From f06b05d246a40d9a1b2bccfdde72a37dc4752852 Mon Sep 17 00:00:00 2001 From: jcaparas Date: Tue, 29 Aug 2017 13:40:54 -0700 Subject: [PATCH] remove apis --- ...ows-defender-advanced-threat-protection.md | 68 ------------ ...ows-defender-advanced-threat-protection.md | 77 -------------- ...ows-defender-advanced-threat-protection.md | 100 ------------------ ...ows-defender-advanced-threat-protection.md | 67 ------------ ...ows-defender-advanced-threat-protection.md | 67 ------------ ...ows-defender-advanced-threat-protection.md | 67 ------------ ...ows-defender-advanced-threat-protection.md | 83 --------------- ...ows-defender-advanced-threat-protection.md | 78 -------------- ...ows-defender-advanced-threat-protection.md | 76 ------------- ...ows-defender-advanced-threat-protection.md | 85 --------------- ...ows-defender-advanced-threat-protection.md | 78 -------------- ...ows-defender-advanced-threat-protection.md | 67 ------------ ...ows-defender-advanced-threat-protection.md | 77 -------------- ...ows-defender-advanced-threat-protection.md | 78 -------------- 14 files changed, 1068 deletions(-) delete mode 100644 windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md delete mode 100644 windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md diff --git a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 9ae13f3020..0000000000 --- a/windows/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,68 +0,0 @@ ---- -title: Block file API -description: Use this API to create calls related to blocking files from being executed in the organization. -keywords: apis, graph api, supported apis, block file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Block file -Prevent a file from being executed in the organization using Windows Defender. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/files/{sha1}/block -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/7327b54fd718525cbca07dacde913b5ac3c85673/block -Content-type: application/json -{ - "Comment": "Block file due to alert 32123" -} - -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -``` diff --git a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 4cd36dd259..0000000000 --- a/windows/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Collect investigation package API -description: Use this API to create calls related to the collecting an investigation package from a machine. -keywords: apis, graph api, supported apis, collect investigation package -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Collect investigation package -Collect investigation package from a machine. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/collectInvestigationPackage -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | Text | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json -{ - "Comment": "Collect forensics due to alert 1234" -} -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "CollectInvestigationPackage", - "status": "InProgress", - "error": "Unknown" -} - -``` diff --git a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 259f35f8eb..0000000000 --- a/windows/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,100 +0,0 @@ ---- -title: Use the Windows Defender Advanced Threat Protection exposed APIs -description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. -keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Use the Windows Defender ATP exposed APIs - -**Applies to:** - -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). - -In general, you’ll need to take the following steps to use the APIs: -- Create an app -- Get an access token -- Run queries on the graph API - -### Before you begin -Before using the APIs, you’ll need to create an app that you’ll use to authenticate against the graph. You’ll need to create a native app to use for the adhoc queries. - -## Create an app - -1. Log on to [Azure](https://portal.azure.com). - -2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. - - ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) - -3. In the Create window, enter the following information then click **Create**. - - ![Image of Create application window](images/atp-azure-create.png) - - - **Name:** WinATPGraph - - **Application type:** Native - - **Redirect URI:** `https://localhost` - - -4. Navigate and select the newly created application. - ![Image of new app in Azure](images/atp-azure-atp-app.png) - -5. Click **All settings** > **Required permissions** > **Add**. - - ![Image of All settings, then required permissions](images/atp-azure-required-permissions.png) - -6. Click **Select an API** > **Microsoft Graph**, then click **Select**. - - ![Image of API access and API selection](images/atp-azure-api-access.png) - - -7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**. - - ![Image of select permissions](images/atp-azure-select-permissions.png) - -You can now use the code snippets in the following sections to query the API using the created app ID. - -## Get an access token -1. Get the Client ID from the application you created. - -2. Use the **Client ID**. For example: - ``` - private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"; - private const string resourceId = "https://graph.microsoft.com"; - private const string clientId = "{YOUR CLIENT ID/APP ID HERE}"; - private const string redirect = "https://localhost"; - HttpClient client = new HttpClient(); - AuthenticationContext auth = new AuthenticationContext(authority); - var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result; - client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken); - ``` - -## Query the graph -Once the bearer token is retrieved, you can easily invoke the graph APIs. For example: - -``` -client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json")); -// sample endpoint -string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5"; -HttpResponseMessage response = client.GetAsync(ep).Result; -string resp = response.Content.ReadAsStringAsync().Result; -Console.WriteLine($"response for: {ep} \r\n {resp}"); -``` - - -## Related topics -- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md deleted file mode 100644 index b5a267b9d1..0000000000 --- a/windows/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Get FileMachineAction object API -description: Use this API to create calls related to get machineaction object -keywords: apis, graph api, supported apis, filemachineaction object -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Get MachineAction object -Get MachineAction object - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -GET /testwdatppreview/filemachineactions/{id} -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200, Ok response code with the *FileMachineAction* object. - - -## Example - -Request - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/filemachineactions/7327b54fd718525cbca07dacde913b5ac3c85673 -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "stopAndQuarantineFile", - "status": "Success", - "error": "Unknown" -} - -``` diff --git a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 1fcfb04357..0000000000 --- a/windows/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Get MachineAction object API -description: Use this API to create calls related to get machineaction object -keywords: apis, graph api, supported apis, machineaction object -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Get MachineAction object -Get MachineAction object - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -GET /testwdatppreview/machineactions/{id} -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful, this method returns 200, Ok response code with the *MachineAction* object. - - -## Example - -Request - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673 -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "UnrestrictExecution", - "status": "Success", - "error": "Unknown" -} - -``` diff --git a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 5c62aa0f2a..0000000000 --- a/windows/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Get package SAS URI API -description: Use this API to get a URI that allows downloading an investigation package. -keywords: apis, graph api, supported apis, get package, sas, uri -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Get package SAS URI -Get a Uri that allows downloading an investigation package. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machineactions/{id}/getPackageUri -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - - -## Request body -Empty - -## Response -If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage. - - -## Example - -Request - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -Content-type: application/json - -{ - "@odata.context": "https://graph.microsoft.com/testrespver1/$metadata#Edm.String", - "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" -} - -``` diff --git a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md deleted file mode 100644 index bdc4be053b..0000000000 --- a/windows/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,83 +0,0 @@ ---- -title: Isolate machine API -description: Use this API to create calls related isolating a machine. -keywords: apis, graph api, supported apis, isolate machine -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Isolate machine -Isolates a machine from accessing external network. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/isolate -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -IsolationType | IsolationType | Full or selective isolation - -**IsolationType** controls the type of isolation to perform and can be one of the following: -- Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network - - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/isolate -Content-type: application/json -{ - "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” -} - -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "Isolate", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md deleted file mode 100644 index c876bcf8f0..0000000000 --- a/windows/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -title: Request sample API -description: Use this API to create calls related to requesting a sample from a machine. -keywords: apis, graph api, supported apis, request sample -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Request sample -Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/requestSample -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -SHA1 | String | SHA1 of the file to upload to the secure storage. **Required**. - -## Response -If successful, this method returns 201, Created response code and *FileMachineAction* object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution -Content-type: application/json -{ - "Comment": "Stop and quarantine file on machine due to alert 32123", - “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” -} -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "RequestSample", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 6b9299e944..0000000000 --- a/windows/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,76 +0,0 @@ ---- -title: Restrict app execution API -description: Use this API to create calls related to restricting an application from executing. -keywords: apis, graph api, supported apis, collect investigation package -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Restrict app execution -Restrict execution of set of predefined applications. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/restrictCodeExecution -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/restrictCodeExecution -Content-type: application/json -{ - "Comment": "Restrict code execution due to alert 1234" -} - -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "RestrictExecution", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 110a43b208..0000000000 --- a/windows/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -title: Run antivirus scan API -description: Use this API to create calls related to running an antivirus scan on a machine. -keywords: apis, graph api, supported apis, remove machine from isolation -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Run antivirus scan -Initiate Windows Defender Antivirus scan on the machine. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/runAntiVirusScan -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -ScanType| ScanType | Defines the type of the Scan. **Required**. - -**ScanType** controls the type of isolation to perform and can be one of the following: - -- **Quick** – Perform quick scan on the machine -- **Full** – Perform full scan on the machine - - - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/runAntiVirusScan -Content-type: application/json -{ - "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” -} -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "RunAntiVirusScan", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 96789ddeb9..0000000000 --- a/windows/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -title: Stop and quarantine file API -description: Use this API to create calls related to stopping and quarantining a file. -keywords: apis, graph api, supported apis, stop, quarantine, file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Stop and quarantine file -Stop execution of a file on a machine and ensure it’s not executed again on that machine. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/stopAndQuarantineFile -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. -SHA1 | String | SHA1 of the file to stop and quarantine on the machine. **Required**. - -## Response -If successful, this method returns 201, Created response code and _FileMachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution -Content-type: application/json -{ - "Comment": "Stop and quarantine file on machine due to alert 32123", - “Sha1”: “7327b54fd718525cbca07dacde913b5ac3c85673” -} -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "StopAndQuarantineFile", - "status": "InProgress", - "error": "Unknown" -} -``` diff --git a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 0b5317d48a..0000000000 --- a/windows/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,67 +0,0 @@ ---- -title: Unblock file API -description: Use this API to create calls related to allowing a file to be executed in the organization -keywords: apis, graph api, supported apis, unblock file -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Unblock file -Allow a file to be executed in the organization, using Windows Defender. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/files/{sha1}/unblock -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - - -## Response -If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/unblock -Content-type: application/json -{ - "Comment": "Unblock file since alert 1234 was investigated and discovered to be false alarm", -} -``` - -Response - -Here is an example of the response. - - -``` -HTTP/1.1 200 Ok -``` diff --git a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 5fbb90a186..0000000000 --- a/windows/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,77 +0,0 @@ ---- -title: Unisolate machine API -description: Use this API to create calls related to removing a machine from isolation. -keywords: apis, graph api, supported apis, remove machine from isolation -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Unisolate machine -Remove machine from isolation. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/unisolate -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unisolate -Content-type: application/json -{ - "Comment": "Unisolate machine since it was clean and validated" -} - -``` -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "Unisolate", - "status": "InProgress", - "error": "Unknown" -} - -``` diff --git a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md deleted file mode 100644 index 65989bb731..0000000000 --- a/windows/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ /dev/null @@ -1,78 +0,0 @@ ---- -title: Unrestrict code execution API -description: Use this API to create calls related to removing a restriction from applications from executing. -keywords: apis, graph api, supported apis, remove machine from isolation -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: high -ms.date: 09/01.2017 ---- - -# Unrestrict code execution -Remove code execution restriction. - -## Permissions -User needs to have “secop” permissions. - -## HTTP request -``` -POST /testwdatppreview/machines/{id}/unrestrictCodeExecution -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. Required. -Content-Type | application/json - -## Request body -In the request body, supply a JSON object with the following parameters: - -Parameter | Type | Description -:---|:---|:--- -Comment | String | Comment to associate with the action. **Required**. - -## Response -If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. - - -## Example - -Request - -Here is an example of the request. - -``` -POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/unrestrictCodeExecution -Content-type: application/json -{ - "Comment": "Unrestrict code execution since machine was cleaned and validated" -} - -``` - -Response - -Here is an example of the response. - ->[!NOTE] ->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. - -``` -HTTP/1.1 201 Created -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity", - "id": "ac19aae7-4146-4a13-a786-eb43d8557f7c", - "type": "UnrestrictExecution", - "status": "InProgress", - "error": "Unknown" -} - -```