From 085bb5da8c59e7f525c0eca1cfbc6626a8320d4f Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Mon, 26 Nov 2018 20:58:01 +0200 Subject: [PATCH 01/13] s --- ...defender-advanced-threat-protection-new.md | 61 ++++++++++--------- ...defender-advanced-threat-protection-new.md | 4 +- ...defender-advanced-threat-protection-new.md | 4 +- 3 files changed, 37 insertions(+), 32 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md index b1cde1afaf..da80f7bb7e 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md @@ -37,45 +37,48 @@ Method|Return Type |Description # Properties Property | Type | Description :---|:---|:--- -id | String | Alert ID -severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'. -status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'. +id | String | Alert ID. +incidentId | String | The [Incident](incidents-queue.md) ID of the Alert. +assignedTo | String | Owner of the alert. +severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. +status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. +investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' . +classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. +category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' . +detectionSource | string | Detection source. +threatFamilyName | string | Threat family. +title | string | Alert title. description | String | Description of the threat, identified by the alert. recommendedAction | String | Action recommended for handling the suspected threat. alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created. -category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'. -title | string | Alert title -threatFamilyName | string | Threat family -detectionSource | string | Detection source -assignedTo | String | Owner of the alert -classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. -determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' -resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine. firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine. +resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert. # JSON representation ``` { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 1", - "recommendedAction": "Some recommended action 1", - "alertCreationTime": "2018-08-03T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 1", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-02T07:02:52.0894451Z", - "firstEventTime": "2018-08-02T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md index 53054cc36b..88f5545da4 100644 --- a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' ## HTTP request ``` -POST https://api.securitycenter.windows.com/api/CreateAlertByReference +POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference ``` ## Request headers @@ -77,7 +77,7 @@ Here is an example of the request. [!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/CreateAlertByReference +POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference Content-Length: application/json { diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 02ebbe143c..de8091bda2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -21,7 +21,9 @@ ms.date: 12/08/2017 [!include[Prerelease information](prerelease.md)] -Retrieves top recent alerts. +- Retrieves a collection of Alerts. +- Supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". ## Permissions From 0e1e123204288bb3b7114683dcf812bd70c91cad Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Mon, 26 Nov 2018 21:43:02 +0200 Subject: [PATCH 02/13] s --- .../exposed-apis-odata-samples.md | 59 +++++++++++++-- ...defender-advanced-threat-protection-new.md | 39 +++++----- ...defender-advanced-threat-protection-new.md | 74 ++++++++++--------- ...defender-advanced-threat-protection-new.md | 74 ++++++++++--------- ...defender-advanced-threat-protection-new.md | 37 +++++----- ...defender-advanced-threat-protection-new.md | 37 +++++----- ...defender-advanced-threat-protection-new.md | 37 +++++----- ...defender-advanced-threat-protection-new.md | 10 +-- ...defender-advanced-threat-protection-new.md | 74 ++++++++++--------- ...defender-advanced-threat-protection-new.md | 41 +++++----- 10 files changed, 271 insertions(+), 211 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index dfc82df1d8..2892815b80 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -21,8 +21,13 @@ ms.date: 11/15/2018 - If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) -- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries. -- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter. +- Not all properties are filterable. + +### Properties that supports $filter: + +- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category. +- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId. +- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type and CreationDateTimeUtc. ### Example 1 @@ -70,6 +75,50 @@ Content-type: application/json ### Example 2 +- Get all the alerts that created after 2018-10-20 00:00:00 + +``` +HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + . + . + . + ] +} +``` + +### Example 3 + - Get all the machines with 'High' 'RiskScore' ``` @@ -110,7 +159,7 @@ Content-type: application/json } ``` -### Example 3 +### Example 4 - Get top 100 machines with 'HealthStatus' not equals to 'Active' @@ -152,7 +201,7 @@ Content-type: application/json } ``` -### Example 4 +### Example 5 - Get all the machines that last seen after 2018-10-20 @@ -194,7 +243,7 @@ Content-type: application/json } ``` -### Example 5 +### Example 6 - Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md index d2187f343b..88cda0c956 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md @@ -64,7 +64,7 @@ Here is an example of the request. [!include[Improve request performance](improverequestperformance-new.md)] ``` -GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442 +GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442 ``` **Response** @@ -75,24 +75,25 @@ Here is an example of the response. ``` { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 1", - "recommendedAction": "Some recommended action 1", - "alertCreationTime": "2018-08-03T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 1", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-02T07:02:52.0894451Z", - "firstEventTime": "2018-08-02T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index de8091bda2..baf2f17c9a 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -88,44 +88,46 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 1", - "recommendedAction": "Some recommended action 1", - "alertCreationTime": "2018-08-03T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 1", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-02T07:02:52.0894451Z", - "firstEventTime": "2018-08-02T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" }, { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 2", - "recommendedAction": "Some recommended action 2", - "alertCreationTime": "2018-08-04T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 2", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-03T07:02:52.0894451Z", - "firstEventTime": "2018-08-03T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369d" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md index b1e8502727..39c7ea3379 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -84,44 +84,46 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 1", - "recommendedAction": "Some recommended action 1", - "alertCreationTime": "2018-08-03T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 1", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-02T07:02:52.0894451Z", - "firstEventTime": "2018-08-02T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" }, { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 2", - "recommendedAction": "Some recommended action 2", - "alertCreationTime": "2018-08-04T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 2", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-03T07:02:52.0894451Z", - "firstEventTime": "2018-08-03T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369d" + "id": "121688558380765161_2136280442", + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md index e34b9d8c77..b8db356dde 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -82,24 +82,25 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "636692391408655573_2010598859", - "severity": "Low", - "status": "New", - "description": "test alert", - "recommendedAction": "do this and that", - "alertCreationTime": "2018-08-07T11:45:40.0199932Z", - "category": "None", - "title": "test alert", - "threatFamilyName": null, - "detectionSource": "CustomerTI", - "classification": null, - "determination": null, - "assignedTo": null, - "resolvedTime": null, - "lastEventTime": "2018-08-03T16:45:21.7115182Z", - "firstEventTime": "2018-08-03T16:45:21.7115182Z", - "actorName": null, - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md index 981c022145..601886b8ec 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -81,24 +81,25 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "636692391408655573_2010598859", - "severity": "Low", - "status": "New", - "description": "test alert", - "recommendedAction": "do this and that", - "alertCreationTime": "2018-08-07T11:45:40.0199932Z", - "category": "None", - "title": "test alert", - "threatFamilyName": null, - "detectionSource": "CustomerTI", - "classification": null, - "determination": null, - "assignedTo": null, - "resolvedTime": null, - "lastEventTime": "2018-08-03T16:45:21.7115182Z", - "firstEventTime": "2018-08-03T16:45:21.7115182Z", - "actorName": null, - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md index 65ee88ebb5..191f30cfc2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -81,24 +81,25 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "636692391408655573_2010598859", - "severity": "Low", - "status": "New", - "description": "test alert", - "recommendedAction": "do this and that", - "alertCreationTime": "2018-08-07T11:45:40.0199932Z", - "category": "None", - "title": "test alert", - "threatFamilyName": null, - "detectionSource": "CustomerTI", - "classification": null, - "determination": null, - "assignedTo": null, - "resolvedTime": null, - "lastEventTime": "2018-08-03T16:45:21.7115182Z", - "firstEventTime": "2018-08-03T16:45:21.7115182Z", - "actorName": null, - "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index 5d41431d83..063919c244 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -15,15 +15,15 @@ ms.date: 12/08/2017 # List machines API -[!include[Prerelease information](prerelease.md)] - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days. -Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). -The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId" +[!include[Prerelease information](prerelease.md)] + +- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days. +- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md index 86bbb39785..139d24daf4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -81,44 +81,46 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 1", - "recommendedAction": "Some recommended action 1", - "alertCreationTime": "2018-08-03T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 1", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-02T07:02:52.0894451Z", - "firstEventTime": "2018-08-02T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369f" + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" }, { - "id": "636688558380765161_2136280442", - "severity": "Informational", - "status": "InProgress", - "description": "Some alert description 2", - "recommendedAction": "Some recommended action 2", - "alertCreationTime": "2018-08-04T01:17:17.9516179Z", - "category": "General", - "title": "Some alert title 2", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": "TruePositive", - "determination": null, - "assignedTo": "best secop ever", - "resolvedTime": null, - "lastEventTime": "2018-08-03T07:02:52.0894451Z", - "firstEventTime": "2018-08-03T07:02:52.0894451Z", - "actorName": null, - "machineId": "ff0c3800ed8d66738a514971cd6867166809369d" + "id": "121688558380765161_2136280442", + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md index 1ce73605cf..4e69de458e 100644 --- a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -72,10 +72,10 @@ Here is an example of the request. [!include[Improve request performance](improverequestperformance-new.md)] ``` -PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442 +PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442 Content-Type: application/json { - "assignedTo": "Our designated secop" + "assignedTo": "secop2@contoso.com" } ``` @@ -86,23 +86,24 @@ Here is an example of the response. ``` { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity", - "id": "636688558380765161_2136280442", - "severity": "Medium", - "status": "InProgress", - "description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.", - "recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.", - "alertCreationTime": "2018-08-07T10:18:04.2665329Z", - "category": "Installation", - "title": "Possible sensor tampering in memory", - "threatFamilyName": null, - "detectionSource": "WindowsDefenderAtp", - "classification": null, - "determination": null, - "assignedTo": "Our designated secop", - "resolvedTime": null, - "lastEventTime": "2018-08-07T10:14:35.470671Z", - "firstEventTime": "2018-08-07T10:14:35.470671Z", - "actorName": null, - "machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857" + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop2@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "recommendedAction": "Some recommended action" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" } ``` From 4ace29b0392f1a8c2eef071c1b6d116629f9babf Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 10:23:18 +0200 Subject: [PATCH 03/13] s --- .../windows-defender-atp/exposed-apis-odata-samples.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index 2892815b80..e91e3db930 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -31,7 +31,7 @@ ms.date: 11/15/2018 ### Example 1 -**Get all the machines with the tag 'ExampleTag'** +- Get all the machines with the tag 'ExampleTag' ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag') From 0d436b7d431ab89b8bba3ff3729c2a42feb68281 Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 14:00:54 +0200 Subject: [PATCH 04/13] s --- windows/security/threat-protection/TOC.md | 6 +- .../windows-defender-atp/TOC.md | 6 +- ...defender-advanced-threat-protection-new.md | 42 +++---- .../exposed-apis-odata-samples.md | 118 +++++++++--------- ...defender-advanced-threat-protection-new.md | 37 +++--- ...defender-advanced-threat-protection-new.md | 28 ++--- ...defender-advanced-threat-protection-new.md | 5 +- ...defender-advanced-threat-protection-new.md | 60 +++++---- ...defender-advanced-threat-protection-new.md | 27 ++-- ...defender-advanced-threat-protection-new.md | 20 ++- ...defender-advanced-threat-protection-new.md | 16 +-- ...defender-advanced-threat-protection-new.md | 4 +- ...defender-advanced-threat-protection-new.md | 13 +- ...defender-advanced-threat-protection-new.md | 24 ++-- ...defender-advanced-threat-protection-new.md | 21 ++-- ...defender-advanced-threat-protection-new.md | 17 +-- 16 files changed, 223 insertions(+), 221 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index ea1d8e22a6..1c777923ed 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -265,7 +265,7 @@ ######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) ####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) -######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) +######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) ######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) ######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) ######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) @@ -274,8 +274,8 @@ ####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) -######## [List MachineActions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -######## [Get MachineAction](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) ######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) ######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) ######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index f8ba6e6e36..b7634537bd 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -262,7 +262,7 @@ ####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) ###### [Machine](machine-windows-defender-advanced-threat-protection-new.md) -####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md) +####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md) ####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) ####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) ####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) @@ -270,8 +270,8 @@ ####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) ###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) -####### [List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) -####### [Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) ####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) ####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) ####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md index e28bac587b..0fa51e3bfb 100644 --- a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -15,10 +15,12 @@ ms.date: 12/08/2017 # Add or Remove Machine Tags API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + [!include[Prerelease information](prerelease.md)] -**Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Adds or remove tag to a specific machine. ## Permissions @@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag. [!include[Improve request performance](improverequestperformance-new.md)] ``` -POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags Content-type: application/json { - "Value" : "Test Tag", + "Value" : "test Tag 2", "Action": "Add" } @@ -85,26 +87,24 @@ HTTP/1.1 200 Ok Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity", - "id": "863fed4b174465c703c6e412965a31b5e1884cc4", - "computerDnsName": "mymachine55.contoso.com", - "firstSeen": "2018-07-31T14:20:55.8223496Z", - "lastSeen": "2018-09-27T08:44:05.6228836Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "lastIpAddress": "10.248.240.38", - "lastExternalIpAddress": "167.220.2.166", - "agentVersion": "10.3720.16299.98", - "osBuild": 16299, + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [ - "Test Tag" - ], - "rbacGroupId": 75, - "riskScore": "Medium", - "aadDeviceId": null + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } ``` -To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body. \ No newline at end of file +- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index e91e3db930..ba26088a19 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -46,25 +46,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba", - "computerDnsName": "examples.dev.corp.Contoso.com", - "firstSeen": "2018-03-07T11:19:11.7234147Z", - "lastSeen": "2018-11-15T11:23:38.3196947Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "lastIpAddress": "123.17.255.241", - "lastExternalIpAddress": "123.220.196.180", - "agentVersion": "10.6400.18282.1001", - "osBuild": 18282, + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [ - "ExampleTag" - ], - "rbacGroupId": 5, - "rbacGroupName": "Developers", - "riskScore": "North", - "aadDeviceId": null + "rbacGroupId": 140, + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . @@ -134,23 +131,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "e3a77eeddb83d581238792387b1239b01286b2f", - "computerDnsName": "examples.dev.corp.Contoso.com", - "firstSeen": "2016-11-02T23:26:03.7882168Z", - "lastSeen": "2018-11-12T10:27:08.708723Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "lastIpAddress": "123.123.10.33", - "lastExternalIpAddress": "124.124.160.172", - "agentVersion": "10.6300.18279.1001", - "osBuild": 18279, - "healthStatus": "ImpairedCommunication", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 5, - "rbacGroupName": "Developers", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, "riskScore": "High", - "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a" + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . @@ -176,23 +172,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "1113333ddb83d581238792387b1239b01286b2f", - "computerDnsName": "examples.dev.corp.Contoso.com", - "firstSeen": "2016-11-02T23:26:03.7882168Z", - "lastSeen": "2018-11-12T10:27:08.708723Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "lastIpAddress": "123.123.10.33", - "lastExternalIpAddress": "124.124.160.172", - "agentVersion": "10.6300.18279.1001", - "osBuild": 18279, - "healthStatus": "ImpairedCommunication", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 5, - "rbacGroupName": "Developers", - "riskScore": "Medium", - "aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a" + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . @@ -206,7 +201,7 @@ Content-type: application/json - Get all the machines that last seen after 2018-10-20 ``` -HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z ``` **Response:** @@ -218,23 +213,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "83113465ffceca4a731234e5dcde3357e026e873", - "computerDnsName": "examples-vm10", - "firstSeen": "2018-11-12T16:07:50.1706168Z", - "lastSeen": "2018-11-12T16:07:50.1706168Z", - "osPlatform": "WindowsServer2019", - "osVersion": null, - "lastIpAddress": "10.123.72.35", - "lastExternalIpAddress": "123.220.2.3", - "agentVersion": "10.6300.18281.1000", - "osBuild": 18281, + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": false, - "machineTags": [], - "rbacGroupId": 5, - "rbacGroupName": "Developers", - "riskScore": "None", - "aadDeviceId": null + "rbacGroupId": 140, + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] }, . . diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index 495830551e..fc21244a6e 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -15,11 +15,12 @@ ms.date: 12/08/2017 # Find machines by internal IP API -[!include[Prerelease information](prerelease.md)] - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + - Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp - The given timestamp must be in the past 30 days. @@ -83,22 +84,22 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "863fed4b174465c703c6e412965a31b5e1884cc4", - "computerDnsName": "mymachine33.contoso.com", - "firstSeen": "2018-07-31T14:20:55.8223496Z", - "lastSeen": null, - "osPlatform": "Windows10", - "osVersion": null, - "lastIpAddress": "10.248.240.38", - "lastExternalIpAddress": "167.220.2.166", - "agentVersion": "10.3720.16299.98", - "osBuild": 16299, - "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 75, - "riskScore": "Medium", - "aadDeviceId": null + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-09-22T08:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "10.248.240.38", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index 33075d8e93..cee30245d6 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md @@ -14,12 +14,13 @@ ms.date: 12/08/2017 --- # Get alert related machine information API + **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) [!include[Prerelease information](prerelease.md)] -Retrieves machine that is related to a specific alert. +- Retrieves machine that is related to a specific alert. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -77,22 +78,21 @@ HTTP/1.1 200 OK Content-type: application/json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity", - "id": "ff0c3800ed8d66738a514971cd6867166809369f", - "computerDnsName": "amazingmachine.contoso.com", - "firstSeen": "2017-12-10T07:47:34.4269783Z", - "lastSeen": "2017-12-10T07:47:34.4269783Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", "osVersion": "10.0.0.0", - "systemProductName": null, - "lastIpAddress": "172.17.0.0", - "lastExternalIpAddress": "167.220.0.0", - "agentVersion": "10.5830.17732.1001", - "osBuild": 17732, + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 75, + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9" + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index baf2f17c9a..63051a6de3 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -24,7 +24,7 @@ ms.date: 12/08/2017 - Retrieves a collection of Alerts. - Supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". - +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -132,3 +132,6 @@ Here is an example of the response. ] } ``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index f5ac6e74f8..35230abcc7 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md @@ -80,43 +80,41 @@ Content-type: application/json "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", "value": [ { - "id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5", - "computerDnsName": "testMachine1", - "firstSeen": "2018-07-30T20:12:00.3708661Z", - "lastSeen": "2018-07-30T20:12:00.3708661Z", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, - "lastIpAddress": "10.209.67.177", - "lastExternalIpAddress": "167.220.1.210", - "agentVersion": "10.5830.18208.1000", - "osBuild": 18208, - "healthStatus": "Inactive", - "isAadJoined": false, - "machineTags": [], - "rbacGroupId": 75, + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] }, { - "id": "02efb9a9b85f07749a018fbf3f962b4700b3b949", - "computerDnsName": "testMachine2", - "firstSeen": "2018-07-30T19:50:47.3618349Z", - "lastSeen": "2018-07-30T19:50:47.3618349Z", + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, - "lastIpAddress": "10.209.70.231", - "lastExternalIpAddress": "167.220.0.28", - "agentVersion": "10.5830.18208.1000", - "osBuild": 18208, + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, "healthStatus": "Inactive", - "isAadJoined": false, - "machineTags": [], - "rbacGroupId": 75, - "riskScore": "None", - "aadDeviceId": null - } + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } ] } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md index 79aaefa954..75017123a4 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,13 +14,14 @@ ms.date: 12/08/2017 --- # Get file related machines API + **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) [!include[Prerelease information](prerelease.md)] -Retrieves a collection of machines related to a given file hash. +- Retrieves a collection of machines related to a given file hash. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -83,39 +84,37 @@ Content-type: application/json "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lasttSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", "lastExternalIpAddress": "167.220.196.71", "agentVersion": "10.5830.18209.1001", "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] }, { "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", "computerDnsName": "mymachine2.contoso.com", "firstSeen": "2018-07-09T13:22:45.1250071Z", - "lasttSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "192.168.12.225", "lastExternalIpAddress": "79.183.65.82", "agentVersion": "10.5820.17724.1000", "osBuild": 17724, "healthStatus": "Inactive", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 140, + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index 3c68f72daf..f4061af62e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md @@ -85,18 +85,17 @@ Content-type: application/json "firstSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", "lastExternalIpAddress": "167.220.196.71", "agentVersion": "10.5830.18209.1001", "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] }, { "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", @@ -104,18 +103,17 @@ Content-type: application/json "firstSeen": "2018-07-09T13:22:45.1250071Z", "lastSeen": "2018-07-09T13:22:45.1250071Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "192.168.12.225", "lastExternalIpAddress": "79.183.65.82", "agentVersion": "10.5820.17724.1000", "osBuild": 17724, "healthStatus": "Inactive", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 140, + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index 4211bbbb1f..e29196545f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -15,12 +15,13 @@ ms.date: 12/08/2017 # Get machine by ID API -[!include[Prerelease information](prerelease.md)] - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Retrieves a machine entity by ID. + +[!include[Prerelease information](prerelease.md)] + +- Retrieves a machine entity by ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -85,18 +86,17 @@ Content-type: application/json "firstSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", "lastExternalIpAddress": "167.220.196.71", "agentVersion": "10.5830.18209.1001", "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] } ``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md index 96a4953581..bfda8dcbcd 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -14,12 +14,14 @@ ms.date: 12/08/2017 --- # Get machineAction API + **Applies to:** + - Windows Defender Advanced Threat Protection (Windows Defender ATP) [!include[Prerelease information](prerelease.md)] -Get action performed on a machine. +- Get action performed on a machine. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index 5a137cb5a8..018818ec82 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -15,14 +15,16 @@ ms.date: 12/08/2017 # List MachineActions API -[!include[Prerelease information](prerelease.md)] - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - Gets collection of actions done on machines. - Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). +[!include[Prerelease information](prerelease.md)] + +- Gets collection of actions done on machines. +- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type" and "CreationDateTimeUtc". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) @@ -167,3 +169,6 @@ Content-type: application/json ] } ``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index 063919c244..13aadfafc7 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -24,6 +24,7 @@ ms.date: 12/08/2017 - Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days. - Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions @@ -87,18 +88,17 @@ Content-type: application/json "firstSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", "lastExternalIpAddress": "167.220.196.71", "agentVersion": "10.5830.18209.1001", "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] }, { "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", @@ -106,19 +106,21 @@ Content-type: application/json "firstSeen": "2018-07-09T13:22:45.1250071Z", "lastSeen": "2018-07-09T13:22:45.1250071Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "192.168.12.225", "lastExternalIpAddress": "79.183.65.82", "agentVersion": "10.5820.17724.1000", "osBuild": 17724, "healthStatus": "Inactive", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 140, + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] } ] } ``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md index 9e0f217156..873cd7bfe6 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md @@ -14,6 +14,7 @@ ms.date: 12/08/2017 --- # Get user related machines API + **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) @@ -87,18 +88,17 @@ Content-type: application/json "firstSeen": "2018-08-02T14:55:03.7791856Z", "lastSeen": "2018-08-02T14:55:03.7791856Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "172.17.230.209", "lastExternalIpAddress": "167.220.196.71", "agentVersion": "10.5830.18209.1001", "osBuild": 18209, "healthStatus": "Active", - "isAadJoined": true, - "machineTags": [], "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] }, { "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", @@ -106,18 +106,17 @@ Content-type: application/json "firstSeen": "2018-07-09T13:22:45.1250071Z", "lastSeen": "2018-07-09T13:22:45.1250071Z", "osPlatform": "Windows10", - "osVersion": null, - "systemProductName": null, + "osVersion": "10.0.0.0", "lastIpAddress": "192.168.12.225", "lastExternalIpAddress": "79.183.65.82", "agentVersion": "10.5820.17724.1000", "osBuild": 17724, "healthStatus": "Inactive", - "isAadJoined": true, - "machineTags": [], - "rbacGroupId": 140, + "rbacGroupId": 140, "riskScore": "Low", - "aadDeviceId": null + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] } ] } diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md index 8c70bf4419..4d6a156ac0 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md @@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP. osPlatform | String | OS platform. osVersion | String | OS Version. -lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). -lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. +lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). +lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. agentVersion | String | Version of WDATP agent. -osBuild | Int | OS build number. +osBuild | Nullable long | OS build number. healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" -isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined. -machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. -rbacGroupId | Int | Group ID. -riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). \ No newline at end of file +rbacGroupId | Int | RBAC Group ID. +rbacGroupName | String | RBAC Group Name. +riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. +isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined. +aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). +machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. \ No newline at end of file From 9d48a52a98c6c7c91aa172bdd927a53606186cda Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 15:16:12 +0200 Subject: [PATCH 05/13] s --- .../exposed-apis-odata-samples.md | 2 +- ...defender-advanced-threat-protection-new.md | 2 +- ...defender-advanced-threat-protection-new.md | 104 ++++++++++++++++++ 3 files changed, 106 insertions(+), 2 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index ba26088a19..f9f2b40f78 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -27,7 +27,7 @@ ms.date: 11/15/2018 - [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category. - [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId. -- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type and CreationDateTimeUtc. +- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc. ### Example 1 diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md index 018818ec82..1e956940fa 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -23,7 +23,7 @@ ms.date: 12/08/2017 - Gets collection of actions done on machines. - Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). -- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type" and "CreationDateTimeUtc". +- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". - See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) ## Permissions diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..08cea6c72e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,104 @@ +--- +title: Stop and quarantine file API +description: Use this API to stop and quarantine file. +keywords: apis, graph api, supported apis, stop and quarantine file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Stop and quarantine file API + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +- Stop execution of a file on a machine and delete it. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.StopAndQuarantine | 'Stop And Quarantine' +Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile +Content-type: application/json +{ + "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", + "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" +} + +``` +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "141408d1-384c-4c19-8b57-ba39e378011a", + "type": "StopAndQuarantineFile", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "relatedFileInfo": { + "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9", + "fileIdentifierType": "Sha1" + } +} + +``` + From a76117b42c5503c652ca2088ceb7ae241d8281ca Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 15:26:00 +0200 Subject: [PATCH 06/13] s --- ...et-alerts-windows-defender-advanced-threat-protection-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md index 63051a6de3..7cf854cf6f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -83,7 +83,7 @@ Here is an example of the response. >The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. -``` +```json { "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", "value": [ From 722bd9136102df382dec2aac5d05bd723e6cc11f Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 15:32:29 +0200 Subject: [PATCH 07/13] s --- windows/security/threat-protection/TOC.md | 1 + windows/security/threat-protection/windows-defender-atp/TOC.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1c777923ed..ff9215a0cb 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -284,6 +284,7 @@ ######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) ######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) ######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) +######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) ####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) ######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index b7634537bd..9ecf24c3a5 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -280,7 +280,7 @@ ####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) ####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) ####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md) - +####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) ###### [User](user-windows-defender-advanced-threat-protection-new.md) ####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) From 6b9611358bd4f4b3c0aac33884748668f8b1773e Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 17:11:57 +0200 Subject: [PATCH 08/13] s --- ...ne-tags-windows-defender-advanced-threat-protection-new.md | 1 + .../windows-defender-atp/exposed-apis-odata-samples.md | 4 ++++ ...s-by-ip-windows-defender-advanced-threat-protection-new.md | 1 + ...ne-info-windows-defender-advanced-threat-protection-new.md | 1 + ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++ ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++ ...e-by-id-windows-defender-advanced-threat-protection-new.md | 1 + ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++ ...achines-windows-defender-advanced-threat-protection-new.md | 2 ++ 9 files changed, 16 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md index 0fa51e3bfb..b9f697e5af 100644 --- a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -99,6 +99,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md index f9f2b40f78..37c5a9f1d7 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -58,6 +58,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "High", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", @@ -143,6 +144,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "High", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", @@ -184,6 +186,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "High", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", @@ -225,6 +228,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "High", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md index fc21244a6e..83d5cedfe0 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -96,6 +96,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md index cee30245d6..05bf63bda9 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md @@ -90,6 +90,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md index 35230abcc7..60229ac888 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md @@ -92,6 +92,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", @@ -110,6 +111,7 @@ Content-type: application/json "osBuild": 17724, "healthStatus": "Inactive", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": false, "aadDeviceId": null, diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md index f4061af62e..628d8def35 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md @@ -93,6 +93,7 @@ Content-type: application/json "healthStatus": "Active", "rbacGroupId": 140, "riskScore": "Low", + "rbacGroupName": "The-A-Team", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", "machineTags": [ "test tag 1", "test tag 2" ] @@ -110,6 +111,7 @@ Content-type: application/json "osBuild": 17724, "healthStatus": "Inactive", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": false, "aadDeviceId": null, diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md index e29196545f..9c3d3c0eeb 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -93,6 +93,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md index 13aadfafc7..15817d675c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -95,6 +95,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", @@ -113,6 +114,7 @@ Content-type: application/json "osBuild": 17724, "healthStatus": "Inactive", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": false, "aadDeviceId": null, diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md index 873cd7bfe6..da315671ca 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md @@ -95,6 +95,7 @@ Content-type: application/json "osBuild": 18209, "healthStatus": "Active", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": true, "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", @@ -113,6 +114,7 @@ Content-type: application/json "osBuild": 17724, "healthStatus": "Inactive", "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", "riskScore": "Low", "isAadJoined": false, "aadDeviceId": null, From 9fefd9fd98e9dd6123db0f16794887deb7977e4d Mon Sep 17 00:00:00 2001 From: Ben Alfasi Date: Tue, 27 Nov 2018 17:13:39 +0200 Subject: [PATCH 09/13] s --- ...ntine-file-windows-defender-advanced-threat-protection-new.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md index 08cea6c72e..9b50c9bf1d 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md @@ -55,6 +55,7 @@ In the request body, supply a JSON object with the following parameters: Parameter | Type | Description :---|:---|:--- Comment | String | Comment to associate with the action. **Required**. +Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**. ## Response If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. From 0bcab775c93210e1c06e12418cf9bcf644533847 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Tue, 27 Nov 2018 18:38:42 +0000 Subject: [PATCH 10/13] All ASR rules honor exclusions. --- .../customize-attack-surface-reduction.md | 40 +++++++++---------- 1 file changed, 18 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 8bbe633287..557b83c494 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 10/17/2018 +ms.date: 11/27/2018 --- # Customize attack surface reduction rules @@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. +You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. This could potentially allow unsafe files to run and infect your devices. @@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. +Exclusions apply to all attack surface reduction rules. ->[!IMPORTANT] ->Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). - - -Rule description | Rule honors exclusions | GUID +Rule description | GUID -|:-:|- -Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D -Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 2f1be5f0a0a449d0dce9bbdc6db1c6c1b74ef3a5 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Tue, 27 Nov 2018 18:40:25 +0000 Subject: [PATCH 11/13] All ASR rules honor exclusions. --- .../attack-surface-reduction-exploit-guard.md | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 13d105b946..d90ef31aa2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 11/19/2018 +ms.date: 11/27/2018 --- # Reduce attack surfaces with attack surface reduction rules @@ -64,9 +64,6 @@ This rule blocks the following file types from being run or launched from an ema - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. @@ -88,18 +85,12 @@ Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. @@ -132,9 +123,6 @@ This rule provides an extra layer of protection against ransomware. Executable f Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - >[!NOTE] >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. From 76126673ce6200665fc11cf164661e8e3589a176 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 27 Nov 2018 10:42:17 -0800 Subject: [PATCH 12/13] clarified descriptions based on reader question --- .../how-wip-works-with-labels.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 67d918b484..b1005f382d 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 10/12/2018 +ms.date: 11/28/2018 --- # How Windows Information Protection protects files with a sensitivity label @@ -27,13 +27,15 @@ Microsoft information protection technologies work together as an integrated sol Microsoft information protection technologies include: -- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use. +- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. - [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps. -- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps: +- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services. - ![Sensitivity labels](images/sensitivity-labels.png) +End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps: + +![Sensitivity labels](images/sensitivity-labels.png) ## Default WIP behaviors for a sensitivity label From bea09fe94b31c8d48c85177fea4bc928b9e3bd85 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 27 Nov 2018 11:24:07 -0800 Subject: [PATCH 13/13] edits --- .../windows-defender-application-control.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 2c07c12e12..27e5ec8d90 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jsuther1974 -ms.date: 05/03/2018 +ms.date: 11/28/2018 --- # Windows Defender Application Control @@ -17,6 +17,7 @@ ms.date: 05/03/2018 - Windows 10 - Windows Server 2016 +- Windows Server 2019 With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. @@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements -WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016. +WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. -Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016. +Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality