deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 21:33:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

moved WD atp files

Browse Source
This commit is contained in:
Justin Hall
2018-02-01 12:39:25 -08:00
parent 7247c5533e
commit fba3bef5e0
397 changed files with 575 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,68 @@
---
title: Turn on advanced features in Windows Defender ATP
description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
keywords: advanced features, preferences setup, block file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Turn on advanced features in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with.
Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
## Block file
This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled.
If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
## Show user details
When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
- Security operations dashboard
- Alert queue
- Machine details page
For more information, see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
## Skype for Business integration
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
## Enable advanced features
1. In the navigation pane, select **Preferences setup** > **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

147
windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,147 @@
---
title: View and organize the Windows Defender ATP Alerts queue
description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts.
keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/09/2017
---
# View and organize the Windows Defender Advanced Threat Protection Alerts queue
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In each queue, you'll see details such as the severity of alerts and the number of machines the alerts were raised on.
Alerts are organized in queues by their workflow status or assignment:
- **New**
- **In progress**
- **Resolved**
- **Assigned to me**
- **Suppression rules**
To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane.
> [!NOTE]
> By default, alerts in the queues are sorted from newest to oldest.
![Image of alerts queue](images/atp-alertsq2.png)
## Sort, filter, and group the alerts list
You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order.
### Time period
- 1 day
- 3 days
- 7 days
- 30 days
- 6 months
### OS Platform
- Windows 10
- Windows Server 2012 R2
- Windows Server 2016
- Other
### Severity
Alert severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Windows Defender ATP alert severities are different because they represent different scopes.
The Windows Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
The Windows Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
So, for example:
- The severity of a Windows Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
### Detection source
- Windows Defender AV
- Windows Defender ATP
- Windows Defender SmartScreen
- Others
>[!NOTE]
>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender Antivirus as the default real-time protection antimalware product.
### View
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top.
- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together.
The grouped view allows for efficient alert triage and management.
### Use the Alert management pane
Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert.
![Image of an alert selected](images/atp-alerts-selected.png)
You can take immediate action on an alert and see details about an alert in the **Alert management** pane:
- Change the status of an alert from new, to in progress, or resolved.
- Specify the alert classification from true alert or false alert by selecting **In progress**.
Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert:
- APT
- Malware
- Security personnel
- Security testing
- Unwanted software
- Other
- Assign the alert to yourself if the alert is not yet assigned.
- View related activity on the machine.
- Add and view comments about the alert.
>[!NOTE]
>You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section.
### Use the User details pane
Selecting a user brings up the **User details** pane where you can see information such as machine details, related alerts, last IP address, when the machine was first and last seen reporting to the service, and information on the logged on users.
![Alerts queue with numbers](images/atp-alerts-queue-user.png)
### Bulk edit alerts
Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action.
![Alerts queue bulk edit](images/alerts-q-bulk.png)
## Related topics
- [View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

97
windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,97 @@
---
title: Windows Defender ATP alert API fields
description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Windows Defender ATP alert API fields
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
## Alert API fields and portal mapping
The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Windows Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
Field numbers match the numbers in the images below.
> [!div class="mx-tableFixed"]
| Portal label | SIEM field name | ArcSight field | Example value | Description |
|------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | AlertTitle | name | A dll was unexpectedly loaded into a high integrity process without a UAC prompt | Value available for every alert. |
| 2 | Severity | deviceSeverity | Medium | Value available for every alert. |
| 3 | Category | deviceEventCategory | Privilege Escalation | Value available for every alert. |
| 4 | Source | sourceServiceName | WindowsDefenderATP | Windows Defender Antivirus or Windows Defender ATP. Value available for every alert. |
| 5 | MachineName | sourceHostName | liz-bean | Value available for every alert. |
| 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
| 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
| 8 | UserDomain | sourceNtDomain | contoso | The domain of the user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 9 | UserName | sourceUserName | liz-bean | The user context running the activity, available for Windows Defender ATP behavioral based alerts. |
| 10 | Sha1 | fileHash | 5b4b3985339529be3151d331395f667e1d5b7f35 | Available for alerts associated with a file or process. |
| 11 | Md5 | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb | Available for Windows Defender AV alerts. |
| 12 | Sha256 | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5 | Available for Windows Defender AV alerts. |
| 13 | ThreatName | eviceCustomString1 | Trojan:Win32/Skeeyah.A!bit | Available for Windows Defender AV alerts. |
| 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
| 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
| 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
| 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
| 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
| 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
| 22 | Actor | deviceCustomString4 | | Available for alerts related to a known actor group. |
| 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
| | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
| | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
| | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
| Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
| | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
| | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Windows Defender ATP'. |
| | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
![Image of alert with numbers](images/atp-alert-page.png)
![Image of alert details pane with numbers](images/atp-siem-mapping13.png)
![Image of artifact timeline with numbers](images/atp-siem-mapping3.png)
![Image of artifact timeline with numbers](images/atp-siem-mapping4.png)
![Image machine view](images/atp-mapping6.png)
![Image browser URL](images/atp-mapping5.png)
![Image actor alert](images/atp-mapping7.png)
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

89
windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Assign user access to the Windows Defender ATP portal
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Assign user access to the Windows Defender ATP portal
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Azure Active Directory
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
## Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read only access
### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
**Read only access** <br>
Users with read only access can log in, view all alerts, and related information.
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read only** access, assign users to the security reader role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”
```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
## Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com).
2. Select **Azure Active Directory**.
3. Select **Manage** > **Users and groups**.
4. Select **Manage** > **All users**.
5. Search or select the user you want to assign the role to.
6. Select **Manage** > **Directory role**.
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portalaccess-belowfoldlink)

91
windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Block file API
description: Use this API to blocking files from being running in the organization.
keywords: apis, graph api, supported apis, block file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Block file API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Prevent a file from being executed in the organization using Windows Defender Antivirus.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/files/{sha1}/block
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 200, Ok response code with empty body, which indicates that block message was sent to Windows Defender deployed in the organization.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/files/7327b54fd718525cbca07dacde913b5ac3c85673/block
Content-type: application/json
{
"Comment": "Block file due to alert 32123"
}
```
Response
Here is an example of the response.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"fileIdentifier": "7327b54fd718525cbca07dacde913b5ac3c85673",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
}
```

70
windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,70 @@
---
title: Check the health state of the sensor in Windows Defender ATP
description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Check sensor health state in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile provides information on the individual endpoints ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
![Windows Defender ATP sensor health tile](images/atp-portal-sensor.png)
There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
Clicking any of the groups directs you to Machines list, filtered according to your choice.
![Windows Defender ATP sensor filter](images/atp-sensor-filter.png)
<!--
![Windows Defender ATP sensor filter](images/atp-machines-list-misconfigured.png)
Filter the **Machines list** by time period, **OS Platform**, **Health**, or **Malware category alerts** to focus on certain sets of machines, according to the desired criteria.
-->
You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md).
You can filter the health state list by the following status:
- **Active** - Machines that are actively reporting to the Windows Defender ATP service.
- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
- **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
- **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
You can view the machine details when you click on a misconfigured or inactive machine. Youll see more specific machine information when you click the information icon.
![Windows Defender ATP sensor filter](images/atp-machine-health-details.png)
In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page.
>[!NOTE]
>Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
## Related topic
- [Fix unhealthy sensors in Windows Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)

90
windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,90 @@
---
title: Collect investigation package API
description: Use this API to create calls related to the collecting an investigation package from a machine.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Collect investigation package API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Collect investigation package from a machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machines/{id}/collectInvestigationPackage
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. Required.
Content-Type | application/json
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | Text | Comment to associate with the action. **Required**.
## Response
If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
## Example
Request
Here is an example of the request.
```
POST https://graph.microsoft.com/testwdatppreview/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
Content-type: application/json
{
"Comment": "Collect forensics due to alert 1234"
}
```
Response
Here is an example of the response.
>[!NOTE]
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "c9042f9b-8483-4526-87b5-35e4c2532223",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com ",
"requestorComment": " Collect forensics due to alert 1234",
"status": "InProgress",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:09:24.1785079Z",
"lastUpdateTimeUtc": "2017-12-04T12:09:24.1785079Z"
}
```

39
windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,39 @@
---
title: Access the Windows Defender ATP Community Center
description: Access the Windows Defender ATP Community Center to share experiences, engange, and learn about the product.
keywords: community, community center, tech community, conversation, announcements
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/30/2017
---
# Access the Windows Defender ATP Community Center
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
The Windows Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
There are several spaces you can explore to learn about specific information:
- Announcements
- What's new
- Threat Intelligence
There are several ways you can access the Community Center:
- In the Windows Defender ATP portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page.
- Access the community through the [Windows Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
You can instantly view and read conversations that have been posted in the community.
To get the full experience within the community such as being able to comment on posts, you'll need to join the community. For more information on how to get started in the Microsoft Tech Community, see [Microsoft Tech Community: Getting Started](https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Getting-Started-Guide/m-p/77888#M15).

191
windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,191 @@
---
title: Configure HP ArcSight to pull Windows Defender ATP alerts
description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Configure HP ArcSight to pull Windows Defender ATP alerts
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
## Before you begin
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
- Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
- Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- OAuth 2.0 Token refresh URL
- OAuth 2.0 Client ID
- OAuth 2.0 Client secret
- Have the following configuration files ready:
- WDATP-connector.properties
- WDATP-connector.jsonparser.properties
You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
- Make sure you generate the following tokens and have them ready:
- Access token
- Refresh token
You can generate these tokens from the **SIEM integration** setup section of the portal.
## Install and configure HP ArcSight SmartConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
2. Follow the installation wizard through the following tasks:
- Introduction
- Choose Install Folder
- Choose Install Set
- Choose Shortcut Folder
- Pre-Installation Summary
- Installing...
You can keep the default values for each of these tasks or modify the selection to suit your requirements.
3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example:
- WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
NOTE:
You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
5. Select Type: **ArcSight FlexConnector REST** and click **Next**.
6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
<table>
<tbody style="vertical-align:top;">
<tr>
<th>Field</th>
<th>Value</th>
</tr>
<tr>
<td>Configuration File</td>
<td>Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.</td>
</tr>
<td>Events URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
</br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
<tr>
<td>Authentication Type</td>
<td>OAuth 2</td>
</tr>
<td>OAuth 2 Client Properties file</td>
<td>Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.</td>
<tr>
<td>Refresh Token</td>
<td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
</td>
</tr>
</tr>
</table>
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. </br></br>
If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. </br></br> If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
13. Select **Install as a service** and click **Next**.
14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
13. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
14. Finish the installation by selecting **Exit** and **Next**.
## Install and configure the HP ArcSight console
1. Follow the installation wizard through the following tasks:
- Introduction
- License Agreement
- Special Notice
- Choose ArcSight installation directory
- Choose Shortcut Folder
- Pre-Installation Summary
2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens.
3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**.
4. Select **Use direct connection**, then click **Next**.
5. Select **Password Based Authentication**, then click **Next**.
6. Select **This is a single user installation. (Recommended)**, then click **Next**.
7. Click **Done** to quit the installer.
8. Login to the HP ArcSight console.
9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
10. Set **Device Product = Windows Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
You can now run queries in the HP ArcSight console.
Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Troubleshooting HP ArcSight connection
**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
**Symptom:** You get the following error message:
`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
**Solution:**
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
`reauthenticate=true`.
3. Restart the connector by running the following command: `arcsight.bat connectors`.
A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
> [!NOTE]
> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

82
windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Configure email notifications in Windows Defender ATP
description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions.
keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Configure email notifications in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
You can configure Windows Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
> [!NOTE]
> Only users with full access can configure email notifications.
You can set the alert severity levels that trigger notifications. When you turn enable the email notifications feature, its set to high and medium alerts by default.
You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
## Set up email notifications for alerts
The email notifications feature is turned off by default. Turn it on to start receiving email notifications.
1. On the navigation pane, select **Preferences setup** > **Email Notifications**.
2. Toggle the setting between **On** and **Off**.
3. Select the alert severity level that youd like your recipients to receive:
- **High** Select this level to send notifications for high-severity alerts.
- **Medium** Select this level to send notifications for medium-severity alerts.
- **Low** - Select this level to send notifications for low-severity alerts.
- **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of.
4. In **Email recipients to notify on new alerts**, type the email address then select the + sign.
5. Click **Save preferences** when youve completed adding all the recipients.
Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email.
Here's an example email notification:
![Image of example email notification](images/atp-example-email-notification.png)
## Remove email recipients
1. Select the trash bin icon beside the email address youd like to remove.
2. Click **Save preferences**.
## Troubleshoot email notifications for alerts
This section lists various issues that you may encounter when using email notifications for alerts.
**Problem:** Intended recipients report they are not getting the notifications.
**Solution:** Make sure that the notifications are not blocked by email filters:
1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
2. Check that your email security product is not blocking the email notifications from Windows Defender ATP.
3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications.
## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

165
windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,165 @@
---
title: Configure Windows Defender ATP endpoints using Group Policy
description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/06/2017
---
# Configure endpoints using Group Policy
**Applies to:**
- Group Policy
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
> [!NOTE]
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
## Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
9. Click **OK** and close any open GPMC windows.
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Additional Windows Defender ATP configuration settings
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
### Configure sample collection settings
1. On your GP management machine, copy the following files from the
configuration package:
a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
2. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
4. Click **Policies**, then **Administrative templates**.
5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your endpoints.
>[!NOTE]
> If you don't set a value, the default value is to enable sample collection.
### Configure reporting frequency settings
Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance.
In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency.
> [!NOTE]
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
The configuration is set through the following registry key entry:
```
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "latency"
Value: Normal or Expedite
```
Where:<br>
Key type is a string. <br>
Possible values are:
- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance
- Expedite - sets reporting frequency from the endpoint to Expedite mode
The default value in case the registry key doesnt exist is Normal.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Click the **Endpoint offboarding** section.
c. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
9. Click **OK** and close any open GPMC windows.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor endpoint configuration
With Group Policy there isnt an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor endpoints using the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that endpoints are appearing.
> [!NOTE]
> It can take several days for endpoints to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

164
windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,164 @@
---
title: Configure endpoints using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/06/2017
---
# Configure endpoints using Mobile Device Management tools
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints using the classic Intune console
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Select **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
a. Select **Policy** > **Configuration Policies** > **Add**.
![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png)
b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**. <br>
![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
c. Type a name and description for the policy. <br>
![Microsoft Intune Create Policy](images/atp-intune-policy-name.png)
d. Under OMA-URI settings, select **Add...**. <br>
![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
e. Type the following values then select **OK**:
![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
- **Setting name**: Type a name for the setting.
- **Setting description**: Type a description for the setting.
- **Data type**: Select **String**.
- **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding*
- **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded.
f. Save the policy.
![Microsoft Intune save policy](images/atp-intune-save-policy.png)
g. Deploy the policy.
![Microsoft Intune deploy policy](images/atp-intune-deploy-policy.png)
h. Select the device group to deploy the policy to:
![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png)
When the policy is deployed and is propagated, endpoints will be shown in the **Machines list**.
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
> [!div class="mx-tableFixed"]
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
Configuration for onboarded machines: diagnostic data reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2 <br> 1: Normal (default)<br><br> 2: Expedite | Windows Defender ATP diagnostic data reporting
> [!NOTE]
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
> - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Offboard and monitor endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Click the **Endpoint offboarding** section.
c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
- Offboarding
- Health Status for offboarded machines
- Configuration for offboarded machines
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

72
windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Configure non-Windows endpoints in Windows Defender ATP
description: Configure non-Winodws endpoints so that they can send sensor data to the Windows Defender ATP service.
keywords: configure endpoints non-Windows endpoints, macos, linux, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
ms.date: 12/12/2017
---
# Configure non-Windows endpoints
**Applies to:**
- macOS X
- Linux
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink)
[!include[Prerelease information](prerelease.md)]
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data.
You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
## Onboard non-Windows endpoints
You'll need to take the following steps to oboard non-Windows endpoints:
1. Turn on third-party integration
2. Run a detection test
### Turn on third-party integration
1. In Windows Defender Security Center portal, select **Endpoint management** > **Clients** > **Non-Windows**. Make sure the third-party solution is listed.
2. Toggle the third-party provider switch button to turn on the third-party solution integration.
3. Click **Generate access token** button and then **Copy**.
4. Youll need to copy and paste the token to the third-party solution youre using. The implementation may vary depending on the solution.
>[!WARNING]
>The access token has a limited validity period. If needed, regenerate the token close to the time you need to share it with the third-party solution.
### Run detection test
Create an EICAR test file by saving the string displayed on the portal in an empty text file. Then, introduce the test file to a machine running the third-party antivirus solution.
The file should trigger a detection and a corresponding alert on Windows Defender ATP.
### Offboard non-Windows endpoints
To effectively offboard the endpoints from the service, you'll need to disable the data push on the third-party portal first then switch the toggle to off in Windows Defender Security Center. The toggle in the portal only blocks the data inbound flow.
1. Follow the third-party documentation to opt-out on the third-party service side.
2. In Windows Defender Security Center portal, select **Endpoint management**> **Non-Windows**.
3. Toggle the third-party provider switch button to turn stop diagnostic data from endpoints.
>[!WARNING]
>If you decide to turn on the third-party integration again after disabling the integration, you'll need to regenerate the token and reapply it on endpoints.
## Related topics
- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

181
windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,181 @@
---
title: Configure endpoints using System Center Configuration Manager
description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/06/2017
---
# Configure endpoints using System Center Configuration Manager
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- System Center 2012 Configuration Manager or later versions
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink)
<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (SCCM) (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682).
>[!NOTE]
> If youre using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version.
<span id="sccm1602"/>
## Configure endpoints using System Center Configuration Manager earlier versions
You can use existing System Center Configuration Manager functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch), version 1511
- System Center Configuration Manager (current branch), version 1602
### Onboard endpoints
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
> [!NOTE]
> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
The configuration is set through the following registry key entry:
```
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "AllowSampleCollection"
Value: 0 or 1
```
Where:<br>
Key type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this endpoint
- 1 - allows sharing of all file types from this endpoint
The default value in case the registry key doesnt exist is 1.
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
### Configure reporting frequency settings
Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance.
In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency.
> [!NOTE]
> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical.
For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal.
The configuration is set through the following registry key entry:
```
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "latency"
Value: Normal or Expedite
```
Where:<br>
Key type is a string. <br>
Possible values are:
- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance
- Expedite - sets reporting frequency from the endpoint to Expedite mode
The default value in case the registry key doesnt exist is Normal.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Click the **Endpoint offboarding** section.
c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
### Monitor endpoint configuration
Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
**To confirm the configuration package has been correctly deployed:**
1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
2. Click **Overview** and then **Deployments**.
3. Click on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. For more information see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
**Check that the endpoints are compliant with the Windows Defender ATP service:**<br>
You can set a compliance rule for configuration item in System Center Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
Monitor the following registry key entry:
```
Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
Name: “OnboardingState”
Value: “1”
```
For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx).
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

135
windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,135 @@
---
title: Configure Windows Defender ATP endpoints using a local script
description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/06/2017
---
# Configure endpoints using a local script
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
> [!NOTE]
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
## Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **Local Script**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd*
5. Press the **Enter** key or click **OK**.
For information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
```
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "AllowSampleCollection"
Value: 0 or 1
```
Where:<br>
Name type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this endpoint
- 1 - allows sharing of all file types from this endpoint
The default value in case the registry key doesnt exist is 1.
## Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** on the **Navigation pane**.
b. Click the **Endpoint offboarding** section.
c. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
5. Press the **Enter** key or click **OK**.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor endpoint configuration
You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor endpoints using the portal
1. Go to the Windows Defender ATP portal.
2. Click **Machines list**.
3. Verify that endpoints are appearing.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

87
windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,87 @@
---
title: Configure non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Configure non-persistent virtual desktop infrastructure (VDI) machines
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
## Onboard non-persistent virtual desktop infrastructure (VDI) machines
Windows Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
- Instant early onboarding of a short living session
- A session should be onboarded to Windows Defender ATP prior to the actual provisioning.
- Machine name persistence
- The machine names are typically reused for new sessions. One may ask to have them as a single machine entry while others may prefer to have multiple entries per machine name.
You can onboard VDI machines using a single entry or multiple entries for each machine. The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
>[!WARNING]
> For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding.
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint management** > **Clients** on the **Navigation pane**.
b. Select **VDI onboarding scripts for non-persistent endpoints** then click **Download package** and save the .zip file.
2. Copy the extracted files from the .zip into `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. You should have a folder called `WindowsDefenderATPOnboardingPackage` containing the file `WindowsDefenderATPOnboardingScript.cmd`.
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine: <br>
**For single entry for each machine**:<br>
a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
5. Depending on the method you'd like to implement, follow the appropriate steps: <br>
**For single entry for each machine**:<br>
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. <br><br>
**For multiple entries for each machine**:<br>
Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
6. Test your solution:
a. Create a pool with one machine.
b. Logon to machine.
c. Logoff from machine.
d. Logon to machine with another user.
e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.<br>
**For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
7. Click **Machines list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

47
windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Configure Windows Defender ATP client endpoints
description: Configure client endpoints so that they can send sensor data to the Windows Defender ATP sensor.
keywords: configure client endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Configure Windows Defender ATP client endpoints
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Windows Defender ATP supports the following deployment tools and methods:
- Group Policy
- System Center Configuration Manager
- Mobile Device Management (including Microsoft Intune)
- Local script
## In this section
Topic | Description
:---|:---
[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints.
[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on endpoints.
[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Configure non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)

139
windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,139 @@
---
title: Configure endpoint proxy and Internet connection settings
description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Configure endpoint proxy and Internet connectivity settings
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
The Windows Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Auto-discovery methods:
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special endpoint configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration:
- Registry based configuration
- WinHTTP configured using netsh command Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report diagnostic data and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format:
```text
<server name or ip>:<port>
```
For example: 10.0.0.6:8080
The registry value `DisableEnterpriseAuthProxy` should be set to 1.
## Configure the proxy server manually using netsh command
Use netsh to configure a system-wide static proxy.
> [!NOTE]
> - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
1. Open an elevated command-line:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**:
```
netsh winhttp set proxy <proxy>:<port>
```
For example: netsh winhttp set proxy 10.0.0.6:8080
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
Service location | .Microsoft.com DNS record
:---|:---
US |```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com```<br> ```us.vortex-win.data.microsoft.com```<br> ```winatp-gw-cus.microsoft.com``` <br> ```winatp-gw-eus.microsoft.com```
Europe |```*.blob.core.windows.net```<br>```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br> ```eu.vortex-win.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br> ```winatp-gw-weu.microsoft.com```<br>
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
## Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on.
2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint.
3. Open an elevated command-line:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**:
```
HardDrivePath\WDATPConnectivityAnalyzer.cmd
```
Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
```
C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
```
5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example:
```text
Testing URL : https://xxx.microsoft.com/xxx
1 - Default proxy: Succeeded (200)
2 - Proxy auto discovery (WPAD): Succeeded (200)
3 - Proxy disabled: Succeeded (200)
4 - Named proxy: Doesn't exist
5 - Command line proxy: Doesn't exist
```
If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method. <br><br>
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

95
windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,95 @@
---
title: Configure Windows Defender ATP server endpoints
description: Configure server endpoints so that they can send sensor data to the Windows Defender ATP sensor.
keywords: configure server endpoints, server, server onboarding, endpoint management, configure Windows ATP server endpoints, configure Windows Defender Advanced Threat Protection server endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
ms.date: 11/30/2017
---
# Configure Windows Defender ATP server endpoints
**Applies to:**
- Windows Server 2012 R2
- Windows Server 2016
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configserver-abovefoldlink)
Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
## Onboard server endpoints
To onboard your servers to Windows Defender ATP, youll need to:
- Turn on server monitoring from the Windows Defender Security Center portal.
- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Turn on Server monitoring from the Windows Defender Security Center portal
1. In the navigation pane, select **Endpoint management** > **Servers**.
2. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
![Image of server onboarding](images/atp-server-onboarding.png)
<span id="server-mma"/>
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server:
- [Manually install the agent using setup](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) <br>
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
Once completed, you should see onboarded servers in the portal within an hour.
<span id="server-proxy"/>
### Configure server endpoint proxy and Internet connectivity settings
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
| Agent Resource | Ports |
|------------------------------------|-------------|
| *.oms.opinsights.azure.com | 443 |
| *.blob.core.windows.net | 443 |
| *.azure-automation.net | 443 |
| *.ods.opinsights.azure.com | 443 |
| winatp-gw-cus.microsoft.com | 443 |
| winatp-gw-eus.microsoft.com | 443 |
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
### Offboard server endpoints
To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP.
For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
>[!NOTE]
>Offboarding causes the server to stop sending sensor data to the portal but data from the server, including reference to any alerts it has had will be retained for up to 6 months.
## Related topics
- [Configure Windows Defender ATP client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure non-Windows endpoints](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

64
windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection
description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Pull alerts to your SIEM tools
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Pull alerts using supported security information and events management (SIEM) tools
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Windows Defender ATP currently supports the following SIEM tools:
- Splunk
- HP ArcSight
To use either of these supported SIEM tools you'll need to:
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool:
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md).
## Pull Windows Defender ATP alerts using REST API
Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
## In this section
Topic | Description
:---|:---
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.

147
windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,147 @@
---
title: Configure Splunk to pull Windows Defender ATP alerts
description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Configure Splunk to pull Windows Defender ATP alerts
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Have the refresh token that you generated from the SIEM integration feature ready.
## Configure Splunk
1. Login in to Splunk.
2. Click **Search & Reporting**, then **Settings** > **Data inputs**.
3. Click **REST** under **Local inputs**.
NOTE:
This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
4. Click **New**.
5. Type the following values in the required fields, then click **Save**:
NOTE:
All other values in the form are optional and can be left blank.
<table>
<tbody style="vertical-align:top;">
<tr>
<th>Field</th>
<th>Value</th>
</tr>
<tr>
<td>Endpoint URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`</br>**For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`
</tr>
<tr>
<td>HTTP Method</td>
<td>GET</td>
</tr>
<td>Authentication Type</td>
<td>oauth2</td>
<tr>
<td>OAuth 2 Access token</td>
<td>Use the value that you generated when you enabled the SIEM integration feature. </br></br> NOTE: The access token expires after an hour. </td>
</tr>
<tr>
<td>OAuth 2 Refresh Token</td>
<td>Use the value that you generated when you enabled the **SIEM integration** feature.</td>
</tr>
<tr>
<td>OAuth 2 Token Refresh URL</td>
<td>Use the value from the details file you saved when you enabled the **SIEM integration** feature.</td>
</tr>
<tr>
<td>OAuth 2 Client ID</td>
<td>Use the value from the details file you saved when you enabled the **SIEM integration** feature.</td>
</tr>
<tr>
<td>OAuth 2 Client Secret</td>
<td>Use the value from the details file you saved when you enabled the **SIEM integration** feature.</td>
</tr>
<tr>
<td>Response type</td>
<td>Json</td>
</tr>
<tr>
<td>Response Handler</td>
<td>JSONArrayHandler</td>
</tr>
<tr>
<td>Polling Interval</td>
<td>Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.</td>
</tr>
<tr>
<td>Set sourcetype</td>
<td>From list</td>
</tr>
<tr>
<td>Source type</td>
<td>\_json</td>
</tr>
</tr>
</table>
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
## View alerts using Splunk solution explorer
Use the solution explorer to view alerts in Splunk.
1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
2. Select **New**.
3. Enter the following details:
- Destination app: Select Search & Reporting (search)
- Search name: Enter a name for the query
- Search: Enter a query, for example:</br>
`source="rest://windows atp alerts"|spath|table*`
Other values are optional and can be left with the default values.
4. Click **Save**. The query is saved in the list of searches.
5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

402
windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,402 @@
---
title: Create custom alerts using the threat intelligence API
description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions.
keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Create custom alerts using the threat intelligence (TI) application program interface (API)
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-customti-abovefoldlink)
You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
## Before you begin
Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
### Use the threat intelligence REST API to create custom threat intelligence alerts
You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource:
- GET
- POST
- PATCH
- PUT (used for managing entities relations only)
- DELETE
All threat intelligence API requests use the following basic URL pattern:
```
https://TI.SecurityCenter.Windows.com/{version}/{resource}?[query_parameters]
```
For this URL:
- `https://TI.SecurityCenter.Windows.com` is the threat intelligence API endpoint.
- `{version}` is the target service version. Currently, the only supported version is: v1.0.
- `{resource}` is resource segment or path, such as:
- AlertDefinitions (for specific single resource, add: (id))
- IndicatorsOfCompromise (for specific single resource, add: (id))
- `[query_parameters]` represents additional query parameters such as $filter and $select.
**Quotas**</br>
Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
## Request an access token from the token issuing endpoint
Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Preferences settings** page and click the **Generate Token** button. However, if youd like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4).
For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow).
Make an HTTP POST request to the token issuing endpoint with the following parameters, replacing `<ClientId>`, `<ClientSecret>`, and `<AuthorizationServerUrl>` with your app's client ID, client secret and authorization server URL.
>[!NOTE]
> The authorization server URL is `https://login.windows.net/<AADTenantID>/oauth2/token`. Replace `<AADTenantID>` with your Azure Active Directory tenant ID.
>[!NOTE]
> The `<ClientId>`, `<ClientSecret>`, and the `<AuthorizationServerUrl>` are all provided to you when enabling the custom threat intelligence application. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
```
POST <AuthorizationServerUrl> HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
&client_id=<ClientId>
&client_secret=<ClientSecret>
&resource=https://graph.microsoft.com
```
The response will include an access token and expiry information.
```json
{
"token_type": "Bearer",
"expires_in": "3599",
"ext_expires_in": "0",
"expires_on": "1449685363",
"not_before": "1449681463",
"resource": "https://graph.microsoft.com",
"access_token": "<token>"
}
```
## Threat intelligence API metadata
The metadata document ($metadata) is published at the service root.
For example, you can view the service document for the v1.0 version using the following URL:
```
https://TI.SecurityCenter.Windows.com/v1.0/$metadata
```
The metadata allows you to see and understand the data model of the custom threat intelligence, including the entity types and sets, complex types, and enums that make up the request and response packets sent to and from the threat intelligence API.
You can use the metadata to understand the relationships between entities in the custom threat intelligence and establish URLs that navigate between entities.
The following sections show a few basic programming pattern calls to the threat intelligence API.
## Create new resource
Typically, you'd need to create an alert definition to start creating custom threat intelligence. An ID is created for that alert definition.
You can then proceed to create an indicator of compromise and associate it to the ID of the alert definition.
### Create a new alert definition
```json
POST https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json;
{
"Name": " The name of the alert definition. Does not appear in the portal. Max length: 100 ",
"Severity": "Low",
"InternalDescription": "Internal description for the alert definition. Does not appear in the portal. Max length: 350",
"Title": "A short, one sentence, description of the alert definition. Max length: 120",
"UxDescription": "Max length: 500",
"RecommendedAction": "Custom text to explain what should be done in case of detection. Max length: 2000",
"Category": "Category from the metadata",
"Enabled": true
}
```
The following values correspond to the alert sections surfaced on the Windows Defender ATP portal:
![Image of alert from the portal](images/atp-custom-ti-mapping.png)
Highlighted section | JSON key name
:---:|:---
1 | Title
2 | Severity
3 | Category
4 | UX description
5 | Recommended Action
If successful, you should get a 201 CREATED response containing the representation of the newly created alert definition, for example:
```json
"Name": "Connection to restricted company IP address",
"Severity": "Low",
"InternalDescription": "Unusual connection to restricted IP from production machine",
"Title": "Connection to restricted company IP address",
"UxDescription": "Any connection to this IP address from a production machine should be suspicious. Only special build machines should access this IP address.",
"RecommendedAction": "Isolate machine immediately and contact machine owner for awareness.",
"Category": "Trojan",
"Id": 2,
"CreatedAt": "2017-02-01T10:46:22.08Z",
"CreatedBy": "User1",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
```
### Create a new indicator of compromise
```json
POST https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json;
{
"Type": "SHA1",
"Value": "8311e8b377736fb93b18b15372355f3f26c4cd29",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}
```
If successful, you should get a 201 CREATED response containing the representation of the newly created indicators of compromise in the payload.
## Bulk upload of alert definitions and IOCs
Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`. </br>
>[!WARNING]
>- This operation is atomic. The entire operation can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail.
>- If your upload exceeds the IOCs or alert definitions quota, the entire operation will fail. Consider limiting your uploads.
The requests body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertDefinitions` and in the case of IOC is `iocs`. This fields value should contain a list of the desired entities.
For example:
Sending an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
JSON Body:
```json
{
"iocs": [{
"Type": "SHA1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
},
{
"Type": "SHA1",
"Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
"DetectionFunction": "Equals",
"Enabled": true,
"AlertDefinition@odata.bind": "AlertDefinitions(1)"
}
]
}
```
>[!NOTE]
> - Max bulk size is 5000 entities
## Read existing data
### Get a specific resource
```json
GET https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
Authorization: Bearer <access_token>
Accept: application/json;odata.metadata=none
```
If successful, you should get a 200 OK response containing a single indicator of compromise representation (for the specified ID) in the payload, as shown as follows:
```json
HTTP/1.1 200 OK
content - type: application/json;odata.metadata = none
{
"value": [{
"Type": "SHA1",
"Value": "abcdeabcde1212121212abcdeabcde1212121212",
"DetectionFunction": "Equals",
"ExpiresAt": null,
"Id": 1,
"CreatedAt": "2016-12-05T15:51:02Z",
"CreatedBy": "user2@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
}]
}
```
### Get the entire collection of entities of a given resource
```
GET https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1
Authorization: Bearer <access_token>
```
If successful, you should get a 200 OK response containing the collection of alert definitions representation in the payload, as shown as follows:
```json
HTTP/1.1 200 OK
content - type: application / json;odata.metadata = none
{
"@odata.context": "https://TI.SecurityCenter.Windows.com/V1.0/$metadata#AlertDefinitions",
"value": [{
"Name": "Demo alert definition",
"Severity": "Medium",
"InternalDescription": "Some description",
"Title": "Demo short ux description",
"UxDescription": "Demo ux description",
"RecommendedAction": "Actions",
"Category": "Malware",
"Id": 1,
"CreatedAt": "2016-12-05T15:50:53Z",
"CreatedBy": "user@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
},
{
"Name": "Demo alert definition 2",
"Severity": "Low",
"InternalDescription": "Some description",
"Title": "Demo short ux description2",
"UxDescription": "Demo ux description2",
"RecommendedAction": null,
"Category": "Malware",
"Id": 2,
"CreatedAt": "2016-12-06T13:30:00Z",
"CreatedBy": "user2@Company1.contoso.com",
"LastModifiedAt": null,
"LastModifiedBy": null,
"Enabled": true
}
]
}
```
## Update an existing resource
You can use the same pattern for both full and partial updates.
```json
PATCH https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(2) HTTP/1.1
Authorization: Bearer <access_token>
Content-Type: application/json;
Accept: application/json;odata.metadata=none
{
"Category": "Backdoor",
"Enabled": false
}
```
If successful, you should get a 200 OK response containing the updated alert definition representation (per the specified ID) in the payload.
## Update the association (relation) between an indicator of compromise to a different alert definition
```json
PUT https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(3)/AlertDefinition/$ref HTTP/1.1
Authorization : Bearer <access_token>
Content-Type: application/json;
{
"@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)"
}
```
## Delete a resource
```
DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
Authorization: Bearer <access_token>
```
If successful, you should get a 204 NO CONTENT response.
>[!NOTE]
> - Deleting an alert definition also deletes its corresponding IOCs.
> - Deleting an IOC or an alert definition will not delete or hide past alerts matching the alert definition. However, deleting an alert definition and creating a new one with the exact same metadata will result in new alerts in the portal. It's not advised to delete an alert definition and create a new one with the same content.
## Delete all
You can use the HTTP DELETE method sent to the relevant source to delete all resources.
```
DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1
Authorization : Bearer <access_token>
```
If successful, you should get a 204 NO CONTENT response.
## Delete all IOCs connected to a given alert definition
This action will delete all the IOCs associated with a given alert definition without deleting the alert definition itself.
For example, deleting all of the IOCs associated with the alert definition with ID `1` deletes all those IOCs without deleting the alert definition itself.
Send an HTTP POST to `https://TI.SecurityCenter.Windows.com/V1.0/AlertDefinitions(1)/Actions.DeleteIOCs`.
Upon a successful request the response will be HTTP 204.
>[!NOTE]
> As with all OData actions, this action is sending an HTTP POST request not DELETE.
## Windows Defender ATP optional query parameters
The Windows Defender ATP threat intelligence API provides several optional query parameters that you can use to specify and control the amount of data returned in a response. The threat intelligence API supports the following query options:
Name | Value | Description
:---|:---|:--
$select | string | Comma-separated list of properties to include in the response.
$expand | string | Comma-separated list of relationships to expand and include in the response.
$orderby | string | Comma-separated list of properties that are used to sort the order of items in the response collection.
$filter | string | Filters the response based on a set of criteria.
$top | int | The number of items to return in a result set.
$skip | int | The number of items to skip in a result set.
$count | boolean | A collection and the number of items in the collection.
These parameters are compatible with the [OData V4 query language](http://docs.oasis-open.org/odata/odata/v4.0/errata03/os/complete/part2-url-conventions/odata-v4.0-errata03-os-part2-url-conventions-complete.html#_Toc453752356).
## Code examples
The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence API in several programming languages:
- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)

138
windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,138 @@
---
title: Windows Defender Advanced Threat Protection Security operations dashboard
description: Use the Dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts.
keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/01/2017
---
# View the Windows Defender Advanced Threat Protection Security operations dashboard
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
The **Security operations dashboard** displays a snapshot of:
- The latest active alerts on your network
- Daily machines reporting
- Machines at risk
- Users at risk
- Machines with active malware alerts
- Sensor health
- Service health
You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
## Active alerts
You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.
![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp-alerts-tile.png)
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
The **Latest active alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
## Daily machines reporting
The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
![Image of daily machines reporting tile](images/atp-daily-machines-reporting.png)
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png)
Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md).
You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md).
## Users at risk
The tile shows you a list of user accounts with the most active alerts.
![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png)
Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender Antivirus.
Active malware is defined as threats that were actively executing at the time of detection.
Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/atp-machines-active-threats-tile.png)
The chart is sorted into five categories:
- **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access.
- **Credential theft** - threats that attempt to steal credentials.
- **Exploit** - threats that use software vulnerabilities to infect machines.
- **Backdoor** - threats that gives a malicious hacker access to and control of machines.
- **General** - threats that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft.
- **PUA** - applications that install and perform undesirable activity without adequate user consent.
Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk.
Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> [!NOTE]
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
## Sensor health
The **Sensor health** tile provides information on the individual endpoints ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
![Sensor health tile](images/atp-tile-sensor-health.png)
There are two status indicators that provide information on the number of machines that are not reporting properly to the service:
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
- **Misconfigured** These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected.
When you click any of the groups, youll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
## Service health
The **Service health** tile informs you if the service is active or if there are issues.
![The Service health tile shows an overall indicator of the service](images/status-tile.png)
For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md).
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
## Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md)
- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)

79
windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Windows Defender ATP data storage and privacy
description: Learn about how Windows Defender ATP handles privacy and data that it collects.
keywords: Windows Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/14/2017
---
# Windows Defender ATP data storage and privacy
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
> [!NOTE]
> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information.
## What data does Windows Defender ATP collect?
Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
- Generate alerts if a possible attack was detected
- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
Microsoft does not use your data for advertising or for any other purpose other than providing you the service.
## Do I have the flexibility to select where to store my data?
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
Microsoft developers and administrators have, by design, been given sufficient privileges to carry out their assigned duties to operate and evolve the service. Microsoft deploys combinations of preventive, detective, and reactive controls including the following mechanisms to help protect against unauthorized developer and/or administrative activity:
- Tight access control to sensitive data
- Combinations of controls that greatly enhance independent detection of malicious activity
- Multiple levels of monitoring, logging, and reporting
Additionally, Microsoft conducts background verification checks of certain operations personnel, and limits access to applications, systems, and network infrastructure in proportion to the level of background verification. Operations personnel follow a formal process when they are required to access a customers account or related information in the performance of their duties.
## Is data shared with other customers?
No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which dont contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How long will Microsoft store my data? What is Microsofts data retention policy?
**At service onboarding**<br>
You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. Theres a flexibility of choosing in the range of 1 month to six months to meet your companys regulatory compliance needs.
**At contract termination or expiration**<br>
Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
For more information on the Windows Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/en-us/trustcenter/compliance/iso-iec-27001).
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-datastorage-belowfoldlink)

44
windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,44 @@
---
title: Windows Defender Antivirus compatibility with Windows Defender ATP
description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used.
keywords: windows defender compatibility, defender, windows defender atp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/28/2017
---
# Windows Defender Antivirus compatibility with Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
>[!IMPORTANT]
>Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).

54
windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,54 @@
---
title: Enable the custom threat intelligence API in Windows Defender ATP
description: Learn how to setup the custom threat intelligence application in Windows Defender ATP to create custom threat intelligence (TI).
keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Enable the custom threat intelligence API in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
1. In the navigation pane, select **Preference Setup** > **Threat intel API**.
![Image of threat intel API menu](images/atp-threat-intel-api.png)
2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values.
3. Copy the individual values or select **Save details to file** to download a file that contains all the values.
>[!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place. <br>
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
4. Select **Generate tokens** to get an access and refresh token.
Youll need to use the access token in the Authorization header when doing REST API calls.
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)

49
windows/security/threat-protection/windows-defender-atp/enable-security-analytics-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,49 @@
---
title: Enable Security Analytics in Windows Defender ATP
description: Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard.
keywords: enable security analytics, baseline, calculation, analytics, score, security analytics dashboard, dashboard
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Enable Security Analytics security controls
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Set the baselines for calculating the score of Windows Defender security controls on the Security Analytics dashboard. If you use third-party solutions, consider excluding the corresponding controls from the calculations.
>[!NOTE]
>Changes might take up to a few hours to reflect on the dashboard.
1. In the navigation pane, select **Preferences setup** > **Security Analytics**.
![Image of Security Analytics controls from Preferences setup menu](images/atp-enable-security-analytics.png)
2. Select the security control, then toggle the setting between **On** and **Off**.
3. Click **Save preferences**.
## Related topics
- [View the Security Analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

67
windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,67 @@
---
title: Enable SIEM integration in Windows Defender ATP
description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution.
keywords: enable siem connector, siem, connector, security information and events
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/21/2017
---
# Enable SIEM integration in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
![Image of SIEM integration from Preferences setup menu](images/atp-siem-integration.png)
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
> [!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
3. Choose the SIEM type you use in your organization.
> [!NOTE]
> If you select HP ArcSight, you'll need to save these two configuration files:<br>
- WDATP-connector.jsonparser.properties
- WDATP-connector.properties <br>
If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.
4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
5. Select **Generate tokens** to get an access and refresh token.
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
## Related topics
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)

342
windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,342 @@
---
title: Review events and errors on endpoints with Event Viewer
description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Review events and errors on endpoints with Event Viewer
**Applies to:**
- Event Viewer
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines list**, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**.
2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
open the log.
a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
> [!NOTE]
> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
<table>
<tbody style="vertical-align:top;">
<tr>
<th>Event ID</th>
<th>Message</th>
<th>Description</th>
<th>Action</th>
</tr>
<tr>
<td>1</td>
<td>Windows Defender Advanced Threat Protection service started (Version ```variable```).</td>
<td>Occurs during system start up, shut down, and during onbboarding.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>2</td>
<td>Windows Defender Advanced Threat Protection service shutdown.</td>
<td>Occurs when the endpoint is shut down or offboarded.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>3</td>
<td>Windows Defender Advanced Threat Protection service failed to start. Failure code: ```variable```.</td>
<td>Service did not start.</td>
<td>Review other messages to determine possible cause and troubleshooting steps.</td>
</tr>
<tr>
<td>4</td>
<td>Windows Defender Advanced Threat Protection service contacted the server at ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
This URL will match that seen in the Firewall or network activity.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>5</td>
<td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>6</td>
<td>Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Onboarding must be run before starting the service.<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>7</td>
<td>Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.</td>
<td>Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>8</td>
<td>Windows Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```.</td>
<td>**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
</td>
<td>**Onboarding:** No action required. <br><br> **Offboarding:** Reboot the system.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>9</td>
<td>Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.</td>
<td>**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal. <br><br>**During offboarding:** Failed to change the service start type. The offboarding process continues. </td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>10</td>
<td>Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>11</td>
<td>Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.</td>
<td>The endpoint onboarded correctly.</td>
<td>Normal operating notification; no action required.<br>
It may take several hours for the endpoint to appear in the portal.</td>
</tr>
<tr>
<td>12</td>
<td>Windows Defender Advanced Threat Protection failed to apply the default configuration.</td>
<td>Service was unable to apply the default configuration.</td>
<td>This error should resolve after a short period of time.</td>
</tr>
<tr>
<td>13</td>
<td>Windows Defender Advanced Threat Protection machine ID calculated: ```variable```.</td>
<td>Normal operating process.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>15</td>
<td>Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.</td>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](configure-proxy-internet-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>17</td>
<td>Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>18</td>
<td>OOBE (Windows Welcome) is completed.</td>
<td>Service will only start after any Windows updates have finished installing.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>19</td>
<td>OOBE (Windows Welcome) has not yet completed.</td>
<td>Service will only start after any Windows updates have finished installing.</td>
<td>Normal operating notification; no action required.<br>
If this error persists after a system restart, ensure all Windows updates have full installed.</td>
</tr>
<tr>
<td>20</td>
<td>Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```.</td>
<td>Internal error.</td>
<td>If this error persists after a system restart, ensure all Windows updates have full installed.</td>
</tr>
<tr>
<td>25</td>
<td>Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>26</td>
<td>Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly.<br>
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>27</td>
<td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).<br>
Ensure real-time antimalware protection is running properly.</td>
</tr>
<tr>
<td>28</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>30</td>
<td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
Ensure real-time antimalware protection is running properly.</td>
</tr>
<tr>
<td>31</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.</td>
<td>[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).</td>
</tr>
<tr>
<td>32</td>
<td>Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1</td>
<td>An error occurred during offboarding.</td>
<td>Reboot the machine.</td>
</tr>
<tr>
<td>33</td>
<td>Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.</td>
<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
If the identifier does not persist, the same machine might appear twice in the portal.</td>
<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
</tr>
<tr>
<td>34</td>
<td>Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>35</td>
<td>Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```.</td>
<td>An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
</td>
<td>Check for errors with the Windows diagnostic data service.</td>
</tr>
<tr>
<td>36</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.</td>
<td>Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>37</td>
<td>Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.</td>
<td>The machine has almost used its allocated quota of the current 24-hour window. Its about to be throttled.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>38</td>
<td>Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
<td>The machine is using a metered/paid network and will be contacting the server less frequently.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>39</td>
<td>Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
<td>The machine is not using a metered/paid connection and will contact the server as usual.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>40</td>
<td>Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
<td>The machine has low battery level and will contact the server less frequently.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>41</td>
<td>Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
<td>The machine doesnt have low battery level and will contact the server as usual.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>42</td>
<td>Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4</td>
<td>Internal error. The service failed to start.</td>
<td>If this error persists, contact Support.</td>
</tr>
<tr>
<td>43</td>
<td>Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5</td>
<td>Internal error. The service failed to start.</td>
<td>If this error persists, contact Support.</td>
</tr>
<tr>
<td>44</td>
<td>Offboarding of Windows Defender Advanced Threat Protection service completed.</td>
<td>The service was offboarded.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>45</td>
<td>Failed to register and to start the event trace session [%1]. Error code: %2</td>
<td>An error occurred on service startup while creating ETW session. This caused service start-up failure.</td>
<td>If this error persists, contact Support.</td>
</tr>
<tr>
<td>46</td>
<td>Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.</td>
<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started.</td>
<td>Normal operating notification; no action required. The service will try to start the session every minute.</td>
</tr>
<tr>
<td>47</td>
<td>Successfully registered and started the event trace session - recovered after previous failed attempts.</td>
<td>This event follows the previous event after successfully starting of the ETW session.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>48</td>
<td>Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.</td>
<td>Failed to add a provider to ETW session. As a result, the provider events arent reported.</td>
<td>Check the error code. If the error persists contact Support.</td>
</tr>
</tr>
</tbody>
</table>
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

159
windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,159 @@
---
title: Experiment with custom threat intelligence alerts
description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API.
keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 11/09/2017
---
# Experiment with custom threat intelligence (TI) alerts
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-experimentcustomti-abovefoldlink)
With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.
For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md).
This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
You'll be guided through sample steps so you can experience how the threat intelligence API feature works. Sample steps include creating alerts definitions and indicators of compromise (IOCs), and examples of how triggered custom TI alerts look like.
## Step 1: Enable the threat intelligence API and obtain authentication details
To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
This step is required to generate security credentials that you need to use while working with the API.
## Step 2: Create a sample alert definition and IOCs
This step will guide you in creating an alert definition and an IOC for a malicious IP.
1. Open a Windows PowerShell ISE.
2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert.
NOTE:
Make sure you replace the authUrl, clientId, and clientSecret values with your details which you saved in when you enabled the threat intelligence application.
~~~~
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'
Try
{
$tokenPayload = @{
"resource" = 'https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}
"Fetching an access token"
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
"Token fetched successfully"
$headers = @{
"Content-Type" = "application/json"
"Accept" = "application/json"
"Authorization" = "Bearer {0}" -f $token }
$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
$alertDefinitionPayload = @{
"Name" = "Test Alert"
"Severity" = "Medium"
"InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
"Title" = "Test alert."
"UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
"RecommendedAction" = "No recommended action for this test alert."
"Category" = "SuspiciousNetworkTraffic"
"Enabled" = "true"}
"Creating an Alert Definition"
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
"Alert Definition created successfully"
$alertDefinitionId = $alertDefinition.Id
$iocPayload = @{
"Type"="IpAddress"
"Value"="52.184.197.12"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
"Creating an Indicator of Compromise"
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
"Indicator of Compromise created successfully"
"All done!"
}
Catch
{
"Something went wrong! Got the following exception message: {0}" -f $_.Exception.Message
}
~~~~
3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.
![Image of the script running](images/atp-running-script.png)
NOTE:<br>
If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script:
~~~~
$webclient=New-Object System.Net.WebClient
$creds=Get-Credential
$webclient.Proxy.Credentials=$creds
~~~~
## Step 3: Simulate a custom TI alert
This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert.
1. Open a Windows PowerShell ISE in the machine you onboarded to Windows Defender ATP.
2. Type `Invoke-WebRequest 52.184.197.12` in the editor and click **Run**. This call will generate a network communication event to a Microsoft's dedicated demo server that will raise an alert based on the custom alert definition.
![Image of editor with command to Invoke-WebRequest](images/atp-simulate-custom-ti.png)
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
2. Log in with your Windows Defender ATP credentials.
3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.
![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png)
> [!NOTE]
> There is a latency time of approximately 20 minutes between the the time a custom TI is introduced and when it becomes effective.
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)

104
windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,104 @@
---
title: Use the Windows Defender Advanced Threat Protection exposed APIs
description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/23/2017
---
# Use the Windows Defender ATP exposed APIs
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, youll need to take the following steps to use the APIs:
- Create an app
- Get an access token
- Run queries on the graph API
### Before you begin
Before using the APIs, youll need to create an app that youll use to authenticate against the graph. Youll need to create a native app to use for the adhoc queries.
## Create an app
1. Log on to [Azure](https://portal.azure.com).
2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png)
3. In the Create window, enter the following information then click **Create**.
![Image of Create application window](images/atp-azure-create.png)
- **Name:** WinATPGraph
- **Application type:** Native
- **Redirect URI:** `https://localhost`
4. Navigate and select the newly created application.
![Image of new app in Azure](images/atp-azure-atp-app.png)
5. Click **All settings** > **Required permissions** > **Add**.
![Image of All settings, then required permissions](images/atp-azure-required-permissions.png)
6. Click **Select an API** > **Microsoft Graph**, then click **Select**.
![Image of API access and API selection](images/atp-azure-api-access.png)
7. Click **Select permissions** and select **Sign in and read user profile** then click **Select**.
![Image of select permissions](images/atp-azure-select-permissions.png)
You can now use the code snippets in the following sections to query the API using the created app ID.
## Get an access token
1. Get the Client ID from the application you created.
2. Use the **Client ID**. For example:
```
private const string authority = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
private const string resourceId = "https://graph.microsoft.com";
private const string clientId = "{YOUR CLIENT ID/APP ID HERE}";
private const string redirect = "https://localhost";
HttpClient client = new HttpClient();
AuthenticationContext auth = new AuthenticationContext(authority);
var token = auth.AcquireTokenAsync(resourceId, clientId, new Uri(redirect), new PlatformParameters(PromptBehavior.Auto)).Result;
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(token.AccessTokenType, token.AccessToken);
```
## Query the graph
Once the bearer token is retrieved, you can easily invoke the graph APIs. For example:
```
client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
// sample endpoint
string ep = @"https://graph.microsoft.com/{VERSION}/alerts?$top=5";
HttpResponseMessage response = client.GetAsync(ep).Result;
string resp = response.Content.ReadAsStringAsync().Result;
Console.WriteLine($"response for: {ep} \r\n {resp}");
```
## Related topics
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)

79
windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Find machine information by interal IP API
description: Use this API to create calls related to finding a machine entry around a specific timestamp by FQDN or interal IP.
keywords: apis, graph api, supported apis, find machine, machine information, IP
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Find machine information by interal IP API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Find a machine entity around a specific timestamp by FQDN or internal IP.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine exists - 200 OK.
If no machine found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp={time},key={IP/FQDN})
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
"computerDnsName": "",
"firstSeen": "2017-07-06T01:25:04.9480498Z",
"osPlatform": "Windows10",
}
```

84
windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Fix unhealthy sensors in Windows Defender ATP
description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/23/2017
---
# Fix unhealthy sensors in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)
Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
## Inactive machines
An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause a machine to be categorized as inactive:
**Machine is not in use**</br>
If the machine has not been in use for more than 7 days for any reason, it will remain in an Inactive status in the portal.
**Machine was reinstalled or renamed**</br>
A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an Inactive status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
**Machine was offboarded**</br>
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
Do you expect a machine to be in Active status? [Open a support ticket ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
## Misconfigured machines
Misconfigured machines can further be classified to:
- Impaired communications
- No sensor data
### Impaired communications
This status indicates that there's limited communication between the machine and the service.
The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
### No sensor data
A misconfigured machine with status No sensor data has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured machine with status No sensor data:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)</br>
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)</br>
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
## Related topic
- [Check sensor health state in Windows Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md)

47
windows/security/threat-protection/windows-defender-atp/general-settings-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,47 @@
---
title: Update general Windows Defender Advanced Threat Protection settings
description: Update your general Windows Defender Advanced Threat Protection settings such as data retention or industry after onboarding.
keywords: general settings, settings, update settings
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
---
# Update general Windows Defender ATP settings
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-gensettings-abovefoldlink)
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
1. In the navigation pane, select **Preferences setup** > **General**.
2. Modify settings such as data retention policy or the industry that best describes your organization.
> [!NOTE]
> Other settings are not editable.
3. Click **Save preferences**.
## Related topics
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
- [Create and build Power BI reports](powerbi-reports-windows-defender-advanced-threat-protection.md)

75
windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Get actor information API
description: Retrieves an actor information report.
keywords: apis, graph api, supported apis, get, actor, information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get actor information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves an actor information report.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and actor exists - 200 OK.
If actor does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```

84
windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,84 @@
---
title: Get actor related alerts API
description: Retrieves all alerts related to a given actor.
keywords: apis, graph api, supported apis, get, actor, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get actor related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves all alerts related to a given actor.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/actor/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If actor does not exist or no related alerts - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/actors/zinc/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 3,
"value": [
{
"id": "636390437845006321_-1646055784",
"severity": "Medium",
"status": "Resolved",
"description": "Malware associated with ZINC has been detected.",
"recommendedAction": "1.\tContact your incident response team.",
"alertCreationTime": "2017-08-23T00:09:43.9057955Z",
"category": "Malware",
"title": "Malware associated with the activity group ZINC was discovered",
}
```

80
windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Get alert information by ID API
description: Retrieves an alert by its ID.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alert information by ID API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves an alert by its ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert exists - 200 OK.
If alert not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts/$entity",
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope.",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```

76
windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Get alert related actor information API
description: Retrieves the actor information related to the specific alert.
keywords: apis, graph api, supported apis, get, alert, actor, information, related
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alert related actor information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves the actor information related to the specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/actor
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and actor exist - 200 OK.
If alert not found or actor not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/actor
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Actors/$entity",
"id": "zinc",
"linkToReport": "link-to-pdf"
}
```

78
windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Get alert related domain information
description: Retrieves all domains related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alert related domain information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves all domains related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/domains
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and domain exist - 200 OK.
If alert not found or domain not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/domains
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Domains",
"value": [
{
"host": "www.example.com"
}
]
}
```

80
windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Get alert related files information
description: Retrieves all files related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related files
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alert related files information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves all files related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/files
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and files exist - 200 OK.
If alert not found or files not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/files
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files",
"value": [
{
"sha1": "121c7060dada38275d7082a4b9dc62641b255c36",
"sha256": "c815e0abb8273ba4ea6ca92d430d9e4d065dbb52877a9ce6a8371e5881bd7a94",
"md5": "776c970dfd92397b3c7d74401c85cd40",
"globalPrevalence": null,
"globalFirstObserved": null,
}
```

80
windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Get alert related IP information
description: Retrieves all IPs related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related ip
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alert related IP information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves all IPs related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/ips
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and an IP exist - 200 OK.
If alert not found or IPs not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/ips
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Ips",
"value": [
{
"id": "104.80.104.128"
},
{
"id": "23.203.232.228
}
```

75
windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Get alert related machine information
description: Retrieves all machines related to a specific alert.
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alert related machine information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves all machines related to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/machine
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and machine exist - 200 OK.
If alert not found or machine not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/machine
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "207575116e44741d2b22b6a81429b3ca4fd34608",
"computerDnsName": "machine1-corp.contoso.com",
"firstSeen": "2015-12-01T11:31:53.7016691Z",
}
```

78
windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Get alert related user information
description: Retrieves the user associated to a specific alert.
keywords: apis, graph api, supported apis, get, alert, information, related, user
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alert related user information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves the user associated to a specific alert.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts/{id}/user
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alert and a user exists - 200 OK.
If alert not found or user not found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts/{id}/user
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4\\DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountSid": null,
"accountName": "DomainPII_aca88e6ed7dc68a69c35019ca947745f3858c868",
"accountDomainName": "UserPII_487a7e2aa8b0a24e429b0be88e5cf5e91be1a8f4",
}
```

83
windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Get alerts API
description: Retrieves top recent alerts.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves top recent alerts.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and alerts exists - 200 OK.
If no recent alerts found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/alerts?$skip=5000",
"value": [
{
"id": "636396039176847743_89954699",
"severity": "Informational",
"status": "New",
"description": "Readily available tools, such as commercial spyware, monitoring software, and hacking programs",
"recommendedAction": "Collect artifacts and determine scope",
"alertCreationTime": "2017-08-29T11:45:17.5754165Z",
}
```

81
windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Get domain related alerts API
description: Retrieves a collection of alerts related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get domain related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of alerts related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and alert exists - 200 OK.
If domain or alert does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

79
windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Get domain related machines API
description: Retrieves a collection of machines related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get domain related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of machines related to a given domain address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain and machine exists - 200 OK.
If domain or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

76
windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Get domain statistics API
description: Retrieves the prevalence for the given domain.
keywords: apis, graph api, supported apis, get, domain, domain related machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get domain statistics API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves the prevalence for the given domain.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/domains/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/domains/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.graph.InOrgDomainStats",
"host": "example.com",
"orgPrevalence": "4070",
"orgFirstSeen": "2017-07-30T13:23:48Z",
"orgLastSeen": "2017-08-29T13:09:05Z"
}
```

78
windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,78 @@
---
title: Get file information API
description: Retrieves a file by identifier Sha1, Sha256, or MD5.
keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get file information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a file by identifier Sha1, Sha256, or MD5.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Files/$entity",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"sha256": "34fcb083cd01b1bd89fc467fd3c2cd292de92f915a5cb43a36edaed39ce2689a",
"md5": "d387a06cd4bf5fcc1b50c3882f41a44e",
"globalPrevalence": 40790196,
}
```

81
windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Get file related alerts API
description: Retrieves a collection of alerts related to a given file hash.
keywords: apis, graph api, supported apis, get, file, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get file related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of alerts related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and alert exists - 200 OK.
If file or alerts do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

79
windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Get file related machines API
description: Retrieves a collection of machines related to a given file hash.
keywords: apis, graph api, supported apis, get, machines, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get file related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of machines related to a given file hash.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file and machines exists - 200 OK.
If file or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

80
windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Get file statistics API
description: Retrieves the prevalence for the given file.
keywords: apis, graph api, supported apis, get, file, statistics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get file statistics API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves the prevalence for the given file.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/files/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and file exists - 200 OK.
If file do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/files/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "adae3732709d2178c8895c9be39c445b5e76d587",
"orgPrevalence": "106398",
"orgFirstSeen": "2017-07-30T13:29:50Z",
"orgLastSeen": "2017-08-29T13:29:31Z",
"topFileNames": [
"chrome.exe",
"old_chrome.exe"
]
}
```

115
windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,115 @@
---
title: Get FileActions collection API
description: Use this API to create calls related to get fileactions collection
keywords: apis, graph api, supported apis, get, file, information, fileactions collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get FileActions collection API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/fileactions
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a collection of FileAction objects.
>[!NOTE]
>Although Block and Unblock actions are under FileAction category, this API only returns the Block actions on files that are currently blocked. For example, a file that is blocked and then unblocked will not be seen on this API.
## Example
Request
Here is an example of the request on an organization that has three FileActions.
```
GET https://graph.microsoft.com/testwdatppreview/fileactions
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileActions",
"value": [
{
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
},
{
"fileIdentifier": "df708f0107c7cc75ba2e5aaadc88b8bcfa01071d",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T11:16:19.9209438Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "1316",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T11:16:19.9209438Z"
},
{
"fileIdentifier": "f5bc0981641c8a1fb3ef03e4bf574d8adf7134cf",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T10:57:02.2430564Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test 1256 2017.11.05",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T10:57:02.2430564Z"
}
]
}
```

87
windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,87 @@
---
title: Get FileMachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, filemachineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get FileMachineAction object API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Gets file and machine actions.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/filemachineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *FileMachineAction* object.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions/3dc88ce3-dd0c-40f7-93fc-8bd14317aab6
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions/$entity",
"id": "3dc88ce3-dd0c-40f7-93fc-8bd14317aab6",
"sha1": "8908b4441a2cd7285fe9c82917f69041cd467cf7",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": "1104",
"status": "Succeeded",
"fileId": "8908b4441a2cd7285fe9c82917f69041cd467cf7",
"machineId": "61a2d326d2190d048950406b54af23416118094a",
"creationDateTimeUtc": "2017-09-06T08:04:06.1994034Z",
"lastUpdateDateTimeUtc": "2017-09-06T08:05:46.9200942Z",
"fileInstances": [
{
"filePath": "C:\\tools\\PE\\7f06a650-040b-4774-bb39-5264ea9e93fa.exe",
"status": "Succeeded"
}
]
}
```

174
windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,174 @@
---
title: Get FileMachineActions collection API
description: Use this API to create calls related to get filemachineactions collection
keywords: apis, graph api, supported apis, filemachineactions collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get FileMachineActions collection API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/filemachineactions
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a collection of FileMachineAction objects since the Retention policy time of the organization.
## Example 1
Request
Here is an example of the request on an organization that has three FileMachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileActions",
"value": [
{
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-12-04T13:06:23.4502191Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-12-04T13:06:23.4502191Z"
},
{
"fileIdentifier": "df708f0107c7cc75ba2e5aaadc88b8bcfa01071d",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T11:16:19.9209438Z",
"requestor": "Analyst@contoso.com ",
"requestorComment": "1316",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T11:16:19.9209438Z"
},
{
"fileIdentifier": "f5bc0981641c8a1fb3ef03e4bf574d8adf7134cf",
"fileIdentifierType": "Sha1",
"actionType": "Block",
"fileStatus": "Blocked",
"creationDateTimeUtc": "2017-11-05T10:57:02.2430564Z",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test 1256 2017.11.05",
"cancellationDateTimeUtc": null,
"cancellationRequestor": null,
"cancellationComment": null,
"lastUpdateDateTimeUtc": "2017-11-05T10:57:02.2430564Z"
}
]
}
```
##Example 2
Request
Here is an example of a request that filters the FileMachineActions by machine ID and shows the latest two FileMachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/filemachineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
```
Response
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#FileMachineActions",
"value": [
{
"id": "6f1d364c-680c-499a-b30c-dd9265ad4c9d",
"sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"fileId": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T13:13:26.2106524Z",
"lastUpdateDateTimeUtc": "2017-12-04T13:15:07.1639963Z",
"fileInstances": [
{
"filePath": "C:\\Users\\ testUser \\Downloads\\elma.exe",
"status": "Succeeded"
},
{
"filePath": "C:\\Users\\ testUser \\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\elma (2).exe.xc9q785.partial",
"status": "Succeeded"
},
]
},
{
"id": "c083f601-012f-4955-b4cc-fab50fb69d79",
"sha1": "8d25682b3a82af25b42dc90291c35ff3293daa68",
"type": "RequestSample",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"fileId": "8d25682b3a82af25b42dc90291c35ff3293daa68",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T13:39:24.9399004Z",
"lastUpdateDateTimeUtc": "2017-12-04T13:40:01.1094743Z",
"fileInstances": [
{
"filePath": "C:\\Windows\\System32\\conhost.exe",
"status": "Succeeded"
}
]
}
]
}
```

81
windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Get IP related alerts API
description: Retrieves a collection of alerts related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get IP related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and alert exists - 200 OK.
If IP and alerts do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

72
windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Get IP related machines API
description: Retrieves a collection of machines related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get IP related machines API
Retrieves a collection of alerts related to a given IP address.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and machines exists - 200 OK.
If IP or machines do not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

76
windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,76 @@
---
title: Get IP statistics API
description: Retrieves the prevalence for the given IP.
keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get IP statistics API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves the prevalence for the given IP.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/ips/{id}/stats
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and IP and domain exists - 200 OK.
If domain does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/ips/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "192.168.1.1",
"orgPrevalence": "63515",
"orgFirstSeen": "2017-07-30T13:36:06Z",
"orgLastSeen": "2017-08-29T13:32:59Z"
}
```

79
windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Get machine by ID API
description: Retrieves a machine entity by ID.
keywords: apis, graph api, supported apis, get, machines, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get machine by ID API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a machine entity by ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine exists - 200 OK.
If no machine found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines/$entity",
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```

79
windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Get machine log on users API
description: Retrieves a collection of logged on users.
keywords: apis, graph api, supported apis, get, machine, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get machine log on users API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of logged on users.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/logonusers
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and user exist - 200 OK.
If no machine found or no users found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/logonusers
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users",
"value": [
{
"id": "m",
"accountSid": null,
"accountName": "",
"accountDomainName": "northamerica",
}
```

80
windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Get machine related alerts API
description: Retrieves a collection of alerts related to a given machine ID.
keywords: apis, graph api, supported apis, get, machines, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get machine related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of alerts related to a given machine ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machine and alert exists - 200 OK.
If no machine or no alerts found - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 1,
"value": [
{
"id": "636396066728379047_-395412459",
"severity": "Medium",
"status": "New",
"description": "A reverse shell created from PowerShell was detected. A reverse shell allows an attacker to access the compromised machine without authenticating.",
}
```

80
windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,80 @@
---
title: Get MachineAction object API
description: Use this API to create calls related to get machineaction object
keywords: apis, graph api, supported apis, machineaction object
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get MachineAction object API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Get actions done on a machine.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/machineactions/{id}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with the *MachineAction* object.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions/$entity",
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
}
```

154
windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,154 @@
---
title: Get MachineActions collection API
description: Use this API to create calls related to get machineactions collection
keywords: apis, graph api, supported apis, machineaction collection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get MachineActions collection API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
GET /testwdatppreview/machineactions
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with a collection of MachineAction objects since the Retention policy time of the organization.
## Example 1
Request
Here is an example of the request on an organization that has three MachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z"
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
},
{
"id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
"type": "UnrestrictCodeExecution",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:15:40.6052029Z",
"lastUpdateTimeUtc": "2017-12-04T12:16:14.2899973Z"
}
]
}
```
## Example 2
Request
Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#MachineActions",
"value": [
{
"id": "69dc3630-1ccc-4342-acf3-35286eec741d",
"type": "CollectInvestigationPackage",
"requestor": "Analyst@contoso.com ",
"requestorComment": "test",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:43:57.2011911Z",
"lastUpdateTimeUtc": "2017-12-04T12:45:25.4049122Z"
},
{
"id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
"type": "RunAntiVirusScan",
"requestor": "Analyst@ contoso.com ",
"requestorComment": "Check machine for viruses due to alert 3212",
"status": "Succeeded",
"error": "None",
"machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
"creationDateTimeUtc": "2017-12-04T12:18:27.1293487Z",
"lastUpdateTimeUtc": "2017-12-04T12:18:57.5511934Z"
}
]
}
```

83
windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,83 @@
---
title: Get machines API
description: Retrieves a collection of recently seen machines.
keywords: apis, graph api, supported apis, get, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of recently seen machines.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and machines exists - 200 OK.
If no recent machines - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"@odata.count": 5000,
"@odata.nextLink": "https://graph.microsoft.com/testwdatppreview/machines?$skip=5000",
"value": [
{
"id": "fadd8a46f4cc722a0391fdee82a7503b9591b3b9",
"computerDnsName": "",
"firstSeen": "2015-03-15T00:18:20.6588778Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
}
```

75
windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,75 @@
---
title: Get package SAS URI API
description: Use this API to get a URI that allows downloading an investigation package.
keywords: apis, graph api, supported apis, get package, sas, uri
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get package SAS URI API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Get a URI that allows downloading of an investigation package.
## Permissions
Users need to have Security administrator or Global admin directory roles.
## HTTP request
```
POST /testwdatppreview/machineactions/{id}/getPackageUri
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content-Type | application/json
## Request body
Empty
## Response
If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
```
Response
Here is an example of the response.
```
HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
}
```

77
windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Get user information API
description: Retrieve a User entity by key such as user name or domain.
keywords: apis, graph api, supported apis, get, user, user information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get user information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieve a User entity by key (user name or domain\user).
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Users/$entity",
"id": "",
"accountSid": null,
"accountName": "",
"accountDomainName": "",
}
```

81
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,81 @@
---
title: Get user related alerts API
description: Retrieves a collection of alerts related to a given user ID.
keywords: apis, graph api, supported apis, get, user, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get user related alerts API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of alerts related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/alerts
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and alert exists - 200 OK.
If user does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/alerts
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Alerts",
"@odata.count": 9,
"value": [
{
"id": "636396023170943366_-36088267",
"severity": "Medium",
"status": "New",
"description": "Built-in Microsoft command-line utility Regsvr32.exe executes a suspicious script that leads to malicious actions. The commands trigger additional downloads and execution of uncommon executable (PE) files or scripts. There are rare cases where this is tied to legitimate behavior.",
"recommendedAction": "Update AV signatures and run a full scan.",
}
```

79
windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Get user related machines API
description: Retrieves a collection of machines related to a given user ID.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 12/08/2017
---
# Get user related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of machines related to a given user ID.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/users/{id}/machines
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and user and machine exists - 200 OK.
If user or machine does not exist - 404 Not Found.
## Example
Request
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/users/{id}/machines
Content-type: application/json
```
Response
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines",
"value": [
{
"id": "0a3250e0693a109f1affc9217be9459028aa8426",
"computerDnsName": "ComputerPII_4aa5f8f4509b90675a13183742f1b1ad67cf62b0.DomainPII_23208d0fe863968308c0c8e67dc0004bd1257631",
"firstSeen": "2017-07-05T08:21:00.0572159Z",
"osPlatform": "Windows10",
}
```

BIN
windows/security/threat-protection/windows-defender-atp/images/1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 430 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/active-threat-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 813 B

BIN
windows/security/threat-protection/windows-defender-atp/images/alert-details.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 105 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/alert-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 831 B

BIN
windows/security/threat-protection/windows-defender-atp/images/alerts-q-bulk.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/alerts-queue-numbered.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 201 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/analysis-results.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 281 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-Application-Guard-events-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 971 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-Device-Guard-events-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 803 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-ETW-event-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-Exploit-Guard-events-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 880 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-File-path-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 751 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-Firewall-events-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 905 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-O365-admin-portal-customer.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 167 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-Other-events-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 972 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-Smart-Screen-events-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 888 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-access-token-modification-icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 897 B

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-action-block-file.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-action-center-app-restriction.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-action-center-package-collection.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-action-center-restrict-app.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-action-center.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-collect-investigation-package.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-isolate-machine.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-manage-tags.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isolation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-release-from-isoloation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-remove-app-restrictions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-restrict-app-execution.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actions-run-av.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actor-alert.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 432 KiB

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-actor-report.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 185 KiB

Some files were not shown because too many files have changed in this diff Show More