc66f2cd0 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 04/24/2018
 Answers whether a domain was seen in the organization.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
index 97d668298e..0b0e8a826b 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Answers whether an IP was seen in the organization.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
index 684e292d69..97470afecb 100644
--- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Isolates a machine from accessing external network.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
index af1d892f23..7ef5465b2c 100644
--- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Offboard machine from WDATP.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
index f11a938c5f..863ca96953 100644
--- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information)
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
index 63ea7a6b03..e76b3d51be 100644
--- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Initiate Windows Defender Antivirus scan on a machine.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
index fffe759586..1f759231a2 100644
--- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Undo isolation of a machine.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
index 942629d81d..4fef4dd344 100644
--- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Enable execution of any application on the machine.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
index 6d777a5382..6900e0585a 100644
--- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
@@ -24,7 +24,7 @@ ms.date: 12/08/2017
 Update the properties of an alert entity.
 ## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Create your app](exposed-apis-windows-defender-advanced-threat-protection-new.md#create-an-app)
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
 Permission type | Permission | Permission display name
 :---|:---|:---
From 64f5a66c5cf44b179868f17d0a87d2c42c43a298 Mon Sep 17 00:00:00 2001
From: Zvi Avidor
Date: Sun, 19 Aug 2018 15:37:01 +0300
Subject: [PATCH 12/14] remove redundant file
---
 ...defender-advanced-threat-protection-new.md | 2 +-
 ...defender-advanced-threat-protection-new.md | 44 -------------------
 2 files changed, 1 insertion(+), 45 deletions(-)
 delete mode 100644 windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
index e8b45a5419..121dc80314 100644
--- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md
@@ -21,7 +21,7 @@ ms.date: 12/08/2017
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new).
+Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md).
 ## Permissions
 One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
deleted file mode 100644
index ac8271ccc0..0000000000
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection-new.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Supported Windows Defender Advanced Threat Protection query APIs
-description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to.
-keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-ms.date: 30/07/2018
----
-# Supported Windows Defender ATP query APIs
-[!include[Prereleaseinformation](prerelease.md)]
-**Applies to:**
-- Windows 10 Enterprise
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows Defender Advanced Threat Protection (Windows Defender ATP)
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink)
-Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
-## In this section
-Topic | Description
-:---|:---
-Advanced Hunting | Run queries from API.
-Alerts | Run API calls such as get alerts, create alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information.
-Domain |Run API calls such as get domain related machines, statistics, and check if a domain is seen in your organization.
-File | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
-IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
-Machines | Run API calls such as get machines, get machines by ID, perform actions on machines (s.a. 
"Collect investigation package") information about logged on users, and alerts related to a given machine ID.
-User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
-## Related topic
-- [Use Windows Defender ATP APIs](exposed-apis-windows-defender-advanced-threat-protection-new.md)
From 0bbc860820588faa842194b2148b33168f310799 Mon Sep 17 00:00:00 2001
From: Zvi Avidor
Date: Sun, 19 Aug 2018 15:55:13 +0300
Subject: [PATCH 13/14] add author to YAMR
---
 .../windows-defender-atp/improverequestperformance-new.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
index b9e64dc7e6..169b2ffb46 100644
--- a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
+++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md
@@ -1,5 +1,6 @@
 ---
 ms.date: 08/28/2017
+author: zavidor
 ---
 >[!NOTE]
 >For better performance, you can use server closer to your geo location:
From c937b2eba66341b6b37795daca77902e47a39842 Mon Sep 17 00:00:00 2001
From: Joey Caparas
Date: Mon, 20 Aug 2018 22:33:18 +0000
Subject: [PATCH 14/14] Updated .openpublishing.publish.config.json
---
 .openpublishing.publish.config.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index f9d982e542..38266abdb5 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -508,6 +508,10 @@
 "master": [
 "Publish",
 "Pdf"
+ ],
+ "atp-api-danm": [
+ "Publish",
+ "Pdf"
 ]
 },
 "need_generate_pdf_url_template": true,