From 960c8dcb4af8b8e9aa74248b50e35e280e2396c3 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 15 Nov 2018 14:17:01 +0200 Subject: [PATCH 1/6] s --- .../exposed-apis-odata-samples.md | 54 +++++++++++++++++-- 1 file changed, 49 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index a7384d989f..6908d2a23b 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md 
@@ -21,11 +21,55 @@ ms.date: 09/24/2018 > If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/) -> ** Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.** -> ** [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.** +- ** Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. ** +- ** [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. ** ### Example 1 +**Get all the machines with the tag 'ExampleTag' ** + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag') +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba", + "computerDnsName": "examples.dev.corp.microsoft.com", + "firstSeen": "2018-03-07T11:19:11.7234147Z", + "lastSeen": "2018-11-15T11:23:38.3196947Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "123.17.255.241", + "lastExternalIpAddress": "123.220.196.180", + "agentVersion": "10.6400.18282.1001", + "osBuild": 18282, + "healthStatus": "Active", + "isAadJoined": true, + "machineTags": [ + "ExampleTag" + ], + "rbacGroupId": 5, + "rbacGroupName": "MiddleEast", + "riskScore": "North", + "aadDeviceId": null + }, + . + . + . + ] +} +``` + +### Example 2 + **Get all the machines with 'High' 'RiskScore'** ``` 
@@ -66,7 +110,7 @@ Content-type: application/json } ``` -### Example 2 +### Example 3 **Get top 100 machines with 'HealthStatus' not equals to 'Active'** @@ -108,7 +152,7 @@ Content-type: application/json } ``` -### Example 3 +### Example 4 **Get all the machines that last seen after 2018-10-20** @@ -150,7 +194,7 @@ Content-type: application/json } ``` -### Example 4 +### Example 5 **Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP** From 338298af58ddea79631eef0184b5698f74854c1f Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 15 Nov 2018 14:28:35 +0200 Subject: [PATCH 2/6] d --- .../windows-defender-atp/exposed-apis-list.md | 2 +- ...-alerts-windows-defender-advanced-threat-protection-new.md | 4 ++-- ...achines-windows-defender-advanced-threat-protection-new.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md index aaf42956c2..101b345a77 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md @@ -38,7 +38,7 @@ ms.date: 30/07/2018 > To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts -> If you don't specify any version ( without /v1.0/ ) you will get to the latest version. +> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. 
diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md index e109d17851..df5abdbe22 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -41,7 +41,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' GET /api/users/{id}/alerts ``` -**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/alerts** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) ** ## Request headers @@ -54,7 +54,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and user and alert exists - 200 OK. If user or alerts does not exist - 404 Not Found. +If successful and user and alert exist - 200 OK. If user or alerts do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md index 35a87d200a..ecf23df07d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md 
@@ -41,7 +41,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine GET /api/users/{id}/machines ``` -**Note that the id is not the Full UPN, its only the user name. For example, for user1@contoso.com you will need to send /api/users/user1/machines** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) ** ## Request headers From c63c5ddcf5b4eadf6edd61b75284dd03d77133ca Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 15 Nov 2018 15:06:27 +0200 Subject: [PATCH 3/6] s --- .../exposed-apis-odata-samples.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index 6908d2a23b..fe3f9c3dd7 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -21,8 +21,8 @@ ms.date: 09/24/2018 > If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/) -- ** Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. ** -- ** [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. ** +- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. +- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. ### Example 1 
@@ -42,7 +42,7 @@ Content-type: application/json "value": [ { "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba", - "computerDnsName": "examples.dev.corp.microsoft.com", + "computerDnsName": "examples.dev.corp.Contoso.com", "firstSeen": "2018-03-07T11:19:11.7234147Z", "lastSeen": "2018-11-15T11:23:38.3196947Z", "osPlatform": "Windows10", @@ -57,7 +57,7 @@ Content-type: application/json "ExampleTag" ], "rbacGroupId": 5, - "rbacGroupName": "MiddleEast", + "rbacGroupName": "Developers", "riskScore": "North", "aadDeviceId": null }, @@ -86,7 +86,7 @@ Content-type: application/json "value": [ { "id": "e3a77eeddb83d581238792387b1239b01286b2f", - "computerDnsName": "examples.dev.corp.microsoft.com", + "computerDnsName": "examples.dev.corp.Contoso.com", "firstSeen": "2016-11-02T23:26:03.7882168Z", "lastSeen": "2018-11-12T10:27:08.708723Z", "osPlatform": "Windows10", @@ -99,7 +99,7 @@ Content-type: application/json "isAadJoined": true, "machineTags": [], "rbacGroupId": 5, - "rbacGroupName": "North", + "rbacGroupName": "Developers", "riskScore": "High", "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a" }, @@ -128,7 +128,7 @@ Content-type: application/json "value": [ { "id": "1113333ddb83d581238792387b1239b01286b2f", - "computerDnsName": "examples.dev.corp.microsoft.com", + "computerDnsName": "examples.dev.corp.Contoso.com", "firstSeen": "2016-11-02T23:26:03.7882168Z", "lastSeen": "2018-11-12T10:27:08.708723Z", "osPlatform": "Windows10", @@ -141,7 +141,7 @@ Content-type: application/json "isAadJoined": true, "machineTags": [], "rbacGroupId": 5, - "rbacGroupName": "North", + "rbacGroupName": "Developers", "riskScore": "Medium", "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a" }, @@ -182,8 +182,8 @@ Content-type: application/json "healthStatus": "Active", "isAadJoined": false, "machineTags": [], - "rbacGroupId": 4, - "rbacGroupName": "East", + "rbacGroupId": 5, + "rbacGroupName": "Developers", "riskScore": "None", "aadDeviceId": null }, 
From 7251d23c14423f1195bb9520a0a11621650f15b5 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 15 Nov 2018 15:32:14 +0200 Subject: [PATCH 4/6] s --- .../windows-defender-atp/exposed-apis-odata-samples.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index fe3f9c3dd7..7562900100 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -19,7 +19,7 @@ ms.date: 09/24/2018 [!include[Prerelease information](prerelease.md)] -> If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/) +- If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/) - Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. - [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. From 5c3f565742f31fa679e429a6aa9531d9cf066c58 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Thu, 15 Nov 2018 16:07:57 +0200 Subject: [PATCH 5/6] s --- .../windows-defender-atp/exposed-apis-odata-samples.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index 7562900100..ed1ef8273e 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md 
@@ -70,7 +70,7 @@ Content-type: application/json ### Example 2 -**Get all the machines with 'High' 'RiskScore'** +- Get all the machines with 'High' 'RiskScore' ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High' @@ -112,7 +112,7 @@ Content-type: application/json ### Example 3 -**Get top 100 machines with 'HealthStatus' not equals to 'Active'** +- Get top 100 machines with 'HealthStatus' not equals to 'Active' ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100 @@ -154,7 +154,7 @@ Content-type: application/json ### Example 4 -**Get all the machines that last seen after 2018-10-20** +- Get all the machines that last seen after 2018-10-20 ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z @@ -196,7 +196,7 @@ Content-type: application/json ### Example 5 -**Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP** +- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP ``` HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan' From 88962add9cd6fc1d766a021a0278e20734863298 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 15 Nov 2018 12:58:09 -0800 Subject: [PATCH 6/6] minor edits --- .../windows-defender-atp/exposed-apis-odata-samples.md | 8 ++++---- ...-alerts-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index ed1ef8273e..dfc82df1d8 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md 
+++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/24/2018 +ms.date: 11/15/2018 --- # OData queries with Windows Defender ATP @@ -19,14 +19,14 @@ ms.date: 09/24/2018 [!include[Prerelease information](prerelease.md)] -- If you are not familiar with OData queries, please see: [OData V4 queries](https://www.odata.org/documentation/) +- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) - Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. - [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. ### Example 1 -**Get all the machines with the tag 'ExampleTag' ** +**Get all the machines with the tag 'ExampleTag'** ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag') @@ -196,7 +196,7 @@ Content-type: application/json ### Example 5 -- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using WDATP +- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP ``` HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan' diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md index 6ea6b78d52..ec40578526 100644 
--- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 12/08/2017 +ms.date: 11/15/2018 --- # Get user related alerts API (deprecated)
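Review bot: in the PATCH 1/6 hunk at @@ -21,11 +21,55 @@ of exposed-apis-odata-samples.md, the new Example 1 response body carries `"riskScore": "North"`, which is not a risk-score value; every other response in this file uses `"High"`, `"Medium"` or `"None"` for that property, and "North" reads like an rbacGroupName pasted into the wrong field, so it should be replaced with one of the values the Example 2 filter (`riskScore eq 'High'`) actually matches. The same body uses publicly routable addresses for `lastIpAddress` and `lastExternalIpAddress` (`123.17.255.241`, `123.220.196.180`); sample output in documentation should use the RFC 5737 documentation ranges (for example 192.0.2.x or 203.0.113.x) so a copied example never points at a real host. Two smaller points in the same hunk: the new bullets `- ** Currently, ...` and `- ** [Alert] ... ** ` put whitespace directly inside the `**` delimiters, which Markdown does not render as bold, and "entities supports all OData queries" / "entity support all OData queries" need their subject-verb agreement fixed ("entities support", "entity supports"). Separately, the one-letter commit messages ("s", "d") across this series give no hint of what changed; a short description per commit would help anyone reading the history later.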
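Review bot: in the PATCH 2/6 hunk for exposed-apis-list.md (@@ -38,7 +38,7 @@), the rewritten line "If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version." has a stray space before the closing parenthesis and "get to" is vague; suggest "If you don't specify a version (e.g. https://api.securitycenter.windows.com/api/alerts), the request is served by the latest version." The removed wording "without /v1.0/" was also the more precise statement of which path segment is omitted, so it is worth keeping alongside the example URL. Unrelated to the change but visible in the context line, `ms.date: 30/07/2018` is day-first while the other files in this series use month-first (`09/24/2018`, `11/15/2018`); the front matter should agree on one format.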
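Review bot: in the PATCH 2/6 hunk at @@ -41,7 +41,7 @@ of get-user-related-alerts-windows-defender-advanced-threat-protection-new.md, the rewritten note ends with `... /api/users/user1/alerts) **`, and the space before the closing `**` stops the whole sentence from rendering as bold; drop that space. The parenthetical is also a full sentence on its own, so it reads better without the parentheses: "Note that the id is not the full UPN, but only the user name. For example, to retrieve alerts for user1@contoso.com use /api/users/user1/alerts."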
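Review bot: in the PATCH 2/6 hunk at @@ -54,7 +54,7 @@ of the same alerts file, the new line "If successful and user and alert exist - 200 OK. If user or alerts do not exist - 404 Not Found." still mixes singular "alert" and plural "alerts" between the two sentences; suggest "If the user exists and has alerts - 200 OK. If the user or the alerts do not exist - 404 Not Found." so the two conditions mirror each other.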
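Review bot: in the PATCH 2/6 hunk at @@ -41,7 +41,7 @@ of get-user-related-machines-windows-defender-advanced-threat-protection-new.md, the rewritten note has the same trailing space inside the closing `**` (`... /api/users/user1/machines) **`) as the alerts page and will likewise not render as bold; apply the same fix here so the two pages stay consistent.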
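Review bot: in the PATCH 3/6 response-body hunks of exposed-apis-odata-samples.md (@@ -42,7, @@ -86,7 and @@ -128,7), the replacement hostname `examples.dev.corp.Contoso.com` mixes case inside a DNS name; DNS names are case-insensitive but documentation samples are conventionally all lower-case (`examples.dev.corp.contoso.com`), and a mixed-case value in a `computerDnsName` sample invites readers to assume the API is case-sensitive. The @@ -57,7 hunk renames `rbacGroupName` from "MiddleEast" to "Developers" but leaves `"riskScore": "North"` on the line directly below it unchanged; since that hunk already touches the Example 1 body, it is the right place to replace the invalid risk-score value as well.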
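Review bot: in the PATCH 5/6 hunks of exposed-apis-odata-samples.md, turning the Example 2 to Example 5 descriptions from bold text into `- ` list items leaves Example 1 as bold (the PATCH 6/6 context still shows `**Get all the machines with the tag 'ExampleTag'**`), so the five examples now use two different styles for the same element; pick one and apply it to all five. While these lines are being rewritten, fix the grammar in the copied text: "'HealthStatus' not equals to 'Active'" should be "'HealthStatus' not equal to 'Active'", and "Get all the machines that last seen after 2018-10-20" should be "Get all the machines last seen after 2018-10-20". In the Example 5 hunk (@@ -196,7), the description says the scans were created by Analyst@examples.onmicrosoft.com but the request two lines below filters on `requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com'`; the prose and the query should name the same account, and `WcdTestPrd` looks like a real test tenant rather than a documentation placeholder, so the example domain from the prose is the one to keep.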