From 20a4c1d66002f08b5a4306a3449d6301becd93aa Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 12:09:47 +0300 Subject: [PATCH 01/14] Suggested fix for isolation --- ...-windows-defender-advanced-threat-protection-new.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index 604f6fe959..aa65623516 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,9 @@ ms.date: 12/08/2017 Isolates a machine from accessing external network. +>[!Note] +> This page focus on activating machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -29,6 +32,13 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' +>[!Note] +> When obtaining a token using user credentials: +>- The user need to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user have access to this machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + + >[!IMPORTANT] >- Full isolation is available for machines on Windows 10, version 1703. >- Selective isolation is available for machines on Windows 10, version 1709 or later. From d180a05566a97594490a9ce35ca9ddfa74dc7ea0 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 12:51:59 +0300 Subject: [PATCH 02/14] small fix --- ...hine-windows-defender-advanced-threat-protection-new.md | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index aa65623516..4123a2d5c8 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -35,14 +35,9 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: >- The user need to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user have access to this machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user need to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ->[!IMPORTANT] ->- Full isolation is available for machines on Windows 10, version 1703. ->- Selective isolation is available for machines on Windows 10, version 1709 or later. - ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/isolate From 1ed3b286d6751c7232bf578b7ecba1101f6da9eb Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 13:25:48 +0300 Subject: [PATCH 03/14] Add machine actions link to all machine actions API --- ...ge-windows-defender-advanced-threat-protection-new.md | 4 ++-- ...ne-windows-defender-advanced-threat-protection-new.md | 9 ++++----- .../windows-defender-atp/machineactionsnote.md | 5 +++++ ...pi-windows-defender-advanced-threat-protection-new.md | 2 ++ ...alerts-windows-defender-advanced-threat-protection.md | 4 ++-- ...on-windows-defender-advanced-threat-protection-new.md | 2 ++ ...an-windows-defender-advanced-threat-protection-new.md | 2 ++ ...on-windows-defender-advanced-threat-protection-new.md | 4 ++-- 8 files changed, 21 insertions(+), 11 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/machineactionsnote.md 
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index 0070c9376a..adb088ebb4 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -19,10 +19,10 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - Collect investigation package from a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index 4123a2d5c8..33e7130f36 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -21,8 +21,7 @@ ms.date: 12/08/2017 Isolates a machine from accessing external network. ->[!Note] -> This page focus on activating machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. +[!include[Machine actions note](machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) @@ -34,8 +33,8 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: ->- The user need to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user need to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request 
@@ -60,7 +59,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S **IsolationType** controls the type of isolation to perform and can be one of the following: - Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details) ## Response diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md new file mode 100644 index 0000000000..ecc1cebee3 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md @@ -0,0 +1,5 @@ +--- +ms.date: 08/28/2017 +--- +>[!Note] +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index b40d39cbc3..c766797e14 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md 
@@ -21,6 +21,8 @@ ms.date: 12/08/2017 Offboard machine from WDATP. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 064fb37360..132ae5943b 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -181,7 +181,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. 
@@ -197,7 +197,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne ![Image of isolate machine](images/atp-actions-isolate-machine.png) -3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation'). ![Image of isolation confirmation](images/atp-confirm-isolate.png) diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 962dad7581..2f72e196ee 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 85c37a2cc6..10db12f264 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md 
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Initiate Windows Defender Antivirus scan on a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index 4deeaa4646..b449ad9983 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -19,10 +19,10 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - Enable execution of any application on the machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) From 4bc3a56d7c03de2ba56f48a191815eb59482f8c2 Mon Sep 17 00:00:00 2001 
From: Zvi Avidor Date: Thu, 4 Oct 2018 15:13:10 +0300 Subject: [PATCH 04/14] Add data about roles to all documentation pages --- ...age-windows-defender-advanced-threat-protection-new.md | 6 ++++-- ...nce-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...-ip-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...nfo-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...nfo-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...nfo-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...nfo-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...rts-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...rts-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...nes-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...ics-windows-defender-advanced-threat-protection-new.md | 4 ++++ ...ion-windows-defender-advanced-threat-protection-new.md | 8 +++++--- ...rts-windows-defender-advanced-threat-protection-new.md | 8 +++++--- ...nes-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...ics-windows-defender-advanced-threat-protection-new.md | 4 ++++ ...rts-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...nes-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...ics-windows-defender-advanced-threat-protection-new.md | 4 ++++ ...-id-windows-defender-advanced-threat-protection-new.md | 6 ++++++ ...ers-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...rts-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...ect-windows-defender-advanced-threat-protection-new.md | 4 ++++ ...ion-windows-defender-advanced-threat-protection-new.md | 4 ++++ ...nes-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...uri-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...api-windows-defender-advanced-threat-protection-new.md | 6 ++++-- ...ion-windows-defender-advanced-threat-protection-new.md | 7 ++++--- 
.../windows-defender-atp/run-advanced-query-api.md | 5 +++++ ...can-windows-defender-advanced-threat-protection-new.md | 7 ++++--- ...ine-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...ion-windows-defender-advanced-threat-protection-new.md | 5 +++++ ...ert-windows-defender-advanced-threat-protection-new.md | 5 +++++ 32 files changed, 152 insertions(+), 16 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index adb088ebb4..7783e25c09 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -31,8 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' ->[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index e5e7d337a8..bdf5be889f 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,11 @@ Permission type | Permission | Permission display name Application | Alerts.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST /api/CreateAlertByReference diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index 15d829c27a..61c158ed1b 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md 
@@ -33,6 +33,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md index 6e7721ecde..6ed27e2648 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/domains diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md index 7fe0e0b9d5..951363752e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/files diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 20d5a2ffac..2aaf342cae 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md 
@@ -31,6 +31,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/machine diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md index abdd6ee9d9..8e6501fcf1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/user diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index a05d4dba9b..520380e0fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -34,6 +34,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index b8b7730bad..fc469816ef 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -36,6 +36,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index a039d49807..e1d21e0582 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -35,6 +35,11 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ``` GET /api/domains/{domain}/machines ``` +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Only machines that the user can access, based on machine group settings will be listed (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## Request headers diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md index 1625a17a50..7bfd097dd2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -30,6 +30,10 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md index c817a1c653..63aabdd191 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -21,9 +21,6 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - - Retrieves a file by identifier Sha1, Sha256, or MD5. ## Permissions @@ -34,6 +31,11 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read all file profiles' Delegated (work or school account) | File.Read.All | 'Read all file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + + ## HTTP request ``` GET /api/files/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index 3c3605bebb..284cb68225 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -22,9 +22,6 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - - Retrieves a collection of alerts related to a given file hash. ## Permissions 
@@ -37,6 +34,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index e977dc59f9..ca74749c35 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md index e8a8ede6fd..a53c06b80a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -34,6 +34,10 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 4d83cb3d73..92ca8d53d4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index c2e1dcab6e..f68e1e12b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md index 990bd3f852..cdeaa1e441 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,10 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index 4683167dfb..ed3fde05b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,12 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + ## HTTP request ``` GET /api/machines/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md index 61cb0e8c02..5dad09904f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/{id}/logonusers diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index 16fef6228a..0a8170f0fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md index bcdbd711ec..17e20f0b73 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -31,6 +31,10 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{id} 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index e11cd96856..d057cb5c85 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -34,6 +34,10 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index d114cf97cb..8f2008c14a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md 
@@ -34,6 +34,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md index b59b11034b..bf4cb3c934 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index c766797e14..13b8574222 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md 
@@ -31,8 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.Offboard | 'Offboard machine' Delegated (work or school account) | Machine.Offboard | 'Offboard machine' ->[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 2f72e196ee..90321fb7ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md 
@@ -31,9 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' ->[!IMPORTANT] -> - This action is available for machines on Windows 10, version 1709 or later. -> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index 7e312d08e8..86899b1396 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md 
@@ -39,6 +39,11 @@ Permission type | Permission | Permission display name Application | AdvancedQuery.Read.All | 'Run advanced queries' Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST /advancedqueries/query diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 10db12f264..f8a0432c1d 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md 
@@ -31,9 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.Scan | 'Scan machine' Delegated (work or school account) | Machine.Scan | 'Scan machine' ->[!IMPORTANT] ->- This action is available for machines on Windows 10, version 1709 or later. ->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 5aaccd64f1..205ee3432c 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index b449ad9983..fd0479fd8a 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md 
@@ -31,6 +31,11 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 81c8f8d9ac..762ae2251a 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | Alerts.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` PATCH /api/alerts/{id} From 504faf5b34dec29bdbb54fab4538051f4693c209 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 16:00:20 +0300 Subject: [PATCH 05/14] self review 1 --- ...rence-windows-defender-advanced-threat-protection-new.md | 6 ------ ...lerts-windows-defender-advanced-threat-protection-new.md | 2 +- .../windows-defender-atp/machineactionsnote.md | 1 + 3 files changed, 2 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index bdf5be889f..94288d30d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md 
@@ -30,12 +30,6 @@ One of the following permissions is required to call this API. To learn more, in Permission type | Permission | Permission display name :---|:---|:--- Application | Alerts.ReadWrite.All | 'Read and write all alerts' -Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' - ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 520380e0fd..205805378d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -36,7 +36,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) >- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md index ecc1cebee3..fcbd68ecec 100644 --- a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md @@ -1,5 +1,6 @@ --- ms.date: 08/28/2017 +author: zavidor --- >[!Note] > This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. From b7b38cf0c294b96f431a90ee0c8aa76ca86dd2b5 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 16:13:42 +0300 Subject: [PATCH 06/14] Revert "self review 1" This reverts commit 504faf5b34dec29bdbb54fab4538051f4693c209. --- ...rence-windows-defender-advanced-threat-protection-new.md | 6 ++++++ ...lerts-windows-defender-advanced-threat-protection-new.md | 2 +- .../windows-defender-atp/machineactionsnote.md | 1 - 3 files changed, 7 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index 94288d30d6..bdf5be889f 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -30,6 +30,12 @@ One of the following permissions is required to call this API. To learn more, in Permission type | Permission | Permission display name :---|:---|:--- Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 205805378d..520380e0fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -36,7 +36,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) >- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md index fcbd68ecec..ecc1cebee3 100644 --- a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md @@ -1,6 +1,5 @@ --- ms.date: 08/28/2017 -author: zavidor --- >[!Note] > This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. From 432eaf711ac8e67c5f6c43c1c34f3fa4b9e0c46f Mon Sep 17 00:00:00 2001 
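Review bot: The get-alerts hunk puts the minimum role back to 'Alerts Investigation', but the page documents a `GET /api/alerts` request, and the other read pages in this series name 'View Data'. The message "Revert "self review 1"" does not say which role is correct, so state the intended one in the commit message. In the create-alert-by-reference hunk, the context row reads `Alerts.ReadWrite.All` while the other alert pages use `Alert.ReadWrite.All`; confirm the scope name while this table is being touched.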
From: Zvi Avidor Date: Thu, 4 Oct 2018 16:13:47 +0300 Subject: [PATCH 07/14] Revert "Add data about roles to all documentation pages" This reverts commit 4bc3a56d7c03de2ba56f48a191815eb59482f8c2. --- ...age-windows-defender-advanced-threat-protection-new.md | 6 ++---- ...nce-windows-defender-advanced-threat-protection-new.md | 5 ----- ...-ip-windows-defender-advanced-threat-protection-new.md | 5 ----- ...nfo-windows-defender-advanced-threat-protection-new.md | 5 ----- ...nfo-windows-defender-advanced-threat-protection-new.md | 5 ----- ...nfo-windows-defender-advanced-threat-protection-new.md | 5 ----- ...nfo-windows-defender-advanced-threat-protection-new.md | 5 ----- ...rts-windows-defender-advanced-threat-protection-new.md | 5 ----- ...rts-windows-defender-advanced-threat-protection-new.md | 5 ----- ...nes-windows-defender-advanced-threat-protection-new.md | 5 ----- ...ics-windows-defender-advanced-threat-protection-new.md | 4 ---- ...ion-windows-defender-advanced-threat-protection-new.md | 8 +++----- ...rts-windows-defender-advanced-threat-protection-new.md | 8 +++----- ...nes-windows-defender-advanced-threat-protection-new.md | 5 ----- ...ics-windows-defender-advanced-threat-protection-new.md | 4 ---- ...rts-windows-defender-advanced-threat-protection-new.md | 5 ----- ...nes-windows-defender-advanced-threat-protection-new.md | 5 ----- ...ics-windows-defender-advanced-threat-protection-new.md | 4 ---- ...-id-windows-defender-advanced-threat-protection-new.md | 6 ------ ...ers-windows-defender-advanced-threat-protection-new.md | 5 ----- ...rts-windows-defender-advanced-threat-protection-new.md | 5 ----- ...ect-windows-defender-advanced-threat-protection-new.md | 4 ---- ...ion-windows-defender-advanced-threat-protection-new.md | 4 ---- ...nes-windows-defender-advanced-threat-protection-new.md | 5 ----- ...uri-windows-defender-advanced-threat-protection-new.md | 5 ----- ...api-windows-defender-advanced-threat-protection-new.md | 6 ++---- 
...ion-windows-defender-advanced-threat-protection-new.md | 7 +++---- .../windows-defender-atp/run-advanced-query-api.md | 5 ----- ...can-windows-defender-advanced-threat-protection-new.md | 7 +++---- ...ine-windows-defender-advanced-threat-protection-new.md | 5 ----- ...ion-windows-defender-advanced-threat-protection-new.md | 5 ----- ...ert-windows-defender-advanced-threat-protection-new.md | 5 ----- 32 files changed, 16 insertions(+), 152 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index 7783e25c09..adb088ebb4 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -31,10 +31,8 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>[!IMPORTANT] +> This response action is available for machines on Windows 10, version 1703 or later. ## HTTP request ``` 
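Review bot: The collect-investigation-package hunk swaps the delegated-token note for the Windows 10 version 1703 notice, although the two describe unrelated requirements. If the OS version notice is still valid it should stand on its own, and the commit message should say why the role and machine-group prerequisites are being dropped, since after this change the Permissions section lists only the Machine.CollectForensics scopes.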
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index bdf5be889f..e5e7d337a8 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -32,11 +32,6 @@ Permission type | Permission | Permission display name Application | Alerts.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` POST /api/CreateAlertByReference diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index 61c158ed1b..15d829c27a 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md 
@@ -33,11 +33,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md index 6ed27e2648..6e7721ecde 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md 
@@ -29,11 +29,6 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/alerts/{id}/domains diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md index 951363752e..7fe0e0b9d5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md 
@@ -29,11 +29,6 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/alerts/{id}/files diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 2aaf342cae..20d5a2ffac 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md 
@@ -31,11 +31,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/alerts/{id}/machine diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md index 8e6501fcf1..abdd6ee9d9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md 
@@ -30,11 +30,6 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/alerts/{id}/user diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 520380e0fd..a05d4dba9b 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -34,11 +34,6 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index fc469816ef..b8b7730bad 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -36,11 +36,6 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/domains/{domain}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index e1d21e0582..a039d49807 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -35,11 +35,6 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ``` GET /api/domains/{domain}/machines ``` ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Only machines that the user can access, based on machine group settings will be listed (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## Request headers diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md index 7bfd097dd2..1625a17a50 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -30,10 +30,6 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/domains/{domain}/stats 
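Review bot: In the get-domain-related-machines hunk the removed note sat below the HTTP request block, just above "## Request headers", while the other pages in this patch carry it directly above "## HTTP request". If the role notes are re-added later, put this one under the permissions table as well so the access requirements stay in one place.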
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md index 63aabdd191..c817a1c653 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,9 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] + + + Retrieves a file by identifier Sha1, Sha256, or MD5. ## Permissions @@ -31,11 +34,6 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read all file profiles' Delegated (work or school account) | File.Read.All | 'Read all file profiles' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) - - ## HTTP request ``` GET /api/files/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index 284cb68225..3c3605bebb 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -22,6 +22,9 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] + + + Retrieves a collection of alerts related to a given file hash. ## Permissions 
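Review bot: The get-file-information and get-file-related-alerts hunks each add three blank lines after the prerelease include, which has nothing to do with removing the role notes. Drop these whitespace-only additions from the revert, or say in the commit message why they are needed.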
@@ -34,11 +37,6 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/files/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index ca74749c35..e977dc59f9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,11 +32,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/files/{id}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md index a53c06b80a..e8a8ede6fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -34,10 +34,6 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/files/{id}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 92ca8d53d4..4d83cb3d73 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -32,11 +32,6 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/ips/{ip}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index f68e1e12b1..c2e1dcab6e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,11 +32,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/ips/{ip}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md index cdeaa1e441..990bd3f852 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -32,10 +32,6 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/ips/{ip}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index ed3fde05b1..4683167dfb 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -32,12 +32,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - - ## HTTP request ``` GET /api/machines/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md index 5dad09904f..61cb0e8c02 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md 
@@ -30,11 +30,6 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/machines/{id}/logonusers diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index 0a8170f0fd..16fef6228a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -32,11 +32,6 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET /api/machines/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md index 17e20f0b73..bcdbd711ec 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -31,10 +31,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{id} 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index d057cb5c85..e11cd96856 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -34,10 +34,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index 8f2008c14a..d114cf97cb 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md 
@@ -34,11 +34,6 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md index bf4cb3c934..b59b11034b 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md 
@@ -29,11 +29,6 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index 13b8574222..c766797e14 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md 
@@ -31,10 +31,8 @@ Permission type | Permission | Permission display name Application | Machine.Offboard | 'Offboard machine' Delegated (work or school account) | Machine.Offboard | 'Offboard machine' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to 'Global Admin' AD role ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>[!IMPORTANT] +> This response action is available for machines on Windows 10, version 1703 or later. ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 90321fb7ff..2f72e196ee 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md 
@@ -31,10 +31,9 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>[!IMPORTANT] +> - This action is available for machines on Windows 10, version 1709 or later. +> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index 86899b1396..7e312d08e8 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md 
@@ -39,11 +39,6 @@ Permission type | Permission | Permission display name Application | AdvancedQuery.Read.All | 'Run advanced queries' Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to 'Global Admin' AD role ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` POST /advancedqueries/query diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index f8a0432c1d..10db12f264 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md 
@@ -31,10 +31,9 @@ Permission type | Permission | Permission display name Application | Machine.Scan | 'Scan machine' Delegated (work or school account) | Machine.Scan | 'Scan machine' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>[!IMPORTANT] +>- This action is available for machines on Windows 10, version 1709 or later. +>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 205ee3432c..5aaccd64f1 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -29,11 +29,6 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index fd0479fd8a..b449ad9983 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md 
@@ -31,11 +31,6 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 762ae2251a..81c8f8d9ac 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md 
@@ -30,11 +30,6 @@ Permission type | Permission | Permission display name Application | Alerts.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - ## HTTP request ``` PATCH /api/alerts/{id} From 94d76a391c354eff889cdae1201667dd57e6d95e Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 16:13:54 +0300 Subject: [PATCH 08/14] Revert "Add machine actions link to all machine actions API" This reverts commit 1ed3b286d6751c7232bf578b7ecba1101f6da9eb. --- ...ge-windows-defender-advanced-threat-protection-new.md | 4 ++-- ...ne-windows-defender-advanced-threat-protection-new.md | 9 +++++---- .../windows-defender-atp/machineactionsnote.md | 5 ----- ...pi-windows-defender-advanced-threat-protection-new.md | 2 -- ...alerts-windows-defender-advanced-threat-protection.md | 4 ++-- ...on-windows-defender-advanced-threat-protection-new.md | 2 -- ...an-windows-defender-advanced-threat-protection-new.md | 2 -- ...on-windows-defender-advanced-threat-protection-new.md | 4 ++-- 8 files changed, 11 insertions(+), 21 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-atp/machineactionsnote.md 
diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index adb088ebb4..0070c9376a 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -19,9 +19,9 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] -Collect investigation package from a machine. -[!include[Machine actions note](machineactionsnote.md)] + +Collect investigation package from a machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index 33e7130f36..4123a2d5c8 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -21,7 +21,8 @@ ms.date: 12/08/2017 Isolates a machine from accessing external network. -[!include[Machine actions note](machineactionsnote.md)] +>[!Note] +> This page focus on activating machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) @@ -33,8 +34,8 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user need to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user need to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request 
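Review bot: Both `+` bullets in the @@ -33,8 +34,8 hunk of the isolate-machine page read "The user need to have ...", where the lines they replace had "needs", so the revert restores a grammar error on the page that documents who may isolate a machine. The hunk before it does the same with "This page focus on activating machine action" and swaps the shared `machineactionsnote.md` include for an inline copy of the note. Suggest fixing the wording forward instead of reverting to it, or squashing the revert chain so these intermediate states never land.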
@@ -59,7 +60,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S **IsolationType** controls the type of isolation to perform and can be one of the following: - Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details) +- Selective – Restrict only limited set of applications from accessing the network ## Response diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md deleted file mode 100644 index ecc1cebee3..0000000000 --- a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -ms.date: 08/28/2017 ---- ->[!Note] -> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index c766797e14..b40d39cbc3 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md 
@@ -21,8 +21,6 @@ ms.date: 12/08/2017 Offboard machine from WDATP. -[!include[Machine actions note](machineactionsnote.md)] - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 132ae5943b..064fb37360 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -181,7 +181,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. 
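Review bot: The `+` line in the @@ -181,7 +181,7 hunk of respond-machine-alerts drops "(a.k.a 'Selective Isolation')", which was the text tying the Outlook and Skype for Business option to the `Selective` value listed for IsolationType on the isolate API page. The same patch also removes the link from the `Selective` bullet on the isolate-machine page to this section, so a reader of either page can no longer map the API value to the portal behaviour. Suggest keeping the parenthetical and the link unless the term is being retired on the API side as well.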
@@ -197,7 +197,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne ![Image of isolate machine](images/atp-actions-isolate-machine.png) -3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation'). +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. ![Image of isolation confirmation](images/atp-confirm-isolate.png) diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 2f72e196ee..962dad7581 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -21,8 +21,6 @@ ms.date: 12/08/2017 Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) -[!include[Machine actions note](machineactionsnote.md)] - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 10db12f264..85c37a2cc6 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md 
+++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -21,8 +21,6 @@ ms.date: 12/08/2017 Initiate Windows Defender Antivirus scan on a machine. -[!include[Machine actions note](machineactionsnote.md)] - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index b449ad9983..4deeaa4646 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -19,9 +19,9 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] -Enable execution of any application on the machine. -[!include[Machine actions note](machineactionsnote.md)] + +Enable execution of any application on the machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) From 6bbb70af367a0e4e7117d27905a6b7108cc3da18 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 16:13:59 +0300 Subject: [PATCH 09/14] Revert "small fix" This reverts commit d180a05566a97594490a9ce35ca9ddfa74dc7ea0. --- ...hine-windows-defender-advanced-threat-protection-new.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index 4123a2d5c8..aa65623516 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -35,9 +35,14 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: >- The user need to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user need to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The user have access to this machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +>[!IMPORTANT] +>- Full isolation is available for machines on Windows 10, version 1703. +>- Selective isolation is available for machines on Windows 10, version 1709 or later. + ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/isolate From 01e839ad12a37f4ebf84011822cb4f9052a4ea78 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 16:14:05 +0300 Subject: [PATCH 10/14] Revert "Suggested fix for isolation" This reverts commit 20a4c1d66002f08b5a4306a3449d6301becd93aa. --- ...-windows-defender-advanced-threat-protection-new.md | 10 ---------- 1 file changed, 10 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index aa65623516..604f6fe959 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -21,9 +21,6 @@ ms.date: 12/08/2017 Isolates a machine from accessing external network. ->[!Note] -> This page focus on activating machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. - ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) @@ -32,13 +29,6 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' ->[!Note] -> When obtaining a token using user credentials: ->- The user need to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user have access to this machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - - - >[!IMPORTANT] >- Full isolation is available for machines on Windows 10, version 1703. >- Selective isolation is available for machines on Windows 10, version 1709 or later. From c456731193fa5ad666d17f613b1cb6eac45c9a8a Mon Sep 17 00:00:00 2001 
From: Zvi Avidor Date: Thu, 4 Oct 2018 16:17:11 +0300 Subject: [PATCH 11/14] add roles info to docs --- ...indows-defender-advanced-threat-protection-new.md | 10 ++++++---- ...indows-defender-advanced-threat-protection-new.md | 1 - ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 8 +++++--- ...indows-defender-advanced-threat-protection-new.md | 8 +++++--- ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 6 ++++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 4 ++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 12 ++++++++---- .../windows-defender-atp/machineactionsnote.md | 6 ++++++ ...indows-defender-advanced-threat-protection-new.md | 8 ++++++-- ...ts-windows-defender-advanced-threat-protection.md | 4 ++-- ...indows-defender-advanced-threat-protection-new.md | 9 
++++++--- .../windows-defender-atp/run-advanced-query-api.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 9 ++++++--- ...indows-defender-advanced-threat-protection-new.md | 5 +++++ ...indows-defender-advanced-threat-protection-new.md | 9 +++++++-- ...indows-defender-advanced-threat-protection-new.md | 5 +++++ 35 files changed, 173 insertions(+), 27 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/machineactionsnote.md diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md index 0070c9376a..7783e25c09 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -19,10 +19,10 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - Collect investigation package from a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -31,8 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' ->[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index e5e7d337a8..94288d30d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -30,7 +30,6 @@ One of the following permissions is required to call this API. To learn more, in Permission type | Permission | Permission display name :---|:---|:--- Application | Alerts.ReadWrite.All | 'Read and write all alerts' -Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` 
diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index 15d829c27a..61c158ed1b 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -33,6 +33,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md index 6e7721ecde..6ed27e2648 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md 
+++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md @@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/domains diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md index 7fe0e0b9d5..951363752e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/files diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 20d5a2ffac..2aaf342cae 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md 
@@ -31,6 +31,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/machine diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md index abdd6ee9d9..8e6501fcf1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/user diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index a05d4dba9b..205805378d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -34,6 +34,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index b8b7730bad..fc469816ef 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -36,6 +36,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index a039d49807..e1d21e0582 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -35,6 +35,11 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ``` GET /api/domains/{domain}/machines ``` +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Only machines that the user can access, based on machine group settings will be listed (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## Request headers diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md index 1625a17a50..7bfd097dd2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -30,6 +30,10 @@ Permission type | Permission | Permission display name Application | URL.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md index c817a1c653..63aabdd191 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -21,9 +21,6 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - - Retrieves a file by identifier Sha1, Sha256, or MD5. ## Permissions @@ -34,6 +31,11 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read all file profiles' Delegated (work or school account) | File.Read.All | 'Read all file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + + ## HTTP request ``` GET /api/files/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index 3c3605bebb..284cb68225 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -22,9 +22,6 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - - Retrieves a collection of alerts related to a given file hash. ## Permissions 
@@ -37,6 +34,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index e977dc59f9..ca74749c35 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md index e8a8ede6fd..a53c06b80a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -34,6 +34,10 @@ Permission type | Permission | Permission display name Application | File.Read.All | 'Read file profiles' Delegated (work or school account) | File.Read.All | 'Read file profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/files/{id}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 4d83cb3d73..92ca8d53d4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index c2e1dcab6e..f68e1e12b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md index 990bd3f852..cdeaa1e441 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,10 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip}/stats 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index 4683167dfb..ed3fde05b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -32,6 +32,12 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + ## HTTP request ``` GET /api/machines/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md index 61cb0e8c02..5dad09904f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | User.Read.All | 'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/{id}/logonusers diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index 16fef6228a..0a8170f0fd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -32,6 +32,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/machines/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md index bcdbd711ec..17e20f0b73 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -31,6 +31,10 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{id} 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index e11cd96856..d057cb5c85 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -34,6 +34,10 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index d114cf97cb..8f2008c14a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md 
@@ -34,6 +34,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machines diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md index b59b11034b..bf4cb3c934 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | Machine.CollectForensics | 'Collect forensics' Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md index 604f6fe959..33e7130f36 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Isolates a machine from accessing external network. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -29,9 +31,11 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' ->[!IMPORTANT] ->- Full isolation is available for machines on Windows 10, version 1703. ->- Selective isolation is available for machines on Windows 10, version 1709 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` @@ -55,7 +59,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S **IsolationType** controls the type of isolation to perform and can be one of the following: - Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details) ## Response diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md new file mode 100644 index 0000000000..fcbd68ecec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md 
@@ -0,0 +1,6 @@ +--- +ms.date: 08/28/2017 +author: zavidor +--- +>[!Note] +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md index b40d39cbc3..13b8574222 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Offboard machine from WDATP. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) @@ -29,8 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.Offboard | 'Offboard machine' Delegated (work or school account) | Machine.Offboard | 'Offboard machine' ->[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 or later. +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 064fb37360..132ae5943b 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -181,7 +181,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. @@ -197,7 +197,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne ![Image of isolate machine](images/atp-actions-isolate-machine.png) -3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation'). ![Image of isolation confirmation](images/atp-confirm-isolate.png) 
diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md index 962dad7581..90321fb7ff 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -29,9 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' ->[!IMPORTANT] -> - This action is available for machines on Windows 10, version 1709 or later. -> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index 7e312d08e8..86899b1396 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md 
@@ -39,6 +39,11 @@ Permission type | Permission | Permission display name Application | AdvancedQuery.Read.All | 'Run advanced queries' Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST /advancedqueries/query diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md index 85c37a2cc6..f8a0432c1d 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -21,6 +21,8 @@ ms.date: 12/08/2017 Initiate Windows Defender Antivirus scan on a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -29,9 +31,10 @@ Permission type | Permission | Permission display name Application | Machine.Scan | 'Scan machine' Delegated (work or school account) | Machine.Scan | 'Scan machine' ->[!IMPORTANT] ->- This action is available for machines on Windows 10, version 1709 or later. ->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 5aaccd64f1..205ee3432c 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -29,6 +29,11 @@ Permission type | Permission | Permission display name Application | Machine.Isolate | 'Isolate machine' Delegated (work or school account) | Machine.Isolate | 'Isolate machine' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md index 4deeaa4646..fd0479fd8a 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -19,10 +19,10 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] - - Enable execution of any application on the machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) 
@@ -31,6 +31,11 @@ Permission type | Permission | Permission display name Application | Machine.RestrictExecution | 'Restrict code execution' Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 81c8f8d9ac..762ae2251a 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | Alerts.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` PATCH /api/alerts/{id} From 6c54e6e8ccc8d261a7bd7a35cef749ae03b1dc5e Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Thu, 4 Oct 2018 17:53:49 +0300 Subject: [PATCH 12/14] self review 1 --- ...windows-defender-advanced-threat-protection-new.md | 4 ++++ ...windows-defender-advanced-threat-protection-new.md | 5 +++++ ...windows-defender-advanced-threat-protection-new.md | 5 +++++ ...windows-defender-advanced-threat-protection-new.md | 2 +- ...windows-defender-advanced-threat-protection-new.md | 11 +++++------ ...windows-defender-advanced-threat-protection-new.md | 2 +- ...windows-defender-advanced-threat-protection-new.md | 2 +- ...windows-defender-advanced-threat-protection-new.md | 5 +++++ ...windows-defender-advanced-threat-protection-new.md | 5 +++++ ...windows-defender-advanced-threat-protection-new.md | 4 ++++ ...windows-defender-advanced-threat-protection-new.md | 4 ++++ 11 files changed, 40 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md index 65ac87525b..db36c8aa7e 100644 
--- a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -29,6 +29,10 @@ Permission type | Permission | Permission display name Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md index dc9498c8f0..2ad984ccf6 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md 
@@ -31,6 +31,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id} diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md index 29f7b7ed3e..45eca676f9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md 
@@ -30,6 +30,11 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/alerts/{id}/ips diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 205805378d..4d4e5e0cb0 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -37,7 +37,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index e1d21e0582..6542d0bebd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -31,16 +31,15 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain}/machines ``` ->[!Note] -> When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Only machines that the user can access, based on machine group settings will be listed (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) - - ## Request headers Name | Type | Description diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index ed3fde05b1..335b6efcb7 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md 
@@ -35,7 +35,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index 0a8170f0fd..2fd9e07d99 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -35,7 +35,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md index 7bbc0c5ccb..bca064ca3f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md 
@@ -31,6 +31,11 @@ Application | Alert.ReadWrite.All | 'Read and write all alerts' Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/users/{id}/alerts diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md index 676602504f..2198203628 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -31,6 +31,11 @@ Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/users/{id}/machines diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md index e3fc93951d..22bf9eb5a9 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md @@ -30,6 +30,10 @@ Permission type | Permission | Permission display name Application | Url.Read.All | 'Read URLs' Delegated (work or school account) | URL.Read.All | 'Read URLs' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/domains/{domain} 
diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md index 575b792100..b976177106 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md @@ -31,6 +31,10 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + ## HTTP request ``` GET /api/ips/{ip} From c5dfea4a7990991d9ad11bbc484641bd12d60e35 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Sun, 7 Oct 2018 11:34:28 +0300 Subject: [PATCH 13/14] dalaufer's comment --- ...-machines-windows-defender-advanced-threat-protection-new.md | 1 + .../windows-defender-atp/run-advanced-query-api.md | 2 +- ...e-machine-windows-defender-advanced-threat-protection-new.md | 2 ++ ...ate-alert-windows-defender-advanced-threat-protection-new.md | 2 +- 4 files changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index 6542d0bebd..f1fd36c675 100644 
--- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md @@ -40,6 +40,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine ``` GET /api/domains/{domain}/machines ``` + ## Request headers Name | Type | Description diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md index 86899b1396..775c140d57 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md @@ -41,7 +41,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' >[!Note] > When obtaining a token using user credentials: ->- The user needs to 'Global Admin' AD role +>- The user needs to have 'Global Admin' AD role >- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md index 205ee3432c..237350b465 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md 
@@ -21,6 +21,8 @@ ms.date: 12/08/2017 Undo isolation of a machine. +[!include[Machine actions note](machineactionsnote.md)] + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](exposed-apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 762ae2251a..7d7bc5537c 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -32,7 +32,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) >- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request From bd20e7864cdacead08670d14f6bd29b3fbc3ed23 Mon Sep 17 00:00:00 2001 From: Zvi Avidor Date: Mon, 8 Oct 2018 14:03:52 +0300 Subject: [PATCH 14/14] add documentation for createalert support with delegated creds --- ...rence-windows-defender-advanced-threat-protection-new.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index 94288d30d6..46747a3c0d 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -30,6 +30,12 @@ One of the following permissions is required to call this API. To learn more, in Permission type | Permission | Permission display name :---|:---|:--- Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) ## HTTP request ```
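Review bot: In the is-ip-seen-org hunk (@@ -31,6 +31,10 @@), the added note lists only the 'View Data' role permission and says nothing about machine group scoping, while the notes on the run-advanced-query and update-alert pages in this series each carry a second bullet on machine group access. If this endpoint answers for the whole organization regardless of the caller's machine groups, say so in the note; if results are filtered by machine group, add the matching bullet. As written, a reader cannot tell which applies.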
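Review bot: In run-advanced-query-api.md (PATCH 13/14, @@ -41,7 +41,7 @@), the corrected line "The user needs to have 'Global Admin' AD role" is still missing an article; suggest "The user needs to have the 'Global Admin' AD role". Separately, unlike the other notes visible in this series, this one requires a directory role rather than a WDATP role permission, and it does so for an API whose delegated scope is the read-only AdvancedQuery.Read. A short sentence on why, or a link comparable to the "Create and manage roles" link used on the other pages, would tell integrators what to provision.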
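Review bot: In the unisolate-machine hunk (PATCH 13/14, @@ -21,6 +21,8 @@), the new include points at machineactionsnote.md, which is not among the four files in this commit's diffstat. Please confirm the file already exists in the windows-defender-atp directory at this point in the series, since the relative path will otherwise not resolve. The commit subject ("dalaufer's comment") also does not mention that this page gains the machine actions note; a line in the commit body would cover it.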
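Review bot: In the update-alert hunk (PATCH 13/14, @@ -32,7 +32,7 @@), the required role permission changes from 'View Data' to 'Alerts investigation', which alters the documented authorization requirement rather than fixing wording, and the commit message gives no reason. Please confirm this matches what the service enforces for Alert.ReadWrite with a delegated token, and say in the commit body whether the earlier text was wrong or the requirement changed.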
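Review bot: In the create-alert-by-reference hunk (PATCH 14/14, @@ -30,6 +30,12 @@), the second bullet says "the machine associated with the alert", but on this page the alert does not exist until the call succeeds; suggest wording it in terms of the machine the alert is being created for. Also, the added delegated scope is Alert.ReadWrite while the application scope on the row above is Alerts.ReadWrite.All; please confirm the singular/plural difference is intentional, since readers copy these strings verbatim when granting permissions.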