deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-25 23:33:35 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into TVM_API_JAN

Browse Source
This commit is contained in:
Dolcita Montemayor
2020-01-23 14:33:57 -08:00
parent de04d48b36 e77db4ef3f
commit dafb51802b
311 changed files with 7437 additions and 4269 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
windows/security/identity-protection/access-control/security-identifiers.md
View File

@ -289,6 +289,16 @@ Capability Security Identifiers (SIDs) are used to uniquely and immutably identi
All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location.
## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition
You may see the following registry keys under AllCachedCapabilities:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
All Capability SIDs are prefixed by S-1-15-3
## See also

2
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -86,6 +86,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic
```
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
> [!NOTE]
> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.

2
windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
View File

@ -68,3 +68,5 @@ Following are the various deployment guides and models included in this topic:
Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
> [!NOTE]
> You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.

6
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
View File

@ -58,6 +58,9 @@ To resolve this issue, the CRL distribution point must be a location that is acc
If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
> [!NOTE]
> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server.
### Windows Server 2016 Domain Controllers
If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
@ -335,6 +338,3 @@ Sign-in a workstation with access equivalent to a _domain user_.
If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).

5
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
View File

@ -118,6 +118,11 @@ Hybrid certificate trust deployments need the device write back feature. Authen
> [!NOTE]
> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object.
## Provisioning
You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
### Section Checklist ###
> [!div class="checklist"]
> * Azure Active Directory Device writeback

5
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
View File

@ -31,7 +31,7 @@ In hybrid deployments, users register the public portion of their Windows Hello
The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
> [!IMPORTANT]
> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**.
> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article.
### Configure Permissions for Key Synchronization
@ -56,9 +56,6 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
1. Open **Active Directory Users and Computers**.
2. Click the **Users** container in the navigation pane.
>[!IMPORTANT]
> If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created.
3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**.
4. Click the **Members** tab and click **Add**
5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**.

8
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -40,7 +40,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
@ -125,7 +125,11 @@ Hybrid Windows Hello for Business deployments can use Azures Multifactor Auth
## Device Registration
Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory.
## Provisioning
You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
### Section Checklist

24
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -36,18 +36,6 @@ Windows Hello addresses the following problems with passwords:
## Prerequisites
> [!Important]
> 1. Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.</br>.
> **Requirements:**</br>
> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903</br>
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
>
> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.</br>
> **Requirements:**</br>
> Reset from settings - Windows 10, version 1703, Professional</br>
> Reset above lock screen - Windows 10, version 1709, Professional</br>
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
### Cloud Only Deployment
* Windows 10, version 1511 or later
@ -75,6 +63,18 @@ The table shows the minimum requirements for each deployment. For key trust in a
| Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect |
| Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment |
> [!Important]
> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. </br>
> **Requirements:**</br>
> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903</br>
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
>
> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.</br>
> **Requirements:**</br>
> Reset from settings - Windows 10, version 1703, Professional</br>
> Reset above lock screen - Windows 10, version 1709, Professional</br>
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
### On-premises Deployments
The table shows the minimum requirements for each deployment.

2
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
View File

@ -196,7 +196,7 @@ Alternatively, you can forcefully trigger automatic certificate enrollment using
Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions.
## Follow the Windows Hello for Business on premises certificate trust deployment guide
## Follow the Windows Hello for Business on premises key trust deployment guide
1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
2. Validate and Configure Public Key Infrastructure (*You are here*)
3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)

31
windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md
View File

@ -1,9 +1,9 @@
---
title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
ms.reviewer:
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -15,26 +15,29 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/13/2019
ms.date: 01/09/2020
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
- System Center Configuration Manager
- Microsoft Endpoint Configuration Manager
System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
## Add a WIP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
After youve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
>[!TIP]
> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues.
**To create a configuration item for WIP**
1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
@ -43,7 +46,7 @@ The **Create Configuration Item Wizard** starts.
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10
@ -62,7 +65,7 @@ The **Create Configuration Item Wizard** starts.
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
## Add app rules to your policy
During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
@ -295,9 +298,9 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using System Center Configuration Manager.
12. After youve created your XML file, you need to import it by using Configuration Manager.
**To import your Applocker policy file app rule using System Center Configuration Manager**
**To import your Applocker policy file app rule using Configuration Manager**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
@ -506,3 +509,5 @@ After youve created your WIP policy, you'll need to deploy it to your organiz
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)

136
windows/security/threat-protection/TOC.md
View File

@ -42,6 +42,7 @@
#### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
### [Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
@ -113,22 +114,23 @@
#### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
#### [Advanced hunting schema reference]()
##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
##### [AlertEvents](microsoft-defender-atp/advanced-hunting-alertevents-table.md)
##### [FileCreationEvents](microsoft-defender-atp/advanced-hunting-filecreationevents-table.md)
##### [ImageLoadEvents](microsoft-defender-atp/advanced-hunting-imageloadevents-table.md)
##### [LogonEvents](microsoft-defender-atp/advanced-hunting-logonevents-table.md)
##### [MachineInfo](microsoft-defender-atp/advanced-hunting-machineinfo-table.md)
##### [MachineNetworkInfo](microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md)
##### [MiscEvents](microsoft-defender-atp/advanced-hunting-miscevents-table.md)
##### [NetworkCommunicationEvents](microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md)
##### [ProcessCreationEvents](microsoft-defender-atp/advanced-hunting-processcreationevents-table.md)
##### [RegistryEvents](microsoft-defender-atp/advanced-hunting-registryevents-table.md)
##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md)
##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
##### [DeviceFileCertificateInfoBeta](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md)
##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md)
##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md)
##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md)
##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md)
#### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
#### [Stream Advanced hunting events to Azure Event Hubs](microsoft-defender-atp/raw-data-export-event-hub.md)
#### [Custom detections]()
##### [Understand custom detection rules](microsoft-defender-atp/overview-custom-detections.md)
@ -136,8 +138,6 @@
### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
#### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
#### [Managed security service provider support](microsoft-defender-atp/mssp-support.md)
### [Integrations]()
#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
@ -153,6 +153,15 @@
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
## [Deployment guide]()
### [Product brief](microsoft-defender-atp/product-brief.md)
### [Prepare deployment](microsoft-defender-atp/prepare-deployment.md)
### [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
### [Production deployment](microsoft-defender-atp/production-deployment.md)
### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
## [Get started]()
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
@ -361,14 +370,15 @@
###### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
#### [Microsoft Defender ATP API]()
##### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
##### [Get started with Microsoft Defender ATP APIs]()
###### [Introduction](microsoft-defender-atp/apis-intro.md)
###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
###### [Hello World](microsoft-defender-atp/api-hello-world.md)
###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
##### [APIs]()
##### [Microsoft Defender ATP APIs Schema]()
###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
@ -409,7 +419,12 @@
####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
####### [Initiate investigation (preview)](microsoft-defender-atp/initiate-autoir-investigation.md)
###### [Automated Investigation]()
####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
###### [Indicators]()
####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
@ -480,6 +495,14 @@
##### [Get CVE-KB map](microsoft-defender-atp/get-cvekbmap-collection.md)
#### [Pull detections to your SIEM tools]()
#### [Raw data streaming API]()
##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
#### [SIEM integration]()
##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
@ -488,6 +511,7 @@
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Reporting]()
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
@ -514,45 +538,55 @@
###### [Using machine groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
#### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)
#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
## [Partner integration scenarios]()
### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md)
## [Configure Microsoft threat protection integration]()
### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
## [Configure portal settings]()
### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
### [General]()
#### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
#### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
#### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
#### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
#### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
### [Permissions]()
#### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
#### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
##### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
### [APIs]()
#### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
#### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
### [Rules]()
#### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
#### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
#### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
#### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
### [Machine management]()
#### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
#### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
### [Configure Microsoft threat protection integration]()
#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
#### [Configure information protection in Windows](microsoft-defender-atp/information-protection-in-windows-config.md)
### [Configure portal settings]()
#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
##### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
##### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
##### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
#### [Permissions]()
##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
####### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
#### [APIs]()
##### [Enable Threat intel (Deprecated)](microsoft-defender-atp/enable-custom-ti.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
#### [Rules]()
##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
#### [Machine management]()
##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
## [Troubleshoot Microsoft Defender ATP]()

1
windows/security/threat-protection/auditing/event-4771.md
View File

@ -184,6 +184,7 @@ The most common values:
| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.|
| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. |
| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.<br>Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. |

5
windows/security/threat-protection/auditing/event-4912.md
View File

@ -126,8 +126,9 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
- **Subcategory** \[Type = UnicodeString\]**:** the name of auditing subcategory which state was changed. Possible values:
| Audit Credential Validation | Audit Process Termination | Audit Other Logon/Logoff Events |
| Value | Value | Value |
|------------------------------------------|----------------------------------------------|--------------------------------------|
| Audit Credential Validation | Audit Process Termination | Audit Other Logon/Logoff Events |
| Audit Kerberos Authentication Service | Audit RPC Events | Audit Special Logon |
| Audit Kerberos Service Ticket Operations | Audit Detailed Directory Service Replication | Audit Application Generated |
| Audit Other Logon/Logoff Events | Audit Directory Service Access | Audit Certification Services |
@ -145,7 +146,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category
| Audit Policy Change | Audit Non-Sensitive Privilege Use | Audit System Integrity |
| Audit Authentication Policy Change | Audit Sensitive Privilege Use | Audit PNP Activity |
| Audit Authorization Policy Change | Audit Other Privilege Use Events | |
| Group Membership | Audit Network Policy Server | |
| Audit Group Membership | Audit Network Policy Server | |
- **Subcategory GUID** \[Type = GUID\]**:** the unique GUID of changed subcategory.

BIN
windows/security/threat-protection/images/securityrecs-tamperprotect.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

45
windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
View File

@ -18,10 +18,19 @@ ms.topic: article
# Add or Remove Machine Tags API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Adds or remove tag to a specific [Machine](machine.md).
## Limitations
1. You can post on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
This API adds or remove tag to a specific machine.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -77,34 +86,4 @@ Content-type: application/json
"Action": "Add"
}
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```
- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

52
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md
View File

@ -1,52 +0,0 @@
---
title: AlertEvents table in the Advanced hunting schema
description: Learn about alert generation events in the AlertEvents table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, alertevents, alert, severity, category
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# AlertEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The AlertEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about alerts on Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| AlertId | string | Unique identifier for the alert |
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| Severity | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| Category | string | Type of threat indicator or breach activity identified by the alert |
| Title | string | Title of the alert |
| FileName | string | Name of the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteIP | string | IP address that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| Table | string | Table that contains the details of the event |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

26
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -1,6 +1,6 @@
---
title: Query best practices for Advanced hunting
description: Learn how to construct fast, efficient, and error-free threat hunting queries when using Advanced hunting
title: Query best practices for advanced hunting
description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -41,14 +41,14 @@ Apply these recommendations to get results faster and avoid timeouts while runni
## Query tips and pitfalls
### Queries with process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `MachineId` or `ComputerName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
```
NetworkCommunicationEvents
| where RemotePort == 445 and EventTime > ago(12h) and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by ComputerName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
```kusto
DeviceNetworkEvents
| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
| where RemoteIPCount > 10
```
@ -68,19 +68,19 @@ To create more durable queries using command lines, apply the following practice
The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
```
```kusto
// Non-durable query - do not use
ProcessCreationEvents
DeviceProcessEvents
| where ProcessCommandLine == "net stop MpsSvc"
| limit 10
// Better query - filters on filename, does case-insensitive matches
ProcessCreationEvents
| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
DeviceProcessEvents
| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
// Best query also ignores quotes
ProcessCreationEvents
| where EventTime > ago(7d) and FileName in~ ("net.exe", "net1.exe")
DeviceProcessEvents
| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe")
| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
```

52
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md Normal file
View File

@ -0,0 +1,52 @@
---
title: DeviceAlertEvents table in the advanced hunting schema
description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 01/22/2020
---
# DeviceAlertEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `AlertId` | string | Unique identifier for the alert |
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| `Category` | string | Type of threat indicator or breach activity identified by the alert |
| `Title` | string | Title of the alert |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
| `RemoteIP` | string | IP address that was being connected to |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `Table` | string | Table that contains the details of the event |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

86
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md Normal file
View File

@ -0,0 +1,86 @@
---
title: DeviceEvents table in the advanced hunting schema
description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
| `AccountDomain` | string | Domain of the account |
| `AccountName` |string | User name of the account |
| `AccountSid` | string | Security Identifier (SID) of the account |
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
| `ProcessId` | int | Process ID (PID) of the newly created process |
| `ProcessCommandLine` | string | Command line used to create the new process |
| `ProcessCreationTime` | datetime | Date and time the process was created |
| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| `RegistryKey` | string | Registry key that the recorded action was applied to |
| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
| `RemoteIP` | string | IP address that was being connected to |
| `RemotePort` | int | TCP port on the remote device that was being connected to |
| `LocalIP` | string | IP address assigned to the local machine used during communication |
| `LocalPort` | int | TCP port on the local machine used during communication |
| `FileOriginUrl` | string | URL where the file was downloaded from |
| `FileOriginIP` | string | IP address where the file was downloaded from |
| `AdditionalFields` | string | Additional information about the event in JSON array format |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

60
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md Normal file
View File

@ -0,0 +1,60 @@
---
title: DeviceFileCertificateInfoBeta table in the advanced hunting schema
description: Learn about file signing information in the DeviceFileCertificateInfoBeta table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfoBeta
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 01/14/2020
---
# DeviceFileCertificateInfoBeta
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
The `DeviceFileCertificateInfoBeta` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `IsSigned` | boolean | Indicates whether the file is signed |
| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
| `Signer` | string | Information about the signer of the file |
| `SignerHash` | string | Unique hash value identifying the signer |
| `Issuer` | string | Information about the issuing certificate authority (CA) |
| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) |
| `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) |
| `CrlDistributionPointUrls` | string | JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) |
| `CertificateCreationTime` | datetime | Date and time the certificate was created |
| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire |
| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned |
| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

78
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md Normal file
View File

@ -0,0 +1,78 @@
---
title: DeviceFileEvents table in the advanced hunting schema
description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceFileEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
| `FileOriginUrl` | string | URL where the file was downloaded from |
| `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
| `FileOriginIP` | string | IP address where the file was downloaded from |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
| `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
| `ShareName` | string | Name of shared folder containing the file |
| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
| `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
| `RequestAccountName` | string | User name of account used to remotely initiate the activity |
| `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
| `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

64
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md Normal file
View File

@ -0,0 +1,64 @@
---
title: DeviceImageLoadEvents table in the advanced hunting schema
description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceImageLoadEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

53
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md Normal file
View File

@ -0,0 +1,53 @@
---
title: DeviceInfo table in the advanced hunting schema
description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine |
| `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| `OSBuild` | string | Build version of the operating system running on the machine |
| `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| `RegistryDeviceTag` | string | Machine tag added through the registry |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
| `OSVersion` | string | Version of the operating system running on the machine |
| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

72
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md Normal file
View File

@ -0,0 +1,72 @@
---
title: DeviceLogonEvents table in the advanced hunting schema
description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceLogonEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ActionType` | string |Type of activity that triggered the event |
| `AccountDomain` | string | Domain of the account |
| `AccountName` | string | User name of the account |
| `AccountSid` | string | Security Identifier (SID) of the account |
| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
| `RemoteIP` | string | IP address that was being connected to |
| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| `RemotePort` | int | TCP port on the remote device that was being connected to |
| `AdditionalFields` | string | Additional information about the event in JSON array format |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

68
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md Normal file
View File

@ -0,0 +1,68 @@
---
title: DeviceNetworkEvents table in the advanced hunting schema
description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceNetworkEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ActionType` | string | Type of activity that triggered the event |
| `RemoteIP` | string | IP address that was being connected to |
| `RemotePort` | int | TCP port on the remote device that was being connected to |
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
| `LocalIP` | string | IP address assigned to the local machine used during communication |
| `LocalPort` | int | TCP port on the local machine used during communication |
| `Protocol` | string | IP protocol used, whether TCP or UDP |
| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

54
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md Normal file
View File

@ -0,0 +1,54 @@
---
title: DeviceNetworkInfo table in the advanced hunting schema
description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceNetworkInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `NetworkAdapterName` | string | Name of the network adapter |
| `MacAddress` | string | MAC address of the network adapter |
| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
| `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
| `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
| `DnsAddresses` | string | DNS server addresses in JSON array format |
| `IPv4Dhcp` | string | IPv4 address of DHCP server |
| `IPv6Dhcp` | string | IPv6 address of DHCP server |
| `DefaultGateways` | string | Default gateway addresses in JSON array format |
| `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

76
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md Normal file
View File

@ -0,0 +1,76 @@
---
title: DeviceProcessEvents table in the advanced hunting schema
description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceProcessEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
| `ProcessId` | int | Process ID (PID) of the newly created process |
| `ProcessCommandLine` | string | Command line used to create the new process |
| `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| `ProcessCreationTime` | datetime | Date and time the process was created |
| `AccountDomain` | string | Domain of the account |
| `AccountName` | string | User name of the account |
| `AccountSid` | string | Security Identifier (SID) of the account |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

66
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md Normal file
View File

@ -0,0 +1,66 @@
---
title: DeviceRegistryEvents table in the advanced hunting schema
description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceRegistryEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ActionType` | string | Type of activity that triggered the event |
| `RegistryKey` | string | Registry key that the recorded action was applied to |
| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
| `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

78
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-filecreationevents-table.md
View File

@ -1,78 +0,0 @@
---
title: FileCreationEvents table in the Advanced hunting schema
description: Learn about file-related events in the FileCreationEvents table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, filecreationevents, files, path, hash, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# FileCreationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The FileCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
| FileOriginIP | string | IP address where the file was downloaded from |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| RequestProtocol | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
| ShareName | string | Name of shared folder containing the file |
| RequestSourceIP | string | IPv4 or IPv6 address of the remote device that initiated the activity |
| RequestSourcePort | string | Source port on the remote device that initiated the activity |
| RequestAccountName | string | User name of account used to remotely initiate the activity |
| RequestAccountDomain | string | Domain of the account used to remotely initiate the activity |
| RequestAccountSid | string | Security Identifier (SID) of the account to remotely initiate the activity |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| SensitivityLabel | string | Label applied to an email, file, or other content to classify it for information protection |
| SensitivitySubLabel | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
| IsAzureInfoProtectionApplied | boolean | Indicates whether the file is encrypted by Azure Information Protection |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

64
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-imageloadevents-table.md
View File

@ -1,64 +0,0 @@
---
title: ImageLoadEvents table in the Advanced hunting schema
description: Learn about DLL loading events in the ImageLoadEvents table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, imageloadevents, DLL loading, library, file image
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# ImageLoadEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ImageLoadEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

72
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-logonevents-table.md
View File

@ -1,72 +0,0 @@
---
title: LogonEvents table in the Advanced hunting schema
description: Learn about authentication or sign-in events in the LogonEvents table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, logonevents, authentication, logon, sign in
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# LogonEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The LogonEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string |Type of activity that triggered the event |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| AdditionalFields | string | Additional information about the event in JSON array format |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| IsLocalAdmin | boolean | Boolean indicator of whether the user is a local administrator on the machine |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

53
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machineinfo-table.md
View File

@ -1,53 +0,0 @@
---
title: MachineInfo table in the Advanced hunting schema
description: Learn about OS, computer name, and other machine information in the MachineInfo table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, machineinfo, device, machine, OS, platform, users
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# MachineInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ClientVersion | string | Version of the endpoint agent or sensor running on the machine |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| OSBuild | string | Build version of the operating system running on the machine |
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| RegistryMachineTag | string | Machine tag added through the registry |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| OSVersion | string | Version of the operating system running on the machine |
| MachineGroup | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

54
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-machinenetworkinfo-table.md
View File

@ -1,54 +0,0 @@
---
title: MachineNetworkInfo table in the Advanced hunting schema
description: Learn about network configuration information in the MachineNetworkInfo table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, machinenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# MachineNetworkInfo
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The MachineNetworkInfo table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| NetworkAdapterName | string | Name of the network adapter |
| MacAddress | string | MAC address of the network adapter |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
| TunnelType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
| DnsAddresses | string | DNS server addresses in JSON array format |
| IPv4Dhcp | string | IPv4 address of DHCP server |
| IPv6Dhcp | string | IPv6 address of DHCP server |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| IPAddresses | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

85
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-miscevents-table.md
View File

@ -1,85 +0,0 @@
---
title: MiscEvents table in the advanced hunting schema
description: Learn about antivirus, firewall, and other event types in the miscellaneous events (MiscEvents) table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# MiscEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The miscellaneous events or MiscEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Windows Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| AccountDomain | string | Domain of the account |
| AccountName |string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessCreationTime | datetime | Date and time the process was created |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| RemoteIP | string | IP address that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| FileOriginUrl | string | URL where the file was downloaded from |
| FileOriginIP | string | IP address where the file was downloaded from |
| AdditionalFields | string | Additional information about the event in JSON array format |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

68
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-networkcommunicationevents-table.md
View File

@ -1,68 +0,0 @@
---
title: NetworkCommunicationEvents table in the Advanced hunting schema
description: Learn about network connection events you can query from the NetworkCommunicationEvents table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, networkcommunicationevents, network connection, remote ip, local ip
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# NetworkCommunicationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The NetworkCommunicationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| RemoteIP | string | IP address that was being connected to |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| Protocol | string | IP protocol used, whether TCP or UDP |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

14
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -1,5 +1,5 @@
---
title: Overview of Advanced hunting
title: Overview of advanced hunting
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto
search.product: eADQiWindows 10XVcnh
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 10/08/2019
---
# Proactively hunt for threats with Advanced hunting
# Proactively hunt for threats with advanced hunting
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -28,9 +28,9 @@ Advanced hunting is a query-based threat-hunting tool that lets you explore up t
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
## Get started with Advanced hunting
## Get started with advanced hunting
We recommend going through several steps to quickly get up and running with Advanced hunting.
We recommend going through several steps to quickly get up and running with advanced hunting.
| Learning goal | Description | Resource |
|--|--|--|
@ -41,7 +41,7 @@ We recommend going through several steps to quickly get up and running with Adva
## Get help as you write queries
Take advantage of the following functionality to write queries faster:
- **Autosuggest** — as you write queries, Advanced hunting provides suggestions.
- **Autosuggest** — as you write queries, advanced hunting provides suggestions.
- **Schema reference** — a schema reference that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
## Drilldown from query results
@ -54,14 +54,14 @@ Right-click a value in the result set to quickly enhance your query. You can use
- Exclude the selected value from the query (`!=`)
- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
![Image of Microsoft Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
![Image of Microsoft Defender ATP advanced hunting result set](images/atp-advanced-hunting-results-filter.png)
## Filter the query results
The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
Refine your query by selecting the "+" or "-" buttons next to the values that you want to include or exclude.
![Image of Advanced hunting filter](images/atp-filter-advanced-hunting.png)
![Image of advanced hunting filter](images/atp-filter-advanced-hunting.png)
Once you apply the filter to modify the query and then run the query, the results are updated accordingly.

76
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-processcreationevents-table.md
View File

@ -1,76 +0,0 @@
---
title: ProcessCreationEvents table in the Advanced hunting schema
description: Learn about the process spawning or creation events in the ProcessCreationEvents table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, processcreationevents, process id, command line
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# ProcessCreationEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The ProcessCreationEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| FileName | string | Name of the file that the recorded action was applied to |
| FolderPath | string | Folder containing the file that the recorded action was applied to |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| MD5 | string | MD5 hash of the file that the recorded action was applied to |
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessCommandLine | string | Command line used to create the new process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProcessCreationTime | datetime | Date and time the process was created |
| AccountDomain | string | Domain of the account |
| AccountName | string | User name of the account |
| AccountSid | string | Security Identifier (SID) of the account |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessLogonId | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSHA256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

74
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -1,6 +1,6 @@
---
title: Learn the Advanced hunting query language
description: Create your first threat hunting query and learn about common operators and other aspects of the Advanced hunting query language
title: Learn the advanced hunting query language
description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -18,14 +18,14 @@ ms.topic: article
ms.date: 10/08/2019
---
# Learn the Advanced hunting query language
# Learn the advanced hunting query language
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for Advanced hunting. To understand these concepts better, run your first query.
Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto syntax and operators to construct queries that locate information in the [schema](advanced-hunting-schema-reference.md) specifically structured for advanced hunting. To understand these concepts better, run your first query.
## Try your first query
@ -33,37 +33,37 @@ In Microsoft Defender Security Center, go to **Advanced hunting** to run your fi
```kusto
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
| where EventTime > ago(7d)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by Timestamp
```
This is how it will look like in Advanced hunting.
This is how it will look like in advanced hunting.
![Image of Microsoft Defender ATP Advanced hunting query](images/advanced-hunting-query-example.png)
![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
### Describe the query and specify the table to search
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
```kusto
// Finds PowerShell execution events that could involve a download.
ProcessCreationEvents
DeviceProcessEvents
```
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `ProcessCreationEvents` and add piped elements as needed.
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed.
### Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
```kusto
| where EventTime > ago(7d)
| where Timestamp > ago(7d)
```
### Search for specific executable files
The time range is immediately followed by a search for files representing the PowerShell application.
@ -85,48 +85,48 @@ Afterwards, the query looks for command lines that are typically used with Power
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
```kusto
| project EventTime, ComputerName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by EventTime
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
| top 100 by Timestamp
```
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
## Learn common query operators for Advanced hunting
## Learn common query operators for advanced hunting
Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by Advanced hunting supports a range of operators, including the following common ones.
Now that you've run your first query and have a general idea of its components, it's time to backtrack a little bit and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
| Operator | Description and usage |
|--|--|
| **`where`** | Filter a table to the subset of rows that satisfy a predicate. |
| **`summarize`** | Produce a table that aggregates the content of the input table. |
| **`join`** | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
| **`count`** | Return the number of records in the input record set. |
| **`top`** | Return the first N records sorted by the specified columns. |
| **`limit`** | Return up to the specified number of rows. |
| **`project`** | Select the columns to include, rename or drop, and insert new computed columns. |
| **`extend`** | Create calculated columns and append them to the result set. |
| **`makeset`** | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
| **`find`** | Find rows that match a predicate across a set of tables. |
| `where` | Filter a table to the subset of rows that satisfy a predicate. |
| `summarize` | Produce a table that aggregates the content of the input table. |
| `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
| `count` | Return the number of records in the input record set. |
| `top` | Return the first N records sorted by the specified columns. |
| `limit` | Return up to the specified number of rows. |
| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
| `extend` | Create calculated columns and append them to the result set. |
| `makeset` | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
| `find` | Find rows that match a predicate across a set of tables. |
To see a live example of these operators, run them from the **Get started** section of the Advanced hunting page.
To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
## Understand data types
Data in Advanced hunting tables are generally classified into the following data types.
Data in advanced hunting tables are generally classified into the following data types.
| Data type | Description and query implications |
|--|--|
| **datetime** | Data and time information typically representing event timestamps |
| **string** | Character string |
| **bool** | True or false |
| **int** | 32-bit numeric value |
| **long** | 64-bit numeric value |
| `datetime` | Data and time information typically representing event timestamps |
| `string` | Character string |
| `bool` | True or false |
| `int` | 32-bit numeric value |
| `long` | 64-bit numeric value |
## Use sample queries
The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
![Image of Advanced hunting window](images/atp-advanced-hunting.png)
![Image of advanced hunting window](images/atp-advanced-hunting.png)
> [!NOTE]
> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the GitHub query repository.
@ -140,4 +140,4 @@ For detailed information about the query language, see [Kusto query language doc
- [Understand the schema](advanced-hunting-schema-reference.md)
- [Apply query best practices](advanced-hunting-best-practices.md)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)

66
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-registryevents-table.md
View File

@ -1,66 +0,0 @@
---
title: RegistryEvents table in the Advanced hunting schema
description: Learn about registry events you can query from the RegistryEvents table of the Advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, registryevents, registry, key, subkey, value
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: lomayor
author: lomayor
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# RegistryEvents
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The RegistryEvents table in the [Advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| EventTime | datetime | Date and time when the event was recorded |
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ActionType | string | Type of activity that triggered the event |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RegistryValueName | string | Name of the registry value that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
| PreviousRegistryValueName | string | Original name of the registry value before it was modified |
| PreviousRegistryValueData | string | Original data of the registry value before it was modified |
| InitiatingProcessAccountDomain | string | Domain of the account that ran the process responsible for the event |
| InitiatingProcessAccountName | string | User name of the account that ran the process responsible for the event |
| InitiatingProcessAccountSid | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| InitiatingProcessSHA1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessMD5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessFileName | string | Name of the process that initiated the event |
| InitiatingProcessId | int | Process ID (PID) of the process that initiated the event |
| InitiatingProcessCommandLine | string | Command line used to run the process that initiated the event |
| InitiatingProcessCreationTime | datetime | Date and time when the process that initiated the event was started |
| InitiatingProcessFolderPath | string | Folder containing the process (image file) that initiated the event |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessIntegrityLevel | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the query language](advanced-hunting-query-language.md)
- [Understand the schema](advanced-hunting-schema-reference.md)

33
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -1,6 +1,6 @@
---
title: Advanced hunting schema reference
description: Learn about the tables in the Advanced hunting schema to understand the data you can run threat hunting queries on
description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -15,10 +15,10 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
ms.date: 01/14/2020
---
# Understand the Advanced hunting schema
# Understand the advanced hunting schema
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -27,26 +27,27 @@ ms.date: 10/08/2019
[!include[Prerelease information](../../includes/prerelease.md)]
The [Advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the Advanced hunting schema.
The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
## Schema tables
The following reference lists all the tables in the Advanced hunting schema. Each table name links to a page describing the column names for that table.
The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the Advanced hunting screen.
Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
| Table name | Description |
|------------|-------------|
| **[AlertEvents](advanced-hunting-alertevents-table.md)** | Alerts on Microsoft Defender Security Center |
| **[MachineInfo](advanced-hunting-machineinfo-table.md)** | Machine information, including OS information |
| **[MachineNetworkInfo](advanced-hunting-machinenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
| **[ProcessCreationEvents](advanced-hunting-processcreationevents-table.md)** | Process creation and related events |
| **[NetworkCommunicationEvents](advanced-hunting-networkcommunicationevents-table.md)** | Network connection and related events |
| **[FileCreationEvents](advanced-hunting-filecreationevents-table.md)** | File creation, modification, and other file system events |
| **[RegistryEvents](advanced-hunting-registryevents-table.md)** | Creation and modification of registry entries |
| **[LogonEvents](advanced-hunting-logonevents-table.md)** | Sign-ins and other authentication events |
| **[ImageLoadEvents](advanced-hunting-imageloadevents-table.md)** | DLL loading events |
| **[MiscEvents](advanced-hunting-miscevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center |
| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information |
| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| **[DeviceFileCertificateInfoBeta](advanced-hunting-devicefilecertificateinfobeta-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -1,5 +1,5 @@
---
title: Use shared queries in Advanced hunting
title: Use shared queries in advanced hunting
description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
search.product: eADQiWindows 10XVcnh
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 10/08/2019
---
# Use shared queries in Advanced hunting
# Use shared queries in advanced hunting
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -54,10 +54,10 @@ You can save a new or existing query so that it is only accessible to you or sha
2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
## Access queries in the GitHub repository
Microsoft security researchers regularly share Advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
>[!TIP]
>Microsoft security researchers also provide Advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
>Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)

24
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md
View File

@ -1,5 +1,5 @@
---
title: DeviceTvmSecureConfigurationAssessment table in the Advanced hunting schema
title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
search.product: eADQiWindows 10XVcnh
@ -28,21 +28,21 @@ ms.date: 11/12/2019
[!include[Prerelease information](../../includes/prerelease.md)]
Each row in the DeviceTvmSecureConfigurationAssessment table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| Timestamp | datetime |Date and time when the record was generated |
| ConfigurationId | string | Unique identifier for a specific configuration |
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
| IsCompliant | boolean | Indicates whether the configuration or policy is properly configured |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| `Timestamp` | datetime |Date and time when the record was generated |
| `ConfigurationId` | string | Unique identifier for a specific configuration |
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
## Related topics

26
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md
View File

@ -1,5 +1,5 @@
---
title: DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema
title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
search.product: eADQiWindows 10XVcnh
@ -28,22 +28,22 @@ ms.date: 11/12/2019
[!include[Prerelease information](../../includes/prerelease.md)]
The DeviceTvmSecureConfigurationAssessmentKB table in the Advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| ConfigurationId | string | Unique identifier for a specific configuration |
| ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) |
| ConfigurationName | string | Display name of the configuration |
| ConfigurationDescription | string | Description of the configuration |
| RiskDescription | string | Description of the associated risk |
| ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
| ConfigurationSubcategory | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| ConfigurationBenchmarks | string | List of industry benchmarks recommending the same or similar configuration |
| RelatedMitreTechniques | string | List of Mitre ATT&CK framework techniques related to the configuration |
| RelatedMitreTactics | string | List of Mitre ATT&CK framework tactics related to the configuration |
| `ConfigurationId` | string | Unique identifier for a specific configuration |
| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
| `ConfigurationName` | string | Display name of the configuration |
| `ConfigurationDescription` | string | Description of the configuration |
| `RiskDescription` | string | Description of the associated risk |
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
## Related topics

28
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md
View File

@ -1,6 +1,6 @@
---
title: DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the Advanced hunting schema.
title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -29,22 +29,22 @@ ms.date: 11/12/2019
[!include[Prerelease information](../../includes/prerelease.md)]
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| MachineId | string | Unique identifier for the machine in the service |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| OSVersion | string | Version of the operating system running on the machine |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| SoftwareVendor | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| SoftwareName | string | Name of the software product |
| SoftwareVersion | string | Version number of the software product |
| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| `OSVersion` | string | Version of the operating system running on the machine |
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
| `SoftwareVendor` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| `SoftwareName` | string | Name of the software product |
| `SoftwareVersion` | string | Version number of the software product |
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |

24
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md
View File

@ -1,6 +1,6 @@
---
title: DeviceTvmSoftwareVulnerabilitiesKB table in the Advanced hunting schema
description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the Advanced hunting schema.
title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -28,20 +28,20 @@ ms.date: 11/12/2019
[!include[Prerelease information](../../includes/prerelease.md)]
The DeviceTvmSoftwareInventoryVulnerabilities table in the Advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
For information on other tables in the Advanced hunting schema, see [the Advanced hunting reference](advanced-hunting-reference.md).
For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| CvssScore | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
| IsExploitAvailable | boolean | Indicates whether exploit code for the vulnerability is publicly available |
| VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| LastModifiedTime | datetime | Date and time the item or related metadata was last modified |
| PublishedDate | datetime | Date vulnerability was disclosed to public |
| VulnerabilityDescription | string | Description of vulnerability and associated risks |
| AffectedSoftware | string | List of all software products affected by the vulnerability |
| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
## Related topics

32
windows/security/threat-protection/microsoft-defender-atp/alerts.md
View File

@ -27,6 +27,7 @@ Method |Return Type |Description
:---|:---|:---
[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
[List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md).
[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
[List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
[List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md).
@ -59,19 +60,8 @@ detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
alertFiles | List of Alert Files | **This list will be populated on $expand option, see example below** Alert File is an object that contains: sha1, sha256, filePath and fileName.
alertIPs | List of Alert IPs | **This list will be populated on $expand option, see example below** Alert IP is an object that contains: ipAddress string field.
alertDomains | List of Alert Domains | **This list will be populated on $expand option, see example below** Alert Domain is an object that contains: host string field.
## JSON representation:
- When querying for alert list the regular way (without expand option, e.g. /api/alerts) the expandable properties will not get populated (empty lists)
- To expand expandable properties use $expand option (e.g. to expand all send /api/alerts?$expand=files,ips,domains).
- When querying single alert all expandable properties will be expanded.
- Check out [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) for more OData examples.
### Response example for getting single alert:
```
@ -83,12 +73,12 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"investigationState": "Running",
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"investigationState": "Running",
"detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl",
"threatFamilyName": null,
@ -106,24 +96,6 @@ GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-2929
"createdBy": "secop@contoso.com",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
],
"alertFiles": [
{
"sha1": "77e862797dd525fd3e9c3058153247945d0d4cfd",
"sha256": "c05823562aee5e6d000b0e041197d5b8303f5aa4eecb49820879b705c926e16e",
"filePath": "C:\\Users\\test1212\\AppData\\Local\\Temp\\nsf61D3.tmp.exe",
"fileName": "nsf61D3.tmp.exe"
}
],
"alertDomains": [
{
"host": "login.bullguard.com"
}
],
"alertIps": [
{
"ipAddress": "91.231.212.53"
}
]
}
```

2
windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
View File

@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Microsoft Defender ATP Flow connector
# Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

2
windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -43,7 +43,7 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
```
let
AdvancedHuntingQuery = "MiscEvents | where ActionType contains 'Anti'",
AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'",
HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",

4
windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
View File

@ -1,5 +1,5 @@
---
title: Microsoft Defender Advanced Threat Protection API overview
title: Access the Microsoft Defender Advanced Threat Protection APIs
ms.reviewer:
description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender ATP API overview
# Access the Microsoft Defender Advanced Threat Protection APIs
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

6
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -46,12 +46,12 @@ For information about configuring attack surface reduction rules, see [Enable at
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to understand how attack surface reduction rules could affect your environment.
You can query Microsoft Defender ATP data by using [Advanced hunting](advanced-hunting-query-language.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
Here is an example query:
```PowerShell
MiscEvents
```kusto
DeviceEvents
| where ActionType startswith 'Asr'
```

1
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -35,6 +35,7 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
>- Windows Server 2019
>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
>- Later versions of Windows 10

34
windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
View File

@ -18,11 +18,19 @@ ms.topic: article
---
# Collect investigation package API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Collect investigation package from a machine.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -74,25 +82,3 @@ Content-type: application/json
"Comment": "Collect forensics due to alert 1234"
}
```
**Response**
Here is an example of the response.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "c9042f9b-8483-4526-87b5-35e4c2532223",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com",
"requestorComment": " Collect forensics due to alert 1234",
"status": "InProgress",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z",
"lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z",
"relatedFileInfo": null
}
```

11
windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/16/2017
---
# Pull detections to your SIEM tools
@ -56,13 +55,3 @@ Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using
For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
## In this section
Topic | Description
:---|:---
[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.

4
windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
View File

@ -51,12 +51,12 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
```PowerShell
MiscEvents
DeviceEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
```

15
windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
View File

@ -16,13 +16,24 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Create alert from event API
# Create alert API
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Create alert using event data, as obtained from [Advanced Hunting](run-advanced-query-api.md) for creating a new alert.
## API description
Creates new [Alert](alerts.md).
<br>Microsoft Defender ATP Event is a required parameter for the alert creation.
<br>You can use an event found in Advanced Hunting API or Portal.
<br>If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
<br>An automatic investigation starts automatically on alerts created via the API.
## Limitations
1. Rate limitations for this API are 15 calls per minute.
## Permissions

20
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -34,17 +34,17 @@ Custom detection rules built from [Advanced hunting](advanced-hunting-overview.m
In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using an new query, run the query to identify errors and understand possible results.
#### Required columns in the query results
To use a query for a custom detection rule, the query must return the `EventTime`, `MachineId`, and `ReportId` columns in the results. Simple queries, such as those that dont use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that dont use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `MachineId`, you can still return `EventTime` and `ReportId` by getting them from the most recent event involving each machine.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine.
The sample query below counts the number of unique machines (`MachineId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `EventTime` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
```
MiscEvents
| where EventTime > ago(7d)
```kusto
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| summarize (EventTime, ReportId)=arg_max(EventTime, ReportId), count() by MachineId
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5
```
@ -76,7 +76,7 @@ Whenever a rule runs, similar detections on the same machine could be aggregated
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
#### Actions on machines
These actions are applied to machines in the `MachineId` column of the query results:
These actions are applied to machines in the `DeviceId` column of the query results:
- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
@ -117,7 +117,7 @@ You can also take the following actions on the rule from this page:
- **Run** — run the rule immediately. This also resets the interval for the next run.
- **Edit** — modify the rule without changing the query
- **Modify query** — edit the query in Advanced hunting
- **Modify query** — edit the query in advanced hunting
- **Turn on** / **Turn off** — enable the rule or stop it from running
- **Delete** — turn off the rule and remove it
@ -127,5 +127,5 @@ You can also take the following actions on the rule from this page:
## Related topic
- [Custom detections overview](overview-custom-detections.md)
- [Advanced hunting overview](advanced-hunting-overview.md)
- [Learn the Advanced hunting query language](advanced-hunting-query-language.md)
- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
- [View and organize alerts](alerts-queue.md)

25
windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
View File

@ -18,15 +18,18 @@ ms.topic: article
# Delete Indicator API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
>[!Note]
> Currently this API is only supported for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
## API description
Deletes an [Indicator](ti-indicator.md) entity by ID.
- Deletes an Indicator entity by ID.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
@ -66,15 +69,5 @@ If Indicator with the specified id was not found - 404 Not Found.
Here is an example of the request.
```
DELETE https://api.securitycenter.windows.com/api/indicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f
```
**Response**
Here is an example of the response.
```
HTTP/1.1 204 NO CONTENT
DELETE https://api.securitycenter.windows.com/api/indicators/995
```

119
windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
View File

@ -10,9 +10,9 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
author: levinec
ms.author: ellevin
ms.date: 05/09/2019
author: denisebmsft
ms.author: deniseb
ms.date: 01/08/2020
ms.reviewer:
manager: dansimp
---
@ -23,51 +23,50 @@ manager: dansimp
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. It consists of a number of mitigations that can be applied to either the operating system or individual apps.
[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
> [!IMPORTANT]
> .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported.
Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
You can enable each mitigation separately by using any of these methods:
* [Windows Security app](#windows-security-app)
* [Microsoft Intune](#intune)
* [Mobile Device Management (MDM)](#mdm)
* [System Center Configuration Manager (SCCM)](#sccm)
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
- [Windows Security app](#windows-security-app)
- [Microsoft Intune](#intune)
- [Mobile Device Management (MDM)](#mdm)
- [System Center Configuration Manager (SCCM)](#sccm)
- [Group Policy](#group-policy)
- [PowerShell](#powershell)
They are configured by default in Windows 10.
You can set each mitigation to on, off, or to its default value.
Some mitigations have additional options.
Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
## Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
3. Go to **Program settings** and choose the app you want to apply mitigations to. <br/>
- If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. <br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
5. Repeat this for all the apps and mitigations you want to configure.
6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:<br/>
- **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
* **On by default** - The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
* **Off by default** - The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
* **Use default** - The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
7. Repeat this for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
@ -78,51 +77,45 @@ Enabled in **Program settings** | Enabled in **System settings** | Behavior
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
**Example 1**
### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
Mikael configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
Mikael then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, he enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
**Example 2**
### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
Josie configures **Data Execution Prevention (DEP)** in the **System settings** section to be **Off by default**.
Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**.
Josie then adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, she enables the **Override system settings** option and sets the switch to **On**.
Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. She doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*.
CFG will be enabled for *miles.exe*.
The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
3. Go to **Program settings** and choose the app you want to apply mitigations to:
1. If the app you want to configure is already listed, click it and then click **Edit**
2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app:
* Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
* Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
3. Go to **Program settings** and choose the app you want to apply mitigations to.<br/>
- If the app you want to configure is already listed, click it and then click **Edit**.
- If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.<br/>
- Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
2. Click **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](../images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
1. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
![Enable network protection in Intune](../images/enable-ep-intune.png)
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
6. Click **OK** to save each open blade and click **Create**.
7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM
@ -131,21 +124,19 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
## SCCM
1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
1. Click **Home** > **Create Exploit Guard Policy**.
1. Enter a name and a description, click **Exploit protection**, and click **Next**.
1. Browse to the location of the exploit protection XML file and click **Next**.
1. Review the settings and click **Next** to create the policy.
1. After the policy is created, click **Close**.
2. Click **Home** > **Create Exploit Guard Policy**.
3. Enter a name and a description, click **Exploit protection**, and click **Next**.
4. Browse to the location of the exploit protection XML file and click **Next**.
5. Review the settings and click **Next** to create the policy.
6. After the policy is created, click **Close**.
## Group Policy
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
1. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
1. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
3. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
## PowerShell
@ -230,7 +221,7 @@ Validate handle usage | App-level only | StrictHandle | Audit not available
Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available
Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for dlls for a process:
<a href="#t1" id="r1">\[1\]</a>: Use the following format to enable EAF modules for DLLs for a process:
```PowerShell
Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll

2
windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
View File

@ -130,7 +130,7 @@ h. Select **Manage > Assignments**. In the **Include** tab, select *
In terminal, run:
```bash
mdatp --edr --earlypreview true
mdatp --edr --early-preview true
```
For versions earlier than 100.78.0, run:

2
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -152,7 +152,7 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query
After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
Hunt for attack evidence through Advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
## Simulation results

6
windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md
View File

@ -49,12 +49,12 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use Advanced hunting to see how exploit protection settings could affect your environment.
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment.
Here is an example query:
```PowerShell
MiscEvents
```kusto
DeviceEvents
| where ActionType startswith 'ExploitGuard' and ActionType !contains 'NetworkProtection'
```

239
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md Normal file
View File

@ -0,0 +1,239 @@
---
title: Create an Application to access Microsoft Defender ATP without a user
ms.reviewer:
description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Partner access through Microsoft Defender ATP APIs
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
This page describes how to create an AAD application to get programmatic access to Microsoft Defender ATP on behalf of your customers.
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, youll need to take the following steps to use the APIs:
- Create a **multi-tenant** AAD application.
- Get authorized(consent) by your customer administrator for your application to access Microsoft Defender ATP resources it needs.
- Get an access token using this application.
- Use the token to access Microsoft Defender ATP API.
The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
<br>**To become an official partner of Microsoft Defender ATP and appear in our partner page, you will provide us with your application identifier.**
## Create the multi-tenant app
1. Log on to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role.
2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
3. In the registration form:
- Choose a name for your application.
- Supported account types - accounts in any organizational directory.
- Redirect URI - type: Web, URI: https://portal.azure.com
![Image of Microsoft Azure partner application registration](images/atp-api-new-app-partner.png)
4. Allow your Application to access Microsoft Defender ATP and assign it with the minimal set of permissions required to complete the integration.
- On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
![Image of API access and API selection](images/add-permission.png)
### Request API permissions
To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. For instance:
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
In the following example we will use **'Read all alerts'** permission:
Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
![Image of API access and API selection](images/application-permissions.png)
5. Click **Grant consent**
- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
![Image of Grant permissions](images/grant-consent.png)
6. Add a secret to the application.
- Click **Certificates & secrets**, add description to the secret and click **Add**.
**Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
![Image of create app key](images/webapp-create-key2.png)
7. Write down your application ID:
- On your application page, go to **Overview** and copy the following:
![Image of created app id](images/app-id.png)
8. Add the application to your customer's tenant.
You need your application to be approved in each customer tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer.
A user with **Global Administrator** from your customer's tenant need to click the consent link and approve your application.
Consent link is of the form:
```
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```
Where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID
After clicking on the consent link, login with the Global Administrator of the customer's tenant and consent the application.
![Image of consent](images/app-consent-partner.png)
In addition, you will need to ask your customer for their tenant ID and save it for future use when acquiring the token.
- **Done!** You have successfully registered an application!
- See examples below for token acquisition and validation.
## Get an access token examples:
**Note:** to get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions.
<br>For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
### Using PowerShell
```
# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
# Paste below your Tenant ID, App ID and App Secret (App key).
$tenantId = '' ### Paste your tenant ID here
$appId = '' ### Paste your Application ID here
$appSecret = '' ### Paste your Application key here
$resourceAppIdUri = 'https://api.securitycenter.windows.com'
$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
$authBody = [Ordered] @{
resource = "$resourceAppIdUri"
client_id = "$appId"
client_secret = "$appSecret"
grant_type = 'client_credentials'
}
$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
$token = $authResponse.access_token
Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
```
### Using C#:
>The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory
- Create a new Console Application
- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
- Add the below using
```
using Microsoft.IdentityModel.Clients.ActiveDirectory;
```
- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
```
string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
const string authority = "https://login.windows.net";
const string wdatpResourceId = "https://api.securitycenter.windows.com";
AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
ClientCredential clientCredential = new ClientCredential(appId, appSecret);
AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
string token = authenticationResult.AccessToken;
```
### Using Python
Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
### Using Curl
> [!NOTE]
> The below procedure supposed Curl for Windows is already installed on your computer
- Open a command window
- Set CLIENT_ID to your Azure application ID
- Set CLIENT_SECRET to your Azure application secret
- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application
- Run the below command:
```
curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
```
You will get an answer of the form:
```
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
```
## Validate the token
Sanity check to make sure you got a correct token:
- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it
- Validate you get a 'roles' claim with the desired permissions
- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender ATP:
- The "tid" claim is the tenant ID the token belongs to.
![Image of token validation](images/webapp-decoded-token.png)
## Use the token to access Microsoft Defender ATP API
- Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme)
- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
- Example of sending a request to get a list of alerts **using C#**
```
var httpClient = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts");
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
// Do something useful with the response
```
## Related topics
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md)

2
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md
View File

@ -32,7 +32,7 @@ In this section we share PowerShell samples to
**Prerequisite**: You first need to [create an app](apis-intro.md).
## Preparation Instructions
## Preparation instructions
- Open a PowerShell window.
- If your policy does not allow you to run the PowerShell commands, you can run the below command:

221
windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md
View File

@ -51,25 +51,25 @@ Content-type: application/json
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
.
.
.
...
]
}
```
@ -79,7 +79,7 @@ Content-type: application/json
- Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z
```
**Response:**
@ -91,28 +91,35 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
"id": "da637084217856368682_-292920499",
"incidentId": 66860,
"investigationId": 4416234,
"investigationState": "Running",
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"detectionSource": "WindowsDefenderAtp",
"category": "CommandAndControl",
"threatFamilyName": null,
"title": "Network connection to a risky host",
"description": "A network connection was made to a risky host which has exhibited malicious activity.",
"alertCreationTime": "2019-11-03T23:49:45.3823185Z",
"firstEventTime": "2019-11-03T23:47:16.2288822Z",
"lastEventTime": "2019-11-03T23:47:51.2966758Z",
"lastUpdateTime": "2019-11-03T23:55:52.6Z",
"resolvedTime": null,
"machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop@contoso.com",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
]
},
.
.
.
...
]
}
```
@ -122,7 +129,7 @@ Content-type: application/json
- Get all the machines with 'High' 'RiskScore'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High'
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
```
**Response:**
@ -135,25 +142,25 @@ Content-type: application/json
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
.
.
.
...
]
}
```
@ -163,7 +170,7 @@ Content-type: application/json
- Get top 100 machines with 'HealthStatus' not equals to 'Active'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
```
**Response:**
@ -176,25 +183,25 @@ Content-type: application/json
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "ImpairedCommunication",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
.
.
.
...
]
}
```
@ -217,25 +224,25 @@ Content-type: application/json
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "ImpairedCommunication",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "ExampleTag" ]
},
.
.
.
...
]
}
```
@ -245,7 +252,7 @@ Content-type: application/json
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP
```
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan'
HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan'
```
**Response:**
@ -257,19 +264,19 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
"value": [
{
"id": "5c3e3322-d993-1234-1111-dfb136ebc8c5",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@examples.onmicrosoft.com",
"requestorComment": "1533",
"scope": "Full",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "123321c10e44a82877af76b1d0161a17843f688a",
"creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z",
"lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z",
"relatedFileInfo": null
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
},
.
.
.
...
]
}
```

36
windows/security/threat-protection/microsoft-defender-atp/files.md
View File

@ -17,9 +17,10 @@ ms.topic: article
---
# File resource type
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Represent a file entity in Microsoft Defender ATP.
@ -37,11 +38,10 @@ Property | Type | Description
:---|:---|:---
sha1 | String | Sha1 hash of the file content
sha256 | String | Sha256 hash of the file content
md5 | String | md5 hash of the file content
globalPrevalence | Integer | File prevalence across organization
globalPrevalence | Nullable long | File prevalence across organization
globalFirstObserved | DateTimeOffset | First time the file was observed.
globalLastObserved | DateTimeOffset | Last time the file was observed.
size | Integer | Size of the file.
size | Nullable long | Size of the file.
fileType | String | Type of the file.
isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.)
filePublisher | String | File publisher.
@ -50,3 +50,29 @@ signer | String | File signer.
issuer | String | File issuer.
signerHash | String | Hash of the signing certificate.
isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender ATP agent.
determinationType | String | The determination type of the file.
determinationValue | String | Determination value.
## Json representation
```json
{
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
"sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
"globalPrevalence": 180022,
"globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
"globalLastObserved": "2020-01-06T03:59:21.3229314Z",
"size": 22139496,
"fileType": "APP",
"isPeFile": true,
"filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
"fileProductName": "EaseUS MobiSaver for Android",
"signer": "CHENGDU YIWO Tech Development Co., Ltd.",
"issuer": "VeriSign Class 3 Code Signing 2010 CA",
"signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
"isValidCertificate": false,
"determinationType": "Pua",
"determinationValue": "PUA:Win32/FusionCore"
}
```

48
windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
View File

@ -18,13 +18,19 @@ ms.topic: article
# Find machines by internal IP API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.
The given timestamp must be in the past 30 days.
## API description
Find [Machines](machine.md) seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp.
## Limitations
1. The given timestamp must be in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -70,37 +76,5 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z)
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}
GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)
```

57
windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md
View File

@ -18,11 +18,19 @@ ms.topic: article
# Get alert information by ID API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves specific [Alert](alerts.md) by its ID.
## Limitations
1. You can get alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves an alert by its ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -56,46 +64,3 @@ Empty
## Response
If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If alert with the specified id was not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
```
**Response**
Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

16
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
View File

@ -18,12 +18,20 @@ ms.topic: article
# Get alert related domain information API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves all domains related to a specific alert.
## Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -79,7 +87,11 @@ Content-type: application/json
"value": [
{
"host": "www.example.com"
},
{
"host": "www.example2.com"
}
...
]
}

44
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
View File

@ -18,12 +18,20 @@ ms.topic: article
# Get alert related files information API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves all files related to a specific alert.
## Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -79,23 +87,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files",
"value": [
{
"sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d",
"sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87",
"md5": "82849dc81d94056224445ea73dc6153a",
"globalPrevalence": 33,
"globalFirstObserved": "2018-07-17T18:17:27.5909748Z",
"globalLastObserved": "2018-08-06T16:07:12.9414137Z",
"windowsDefenderAVThreatName": null,
"size": 801112,
"fileType": "PortableExecutable",
"sha1": "f2a00fd2f2de1be0214b8529f1e9f67096c1aa70",
"sha256": "dcd71ef5fff4362a9f64cf3f96f14f2b11d6f428f3badbedcb9ff3361e7079aa",
"md5": "8d5b7cc9a832e21d22503057e1fec8e9",
"globalPrevalence": 29,
"globalFirstObserved": "2019-03-23T23:54:06.0135204Z",
"globalLastObserved": "2019-04-23T00:43:20.0489831Z",
"size": 113984,
"fileType": null,
"isPeFile": true,
"filePublisher": null,
"fileProductName": null,
"signer": "Microsoft Windows",
"issuer": "Microsoft Development PCA 2014",
"signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f",
"isValidCertificate": true
"filePublisher": "Microsoft Corporation",
"fileProductName": "Microsoft<66> Windows<77> Operating System",
"signer": "Microsoft Corporation",
"issuer": "Microsoft Code Signing PCA",
"signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",
"isValidCertificate": true,
"determinationType": "Unknown",
"determinationValue": null
}
...
]
}
```

15
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
View File

@ -16,14 +16,22 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Get alert related IP information API
# Get alert related IPs information API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves all IPs related to a specific alert.
## Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -85,6 +93,7 @@ Content-type: application/json
{
"id": "23.203.232.228
}
...
]
}

19
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
View File

@ -18,11 +18,19 @@ ms.topic: article
# Get alert related machine information API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves [Machine](machine.md) related to a specific alert.
## Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves machine that is related to a specific alert.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -85,15 +93,16 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]

29
windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
View File

@ -18,11 +18,19 @@ ms.topic: article
# Get alert related user information API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves the User related to a specific alert.
## Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves the user associated to a specific alert.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -80,13 +88,16 @@ Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"accountName": "user1",
"accountDomain": "contoso",
"accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
"firstSeen": "2019-12-08T06:33:39Z",
"lastSeen": "2020-01-05T06:58:34Z",
"mostPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
"leastPrevalentMachineId": "0111b647235c26159bec3e5eb6c8c3a0cc3ab766",
"logonTypes": "Network",
"logOnMachinesCount": 3,
"logOnMachinesCount": 1,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
"isOnlyNetworkUser": false
}
```

22
windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
View File

@ -22,13 +22,19 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of Alerts.
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
Supports [OData V4 queries](https://www.odata.org/documentation/).
The OData's Filter query is supported on: "alertCreationTime", "incidentId", "InvestigationId", "status", "severity" and "category".
## Limitations
1. You can get alerts last updated in the past 30 days.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -50,10 +56,6 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
GET /api/alerts
```
## Optional query parameters
Method supports $top, $select, $filter, $expand and $skip query parameters.
<br>$expand is available on Files, IPs and Domains. e.g. $expand=files,domains
## Request headers
Name | Type | Description
@ -120,11 +122,9 @@ Here is an example of the response.
"createdBy": "secop@contoso.com",
"createdTime": "2019-11-05T14:08:37.8404534Z"
}
],
"alertFiles": [],
"alertDomains": [],
"alertIps": []
]
}
...
]
}
```

1
windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
View File

@ -15,6 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ROBOTS: NOINDEX
---
# Get CVE-KB map API

69
windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
View File

@ -18,11 +18,19 @@ ms.topic: article
# Get domain related alerts API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
## Limitations
1. You can query on alerts last updated in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves a collection of alerts related to a given domain address.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -68,58 +76,3 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```

67
windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
View File

@ -17,10 +17,20 @@ ms.topic: article
---
# Get domain related machines API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Retrieves a collection of machines that have communicated to or from a given domain address.
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of [Machines](machine.md) that have communicated to or from a given domain address.
## Limitations
1. You can query on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -68,54 +78,3 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```

14
windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
View File

@ -18,10 +18,18 @@ ms.topic: article
# Get domain statistics API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves the statistics on the given domain.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves the prevalence for the given domain.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)

51
windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
View File

@ -17,10 +17,19 @@ ms.topic: article
---
# Get file information API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Retrieves a file by identifier Sha1, Sha256, or MD5.
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a [File](files.md) by identifier Sha1, or Sha256
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -62,7 +71,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1
GET https://api.securitycenter.windows.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
```
**Response**
@ -74,22 +83,22 @@ Here is an example of the response.
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
"sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf",
"md5": "7f05a371d2beffb3784fd2199f81d730",
"globalPrevalence": 7329,
"globalFirstObserved": "2018-04-08T05:50:29.4459725Z",
"globalLastObserved": "2018-08-07T23:35:11.1361328Z",
"windowsDefenderAVThreatName": null,
"size": 391680,
"fileType": "PortableExecutable",
"isPeFile": true,
"filePublisher": null,
"fileProductName": null,
"signer": null,
"issuer": null,
"signerHash": null,
"isValidCertificate": null
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
"sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
"globalPrevalence": 180022,
"globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
"globalLastObserved": "2020-01-06T03:59:21.3229314Z",
"size": 22139496,
"fileType": "APP",
"isPeFile": true,
"filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
"fileProductName": "EaseUS MobiSaver for Android",
"signer": "CHENGDU YIWO Tech Development Co., Ltd.",
"issuer": "VeriSign Class 3 Code Signing 2010 CA",
"signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
"isValidCertificate": false,
"determinationType": "Pua",
"determinationValue": "PUA:Win32/FusionCore"
}
```

46
windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
View File

@ -18,12 +18,19 @@ ms.topic: article
# Get file related alerts API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of alerts related to a given file hash.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -69,38 +76,3 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```

62
windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
View File

@ -18,11 +18,18 @@ ms.topic: article
# Get file related machines API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of [Machines](machine.md) related to a given file hash.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
- Retrieves a collection of machines related to a given file hash.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -69,52 +76,3 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```

29
windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
View File

@ -18,11 +18,18 @@ ms.topic: article
# Get file statistics API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves the statistics for the given file.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves the prevalence for the given file.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -64,7 +71,7 @@ Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats
GET https://api.securitycenter.windows.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats
```
**Response**
@ -77,13 +84,15 @@ HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1",
"orgPrevalence": "3",
"orgFirstSeen": "2018-07-15T06:13:59Z",
"orgLastSeen": "2018-08-03T16:45:21Z",
"sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
"orgPrevalence": "14850",
"orgFirstSeen": "2019-12-07T13:44:16Z",
"orgLastSeen": "2020-01-06T13:39:36Z",
"globalPrevalence": "705012",
"globalFirstObserved": "2015-03-19T12:20:07.3432441Z",
"globalLastObserved": "2020-01-06T13:39:36Z",
"topFileNames": [
"chrome_1.exe",
"chrome_2.exe"
"MREC.exe"
]
}

110
windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md Normal file
View File

@ -0,0 +1,110 @@
---
title: List Investigations API
description: Use this API to create calls related to get Investigations collection
keywords: apis, graph api, supported apis, Investigations collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# List Investigations API
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of [Investigations](investigation.md).
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's ```$filter``` query is supported on: ```startTime```, ```state```, ```machineId``` and ```triggeringAlertId``` properties.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Limitations
1. Maximum page size is 10,000.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
```
GET https://api.securitycenter.windows.com/api/investigations
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
## Example
**Request**
Here is an example of a request to get all investigations:
```
GET https://api.securitycenter.windows.com/api/investigations
```
**Response**
Here is an example of the response:
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Investigations",
"value": [
{
"id": "63017",
"startTime": "2020-01-06T14:11:34Z",
"endTime": null,
"state": "Running",
"cancelledBy": null,
"statusDetails": null,
"machineId": "a69a22debe5f274d8765ea3c368d00762e057b30",
"computerDnsName": "desktop-gtrcon0",
"triggeringAlertId": "da637139166940871892_-598649278"
}
...
]
}
```

66
windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md Normal file
View File

@ -0,0 +1,66 @@
---
title: Get Investigation object API
description: Use this API to create calls related to get Investigation object
keywords: apis, graph api, supported apis, Investigation object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get Investigation API
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves specific [Investigation](investigation.md) by its ID.
<br> ID can be the investigation ID or the investigation triggering alert ID.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Alert.Read.All | 'Read all alerts'
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
```
GET https://api.securitycenter.windows.com/api/investigations/{id}
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a [Investigations](investigation.md) entity.

48
windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
View File

@ -18,12 +18,19 @@ ms.topic: article
# Get IP related alerts API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of alerts related to a given IP address.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -69,39 +76,4 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```
```

13
windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
View File

@ -18,11 +18,18 @@ ms.topic: article
# Get IP statistics API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves the statistics for the given IP.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves the prevalence for the given IP.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)

2
windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/07/2018
ROBOTS: NOINDEX
---
# Get KB collection API

40
windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
View File

@ -18,11 +18,19 @@ ms.topic: article
# Get machine by ID API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves specific [Machine](machine.md) by its machine ID or computer name.
## Limitations
1. You can get machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves a machine entity by ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -83,20 +91,22 @@ Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}

45
windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
View File

@ -18,11 +18,19 @@ ms.topic: article
# Get machine log on users API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of logged on users on a specific machine.
## Limitations
1. You can query on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Retrieves a collection of logged on users.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -81,26 +89,19 @@ Content-type: application/json
"value": [
{
"id": "contoso\\user1",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-04T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
"accountName": "user1",
"accountDomain": "contoso",
"accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
"firstSeen": "2019-12-18T08:02:54Z",
"lastSeen": "2020-01-06T08:01:48Z",
"mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
"leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
"logonTypes": "Interactive",
"logOnMachinesCount": 8,
"isDomainAdmin": true,
"isOnlyNetworkUser": false
},
{
"id": "contoso\\user2",
"firstSeen": "2018-08-02T00:00:00Z",
"lastSeen": "2018-08-05T00:00:00Z",
"mostPrevalentMachineId": null,
"leastPrevalentMachineId": null,
"logonTypes": "Network",
"logOnMachinesCount": 3,
"isDomainAdmin": false,
"isOnlyNetworkUser": null
}
...
]
}
```

66
windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
View File

@ -17,13 +17,20 @@ ms.topic: article
---
# Get machine related alerts API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Retrieves a collection of alerts related to a given machine ID.
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves all [Alerts](alerts.md) related to a specific machine.
## Limitations
1. You can query on machines last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
@ -54,52 +61,3 @@ Empty
## Response
If successful and machine exists - 200 OK with list of [alert](alerts.md) entities in the body. If machine was not found - 404 Not Found.
## Example
**Request**
Here is an example of the request.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```

32
windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
View File

@ -18,10 +18,18 @@ ms.topic: article
# Get machineAction API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves specific [Machine Action](machineaction.md) by its ID.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
Get action performed on a machine.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -77,15 +85,17 @@ HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
"type": "Isolate",
"scope": "Selective",
"requestor": "Analyst@TestPrd.onmicrosoft.com",
"requestorComment": "test for docs",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
"machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
"computerDnsName": "desktop-test",
"creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
"lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
"relatedFileInfo": null
}

27
windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
View File

@ -18,17 +18,22 @@ ms.topic: article
# List MachineActions API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Gets collection of actions done on machines.
Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
## API description
Retrieves a collection of [Machine Actions](machineaction.md).
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Limitations
1. Maximum page size is 10,000.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -89,10 +94,12 @@ Content-type: application/json
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"scope": null,
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
@ -100,10 +107,12 @@ Content-type: application/json
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"scope": "Full",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null
@ -111,10 +120,12 @@ Content-type: application/json
{
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "StopAndQuarantineFile",
"scope": null,
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
"relatedFileInfo": {
@ -151,10 +162,12 @@ Content-type: application/json
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"scope": null,
"requestor": "Analyst@contoso.com",
"requestorComment": "test",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
"relatedFileInfo": null
@ -162,10 +175,12 @@ Content-type: application/json
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"scope": "Full",
"requestor": "Analyst@contoso.com",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
"relatedFileInfo": null

67
windows/security/threat-protection/microsoft-defender-atp/get-machines.md
View File

@ -18,17 +18,23 @@ ms.topic: article
# List machines API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
This API can do the following actions:
- Retrieves a collection of machines that have communicated with Microsoft Defender ATP cloud on the last 30 days.
- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
## API description
Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud on the last 30 days.
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's ```$filter``` query is supported on: ```computerDnsName```, ```lastSeen```, ```lastIpAddress```, ```healthStatus```, ```osPlatform```, ```riskScore```, ```rbacGroupId``` and ```machineTags``` properties.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Limitations
1. You can get machines last seen in the past 30 days.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Permissions
@ -88,42 +94,25 @@ Content-type: application/json
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"osPlatform": "Windows10",
"version": "1709",
"osProcessor": "x64",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
"riskScore": "Low",
"exposureLevel": "Medium",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
...
]
}
```

9
windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
View File

@ -18,11 +18,14 @@ ms.topic: article
# Get package SAS URI API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md).
Get a URI that allows downloading of an [investigation package](collect-investigation-package.md).
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)

54
windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Become a Microsoft Defender ATP partner
ms.reviewer:
description: Learn the steps and requirements so that you can integrate your solution with Microsoft Defender ATP and be a partner
keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Become a Microsoft Defender ATP partner
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps.
## Step 1: Subscribe to a Microsoft Defender ATP Developer license
Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
## Step 2: Fulfill the solution validation and certification requirements
The best way for technology partners to certify their integration works, is to have a joint customer approve the suggested integration design and have it tested and demoed to the Microsoft Defender ATP team.
Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
## Step 3: Become a Microsoft Intelligent Security Association member
[Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products.
## Step 4: Get listed in the Microsoft Defender ATP partner application portal
Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender ATP management portal.
To have your company listed as a partner in the in-product partner page, you will need to provide the following:
1. A square logo (SVG).
2. Name of the product to be presented.
3. Provide a 15-word product description.
4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
## Related topics
- [Technical partner opportunities](partner-integration.md)

47
windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
View File

@ -18,16 +18,21 @@ ms.topic: article
# List Indicators API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
>[!NOTE]
> Currently this API is supported only for AppOnly context requests. (See [Get access with application context](exposed-apis-create-app-webapp.md) for more information)
## API description
Retrieves a collection of all active [Indicators](ti-indicator.md).
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's ```$filter``` query is supported on: ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```action``` and ```severity``` properties.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
- Gets collection of TI Indicators.
- Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/).
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
@ -36,7 +41,7 @@ Permission type | Permission | Permission display name
:---|:---|:---
Application | Ti.ReadWrite | 'Read and write Indicators'
Application | Ti.ReadWrite.All | 'Read and write All Indicators'
Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
## HTTP request
```
@ -82,26 +87,38 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"id": "995",
"indicatorValue": "12.13.14.15",
"indicatorType": "IpAddress",
"action": "Alert",
"application": "demo-test",
"source": "TestPrdApp",
"sourceType": "AadApp",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "Alert",
"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
"lastUpdatedBy": TestPrdApp,
"severity": "Informational",
"description": "test",
"recommendedActions": "test",
"rbacGroupNames": []
},
{
"id": "996",
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"action": "AlertAndBlock",
"application": null,
"source": "TestPrdApp",
"sourceType": "AadApp",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
"lastUpdatedBy": TestPrdApp,
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",
@ -119,7 +136,7 @@ Content-type: application/json
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
```
GET https://api.securitycenter.windows.com/api/indicators?$filter=action eq 'AlertAndBlock'
GET https://api.securitycenter.windows.com/api/indicators?$filter=action+eq+'AlertAndBlock'
```
**Response**
@ -133,13 +150,19 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
"value": [
{
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
"id": "997",
"indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f",
"indicatorType": "FileSha1",
"action": "AlertAndBlock",
"application": null,
"source": "TestPrdApp",
"sourceType": "AadApp",
"title": "test",
"creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
"createdBy": "45097602-1234-5678-1234-9f453233e62c",
"expirationTime": "2020-12-12T00:00:00Z",
"action": "AlertAndBlock",
"lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
"lastUpdatedBy": TestPrdApp,
"severity": "Informational",
"description": "test",
"recommendedActions": "TEST",

68
windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
View File

@ -18,12 +18,19 @@ ms.topic: article
# Get user related alerts API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of alerts related to a given user ID.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -70,59 +77,4 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/users/user1/alerts
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```
```

62
windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
View File

@ -18,12 +18,19 @@ ms.topic: article
# Get user related machines API
**Applies to:**
**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Retrieves a collection of machines related to a given user ID.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -72,54 +79,3 @@ Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/users/user1/machines
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```

60
windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Helpful Microsoft Defender Advanced Threat Protection resources
description: Access helpful resources such as links to blogs and other resources related to Microsoft Defender Advanced Threat Protection
keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Helpful Microsoft Defender Advanced Threat Protection resources
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Access helpful resources such as links to blogs and other resources related to Microsoft Defender Advanced Threat Protection.
## Endpoint protection platform
- [Top scoring in industry
tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests)
- [Inside out: Get to know the advanced technologies at the core of Microsoft
Defender ATP next generation
protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/)
- [Protecting disconnected devices with Microsoft Defender
ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341)
- [Tamper protection in Microsoft Defender
ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571)
## Endpoint Detection Response
- [Incident response at your fingertips with Microsoft Defender ATP live
response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894)
## Threat Vulnerability Management
- [Microsoft Defender ATP Threat & Vulnerability Management now publicly
available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977)
## Operational
- [The Golden Hour remake - Defining metrics for a successful security
operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014)
- [Microsoft Defender ATP Evaluation lab is now available in public preview
](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271)
- [How automation brings value to your security
teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/09833d16df7f37eda97ea1d5009b651a.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.3 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 90 KiB

Some files were not shown because too many files have changed in this diff Show More