From d83ddd2dc5f75e92ab4b9078d76a69c96df3c175 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 13 Mar 2017 17:16:58 -0700 Subject: [PATCH] new topic and update to generic api --- ...ows-defender-advanced-threat-protection.md | 13 +++++------ ...ows-defender-advanced-threat-protection.md | 22 +++++++++++++++++++ 2 files changed, 28 insertions(+), 7 deletions(-) create mode 100644 windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md diff --git a/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md index 036c63c696..f35d9d726c 100644 --- a/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/generic-api-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Get Windows Defender ATP alerts using REST API description: Get alerts from the Windows Defender ATP portal REST API. -keywords: alerts, get alerts, rest api, request, response, +keywords: alerts, get alerts, rest api, request, response, search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -25,19 +25,19 @@ Use this method in the Windows Defender ATP API to get alerts in JSON format. ## Before you begin - Before calling the Windows Defender ATP endpoint to get alerts, you'll need to enable the threat intelligence application in Azure Active Directory. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).

-- Have the access token that you generated from the **SIEM integration** ready for use in the request header. +- Have the access token that you generated from the **SIEM integration** feature ready for use in the request header. ## Request ### Request syntax Method | Request URI :---|:---| -GET| For EU: `https://wdatp-alertexporter-eu.windows.com/api/alerts`
For US: `https://wdatp-alertexporter-us.windows.com/api/alerts` +GET| Use the URI applicable for your region.

**For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts`
**For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts` ### Request header -| Header | Type | Description | -|---------------|--------|-----------------------------------------------------------------------------| -| Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. | +Header | Type | Description| +:--|:--|:-- +Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. | ### Request parameters @@ -51,7 +51,6 @@ int?limit | int | Defines the number of alerts to be retrieved. Most recent aler ### Request example The following example demonstrates how to retrieve all the alerts in your organization. - ```syntax GET https://wdatp-alertexporter-eu.windows.com/api/alerts Authorization: Bearer diff --git a/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..56b90de444 --- /dev/null +++ b/windows/keep-secure/siem-portal-mapping-windows-defender-advanced-threat-protection.md @@ -0,0 +1,22 @@ +--- +title: Security information and events management (SIEM) schema and portal mapping +description: Get alerts from the Windows Defender ATP portal REST API. +keywords: alerts, get alerts, rest api, request, response, +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Get Windows Defender ATP alerts using REST API + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP)
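Review bot: the `keywords:` line in the first hunk of generic-api-windows-defender-advanced-threat-protection.md still ends with a trailing comma after `response,`, so the change only strips trailing whitespace and leaves an empty final keyword; since the line is being touched anyway, drop the comma (`keywords: alerts, get alerts, rest api, request, response`). The same trailing comma is carried over into the `keywords:` line of the new siem-portal-mapping file.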
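Review bot: the two tables in the `@@ -25,19 +25,19 @@` hunk use different pipe conventions, which is the kind of inconsistency that renders differently across markdown engines. The Request syntax table keeps a trailing `|` only on its `:---|:---|` delimiter row, while the rewritten Request header table has a trailing `|` only on the `Authorization | string | ... |` data row and none on `Header | Type | Description|` or `:--|:--|:--`. Pick one form for both tables (every row ends with `|`, or none does), and add the missing space before the pipe in `Description|`. Moving the EU/US URIs out of the `GET|` cell onto their own `**For EU**:` / `**For US**:` lines is the right fix for the multi-line cell.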
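Review bot: the only change in the `@@ -51,7 +51,6 @@` hunk is removing the blank line between "The following example demonstrates how to retrieve all the alerts in your organization." and the ```` ```syntax ```` fence; that gains nothing and, on markdown engines that do not let a fence interrupt a paragraph, can cause the fence line to be swallowed into the preceding paragraph. Keep the blank line before the fence.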
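Review bot: the new siem-portal-mapping-windows-defender-advanced-threat-protection.md is internally inconsistent and effectively empty. Its `title:` says "Security information and events management (SIEM) schema and portal mapping" (the standard expansion is "security information and event management"), but the H1 `# Get Windows Defender ATP alerts using REST API`, the `description:` and the `keywords:` are copied verbatim from the generic-api page, and the body stops after the **Applies to** list with no schema or portal-mapping content. As committed this publishes a stub that duplicates the other page's heading and description, and since the diffstat shows only two files changed, nothing (TOC or the generic-api page) links to it. Either add the schema/mapping content and fix the H1, description and keywords to match the title, or hold the file until that content exists.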