Merge remote-tracking branch 'origin/master' into wdeg-working

This commit is contained in:
Iaan D'Souza-Wiltshire
2017-09-28 17:34:07 -07:00
659 changed files with 10657 additions and 2635 deletions

View File

@ -6,17 +6,20 @@
### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Configure endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
#### [Configure proxy and Internet settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
#### [View the Dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
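Review bot: the TOC title "Configure endpoints using System Security Configuration Manager" in this hunk misnames the product; the linked file is `configure-endpoints-sccm-...`, so the title should read "Configure endpoints using System Center Configuration Manager". While here, confirm that the "Configure endpoints"/"Configure client endpoints" pair pointing at the same file is an old/new rename and not two surviving entries.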
@ -27,17 +30,23 @@
#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
##### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
##### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
###### [Undo machine isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restict-app-execution)
###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
###### [Release machine from the isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
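Review bot: the anchor `#restict-app-execution` on the "Restrict app execution" entry is misspelled; a docs anchor has to match the heading's generated ID in `respond-machine-alerts-windows-defender-advanced-threat-protection.md`, so either the heading there carries the same typo (fix both) or this link will land at the top of the page. Also check that "Isolate machines from the network" is not left twice under the same parent once the old lines are dropped.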
@ -63,6 +72,46 @@
#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
##### Actor
###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
##### Alerts
###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
##### Domain
###### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
##### File
###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
##### IP
###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
##### Machines
###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
##### User
###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
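Review bot: "Create and build Power BI reports using Windows Defender ATP data" is added here as a top-level `###` entry while the next hunk still shows the same link under "Configure" as a `####` entry; if the intent is to move it, make sure the old entry is removed rather than duplicated. The `fix-unhealhty-sensors-...` filename carries a typo in both entries; if the file really is named that way the links work, but it is worth renaming in a follow-up.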
@ -74,12 +123,12 @@
#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)
@ -95,6 +144,7 @@
#### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md)
##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md)
#### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md)
##### [Troublehsoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md)
#### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md)
##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md)
##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md)
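Review bot: the new TOC entry reads "Troublehsoot Windows Defender Antivirus reporting in Update Compliance"; fix the title text to "Troubleshoot ..." (the linked `troubleshoot-reporting.md` filename is spelled correctly).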

View File

@ -649,3 +649,5 @@ You can get more info with the following links:
- [Event Queries and Event XML](http://msdn.microsoft.com/library/bb399427.aspx)
- [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx)
- [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx)
Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub:?tabid=2&contextid=897).
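Review bot: the added "Not finding content you need?" line follows the last bullet with no blank line, so Markdown will treat it as a lazy continuation of the "Windows Event Collector" list item rather than a separate paragraph. Insert a blank line before it.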

View File

@ -0,0 +1,77 @@
---
title: Collect diagnostic data for Update Compliance and Windows Defender AV
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Windows Defender AV Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 09/06/2017
---
# Collect Update Compliance diagnostic data for Windows Defender AV Assessment
**Applies to:**
- Windows 10
**Audience**
- IT administrators
This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in.
Before attempting this process, ensure you have read the [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md) topic, met all require pre-requisites, and taken any other suggested troubleshooting steps.
1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process:
1. Open an administrator-level version of the command prompt:
1. Open the **Start** menu.
2. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**.
3. Enter administrator credentials or approve the prompt.
2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example:
```Dos
cd c:\program files\windows\defender
```
3. Enter the following command and press **Enter**
```Dos
mpcmdrun -getfiles
```
4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.
2. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us.
3. Send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
```
I am encountering the following issue when using Windows Defender AV in Update Compliance:
I have provided at least 2 support .cab files at the following location: <accessible share, including access details such as password>
My OMS workspace ID is:
Please contact me at:
```
## Related topics
- [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md)
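Review bot: the `cd c:\program files\windows\defender` example in step 2 does not match the directory named in the same sentence; `Windows Defender` is one folder name with a space, so the command should be `cd "C:\Program Files\Windows Defender"` (with the backslash it points at a path that does not exist, and `mpcmdrun -getfiles` in step 3 will then fail with "not recognized"). Smaller points in the same file: `ms.pagetype: security` appears twice in the front matter (duplicate YAML key), and "met all require pre-requisites" should read "met all required prerequisites".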

View File

@ -45,12 +45,11 @@ You can also [specify how long the file should be prevented from running](config
## How it works
When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. The following video describes how this feature works.
When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
The Block at First Sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
<iframe
src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe.
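Review bot: the rewritten sentence keeps the awkward "to determine the files as malicious or clean"; suggest "to determine whether the file is malicious or clean". Since the "The following video describes how this feature works" sentence is dropped along with the `<iframe>` embed, double-check no other reference to the video remains in the "How it works" section.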

View File

@ -147,7 +147,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t
Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud:
```DOS
MpCmdRun - ValidateMapsConnection
MpCmdRun -ValidateMapsConnection
```
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703.
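Review bot: the command fix (removing the stray space in `-ValidateMapsConnection`) is correct, since `MpCmdRun.exe` takes the switch as a single token. The note below it says the command "will only work on Windows 10, version 1703", which reads as if later versions are excluded; if 1703 is the minimum, say "version 1703 or later".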

Binary file not shown.


View File

@ -0,0 +1,70 @@
---
title: Troubleshoot problems with reporting tools for Windows Defender AV
description: Identify and solve common problems when attempting to report in Windows Defender AV protection status in Update Compliance
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, windows defender av
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 09/06/2017
---
# Troubleshoot Windows Defender Antivirus reporting in Update Compliance
**Applies to:**
- Windows 10
**Audience**
- IT administrators
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues.
Typically, the most common indicators of a problem are:
- You only see a small number or subset of all the devices you were expecting to see
- You do not see any devices at all
- The reports and information you do see is outdated (older than a few days)
For common error codes and event IDs related to the Windows Defender AV service that are not related to Update Compliance, see the [Windows Defender Antivirus events](troubleshoot-windows-defender-antivirus.md) topic.
There are three steps to troubleshooting these problems:
1. Confirm that you have met all pre-requisites
2. Check your connectivity to the Windows Defender cloud-based service
3. Submit support logs
>[!IMPORTANT]
>It typically takes 3 days for devices to start appearing in Update Compliance
## Confirm pre-requisites
In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender AV protection:
>[!div class="checklist"]
>- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance.
> - [Cloud-delivered protection is enabled](enable-cloud-protection-windows-defender-antivirus.md).
> - Endpoints can [connect to the Windows Defender AV cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud)
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 telemetry must be set to the Enhanced level](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic information and send it to us.
> [!div class="nextstepaction"]
> [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md)
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)

View File

@ -33,6 +33,11 @@ Cloud-delivered protection for Windows Defender Antivirus, also referred to as M
Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds.
The following video describes how it works:
<iframe
src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc62c59" width="768" height="432" allowFullScreen="true" frameBorder="0" scrolling="no"></iframe>
Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
The following table describes the differences in cloud-delivered protection between recent versions of Windows and System Center Configuration Manager.

View File

@ -1,6 +1,6 @@
---
title: Windows Defender Antivirus and Windows Defender ATP
description: Windows Defender AV and Windows Defender ATP work together to provide threat detection, remediation, and investigation.
title: Windows Defender Antivirus compatibility with other security products
description: Windows Defender AV operates in different ways depending on what other security products you have installed, and the operating system you are using.
keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -11,35 +11,75 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 06/13/2017
ms.date: 09/07/2017
---
# Windows Defender Antivirus and Advanced Threat Protection: Better together
# Windows Defender Antivirus and third party protection products
**Applies to:**
- Windows 10
- Windows Server 2016
**Audience**
- Enterprise security administrators
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
Windows Defender Advanced Threat Protection (ATP) is an additional service beyond Windows Defender Antivirus that helps enterprises detect, investigate, and respond to advanced persistent threats on their network.
See the [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) topics for more information about the service.
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender AV will automatically disable itself.
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
If you are also using Windows Defender Advanced Threat Protection, then Windows Defender AV will enter a passive mode.
In passive mode, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
On Windows Server 2016, Windows Defender AV will not enter passive or disabled mode if you have also installed a third-party antivirus product. See [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) topic for key differences and management options for Windows Server installations.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
The following matrix illustrates how Windows Defender AV operates when third-party antivirus products or Windows Defender ATP are also used.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
Windows version | Antimalware protection offered by | Organization enrolled in Windows Defender ATP | Windows Defender AV state
-|-|-|-
Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode
Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode
Windows 10 | Windows Defender AV | Yes | Active mode
Windows 10 | Windows Defender AV | No | Active mode
Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode
Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Active mode
Windows Server 2016 | Windows Defender AV | Yes | Active mode
Windows Server 2016 | Windows Defender AV | No | Active mode
>[!IMPORTANT]
>Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016.
>
>In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/en-us/library/hh508760.aspx), which is managed through System Center Configuration Manager.
>
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/en-us/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
In the passive and automatic disabled modes, Windows Defender AV will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender AV will not provide real-time protection from malware.
The reasons for this are twofold:
1. If you are enrolled in Windows Defender ATP, [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
2. If the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, then Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint.
Therefore, the Windows Defender AV service needs to update itself to ensure it has up-to-date protection coverage in case it needs to automatically enable itself.
You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode.
>[!WARNING]
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app.
>
>This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
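Review bot: the Related topics list at the end of this hunk has a duplicate entry; "[Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)" appears twice in a row, so drop one and keep the list as Windows 10 followed by Windows Server 2016. While in this hunk, "will continue to be updated, however there will be no Windows Defender user interface" is a comma splice; a full stop or semicolon before "however" reads better.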

View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 08/25/2017
ms.date: 09/07/2017
---
@ -56,21 +56,56 @@ This topic includes the following instructions for setting up and running Window
- [Configure automatic exclusions](#BKMK_DefExclusions)
<a name="BKMK_UsingDef"></a>
## Enable the interface
By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs.
## Enable or disable the interface on Windows Server 2016
By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required.
You can enable or disable the interface by using the **Add Roles and Features Wizard** or PowerShellCmdlets, as described in the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic.
If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option.
The following PowerShell cmdlet will enable the interface:
![](images/server-add-gui.png)
See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard.
The following PowerShell cmdlet will also enable the interface:
```PowerShell
Install-WindowsFeature -Name Windows-Defender-GUI
```
The following cmdlet will disable the interface:
To hide the interface, use the **Remove Roles and Features Wizard** and deselect the **GUI for Windows Defender** option at the **Features** step, or use the following PowerShell cmdlet:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender-GUI
```
>[!IMPORTANT]
> Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
## Install or uninstall Windows Defender AV on Windows Server 2016
You can also uninstall Windows Defender AV completely with the **Remove Roles and Features Wizard** by deselecting the **Windows Defender Features** option at the **Features** step in the wizard.
>[!NOTE]
>Deselecting **Windows Defender** on its own under the **Windows Defender Features** section will automatically prompt you to remove the interface option **GUI for Windows Defender**.
The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016:
```PS
Uninstall-WindowsFeature -Name Windows-Server-Antimalware
Uninstall-WindowsFeature -Name Windows-Defender
```
To install Windows Defender AV again, use the **Add Roles and Features Wizard** and ensure the **Windows Defender** feature is selected. You can also enable the interface by selecting the **GUID for Windows Defender** option.
You can also use the following PowerShell cmdlet to install Windows Defender AV:
```PS
Install-WindowsFeature -Name Windows-Defender
```
> [!TIP]
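Review bot: "GUID for Windows Defender" in the reinstall paragraph should be "GUI for Windows Defender", the option name used earlier in this hunk. Two smaller consistency points: "PowerShellCmdlets" needs a space ("PowerShell cmdlets"), and the two new fences are tagged ```PS while the existing ones in the same topic use ```PowerShell; pick one tag so highlighting is consistent. Also, "The following PowerShell cmdlet will also uninstall Windows Defender AV" introduces a block with two commands (`Uninstall-WindowsFeature -Name Windows-Server-Antimalware` and `Uninstall-WindowsFeature -Name Windows-Defender`) while the reinstall block runs only `Install-WindowsFeature -Name Windows-Defender`; either state which of the two uninstall commands applies on Server 2016 or confirm that the single install command restores everything the two uninstall commands remove.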

View File

@ -38,11 +38,11 @@ In Windows 10, version 1703 (also known as the Creators Update), the Windows Def
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a 3rd party antivirus or firewall product is installed and kept up to date.
> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These will be disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
> [!WARNING]
> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated 3rd party antivirus, or if you uninstall any 3rd party antivirus products you may have previously installed.
>It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
>This will significantly lower the protection of your device and could lead to malware infection.

View File

@ -8,7 +8,6 @@ ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Configure Windows Defender Application Guard policy settings
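Review bot: this hunk removes `localizationpriority: high` from the front matter instead of renaming it; the other topics in this commit use the `ms.localizationpriority` key (for example `ms.localizationpriority: medium` above), so check whether the intent was to drop the priority or to migrate it to `ms.localizationpriority: high`. The same removal appears in the other five Application Guard topics in this commit and should be handled the same way.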
@ -40,7 +39,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
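Review bot: in the "Block enterprise websites..." row, the added note runs straight on from the previous sentence ("...Application Guard container.**Note** This may also block..."); the other rows in this table introduce notes with `<br><br>**Note**<br>`, so use the same markup here. The added sentence could also drop "Please" to match the register of the rest of the table, and there is a stray space before the closing `|` of that row.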

View File

@ -8,7 +8,6 @@ ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Frequently asked questions - Windows Defender Application Guard

View File

@ -8,7 +8,6 @@ ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Prepare and install Windows Defender Application Guard

View File

@ -8,7 +8,6 @@ ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# System requirements for Windows Defender Application Guard

View File

@ -8,7 +8,6 @@ ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Testing scenarios using Windows Defender Application Guard in your business or organization

View File

@ -8,7 +8,6 @@ ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 08/11/2017
localizationpriority: high
---
# Windows Defender Application Guard overview
@ -20,7 +19,6 @@ The threat landscape is continually evolving. While hackers are busy developing
Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
@ -40,8 +38,8 @@ Application Guard has been created to target 3 types of enterprise systems:
## In this section
|Topic |Description |
|------|------------|
|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. |
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. |
|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.|
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|
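Review bot: the only change in the two edited rows is the removal of a trailing space before the closing `|`; since the lines are being touched anyway, "pre-requisites" in the System requirements row could become "prerequisites".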

View File

@ -10,7 +10,9 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Turn on advanced features in Windows Defender ATP
**Applies to:**
@ -21,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with.
Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
@ -32,7 +38,7 @@ If your organization satisfies these conditions, the feature is enabled by defau
## Show user details
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
- Dashboard
- Security operations dashboard
- Alert queue
- Machine details page
@ -57,3 +63,4 @@ When you enable this feature, you'll be able to incorporate data from Office 365
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment:
@ -30,6 +35,7 @@ Alerts are organized in queues by their workflow status or assignment:
- **In progress**
- **Resolved**
- **Assigned to me**
- **Suppression rules**
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
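Review bot: the lead-in "Alerts are organized in queues by their workflow status or assignment:" no longer matches the list once **Suppression rules** is added, because suppression rules are neither a workflow status nor an assignment. Either reword the lead-in (for example, "The following queues are available under **Alerts queue**:") or describe the suppression rules entry in its own sentence after the list.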
@ -112,13 +118,14 @@ Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together
![Alerts queue bulk edit](images/alerts-q-bulk.png)
## Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Windows Defender ATP alert API fields
@ -22,6 +23,11 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
@ -33,249 +39,48 @@ The ArcSight field column contains the default mapping between the Windows Defen
Field numbers match the numbers in the images below.
<table style="table-layout:fixed;width:100%" >
<tr>
<th class>Portal label</th>
<th class>SIEM field name</th>
<th class>ArcSight field</th>
<th class>Example value</th>
<th class>Description</th>
<th class></th>
</tr>
<tr>
<td class>1</td>
<td class>AlertTitle</td>
<td class>name</td>
<td class>A dll was unexpectedly loaded into a high integrity process without a UAC prompt</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>2</td>
<td class>Severity</td>
<td class>deviceSeverity</td>
<td class>Medium</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>3</td>
<td class>Category</td>
<td class>deviceEventCategory</td>
<td class>Privilege Escalation</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>4</td>
<td class>Source</td>
<td class>sourceServiceName</td>
<td class>WindowsDefenderATP</td>
<td class>Windows Defender Antivirus or Windows Defender ATP. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>5</td>
<td class>MachineName</td>
<td class>sourceHostName</td>
<td class>liz-bean</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>6</td>
<td class>FileName</td>
<td class>fileName</td>
<td class>Robocopy.exe</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>7</td>
<td class>FilePath</td>
<td class>filePath</td>
<td class>C:\Windows\System32\Robocopy.exe</td>
<td class>Available for alerts associated with a file or process. \</td>
<td class></td>
</tr>
<tr>
<td class>8</td>
<td class>UserDomain</td>
<td class>sourceNtDomain</td>
<td class>contoso</td>
<td class>The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>9</td>
<td class>UserName</td>
<td class>sourceUserName</td>
<td class>liz-bean</td>
<td class>The user context running the activity, available for Windows Defender ATP behavioral based alerts.</td>
<td class></td>
</tr>
<tr>
<td class>10</td>
<td class>Sha1</td>
<td class>fileHash</td>
<td class>5b4b3985339529be3151d331395f667e1d5b7f35</td>
<td class>Available for alerts associated with a file or process.</td>
<td class></td>
</tr>
<tr>
<td class>11</td>
<td class>Md5</td>
<td class>deviceCustomString5</td>
<td class>55394b85cb5edddff551f6f3faa9d8eb</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>12</td>
<td class>Sha256</td>
<td class>deviceCustomString6</td>
<td class>9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>13</td>
<td class>ThreatName</td>
<td class>eviceCustomString1</td>
<td class>Trojan:Win32/Skeeyah.A!bit</td>
<td class>Available for Windows Defender AV alerts.</td>
<td class></td>
</tr>
<tr>
<td class>14</td>
<td class>IpAddress</td>
<td class>sourceAddress</td>
<td class>218.90.204.141</td>
<td class>Available for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>15</td>
<td class>Url</td>
<td class>requestUrl</td>
<td class>down.esales360.cn</td>
<td class>Availabe for alerts associated to network events. For example, 'Communication to a malicious network destination'.</td>
<td class></td>
</tr>
<tr>
<td class>16</td>
<td class>RemediationIsSuccess</td>
<td class>deviceCustomNumber2</td>
<td class>TRUE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>17</td>
<td class>WasExecutingWhileDetected</td>
<td class>deviceCustomNumber1</td>
<td class>FALSE</td>
<td class>Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE.</td>
<td class></td>
</tr>
<tr>
<td class>18</td>
<td class>AlertId</td>
<td class>externalId</td>
<td class>636210704265059241_673569822</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>19</td>
<td class>LinkToWDATP</td>
<td class>flexString1</td>
<td class>`https://securitycenter.windows.com/alert/636210704265059241_673569822`</td>
<td class>Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>20</td>
<td class>AlertTime</td>
<td class>deviceReceiptTime</td>
<td class>2017-05-07T01:56:59.3191352Z</td>
<td class>The time the activity relevant to the alert occurred. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>21</td>
<td class>MachineDomain</td>
<td class>sourceDnsDomain</td>
<td class>contoso.com</td>
<td class>Domain name not relevant for AAD joined machines. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class>22</td>
<td class>Actor</td>
<td class>deviceCustomString4</td>
<td class></td>
<td class>Available for alerts related to a known actor group.</td>
<td class></td>
</tr>
<tr>
<td class>21+5</td>
<td class>ComputerDnsName</td>
<td class>No mapping</td>
<td class>liz-bean.contoso.com</td>
<td class>The machine fully qualified domain name. Value available for every alert.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>LogOnUsers</td>
<td class>sourceUserId</td>
<td class>contoso\liz-bean; contoso\jay-hardee</td>
<td class>The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available.</td>
<td class></td>
</tr>
<tr>
<td class>Internal field</td>
<td class>LastProcessedTimeUtc</td>
<td class>No mapping</td>
<td class>2017-05-07T01:56:58.9936648Z</td>
<td class>Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVendor</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Microsoft'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceProduct</td>
<td class></td>
<td class>Static value in the ArcSight mapping - 'Windows Defender ATP'.</td>
<td class></td>
</tr>
<tr>
<td class></td>
<td class>Not part of the schema</td>
<td class>deviceVersion</td>
<td class></td>
<td class>Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.</td>
<td class></td>
</tr>
</table>
> [!div class="mx-tableFixed"]
| Portal label | SIEM field name | ArcSight field | Example value | Description |
|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
| 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. |
| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
| | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. |
| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
![Image of alert with numbers](images/atp-alert-page.png)
![Image of alert details pane with numbers](images/atp-siem-mapping13.png)
![Image of alert timeline with numbers](images/atp-siem-mapping3.png)
![Image of artifact timeline with numbers](images/atp-siem-mapping3.png)
![Image of alert timeline with numbers](images/atp-siem-mapping4.png)
![Image of artifact timeline with numbers](images/atp-siem-mapping4.png)
![Image machine view](images/atp-mapping6.png)
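Review bot: the ThreatName row carries "eviceCustomString1" over from the old HTML table; the ArcSight field is deviceCustomString1 (the neighbouring rows use deviceCustomString4, deviceCustomString5 and deviceCustomString6), so fix the missing "d" while the table is being converted. Three further points in the same hunk: the final row ("deviceVersion") lacks the closing `|` that every other row has; "IPV4"/"IPV6" in the new InternalIPv4List and InternalIPv6List rows should read "IPv4"/"IPv6" to match the field names; and after the image edits both "Image of alert timeline with numbers" and "Image of artifact timeline with numbers" still reference the same file (images/atp-siem-mapping4.png), so one of the two captions is probably pointing at the wrong image.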

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Assign user access to the Windows Defender ATP portal
@ -23,6 +24,8 @@ ms.localizationpriority: high
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
## Assign user access using Azure PowerShell
@ -79,3 +82,6 @@ For more information see, [Manage Azure AD group and role membership](https://te
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)

View File

@ -1,7 +1,7 @@
---
title: Check the health state of the sensor in Windows Defender ATP
description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication
keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Check sensor health state in Windows Defender ATP
@ -22,6 +23,9 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile provides information on the individual endpoints ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
@ -49,7 +53,7 @@ You can filter the health state list by the following status:
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
- **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
- **Impaired communication** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
- **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
You can view the machine details when you click on a misconfigured or inactive machine. Youll see more specific machine information when you click the information icon.
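Review bot: the status label is renamed to **Impaired communications** here and in the keywords line of the first hunk, so confirm the portal actually shows the plural form and that any other topic naming this status uses the same string, otherwise readers will search for a label that does not match. While here, the unchanged line "individual endpoints ability to provide sensor data" should read "endpoints' ability", and "Youll see more specific machine information" has lost its apostrophe.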

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure HP ArcSight to pull Windows Defender ATP alerts
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
## Before you begin

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure email notifications in Windows Defender ATP
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
> [!NOTE]
@ -74,3 +79,4 @@ This section lists various issues that you may encounter when using email notifi
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure endpoints using Group Policy
@ -23,13 +24,19 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
> [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
## Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** on the **Navigation pane**.
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Group Policy**, click **Download package** and save the .zip file.
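Review bot: the new note "To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later" does not say which machine the requirement applies to; spell out whether it is the domain controller or GPMC host that must run Windows Server 2008 R2 or later, since the topic's **Applies to** list names only Windows 10 editions and a reader could take it as an endpoint requirement.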
@ -49,6 +56,7 @@ ms.localizationpriority: high
9. Click **OK** and close any open GPMC windows.
## Additional Windows Defender ATP configuration settings
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
@ -150,4 +158,5 @@ With Group Policy there isnt an option to monitor deployment of policies on t
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure endpoints using Mobile Device Management tools
@ -22,10 +23,19 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
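Review bot: the sentence "For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP] ..." now appears twice, once before "## Before you begin" and again directly under "## Configure endpoints using Microsoft Intune"; keep one copy. In the new section, "you must have the device MDM Enrolled" should be lower-case "MDM enrolled", and the link text "Setup Windows Device Management" should read "Set up Windows Device Management".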
@ -106,7 +116,7 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Select **Endpoint management** > **Client management** on the **Navigation pane**.
a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
@ -203,4 +213,5 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure endpoints using System Center Configuration Manager
@ -23,6 +24,10 @@ ms.localizationpriority: high
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- System Center 2012 Configuration Manager or later versions
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
@ -169,4 +174,5 @@ For more information about System Center Configuration Manager Compliance see [C
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure endpoints using a local script
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
> [!NOTE]
@ -121,4 +126,5 @@ Monitoring can also be done directly on the portal, or by using the different de
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

View File

@ -0,0 +1,87 @@
---
title: Configure non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure non-persistent virtual desktop infrastructure (VDI) machines
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
## Onboard non-persistent virtual desktop infrastructure (VDI) machines
Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
- Instant early onboarding of a short living session
- A session should be onboarded to Windows Defender ATP prior to the actual provisioning.
- Machine name persistence
- The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name.
You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
>[!WARNING]
> For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding.
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **VDI onboarding scripts for non-persistent endpoints** then click **Download package** and save the .zip file.
2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine: <br>
**For single entry for each machine**:<br>
a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
5. Depending on the method you'd like to implement, follow the appropriate steps: <br>
**For single entry for each machine**:<br>
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. <br><br>
**For multiple entries for each machine**:<br>
Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
6. Test your solution:
a. Create a pool with one machine.
b. Logon to machine.
c. Logoff from machine.
d. Logon to machine with another user.
e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.<br>
**For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
7. Click **Machines list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
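Review bot: step 5 calls `WindowsDefenderATPOnboardingScript.cmd` an "onboarding bash script"; a .cmd file is a Windows batch script run by cmd.exe, so say "batch script" (or simply "script") to avoid sending readers looking for a bash interpreter. Other fixes in this new file: "proceedure" in the warning, "short living session" should be "short-lived session", step 3a reads "copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path" (drop the second "to"), the hidden-folder note is repeated verbatim under step 2 and step 3, "Logon"/"Logoff" used as verbs in step 6 should be "Log on"/"Log off", and the description frontmatter ends "onboarded to Windows Defender ATP the service". The **Applies to** list names only "Virtual desktop infrastructure (VDI) machines", whereas the sibling topics list the supported Windows 10 editions and Windows Defender ATP itself.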

View File

@ -1,7 +1,7 @@
---
title: Configure Windows Defender ATP endpoints
description: Configure endpoints so that they can send sensor data to the Windows Defender ATP sensor.
keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
title: Configure Windows Defender ATP client endpoints
description: Configure client endpoints so that they can send sensor data to the Windows Defender ATP sensor.
keywords: configure client endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -10,9 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure Windows Defender ATP endpoints
# Configure Windows Defender ATP client endpoints
**Applies to:**
@ -22,6 +23,8 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods:
@ -38,3 +41,7 @@ Topic | Description
[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints.
[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
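Review bot: the new VDI row is fine; while this table is being edited, the SCCM row above it reads "You can use either use System Center Configuration Manager" (doubled "either use") and "System Center Configuration Manager(current branch)" is missing a space, and the MDM row spells "Mobile Device Managment".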

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
@ -23,6 +24,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
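Review bot: the trial link's tracking id `docs-wdatp-configureendpointsscript-abovefoldlink` is the same value added to the local-script topic earlier in this commit; this is the proxy and Internet connectivity topic, so it needs its own ocid value or clicks from this page will be attributed to the script topic. The two paragraphs that follow both state that the sensor uses WinHTTP to talk to the service; they could be merged into one.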

View File

@ -0,0 +1,89 @@
---
title: Configure Windows Defender ATP server endpoints
description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor.
keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
ms.date: 09/05/2017
---
# Configure Windows Defender ATP server endpoints
**Applies to:**
- Windows Server 2012 R2
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
## Onboard server endpoints
To onboard your servers to Windows Defender ATP, youll need to:
- Turn on server monitoring from the Windows Defender Security Center portal.
- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
### Turn on Server monitoring from the Windows Defender Security Center portal
1. In the navigation pane, select **Endpoint management** > **Server management**.
2. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
![Image of server onboarding](images/atp-server-onboarding.png)
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- [Manually install the agent using setup](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
Once completed, you should see onboarded servers in the portal within an hour.
### Configure server endpoint proxy and Internet connectivity settings
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
| Agent Resource | Ports |
|------------------------------------|-------------|
| *.oms.opinsights.azure.com | 443 |
| *.blob.core.windows.net | 443 |
| *.azure-automation.net | 443 |
| *.ods.opinsights.azure.com | 443 |
| winatp-gw-cus.microsoft.com | 443 |
| winatp-gw-eus.microsoft.com | 443 |
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
### Offboard server endpoints
To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
>[!NOTE]
>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
## Related topics
- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
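Review bot: the frontmatter uses `localizationpriority: high` where every other topic in this commit uses `ms.localizationpriority: high`, and it has no `ms.author` line, so this new file's metadata will not match its siblings. Also, "To onboard your servers to Windows Defender ATP, youll need to" has lost its apostrophe, and the related-topics entry is titled "Troubleshooting Windows Defender Advanced Threat Protection onboarding issues" while the same link is titled "Troubleshoot ..." in the other topics.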

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Pull alerts to your SIEM tools
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Pull alerts using supported security information and events management (SIEM) tools
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Configure Splunk to pull Windows Defender ATP alerts
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
## Before you begin

View File

@ -1,5 +1,5 @@
---
title: View the Windows Defender Advanced Threat Protection Dashboard
title: Windows Defender Advanced Threat Protection Security operations dashboard
description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
search.product: eADQiWindows 10XVcnh
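Review bot: the title is changed to "Windows Defender Advanced Threat Protection Security operations dashboard", but the unchanged description line directly below it still says "Use the Dashboard to identify machines at risk", and the keywords line still lists only "dashboard"; update the description to use the new name and consider adding "security operations dashboard" to the keywords so search matches the renamed topic.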
@ -10,9 +10,10 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# View the Windows Defender Advanced Threat Protection Dashboard
# View the Windows Defender Advanced Threat Protection Security operations dashboard
**Applies to:**
@ -22,7 +23,11 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
The **Dashboard** displays a snapshot of:
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
The **Security operations dashboard** displays a snapshot of:
- The latest active alerts on your network
- Daily machines reporting
@ -34,7 +39,7 @@ The **Dashboard** displays a snapshot of:
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
@ -113,6 +118,9 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb
![Image of daily machines reporting tile](images/atp-daily-machines-reporting.png)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
## Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Windows Defender ATP data storage and privacy
@ -22,6 +23,7 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
@ -71,5 +73,11 @@ Your data will be kept for a period of at least 90 days, during which it will be
## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsofts compliance standards.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001).
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
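Review bot: The rewritten compliance paragraph keeps the hyphenated "independently-verified services"; an -ly adverb compound is not hyphenated, so "independently verified services" is the correct form. The new sentence "Windows Defender ATP is ISO 27001 certified" replaces the earlier "roadmap ... starting with ISO 27001" wording, so the Trust Center link added two lines below is the right place for the reader to verify the certificate; consider naming the report type there ("ISO/IEC 27001 certificate and audit report") rather than the generic "ISO certification reports".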

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Windows Defender compatibility
@ -23,6 +24,10 @@ ms.localizationpriority: high
- Windows Defender
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Enable the custom threat intelligence API in Windows Defender ATP
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
1. In the navigation pane, select **Preference Setup** > **Threat intel API**.

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Enable SIEM integration in Windows Defender ATP
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Preferences setup** > **SIEM integration**.

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
@ -24,16 +25,18 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
For example, if endpoints are not appearing in the **Machines list**, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
1. Click **Start**, type **Event Viewer**, and press **Enter**.
1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**.
2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
open the log.
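Review bot: In step 1 the new wording "Click **Start** on the Windows menu" is confusing, because **Start** is the taskbar button that opens the Windows menu, not an item on it. Suggest "Open the **Start** menu, type **Event Viewer**, and press **Enter**." Step 2 is also broken across two lines ("Double-click the item to" / "open the log."), which renders the second half as a new paragraph; join them on one line.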
@ -331,7 +334,7 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
</tbody>
</table>
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Experiment with custom threat intelligence (TI) alerts
@ -22,6 +23,9 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-experimentcustomti-abovefoldlink)
With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.

View File

@ -0,0 +1,102 @@
---
title: Use the Windows Defender Advanced Threat Protection exposed APIs
description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Use the Windows Defender ATP exposed APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, youll need to take the following steps to use the APIs:
- Create an app
- Get an access token
- Run queries on the graph API
### Before you begin
Before using the APIs, youll need to create an app that youll use to authenticate against the graph. Youll need to create a native app to use for the adhoc queries.
## Create an app
1. Log on to [Azure](https://portal.azure.com).
2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
3. In the Create window, enter the following information then click **Create**.
![Image of Create application window](images/atp-azure-create.png)
- **Name:** WinATPGraph
- **Application type:** Native
- **Redirect URI:** `https://localhost`
4. Navigate and select the newly created application.
![Image of new app in Azure](images/atp-azure-atp-app.png)
5. Click **All settings** > **Required permissions** > **Add**.
![Image of All settings, then required permissions](images/atp-azure-required-permissions.png)
6. Click **Select an API** > **Microsoft Graph**, then click **Select**.
![Image of API access and API selection](images/atp-azure-api-access.png)
7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
![Image of select permissions](images/atp-azure-select-permissions.png)
You can now use the code snippets in the following sections to query the API using the created app ID.
## Get an access token
1. Get the Client ID from the application you created.
2. Use the **Client ID**. For example:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
```
## Query the graph
Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
```
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// sample endpoint
string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
## Related topics
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
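Review bot: The `authority` constant in the "Get an access token" snippet is the v2.0 authorize endpoint (`https://login.microsoftonline.com/common/oauth2/v2.0/authorize`), but ADAL's `AuthenticationContext` expects a tenant authority such as `https://login.microsoftonline.com/common` and builds the authorize URL itself, so the sample as written is unlikely to acquire a token; please verify against a working build and fix the value or switch to a v2.0-capable library. Related documentation gaps in the same hunk: both code fences lack a language tag (they are C#) and omit the `using` directives and the ADAL NuGet package the reader needs; `{VERSION}` in `https://graph.microsoft.com/{VERSION}/alerts?$top=5` is never explained, while every other new API page in this commit uses `testwdatppreview`; step 7 grants only "Sign in and read user profile", and the page does not say whether that scope alone authorizes reads of `/alerts`; blocking on `.Result` should at least be flagged as console-only (it deadlocks in UI and ASP.NET contexts). Style: "progammatic" in the description should be "programmatic", "Microsoft Intelligence Security Graph" (description and body) should be "Microsoft Intelligent Security Graph", "adhoc" should be "ad hoc", and `### Before you begin` skips the H2 level directly under the H1.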

View File

@ -0,0 +1,72 @@
---
title: Find machine information by interal IP API
description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or interal IP.
keywords: apis, graph api, supported apis, find machine, machine information, IP
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Find machine information by interal IP
Find a machine entity around a specific timestamp by FQDN or internal IP.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine exists - 200 OK.
If no machine found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
"computerDnsName": "",
"firstSeen": "2017-07-06T01:25:04.9480498Z",
"osPlatform": "Windows10",
}
```
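Review bot: "interal" should be "internal" in the title, the description, and the H1 of this new page. The response example is not well-formed JSON: there is a trailing comma after `"osPlatform": "Windows10",` and neither the `value` array nor the outer object is closed; if the sample is deliberately abbreviated, close the structures and mark the omission explicitly. The request-headers table lists `Content type`, but the actual header name is `Content-Type` (and it is redundant on a GET with an empty body). "User needs read permissions" should name the permission scope the caller must hold.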

View File

@ -1,7 +1,7 @@
---
title: Fix unhealthy sensors in Windows Defender ATP
description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication
keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Fix unhealthy sensors in Windows Defender ATP
@ -22,6 +23,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
## Inactive machines
@ -41,13 +46,13 @@ Do you expect a machine to be in Active status? [Open a support ticket tic
## Misconfigured machines
Misconfigured machines can further be classified to:
- Impaired communication
- Impaired communications
- No sensor data
### Impaired communication
### Impaired communications
This status indicates that there's limited communication between the machine and the service.
The following suggested actions can help fix issues related to a misconfigured machine with impaired communication:
The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
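Review bot: The rename to "Impaired communications" is applied consistently, but two context lines in the same hunk still carry typos worth fixing while here: "The Window Defender ATP sensor" should read "The Windows Defender ATP sensor", and "Ensure the endpoint has Internet connection" should read "has an Internet connection". Also "Misconfigured machines can further be classified to:" should be "classified as:".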

View File

@ -10,6 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Update general Windows Defender ATP settings
@ -21,6 +22,10 @@ ms.localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
1. In the navigation pane, select **Preferences setup** > **General**.
@ -39,3 +44,4 @@ During the onboarding process, a wizard takes you through the general settings o
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

View File

@ -0,0 +1,67 @@
---
title: Get actor information API
description: Retrieves an actor information report.
keywords: apis, graph api, supported apis, get, actor, information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get actor information
Retrieves an actor information report.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and actor exists - 200 OK.
If actor does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```
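Review bot: The documented path `GET /testwdatppreview/actor/{id}/` (singular, trailing slash) does not match the worked example `GET https://graph.microsoft.com/testwdatppreview/actors/zinc` (plural, no trailing slash); one of them is wrong and a reader copying the first form will get a 404 that looks like "actor does not exist". Align both on the real route.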

View File

@ -0,0 +1,77 @@
---
title: Get actor related alerts API
description: Retrieves all alerts related to a given actor.
keywords: apis, graph api, supported apis, get, actor, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get actor related alerts
Retrieves all alerts related to a given actor.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If actor does not exist or no related alerts - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 3,
"value": [
{
"id": "636390437845006321_-1646055784",
"severity": "Medium",
"status": "Resolved",
"description": "Malware associated with ZINC has been detected.",
"recommendedAction": "1.\tContact your incident response team.",
"alertCreationTime": "2017-08-23T00:09:43.9057955Z",
"category": "Malware",
"title": "Malware associated with the activity group ZINC was discovered",
}
```
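Review bot: Same path mismatch as the actor-information page: the HTTP request section gives `/testwdatppreview/actor/{id}/alerts` while the example calls `/testwdatppreview/actors/zinc/alerts`. The response section says "If successful and alert exists - 200 OK" but this endpoint is keyed on the actor; say "actor exists". The sample response declares `"@odata.count": 3` yet shows a single element, ends with a trailing comma and never closes the `value` array or the outer object; close it or mark the omitted elements.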

View File

@ -0,0 +1,73 @@
---
title: Get alert information by ID API
description: Retrieves an alert by its ID.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert information by ID
Retrieves an alert by its ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If alert not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity",
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope.",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```
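Review bot: The response example is truncated into invalid JSON (trailing comma after `"alertCreationTime": "2017-08-29T11:45:17.5754165Z",`, unclosed object); either list the remaining properties or close the object and note the omission. The request example still uses the `{id}` placeholder, unlike the actor pages, which show a concrete value; using the ID from the sample response (`636396039176847743_89954699`) would make the example copy-pasteable.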

View File

@ -0,0 +1,69 @@
---
title: Get alert related actor information API
description: Retrieves the actor information related to the specific alert.
keywords: apis, graph api, supported apis, get, alert, actor, information, related
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related actor information
Retrieves the actor information related to the specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/actor
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and actor exist - 200 OK.
If alert not found or actor not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```

View File

@ -0,0 +1,71 @@
---
title: Get alert related domain information
description: Retrieves all domains related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related domain information
Retrieves all domains related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/domains
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and domain exist - 200 OK.
If alert not found or domain not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains",
"value": [
{
"host": "www.example.com"
}
]
}
```

View File

@ -0,0 +1,73 @@
---
title: Get alert related files information
description: Retrieves all files related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related files information
Retrieves all files related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/files
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and files exist - 200 OK.
If alert not found or files not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files",
"value": [
{
"sha1": "121c7060dada38275d7082a4b9dc62641b255c36",
"sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94",
"md5": "776c970dfd92397b3c7d74401c85cd40",
"globalPrevalence": null,
"globalFirstObserved": null,
}
```
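Review bot: The sample response is missing the opening `{` after `Content-type: application/json`, has a trailing comma after `"globalFirstObserved": null,`, and never closes the `value` array or the outer object, so it cannot be parsed as JSON. The `null` values for `globalPrevalence` and `globalFirstObserved` should be explained (not yet computed vs. not applicable). The hashes shown should be labelled as example values or replaced with obvious placeholders so readers do not treat them as indicators.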

View File

@ -0,0 +1,73 @@
---
title: Get alert related IP information
description: Retrieves all IPs related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related IP information
Retrieves all IPs related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/ips
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and an IP exist - 200 OK.
If alert not found or IPs not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228
}
```
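Review bot: In the response example the second entry `"id": "23.203.232.228` lacks its closing quote, and the `value` array and outer object are never closed, so the sample is invalid JSON. Both sample addresses are routable public IPs; documentation samples should use the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so that nobody copying the page ends up querying or blocking a real host.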

View File

@ -0,0 +1,68 @@
---
title: Get alert related machine information
description: Retrieves all machines related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related machine information
Retrieves all machines related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/machine
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and machine exist - 200 OK.
If alert not found or machine not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "207575116e44741d2b22b6a81429b3ca4fd34608",
"computerDnsName": "machine1-corp.contoso.com",
"firstSeen": "2015-12-01T11:31:53.7016691Z",
}
```
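Review bot: The description and body say "Retrieves all machines related to a specific alert", but the route is the singular `/alerts/{id}/machine` and the sample response is a single entity (`$metadata#Machines/$entity`), not a collection; state that the call returns the one machine the alert was raised on. The sample response also ends with a trailing comma after `"firstSeen"` and never closes the object.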

View File

@ -0,0 +1,71 @@
---
title: Get alert related user information
description: Retrieves the user associated to a specific alert.
keywords: apis, graph api, supported apis, get, alert, information, related, user
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alert related user information
Retrieves the user associated to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/user
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and a user exists - 200 OK.
If alert not found or user not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountSid": null,
"accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4",
}
```
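Review bot: In the sample response `accountName` holds the `DomainPII_...` value and `accountDomainName` holds the `UserPII_...` value, which reads as the two fields being swapped relative to the `id` of `UserPII_...\DomainPII_...`; please confirm against a real response before publishing, since readers will map their parsers to this. The object also ends with a trailing comma and is never closed. Wording: "associated to a specific alert" (description and body) should be "associated with a specific alert".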

View File

@ -0,0 +1,75 @@
---
title: Get alerts API
description: Retrieves top recent alerts.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get alerts
Retrieves top recent alerts.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alerts exists - 200 OK.
If no recent alerts found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000",
"value": [
{
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```
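Review bot: the response example is missing its opening "{" before "@odata.context" and the closing "]" and "}" after the alert object, so it cannot be parsed as JSON. Separately, "@odata.count": 5000 together with "@odata.nextLink": ...alerts?$skip=5000 shows server-side paging, but nothing in the text tells clients that they must follow nextLink (or use $skip) to get past the first page; a sentence under Response explaining this would help, since 5000 reads like the total count rather than a page size.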

View File

@ -0,0 +1,74 @@
---
title: Get domain related alerts API
description: Retrieves a collection of alerts related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get domain related alerts
Retrieves a collection of alerts related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and alert exists - 200 OK.
If domain or alert does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```
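Review bot: "{id}" in GET /testwdatppreview/domains/{id}/alerts is never defined; the sibling domain statistics page returns "host": "example.com", which suggests the id is the domain name itself, but the page should say so explicitly and state whether it must be URL-encoded. The response example is also truncated without its closing "]" and "}" and carries a trailing comma after "recommendedAction", so it is not valid JSON.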

View File

@ -0,0 +1,72 @@
---
title: Get domain related machines API
description: Retrieves a collection of machines related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get domain related machines
Retrieves a collection of machines related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and machine exists - 200 OK.
If domain or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```
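Review bot: the 200 OK condition reads "domain and machine exists" while the 404 condition reads "domain or machines do not exist"; use the same number and the same and/or in both so the contract is unambiguous, in particular for a domain that exists but has no related machines. The response example also lacks its closing "]" and "}" and the machine object ends with a trailing comma after "osPlatform".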

View File

@ -0,0 +1,69 @@
---
title: Get domain statistics API
description: Retrieves the prevalence for the given domain.
keywords: apis, graph api, supported apis, get, domain, domain related machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get domain statistics
Retrieves the prevalence for the given domain.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats",
"host": "example.com",
"orgPrevalence": "4070",
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
```
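Review bot: the request example calls /domains/{id}/machines, but this page documents GET /testwdatppreview/domains/{id}/stats; the example URL should end in /stats. Also, "orgPrevalence": "4070" is a quoted string here while the file information page returns "globalPrevalence": 40790196 as a number; if the API really returns a string, say so, otherwise align the example types so client code does not have to special-case one of them.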

View File

@ -0,0 +1,70 @@
---
title: Get file information API
description: Retrieves a file by identifier Sha1, Sha256, or MD5.
keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file information
Retrieves a file by identifier Sha1, Sha256, or MD5.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a",
"md5": "d387a06cd4bf5fcc1b50c3882f41a44e",
"globalPrevalence": 40790196,
}
```
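Review bot: GET /testwdatppreview/files/{id}/ has a trailing slash that the request example (files/{id}) does not; pick one form so readers know whether both are accepted. The response object ends with a trailing comma after "globalPrevalence", so the example is not valid JSON, and since the description accepts Sha1, Sha256 or MD5 as the identifier it is worth stating whether the hex digest is matched case-insensitively.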

View File

@ -0,0 +1,74 @@
---
title: Get file related alerts API
description: Retrieves a collection of alerts related to a given file hash.
keywords: apis, graph api, supported apis, get, file, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file related alerts
Retrieves a collection of alerts related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and alert exists - 200 OK.
If file or alerts do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```
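Review bot: the response example is the same alert as on the domain related alerts page (same "id": "636396023170943366_-36088267", same "@odata.count": 9), so it does not demonstrate a file-hash lookup; an example drawn from a file query, ideally one where the queried hash is visible, would be more convincing. The example is also truncated without its closing "]" and "}" and has a trailing comma after "recommendedAction".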

View File

@ -0,0 +1,72 @@
---
title: Get file related machines API
description: Retrieves a collection of machines related to a given file hash.
keywords: apis, graph api, supported apis, get, machines, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file related machines
Retrieves a collection of machines related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and machines exists - 200 OK.
If file or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```
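Review bot: the response example repeats the machine "0a3250e0693a109f1affc9217be9459028aa8426" already used on the domain related machines page, so a reader cannot tell that the list is scoped to the file hash given in {id}; an example tied to this endpoint would be clearer. The example also lacks its closing "]" and "}" and ends the machine object with a trailing comma after "osPlatform", and "file and machines exists" should agree in number.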

View File

@ -0,0 +1,73 @@
---
title: Get file statistics API
description: Retrieves the prevalence for the given file.
keywords: apis, graph api, supported apis, get, file, statistics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get file statistics
Retrieves the prevalence for the given file.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"orgPrevalence": "106398",
"orgFirstSeen": "2017-07-30T13:29:50Z",
"orgLastSeen": "2017-08-29T13:29:31Z",
"topFileNames": [
"chrome.exe",
"old_chrome.exe"
]
}
```
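Review bot: the request example calls /files/{id}/machines, but the documented endpoint is GET /testwdatppreview/files/{id}/stats; the example URL should be corrected to /stats. "If file do not exist" should read "If file does not exist". The response also returns "orgPrevalence": "106398" as a string, the same type inconsistency with the numeric "globalPrevalence" on the file information page noted there.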

View File

@ -0,0 +1,74 @@
---
title: Get IP related alerts API
description: Retrieves a collection of alerts related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get IP related alerts
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and alert exists - 200 OK.
If IP and alerts do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```
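Review bot: the 404 condition "If IP and alerts do not exist" conflicts with the 200 condition "IP and alert exists": the case where the IP is known but has no alerts falls through both. Every other related-alerts page in this commit uses "or" for the 404 case and this one should as well. The response example is again the Regsvr32 alert copied from the domain page and is truncated without its closing "]" and "}".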

View File

@ -0,0 +1,72 @@
---
title: Get IP related machines API
description: Retrieves a collection of machines related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get IP related machines
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and machines exists - 200 OK.
If IP or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```
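Review bot: the body text under "# Get IP related machines" says "Retrieves a collection of alerts related to a given IP address", contradicting the title and the frontmatter description; it should read "machines". The response example is also missing its closing "]" and "}" and has a trailing comma after "osPlatform".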

View File

@ -0,0 +1,69 @@
---
title: Get IP statistics API
description: Retrieves the prevalence for the given IP.
keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get IP statistics
Retrieves the prevalence for the given IP.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "192.168.1.1",
"orgPrevalence": "63515",
"orgFirstSeen": "2017-07-30T13:36:06Z",
"orgLastSeen": "2017-08-29T13:32:59Z"
}
```
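Review bot: the Response section still refers to a domain ("If successful and IP and domain exists", "If domain does not exist") although this page is about IP statistics; both conditions should reference the IP only. The request example also calls /ips/{id}/machines instead of the documented /ips/{id}/stats, so the example and the HTTP request section disagree.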

View File

@ -0,0 +1,72 @@
---
title: Get machine by ID API
description: Retrieves a machine entity by ID.
keywords: apis, graph api, supported apis, get, machines, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machine by ID
Retrieves a machine entity by ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine exists - 200 OK.
If no machine found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```
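Review bot: the response object ends with a trailing comma after "osVersion", so the example is not valid JSON. The example's "computerDnsName": "" also gives readers nothing to relate to the computerDnsName values shown on the related-machines pages; a redacted but non-empty name in the ComputerPII_... placeholder style used elsewhere in this commit would be clearer.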

View File

@ -0,0 +1,71 @@
---
title: Get machine log on users API
description: Retrieves a collection of logged on users.
keywords: apis, graph api, supported apis, get, machine, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machine log on users
Retrieves a collection of logged on users.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/logonusers
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and user exist - 200 OK.
If no machine found or no users found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users",
"value": [
{
"id": "m",
"accountSid": null,
"accountName": "",
"accountDomainName": "northamerica",
}
```
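Review bot: the response example is missing its opening "{" before "@odata.context" and its closing "]" and "}", and the values "id": "m" and "accountName": "" look like unfinished placeholders rather than redacted sample data. The user entity on the alert related user page shows the expected shape (id, accountSid, accountName, accountDomainName with PII placeholders); this example should match it.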

View File

@ -0,0 +1,73 @@
---
title: Get machine related alerts API
description: Retrieves a collection of alerts related to a given machine ID.
keywords: apis, graph api, supported apis, get, machines, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machine related alerts
Retrieves a collection of alerts related to a given machine ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and alert exists - 200 OK.
If no machine or no alerts found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 1,
"value": [
{
"id": "636396066728379047_-395412459",
"severity": "Medium",
"status": "New",
"description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.",
}
```
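Review bot: the response example is truncated without its closing "]" and "}" and the alert object ends with a trailing comma after "description", so it is not valid JSON. Unlike the other alert examples in this commit, this one omits "recommendedAction" and "alertCreationTime"; if the cut is intentional, mark the elision explicitly so readers do not take this as the full alert schema.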

View File

@ -0,0 +1,76 @@
---
title: Get machines API
description: Retrieves a collection of recently seen machines.
keywords: apis, graph api, supported apis, get, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get machines
Retrieves a collection of recently seen machines.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machines exists - 200 OK.
If no recent machines - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000",
"value": [
{
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```
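Review bot: "If no recent machines - 404 Not Found" is worth confirming against the service: the envelope shown ("@odata.count", "value") can represent an empty result, and a 404 for an empty collection forces clients to treat "nothing seen recently" as an error indistinguishable from a wrong URL. If 404 really is the behaviour, say so plainly. The example also omits its closing "]" and "}", ends with a trailing comma after "osVersion", and, as on the Get alerts page, shows "@odata.nextLink" paging that the text never documents.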

View File

@ -0,0 +1,70 @@
---
title: Get user information API
description: Retrieve a User entity by key such as user name or domain.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get user information
Retrieve a User entity by key (user name or domain\user).
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "",
"accountSid": null,
"accountName": "",
"accountDomainName": "",
}
```
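Review bot: the key format for {id} is ambiguous: the frontmatter says "user name or domain", the body says "user name or domain\user", and the response example has empty strings for "id", "accountName" and "accountDomainName", so nothing on the page shows what a valid key looks like or how the backslash must be encoded in the URL. A populated example in the PII-placeholder style of the alert related user page would resolve this. GET /testwdatppreview/users/{id}/ also has a trailing slash that the request example does not, and the object ends with a trailing comma.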

View File

@ -0,0 +1,74 @@
---
title: Get user related alerts API
description: Retrieves a collection of alerts related to a given user ID.
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get user related alerts
Retrieves a collection of alerts related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and alert exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```
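Review bot: the 404 condition only covers "If user does not exist", leaving the case where the user exists but has no alerts undocumented, while the 200 condition requires "user and alert exists"; state which status that case returns. The response example is the same Regsvr32 alert reused from the domain, file and IP pages and is truncated without its closing "]" and "}", so it does not show a user-scoped result.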

View File

@ -0,0 +1,72 @@
---
title: Get user related machines API
description: Retrieves a collection of machines related to a given user ID.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 09/05/2017
---
# Get user related machines
Retrieves a collection of machines related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and machine exists - 200 OK.
If user or machine does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```
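Review bot: the frontmatter keywords say "user related alerts" but this page documents user related machines; fix the keywords so search does not route alert queries here. The response example is again truncated without its closing "]" and "}" and the machine object ends with a trailing comma after "osPlatform".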
