From 8f4cbb6ff3a512452eeb3f4d215470d74dc8e81b Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 5 Nov 2019 16:35:16 +0200 Subject: [PATCH 01/13] 1 --- .../microsoft-defender-atp/alerts.md | 119 +++++++++++++----- .../exposed-apis-list.md | 27 ++-- .../run-advanced-query-api.md | 28 +---- 3 files changed, 103 insertions(+), 71 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 2c44e8cfe9..994b80eda3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -17,13 +17,15 @@ ms.topic: article --- # Alert resource type -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Represents an alert entity in Microsoft Defender ATP. # Methods -Method|Return Type |Description +Method |Return Type |Description :---|:---|:--- [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. @@ -39,45 +41,94 @@ Method|Return Type |Description Property | Type | Description :---|:---|:--- id | String | Alert ID. -incidentId | String | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. +title | String | Alert title. +description | String | Alert description. +alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created. +lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine. +firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine. +lastUpdateTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine. +resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. +incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. +investigationId | Nullable Long | The [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) ID related to the Alert. +investigationState | Nullable Enum | The current state of the [Investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. assignedTo | String | Owner of the alert. severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. -investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' . classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. -category| String | Category of the alert. Possible values are: 'Collection', 'Command and control', 'Credential access', 'Defense evasion', 'Discovery', 'Execution', 'Exfiltration', 'Exploit', 'Initial access', 'Lateral movement', 'Malware', 'Persistence', 'Privilege escalation', 'Ransomware', 'Suspicious activity', 'Unwanted software'. -detectionSource | string | Detection source. -threatFamilyName | string | Threat family. -title | string | Alert title. -description | String | Description of the threat, identified by the alert. -alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created. -lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine. -firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine. -resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. +category| String | Category of the alert. +detectionSource | String | Detection source. +threatFamilyName | String | Threat family. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. +comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. +alertFiles | List of Alert Files | **This list will be populated on $expand option, see example below** Alert File is an object that contains: sha1, sha256, filePath and fileName. +alertIPs | List of Alert IPs | **This list will be populated on $expand option, see example below** Alert IP is an object that contains: ipAddress string field. +alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below** Alert Domain is an object that contains: host string field. + + +# JSON representation: + +- When querying for alert list the regular way (without expand option, e.g. https://api.securitycenter.windows.com/api/alerts) the expandable properties will not get populated (empty lists) +- To expand expandable properties use $expand option (e.g. to expand all send https://api.securitycenter.windows.com/api/alerts?$expand=files,ips,domains). +- When querying single alert all expandable properties will be expanded. +- Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples. + +## Response example for getting single alert: + +``` +GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499 +``` -# JSON representation ``` { - "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "id": "121688558380765161_2136280442", - "incidentId": 7696, - "assignedTo": "secop@contoso.com", - "severity": "High", - "status": "New", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description" - "alertCreationTime": "2018-11-26T16:19:21.8409809Z", - "firstEventTime": "2018-11-26T16:17:50.0948658Z", - "lastEventTime": "2018-11-26T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + "id": "da637084217856368682_-292920499", + "incidentId": 66860, + "investigationId": 4416234, + "assignedTo": secop@contoso.com, + "severity": "Low", + "status": "New", + "classification": "TruePositive", + "determination": null, + "investigationState": "Running", + "detectionSource": "WindowsDefenderAtp", + "category": "CommandAndControl", + "threatFamilyName": null, + "title": "Network connection to a risky host", + "description": "A network connection was made to a risky host which has exhibited malicious activity.", + "alertCreationTime": "2019-11-03T23:49:45.3823185Z", + "firstEventTime": "2019-11-03T23:47:16.2288822Z", + "lastEventTime": "2019-11-03T23:47:51.2966758Z", + "lastUpdateTime": "2019-11-03T23:55:52.6Z", + "resolvedTime": null, + "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", + "alertUser": { + "accountName": "test1212", + "domainName": "neba-phjfkum2" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop@contoso.com", + "createdTime": "2019-11-05T14:08:37.8404534Z" + } + ], + "alertFiles": [ + { + "sha1": "77e862797dd525fd3e9c3058153247945d0d4cfd", + "sha256": "c05823562aee5e6d000b0e041197d5b8303f5aa4eecb49820879b705c926e16e", + "filePath": "C:\\Users\\test1212\\AppData\\Local\\Temp\\nsf61D3.tmp.exe", + "fileName": "nsf61D3.tmp.exe" + } + ], + "alertDomains": [ + { + "host": "login.bullguard.com" + } + ], + "alertIps": [ + { + "ipAddress": "91.231.212.53" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index 1c8dc327c6..c91de23386 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -1,5 +1,5 @@ --- -title: Supported Microsoft Defender Advanced Threat Protection query APIs +title: Supported Microsoft Defender Advanced Threat Protection APIs ms.reviewer: description: Learn about the specific supported Microsoft Defender Advanced Threat Protection entities where you can create API calls to. keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting @@ -17,14 +17,11 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Supported Microsoft Defender ATP query APIs +# Supported Microsoft Defender ATP APIs -**Applies to:** -- Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## End Point URI and Versioning @@ -42,7 +39,7 @@ ms.topic: article > > To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts > -> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. +> If you don't specify any version (e.g. https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. @@ -52,12 +49,14 @@ Learn more about the individual supported entities where you can run API calls t Topic | Description :---|:--- Advanced Hunting | Run queries from API. -Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information. -Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization. -File | Run API calls such as get file information, file related alerts, file related machines, and file statistics. -IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization. -Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. -User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. +Alerts | Run API calls such as get alerts, create alert, update alert and more. +Domains | Run API calls such as get domain related machines, domain statistics and more. +Files | Run API calls such as get file information, file related alerts, file related machines, and file statistics. +IPs | Run API calls such as get IP related alerts and get IP statistics. +Machines | Run API calls such as get machines, get machines by ID, information about logged on users, edit tags and more. +Machine Actions | Run API call such as Isolation, Run anti-virus scan and more. +Indicators | Run API call such as create Indicator, get Indicators and delete Indicators. +Users | Run API calls such as get user related alerts and user related machines. ## Related topic - [Microsoft Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 079a79034a..f85d3c65c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -19,15 +19,14 @@ ms.topic: article # Advanced hunting API -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -This API allows you to run programmatic queries that you are used to running from [Microsoft Defender ATP Portal](https://securitycenter.windows.com/hunting). +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Limitations 1. You can only run a query on data from the last 30 days -2. The results will include a maximum of 10,000 rows -3. The number of executions is limited (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day) +2. The results will include a maximum of 100,000 rows +3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. ## Permissions @@ -126,24 +125,7 @@ Content-Type: application/json​ } ``` -## Troubleshoot issues - -- Error: (403) Forbidden / (401) Unauthorized - - -~~~ -If you get this error when calling Microsoft Defender ATP API, your token might not include the necessary permission. - -Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token. - -If the 'roles' section in the token does not include the necessary permission: - -- The necessary permission to your app might not have been granted. For more information, see [Access Microsoft Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, -- The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent). -~~~ - - ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Microsoft Defender ATP APIs introduction](apis-intro.md) - [Advanced Hunting from Portal](advanced-hunting-query-language.md) - [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) From 218e0d6e1c831096a996516558376b608dd50444 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 5 Nov 2019 16:49:16 +0200 Subject: [PATCH 02/13] 2 --- .../microsoft-defender-atp/alerts.md | 6 +- .../microsoft-defender-atp/get-alerts.md | 73 ++++++++----------- 2 files changed, 33 insertions(+), 46 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 994b80eda3..dad2d2b35a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -79,7 +79,7 @@ alertDomains | List of Alert Domains | **This list will be populated on $expand GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499 ``` -``` +```json { "id": "da637084217856368682_-292920499", "incidentId": 66860, @@ -101,10 +101,6 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929 "lastUpdateTime": "2019-11-03T23:55:52.6Z", "resolvedTime": null, "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", - "alertUser": { - "accountName": "test1212", - "domainName": "neba-phjfkum2" - }, "comments": [ { "comment": "test comment for docs", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 3f94ebab37..e59f997999 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -18,16 +18,15 @@ ms.topic: article # List alerts API -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves a collection of Alerts. Supports [OData V4 queries](https://www.odata.org/documentation/). -The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". +The OData's Filter query is supported on: "alertCreationTime", "incidentId", "InvestigationId", "status", "severity" and "category". See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) @@ -52,7 +51,8 @@ GET /api/alerts ``` ## Optional query parameters -Method supports $skip and $top query parameters. +Method supports $top, $select, $filter, $expand and $skip query parameters. +$expand is available on Files, IPs and Domains. e.g. $expand=files,domains ## Request headers @@ -85,7 +85,7 @@ GET https://api.securitycenter.windows.com/api/alerts Here is an example of the response. >[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. +>The response list shown here may be truncated for brevity. All alerts will be returned from an actual call. ```json @@ -93,45 +93,36 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "121688558380765161_2136280442", - "incidentId": 7696, - "assignedTo": "secop@contoso.com", - "severity": "High", + "id": "da637084217856368682_-292920499", + "incidentId": 66860, + "investigationId": 4416234, + "assignedTo": secop@contoso.com, + "severity": "Low", "status": "New", "classification": "TruePositive", - "determination": "Malware", + "determination": null, "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-26T16:19:21.8409809Z", - "firstEventTime": "2018-11-26T16:17:50.0948658Z", - "lastEventTime": "2018-11-26T16:18:01.809871Z", + "detectionSource": "WindowsDefenderAtp", + "category": "CommandAndControl", + "threatFamilyName": null, + "title": "Network connection to a risky host", + "description": "A network connection was made to a risky host which has exhibited malicious activity.", + "alertCreationTime": "2019-11-03T23:49:45.3823185Z", + "firstEventTime": "2019-11-03T23:47:16.2288822Z", + "lastEventTime": "2019-11-03T23:47:51.2966758Z", + "lastUpdateTime": "2019-11-03T23:55:52.6Z", "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - }, - { - "id": "441688558380765161_2136280442", - "incidentId": 8633, - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "InProgress", - "classification": "TruePositive", - "determination": "Malware", - "investigationState": "Running", - "category": "MalwareDownload", - "detectionSource": "WindowsDefenderAv", - "threatFamilyName": "Mikatz", - "title": "Windows Defender AV detected 'Mikatz', high-severity malware", - "description": "Some description", - "alertCreationTime": "2018-11-25T16:19:21.8409809Z", - "firstEventTime": "2018-11-25T16:17:50.0948658Z", - "lastEventTime": "2018-11-25T16:18:01.809871Z", - "resolvedTime": null, - "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" - } + "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop@contoso.com", + "createdTime": "2019-11-05T14:08:37.8404534Z" + } + ], + "alertFiles": [], + "alertDomains": [], + "alertIps": [] ] } ``` From 1ad0a142bef13806296615fcc7f06efba4d679f0 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 5 Nov 2019 20:51:14 +0200 Subject: [PATCH 03/13] 3 --- windows/security/threat-protection/TOC.md | 2 +- .../threat-protection/microsoft-defender-atp/alerts.md | 9 ++++----- .../microsoft-defender-atp/get-alerts.md | 3 ++- .../threat-protection/microsoft-defender-atp/oldTOC.txt | 2 +- .../microsoft-defender-atp/run-advanced-query-api.md | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 099acd1d5f..859fcce644 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -370,7 +370,7 @@ ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md) ##### [APIs]() -###### [Supported Microsoft Defender ATP query APIs](microsoft-defender-atp/exposed-apis-list.md) +###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md) ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) ###### [Alert]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index dad2d2b35a..94978e31b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -22,8 +22,6 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Represents an alert entity in Microsoft Defender ATP. - # Methods Method |Return Type |Description :---|:---|:--- @@ -66,14 +64,15 @@ alertIPs | List of Alert IPs | **This list will be populated on $expand option, alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below** Alert Domain is an object that contains: host string field. -# JSON representation: + +## JSON representation: - When querying for alert list the regular way (without expand option, e.g. https://api.securitycenter.windows.com/api/alerts) the expandable properties will not get populated (empty lists) - To expand expandable properties use $expand option (e.g. to expand all send https://api.securitycenter.windows.com/api/alerts?$expand=files,ips,domains). - When querying single alert all expandable properties will be expanded. - Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples. -## Response example for getting single alert: +### Response example for getting single alert: ``` GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499 @@ -84,7 +83,7 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929 "id": "da637084217856368682_-292920499", "incidentId": 66860, "investigationId": 4416234, - "assignedTo": secop@contoso.com, + "assignedTo": "secop@contoso.com", "severity": "Low", "status": "New", "classification": "TruePositive", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index e59f997999..4db08b5045 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -96,7 +96,7 @@ Here is an example of the response. "id": "da637084217856368682_-292920499", "incidentId": 66860, "investigationId": 4416234, - "assignedTo": secop@contoso.com, + "assignedTo": "secop@contoso.com", "severity": "Low", "status": "New", "classification": "TruePositive", @@ -123,6 +123,7 @@ Here is an example of the response. "alertFiles": [], "alertDomains": [], "alertIps": [] + } ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt index ffdde6dfa0..c4263e9958 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt +++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt @@ -343,7 +343,7 @@ ###### [Get access with user context](exposed-apis-create-app-nativeapp.md) ##### [APIs]() -###### [Supported Microsoft Defender ATP query APIs](exposed-apis-list.md) +###### [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) ###### [Advanced Hunting](run-advanced-query-api.md) ###### [Alert]() diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index f85d3c65c0..8dc833cda8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -24,8 +24,8 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Limitations -1. You can only run a query on data from the last 30 days -2. The results will include a maximum of 100,000 rows +1. You can only run a query on data from the last 30 days. +2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. From f1bf57df6203a5af3b62beb1ce7dd582b2368fbd Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 5 Nov 2019 21:55:29 +0200 Subject: [PATCH 04/13] 4 --- .../threat-protection/microsoft-defender-atp/get-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 4db08b5045..696e0de719 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -52,7 +52,7 @@ GET /api/alerts ## Optional query parameters Method supports $top, $select, $filter, $expand and $skip query parameters. -$expand is available on Files, IPs and Domains. e.g. $expand=files,domains +
$expand is available on Files, IPs and Domains. e.g. $expand=files,domains ## Request headers From 4fa86409a47d0165546509d13cf262bc1ee031b7 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Wed, 6 Nov 2019 17:37:58 +0200 Subject: [PATCH 05/13] 5 --- .../microsoft-defender-atp/create-alert-by-reference.md | 8 ++++---- .../microsoft-defender-atp/get-alerts.md | 5 +++-- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index f4a2b266d9..3dbdf5372a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -18,11 +18,11 @@ ms.topic: article # Create alert from event API -**Applies to:** +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. +Create alert using event data, as obtained from [Advanced Hunting](run-advanced-query-api.md) for creating a new alert. ## Permissions @@ -64,7 +64,7 @@ description | String | Description of the alert. **Required**. recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**. eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. reportId | String | The reportId, as obtained from the advanced query. **Required**. -category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'. +category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**. ## Response diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 696e0de719..f33b29bd88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -74,12 +74,13 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje Here is an example of the request. -[!include[Improve request performance](improve-request-performance.md)] - ``` GET https://api.securitycenter.windows.com/api/alerts ``` +[!include[Improve request performance](improve-request-performance.md)] + + **Response** Here is an example of the response. From e06010a59562b9f9a06d0ba7f71c2143223aa6b3 Mon Sep 17 00:00:00 2001 From: Ben Date: Sun, 10 Nov 2019 11:43:46 +0200 Subject: [PATCH 06/13] Update alerts.md --- .../threat-protection/microsoft-defender-atp/alerts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 94978e31b9..d39e109080 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -67,8 +67,8 @@ alertDomains | List of Alert Domains | **This list will be populated on $expand ## JSON representation: -- When querying for alert list the regular way (without expand option, e.g. https://api.securitycenter.windows.com/api/alerts) the expandable properties will not get populated (empty lists) -- To expand expandable properties use $expand option (e.g. to expand all send https://api.securitycenter.windows.com/api/alerts?$expand=files,ips,domains). +- When querying for alert list the regular way (without expand option, e.g. /api/alerts) the expandable properties will not get populated (empty lists) +- To expand expandable properties use $expand option (e.g. to expand all send /api/alerts?$expand=files,ips,domains). - When querying single alert all expandable properties will be expanded. - Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples. From da43414c0512405fce62b7c928a262319a2d0d51 Mon Sep 17 00:00:00 2001 From: Ben Date: Sun, 10 Nov 2019 12:19:55 +0200 Subject: [PATCH 07/13] Update alerts.md --- .../threat-protection/microsoft-defender-atp/alerts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index d39e109080..7a3ea94c49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -22,7 +22,7 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -# Methods +## Methods Method |Return Type |Description :---|:---|:--- [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. @@ -35,7 +35,7 @@ Method |Return Type |Description [Get related users](get-alert-related-user-info.md) | [User](user.md) | The [user](user.md) that is associated with the [alert](alerts.md). -# Properties +## Properties Property | Type | Description :---|:---|:--- id | String | Alert ID. From a1cc829eded06096c3b7987b3cef55c91717f5a2 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 12 Nov 2019 15:37:04 -0800 Subject: [PATCH 08/13] Update advanced-hunting-tvm-configassessment-table.md --- .../advanced-hunting-tvm-configassessment-table.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md index 35d38020d6..51a94636d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md @@ -1,7 +1,7 @@ --- title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema -description: Learn about the DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema, such as machine ID, computer name, operating system platform, security configuration details, impact, and compliance information. -keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSecureConfigurationAssessment +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/27/2019 +ms.date: 11/12/2019 --- # DeviceTvmSecureConfigurationAssessment @@ -28,7 +28,7 @@ ms.date: 10/27/2019 [!include[Prerelease information](prerelease.md)] -Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration. Use this reference to check the latest assessment results and determine whether device are compliant. +Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt). Use this reference to check the latest assessment results and determine whether device are compliant. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -51,3 +51,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) From d8bead40edf6df411036dbf64631b18d55cd1293 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 12 Nov 2019 17:20:02 -0800 Subject: [PATCH 09/13] Tweaks to AH-TVM topics --- ...nced-hunting-tvm-configassessment-table.md | 6 ++--- ...vanced-hunting-tvm-secureconfigkb-table.md | 11 ++++---- ...ced-hunting-tvm-softwareinventory-table.md | 23 +++++++++-------- ...hunting-tvm-softwarevulnerability-table.md | 25 ++++++++++--------- 4 files changed, 34 insertions(+), 31 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md index 51a94636d9..038b6a2195 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md @@ -28,7 +28,7 @@ ms.date: 11/12/2019 [!include[Prerelease information](prerelease.md)] -Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt). Use this reference to check the latest assessment results and determine whether device are compliant. +Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt). Use this reference to check the latest assessment results and determine whether devices are compliant. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -37,9 +37,9 @@ For information on other tables in the Advanced hunting schema, see [the Advance | MachineId | string | Unique identifier for the machine in the service | | ComputerName | string | Fully qualified domain name (FQDN) of the machine | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| -| Timestamp | datetime |Date and time when the record was generated| +| Timestamp | datetime |Date and time when the record was generated | | ConfigurationId | string | Unique identifier for a specific configuration | -| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| +| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | | ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | | ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | | IsCompliant | boolean | Indicates whether the configuration or policy is properly configured | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md index 857a5731c6..ef544939ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md @@ -1,7 +1,7 @@ --- title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema -description: Learn about the DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema, security configuration details, and the associated industry benchmarks that it adheres to. -keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query security configuration, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, MITRE ATT&CK framework, DeviceTvmSecureConfigurationAssessmentKB +description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/27/2019 +ms.date: 11/12/2019 --- # DeviceTvmSecureConfigurationAssessmentKB @@ -28,7 +28,7 @@ ms.date: 10/27/2019 [!include[Prerelease information](prerelease.md)] -The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configuration TVM checks during assessments related to your organization. An example of a security configuration is to block JavaScript or VBScript from launching downloaded executable content to prevent accidentally downloading malicious files in your network. Use this reference to construct queries that return information from the table. +The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -43,7 +43,7 @@ For information on other tables in the Advanced hunting schema, see [the Advance | ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | | ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration | | RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration | -| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration| +| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration | ## Related topics @@ -51,3 +51,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md index fcf0c2e4bd..13ab77bce0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md @@ -1,7 +1,7 @@ --- title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema -description: Learn about the DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema, such as operating system platform, version, and architecture, software vendor, name, and version, CVE ID, vulnerability severity, and descriptions -keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software inventory, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareInventoryVulnerabilities +description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the Advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/27/2019 +ms.date: 11/12/2019 --- # DeviceTvmSoftwareInventoryVulnerabilities @@ -29,7 +29,7 @@ ms.date: 10/27/2019 [!include[Prerelease information](prerelease.md)] -The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains an inventory of the software on your devices as well as any known vulnerabilities in the software products. Use this reference to construct queries that return information from the table. +The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -37,14 +37,14 @@ For information on other tables in the Advanced hunting schema, see [the Advance |-------------|-----------|-------------| | MachineId | string | Unique identifier for the machine in the service | | ComputerName | string | Fully qualified domain name (FQDN) of the machine | -| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| +| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | | OSVersion | string | Version of the operating system running on the machine | -| OSArchitecture | string | Architecture of the operating system running on the machine| -| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape| -| SoftwareName | string | Name of the software product| -|SoftwareVersion | string | Version number of the software product| -| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system| -| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape| +| OSArchitecture | string | Architecture of the operating system running on the machine | +| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| SoftwareName | string | Name of the software product | +| SoftwareVersion | string | Version number of the software product | +| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | +| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | @@ -54,3 +54,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md index 757ad9858c..6084894c09 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md @@ -1,7 +1,7 @@ --- title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema -description: Learn about the DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema, such as CVE ID, CVSS score, exploit availability, vulnerability severity, last modified time, date the vulnerability was disclosed to public, and affected software in your network. -keywords: advanced hunting, atp query, device management, query atp data, query tvm data, query software vulnerability inventory, intellisense, atp telemetry, events, events telemetry, azure log analytics, description, DeviceTvmSoftwareVulnerabilitiesKB +description: Learn about the software vulnerabilities tracked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/27/2019 +ms.date: 11/12/2019 --- # DeviceTvmSoftwareVulnerabilitiesKB @@ -28,20 +28,20 @@ ms.date: 10/27/2019 [!include[Prerelease information](prerelease.md)] -The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains information about the vulnerabilities Threat & Vulnerability Management assesses devices for. Use this reference along with DeviceTvmSoftwareInventoryVulnerabilities to construct queries that return information on the metadata related to the vulnerabilities in your inventory. +The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) assesses devices for. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| -| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system| -| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS)| -| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available| -| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape| -| LastModifiedTime | datetime | Date and time the item or related metadata was last modified| -| PublishedDate | datetime | Date vulnerability was disclosed to public| -| VulnerabilityDescription | string | Description of vulnerability and associated risks| -| AffectedSoftware | string | List of all software products affected by the vulnerability| +| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | +| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) | +| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available | +| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| LastModifiedTime | datetime | Date and time the item or related metadata was last modified | +| PublishedDate | datetime | Date vulnerability was disclosed to public | +| VulnerabilityDescription | string | Description of vulnerability and associated risks | +| AffectedSoftware | string | List of all software products affected by the vulnerability | ## Related topics @@ -49,3 +49,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) From ac47f46c9e47a36260a9eb94f0bc09abac816db1 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 12 Nov 2019 17:45:09 -0800 Subject: [PATCH 10/13] fixed links --- .../advanced-hunting-tvm-configassessment-table.md | 4 ++-- .../advanced-hunting-tvm-secureconfigkb-table.md | 4 ++-- .../advanced-hunting-tvm-softwareinventory-table.md | 4 ++-- .../advanced-hunting-tvm-softwarevulnerability-table.md | 6 +++--- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md index 038b6a2195..e13c834dce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md @@ -28,7 +28,7 @@ ms.date: 11/12/2019 [!include[Prerelease information](prerelease.md)] -Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt). Use this reference to check the latest assessment results and determine whether devices are compliant. +Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -51,4 +51,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md index ef544939ac..a2196c5789 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md @@ -28,7 +28,7 @@ ms.date: 11/12/2019 [!include[Prerelease information](prerelease.md)] -The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table. +The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -51,4 +51,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md index 13ab77bce0..2657a97f61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md @@ -29,7 +29,7 @@ ms.date: 11/12/2019 [!include[Prerelease information](prerelease.md)] -The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. +The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -54,4 +54,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md index 6084894c09..3e5bd4f7ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md @@ -1,6 +1,6 @@ --- title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema -description: Learn about the software vulnerabilities tracked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema. +description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema. keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -28,7 +28,7 @@ ms.date: 11/12/2019 [!include[Prerelease information](prerelease.md)] -The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) assesses devices for. Use this reference to construct queries that return information from the table. +The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table. For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md). @@ -49,4 +49,4 @@ For information on other tables in the Advanced hunting schema, see [the Advance - [All Advanced hunting tables](advanced-hunting-reference.md) - [Advanced hunting query best practices](advanced-hunting-best-practices.md) - [Query data using Advanced hunting](advanced-hunting.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) From 342bb5bcb38aea2daccf3f8b4a70e8e1a3c0362f Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 13 Nov 2019 09:20:51 -0800 Subject: [PATCH 11/13] tools updates --- devices/surface/microsoft-surface-data-eraser.md | 10 ++++++++-- devices/surface/surface-dock-firmware-update.md | 5 +++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 64e380aab5..90b623c490 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -14,7 +14,7 @@ author: dansimp ms.author: dansimp ms.topic: article ms.audience: itpro -ms.date: 10/21/2019 +ms.date: 11/13/2019 --- # Microsoft Surface Data Eraser @@ -160,11 +160,17 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### 3.28.137 +*Release Date: 11 Nov 2019* +This version of Surface Data Eraser: + +- Includes bug fixes + ### Version 3.21.137 *Release Date: 21 Oct 2019* This version of Surface Data Eraser is compiled for x86 and adds support for the following devices: -Supports Surface Pro 7, Surface Pro X, and Surface Laptop 3. +- Supports Surface Pro 7, Surface Pro X, and Surface Laptop 3 ### Version 3.2.78.0 *Release Date: 4 Dec 2018* diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 8fa4e11515..5a35ad30b4 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -86,15 +86,16 @@ Successful completion of Surface Dock Firmware Update results in new registry ke ## Event logging -**Table 1. Event logging for Surface Dock Firmware Update** +**Table 1. Log files for Surface Dock Firmware Update** | Log | Location | Notes | | -------------------------------- | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Surface Dock Firmware Update log | Path needs to be specified (see note) | Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | +| Surface Dock Firmware Update log | /l*v %windir%\logs\ SurfaceDockFWI.log | | | Windows Device Install log | %windir%\inf\setupapi.dev.log | For more information about using Device Install Log, refer to [SetupAPI Logging](https://docs.microsoft.com/windows-hardware/drivers/install/setupapi-logging--windows-vista-and-later-). | **Table 2. Event log IDs for Surface Dock Firmware Update** +Events are logged in the Application Event Log. Note: Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | Event ID | Event type | | -------- | -------------------------------------------------------------------- | From 9080c68cb98e7f173c7df27cb1ca856b5a236a8c Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 13 Nov 2019 09:53:05 -0800 Subject: [PATCH 12/13] pencil edit line 98 --- devices/surface/surface-dock-firmware-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index 5a35ad30b4..c37245b054 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -95,7 +95,7 @@ Successful completion of Surface Dock Firmware Update results in new registry ke **Table 2. Event log IDs for Surface Dock Firmware Update** -Events are logged in the Application Event Log. Note: Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. +Events are logged in the Application Event Log. Note: Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | Event ID | Event type | | -------- | -------------------------------------------------------------------- | From 59353e9d654458348e41b3c34977aefb7a9b2837 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 13 Nov 2019 09:56:15 -0800 Subject: [PATCH 13/13] pencil edit lines 98-100 --- devices/surface/surface-dock-firmware-update.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/devices/surface/surface-dock-firmware-update.md b/devices/surface/surface-dock-firmware-update.md index c37245b054..819203d9e4 100644 --- a/devices/surface/surface-dock-firmware-update.md +++ b/devices/surface/surface-dock-firmware-update.md @@ -95,7 +95,9 @@ Successful completion of Surface Dock Firmware Update results in new registry ke **Table 2. Event log IDs for Surface Dock Firmware Update** -Events are logged in the Application Event Log. Note: Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. +Events are logged in the Application Event Log. +> [!NOTE] +> Earlier versions of this tool wrote events to Applications and Services Logs\Microsoft Surface Dock Updater. | Event ID | Event type | | -------- | -------------------------------------------------------------------- |