Updates from: 07/28/2021 03:11:27
Category Microsoft Docs article Related commit history on GitHub Change details
admin Let Users Reset Passwords https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/let-users-reset-passwords.md
These steps turn on self-service password reset for everyone in your business.
4. Under **Self-service password reset**, select **Go to the Azure portal to turn on self-service password reset**.
-5. In the left navigation pane, select **Users**, and then, on the **Users | All users** page, select **Password reset**.
+5. On the **Properties** page, select **All** to enable it for everyone in your business, and then select **Save**.
-6. On the **Properties** page, select **All** to enable it for everyone in your business, and then select **Save**.
-
-7. When your users sign in, they will be prompted to enter additional contact information that will help them reset their password in the future.
+6. When your users sign in, they will be prompted to enter additional contact information that will help them reset their password in the future.
## Related content
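Review bot: removing old step 5 (the **Users** > **Password reset** navigation) leaves a gap between new step 4, which only sends the admin to the Azure portal, and new step 5, which assumes they are already on the **Properties** page. Either confirm that the **Go to the Azure portal to turn on self-service password reset** link lands directly on the password reset **Properties** blade, or fold a short navigation clause into step 5 (for example "On the **Password reset | Properties** page, select **All** ..."). The blank line that separated the old steps is also dropped here; keep the list spacing consistent with the earlier steps.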
compliance App Governance App Policies Create https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-create.md
Title: "Create app policies" f1.keywords: - NOCSH--++ audience: Admin
Here are the available conditions for a custom app policy.
|Condition | Condition values accepted | More information | |:-|:--|:-| | App registration age | Within last X days | |
-| App certification | Basic compliance, MCAS Compliance, or N/A | [Microsoft 365 Certification](https://docs.microsoft.com/microsoft-365-app-certification/docs/enterprise-app-certification-guide) |
+| M365 certification | Basic compliance, MCAS Compliance, or N/A | [Microsoft 365 Certification](https://docs.microsoft.com/microsoft-365-app-certification/docs/enterprise-app-certification-guide) |
| Publisher verification | Yes or No | [Publisher Verification](https://docs.microsoft.com/azure/active-directory/develop/publisher-verification-overview) | | Application Permission | Select one or more API permission from list | [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) | | Delegated Permission | Select one or more API permission from list | [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) |
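Review bot: the renamed row label **M365 certification** does not match the link text **Microsoft 365 Certification** in the same row, and the rest of the page spells the product name out; use "Microsoft 365 certification" for consistency. While touching this row, the accepted values mix casing ("Basic compliance" vs "MCAS Compliance"); pick one.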
compliance App Governance App Policies Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-get-started.md
Title: "Get started with app policies" f1.keywords: - NOCSH--++ audience: Admin
description: "Get started with Learn about app policies."
App policies for Microsoft app governance are the way that you can implement more proactive or reactive conditions to create alerts or automatic remediation for your specific needs for app compliance in your organization.
-To see the list of current app policies, go to **Microsoft 365 Compliance Center > App protection & governance > Policies**.
+To see the list of current app policies, go to **Microsoft 365 Compliance Center > App governance > Policies**.
![The MAPG policies summary page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-policies.png)
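Review bot: the navigation path is updated to **App governance > Policies**, but the image alt text on the following line still says "The MAPG policies summary page". MAPG is not a name the reader sees anywhere on the rendered page, so update the alt text to "The app governance policies summary page" in the same change; the other app governance pages in this batch use the same MAPG alt text and need the same fix.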
compliance App Governance App Policies Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-manage.md
Title: "Manage app policies" f1.keywords: - NOCSH--++ audience: Admin
compliance App Governance App Policies Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-app-policies-overview.md
Title: "Learn about app policies" f1.keywords: - NOCSH--++ audience: Admin
compliance App Governance Detect Remediate Detect Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-detect-remediate-detect-threats.md
Title: "Remediate app threats" f1.keywords: - NOCSH--++ audience: Admin
compliance App Governance Detect Remediate Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-detect-remediate-get-started.md
Title: "Get started with app threat detection and remediation" f1.keywords: - NOCSH--++ audience: Admin
compliance App Governance Detect Remediate Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-detect-remediate-overview.md
Title: "Learn about app threat detection and remediation" f1.keywords: - NOCSH--++ audience: Admin
compliance App Governance Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-get-started.md
Title: "Get Started with app governance"
f1.keywords: - NOCSH -+ audience: Admin
description: "Get started with app governance capabilities to govern your apps."
To begin using the app governance add-on to Microsoft Cloud App Security:
-1. Verify your account has the appropriate level of licensing. App governance is an add-on feature for Microsoft Cloud App Security (MCAS), and thus MCAS must be present in your account as either a standalone product or as part of the various license packages listed below.
-1. You must have one of the administrator roles listed below to access the app governance pages in the portal.
+1. Verify your account has the [appropriate level of licensing](#licensing-for-app-governance). App governance is an add-on feature for Microsoft Cloud App Security (MCAS), and thus MCAS must be present in your account as either a standalone product or as part of the various license packages listed below.
+1. You must have one of the [administrator roles](#administrator-roles) listed below to access the app governance pages in the portal.
1. Your organization's tenant registration must be within one of the [supported areas of North America, Europe, or Africa](app-governance-countries.md).
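Review bot: the new in-page links point at #licensing-for-app-governance and #administrator-roles, and both headings exist later in this file, so the anchors resolve. The phrase "listed below" now sits next to a link that already says where to look, so it can be dropped from both items ("as part of one of the license packages", "one of the administrator roles to access"). Minor: "Verify your account has" should be "Verify that your account has".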
+## Add app governance to your Microsoft 365 account
+
+For new Microsoft 365 customers:
+
+1. At the top of this page, click the **Free Account** button.
+1. Under **Try Microsoft 365 for business** click **Try 1 month free**.
+1. Complete the steps for the sign-up.
+
+For existing Microsoft 365 customers:
+
+1. In your Microsoft 365 admin center, navigate to **Billing** > **Purchase services** and click **Add-ons**. Use the search bar to locate **app governance**.
+1. In the app governance card, clickΓÇ»**Details**.
+1. ClickΓÇ»**Activate Start free trial**.
+
+## Add integration with MCAS
+
+Pre requisites:
+
+- Office 365 is connected in Cloud App Security
+- Office 365 Azure AD apps are enabled
+
+To enable app governance sync with Cloud App Security follow these steps:
+
+1. Go to your Microsoft Cloud App Security portal ΓÇô [https://portal.cloudappsecurity.com](https://portal.cloudappsecurity.com)
+1. Click the gear icon (top right corner) and select **Settings**.
+1. Under **Threat Protection**, select **App Governance**.
+1. Click **Enable App Governance integration**, and then select **Save**.
+
+Next, review newly enabled policies in MCAS. The new policies might take few minutes to appear once integration is enabled.
+
+- Microsoft 365 OAuth app Reputation
+- Microsoft 365 OAuth Phishing Detection
+- Microsoft 365 OAuth App Governance
+- Review App Governance widget in MCAS dashboard
+- Review newly generated App Governance alerts in MCAS alerts
+- Review MCAS M365 OAuth policies in App Governance policy list
+- Review newly generated  MCAS M365 OAuth alerts  in App Governance alerts
+ ## Licensing for app governance Before you get started with app governance, you should confirm your [Microsoft 365 admin center - subscriptions](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/subscriptions) and any add-ons. To access and use app governance, your organization must have one of the following subscriptions or add-ons:
Before you get started with app governance, you should confirm your [Microsoft 3
## Administrator roles
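Review bot: several encoding and structure problems in the new sign-up and integration sections. The **Details** and **Activate Start free trial** steps contain a mis-encoded non-breaking space (shown here as ΓÇ») after "Click"; use a plain space, and check whether "Activate Start free trial" is one button label or two labels merged into one. The MCAS portal step has the same problem with an en dash (ΓÇô). "Pre requisites" should be "Prerequisites", and "might take few minutes" should be "might take a few minutes". The bulleted list after "review newly enabled policies" mixes three policy names with four review tasks; split it into a list of policies and a separate list of things to review. Finally, the **## Licensing for app governance** heading is run onto the same line as its paragraph; it needs its own line with a blank line after it, and that paragraph duplicates the unchanged "Before you get started with app governance..." line that follows it.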
+> [!NOTE]
+> Only Global Admin role can activate the app governance free trial.
+ One of the following administrator roles is required to see app governance pages or manage policies and settings: - Application Administrator
Here are the capabilities for each role.
For additional information about each role, see [Administrator role permissions](/azure/active-directory/roles/permissions-reference).
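Review bot: the new note reads "Only Global Admin role can activate"; write "Only the Global Administrator role can activate the app governance free trial" to match the role names used in the capabilities table and the **Administrator role permissions** link. The added line "One of the following administrator roles is required ... - Application Administrator" has the first list item on the same line as the sentence; put "- Application Administrator" on its own line so the list renders.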
-## Add app governance to your Microsoft 365 account
-
-For existing Microsoft 365 customers:
-
-1. In your [Microsoft 365 admin center](https://admin.microsoft.com), navigate to **Billing - Purchase services** and click **Add-ons**.
-1. In the app governance card, click **Details**.
-1. Click **Start free trial**.
-1. Complete the requested information to add app governance to your selected tenant. I you are a new customer, you must first provide information to establish an account and create a tenant for your trial period. Once this is done you can add app governance to the trial.
-
-For new Microsoft 365 customers:
-
-1. At the top of this page, click the **Free Account** button.
-1. Under **Try Microsoft 365 for business** click **Try 1 month free**.
-
-For both:
-
-1. In the sign-up portal, provide your email address to use for the trial. If you are an existing customer, use the email associated with your account. Click **Next**
-1. Once you have signed in, click **Try now** to get the free trial.
-1. Click **Continue** to close page and begin trial setup. For new app governance customers, it will take up to two hours for your app governance instance to become available. For existing customers, there will be no interruption of existing services.
-
- > [!NOTE]
- If you do not already have an account you will be prompted to set up a new account before you can proceed with the trial.
-
-1. Enter in an available domain name for your AAD tenant and click **Check availability**. You will automatically be assigned an Admin role (if you donΓÇÖt have an existing role for app governance) and can always change the domain name and/or purchase more tenants later through the Microsoft 365 admin center.
-1. Enter the username and password you would like to use to login to your account. Click **Sign up**.
-1. Click **Get started** to go to the app governance portal or **Manage your subscription** to go to the Microsoft 365 admin center.
-
-## Add integration with MCAS
-
-Pre requisites:
--- Office 365 is connected in Cloud App Security-- Office 365 Azure AD apps are enabled-
-To enable app governance sync with Cloud App Security follow these steps:
-
-1. Go to your Microsoft Cloud App Security portal ΓÇô [https://portal.cloudappsecurity.com](https://portal.cloudappsecurity.com)
-1. Click the gear icon (top right corner) and select **Settings**.
-1. Under **Threat Protection**, select **App Governance**.
-1. Click **Enable App Governance integration**, and then select **Save**.
-
-Next, review newly enabled policies in MCAS. The new policies might take few minutes to appear once integration is enabled.
--- Microsoft 365 OAuth app Reputation-- Microsoft 365 OAuth Phishing Detection-- Microsoft 365 OAuth App Governance-- Review App Governance widget in MCAS dashboard-- Review newly generated App Governance alerts in MCAS alerts-- Review MCAS M365 OAuth policies in App Governance policy list-- Review newly generated  MCAS M365 OAuth alerts  in App Governance alerts- ## Canceling your trial If you did not participate in private preview and would like to cancel your trial of app governance, you can communicate with your CXE contact, or use these steps:
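Review bot: this removal drops content that the new version above does not carry over, and that should be a deliberate decision: the "For both" sign-up steps (email, **Try now**, **Continue**, domain name and credentials), the note that a new account is required before the trial, and the statement that a new app governance instance takes up to two hours to become available. The new "For new Microsoft 365 customers" list ends at "Complete the steps for the sign-up", so the two-hour expectation is now lost. The last removed line also deletes the **## Canceling your trial** heading and its intro sentence; confirm that the cancellation steps that followed it are removed as well or still have a heading, otherwise they are orphaned under **Add integration with MCAS**.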
compliance App Governance Manage App Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-manage-app-governance.md
Title: "App governance in Microsoft 365" f1.keywords: - NOCSH--++ audience: Admin
description: "Implement Microsoft app governance capabilities to govern your app
>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).*
+> [!NOTE]
+> To sign up for app governance, see [Get started with app governance (in preview)](app-governance-get-started.md).
+ Cyberattacks have become increasingly sophisticated in the ways they exploit the apps you have deployed in your on-premises and cloud infrastructures, establishing a starting point for privilege escalation, lateral movement, and exfiltration of your data. To understand the potential risks and stop these types of attacks, you need to gain clear visibility into your organization’s app compliance posture to quickly identify when an app exhibits anomalous behaviors and to respond when these behaviors present risks to your environment, data, and users. The app governance add-on feature to Microsoft Cloud App Security is a security and policy management capability designed for OAuth-enabled apps that access Microsoft 365 data through Microsoft Graph APIs. App governance delivers full visibility, remediation, and governance into how these apps and their users access, use, and share your sensitive data stored in Microsoft 365 through actionable insights and automated policy alerts and actions.
App governance provides you with comprehensive:
App governance is a platform-based solution that is an integral part of the Microsoft 365 app ecosystem. App governance oversees and governs OAuth-enabled apps that are registered with Azure Active Directory (Azure AD) and access data through the Microsoft Graph API. App governance provides you with application behavior controls to help strengthen the security and compliance posture of your IT infrastructure.
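Review bot: the note's link text "Get started with app governance (in preview)" does not match the target page's title "Get Started with app governance" (the get-started page in this same batch); align the two, and drop "(in preview)" once the preview wording is gone from the rest of the set. The added intro is one very long paragraph starting "Cyberattacks have become..."; break it before "The app governance add-on feature to Microsoft Cloud App Security..." so the threat framing and the product definition are separate paragraphs.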
-<!--
-Unlike other application governance products in the marketplace, MAPG is a platform-based solution that is an integral part of the Microsoft 365 application ecosystem. MAPG's initial focus is on OAuth-enabled apps published to the Microsoft 365 platform that are registered with Azure AD and access data through the Graph API. For the initial release, MAPG does not support other, non-OAuth-enabled M365 apps, add-ins (such as PowerBI), or other app vendor ecosystems such as Google, Facebook, Amazon Web Services, Workplace, and Salesforce. MAPGΓÇÖs focus is on third-party published apps for the Microsoft 365 application platform.
-
-Microsoft allows developers to build cloud applications using Azure Active Directory (Azure AD), MicrosoftΓÇÖs cloud identity platform, and other resources and access to tenant data through the Microsoft Graph. Because of MAPG's visibility, insights, and control capabilities, app developers have the incentive to comply with publisher verification, self-attestation, and Microsoft certification, and can build high-quality productivity apps that are secure and compliant.
>- ## A first glimpse at app governance
-To see the app governance dashboard, go to [https://aka.ms/appgovernance](https://aka.ms/appgovernance). Note that your sign-in account must have one of the [administrator roles](app-governance-get-started.md#administrator-roles) to view any app governance data.
+To see the app governance dashboard, go to [https://compliance.microsoft.com/appgovernance](https://compliance.microsoft.com/appgovernance). Note that your sign-in account must have one of the [administrator roles](app-governance-get-started.md#administrator-roles) to view any app governance data.
## App governance integration with Azure AD and Microsoft Cloud App Security
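Review bot: the removed HTML comment opens with `<!--`, but its closing `-->` shows up fused with the **## A first glimpse at app governance** heading line; make sure the closing delimiter is deleted together with the rest of the comment, otherwise a stray `-->` renders as text. The dashboard URL change from https://aka.ms/appgovernance to https://compliance.microsoft.com/appgovernance is not applied consistently: the visibility-insights-get-started page in this same batch still opens with "the app governance dashboard at https://aka.m..." and should use the same URL as this page.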
compliance App Governance Visibility Insights Compliance Posture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-compliance-posture.md
Title: "Determine your app compliance posture" f1.keywords: - NOCSH--++ audience: Admin
compliance App Governance Visibility Insights Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-get-started.md
Title: "Get started with visibility and insights" f1.keywords: - NOCSH--++ audience: Admin
The first place to get started is the app governance dashboard at [https://aka.m
![The app governance overview page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-overview.png)
-You can also access the app governance dashboard from **Office 365 admin center > Microsoft 365 Compliance Center > App governance > Overview page**.
+You can also access the app governance dashboard from **Office 365 > Microsoft 365 Compliance Center > App governance > Overview page**.
## WhatΓÇÖs available on the dashboard The dashboard contains a summary of the components of the Microsoft 365 app ecosystem in the tenant: - **Tenant summary**: The count of key app and alert categories.-- **Detection and policy alerts**: The most recent active alerts in the tenant-- **Data and resources access**: Aggregate application API access and overall usage of top resources in the tenant. Mouse over each month column in the graph to see the corresponding value.
+- **Top alerts**: The 10 most recent active alerts in the tenant
+- **Data and resources access**: Mouse over each month column in the graph to see the corresponding value.
+ - **Data access over the last four months**: Tracks total data accessed by all apps in the tenant through Graph API over the last four calendar months. Currently only includes Mail and File upload/download usage.
+ - **Top resources data access over the last four months**: Data usage over the last four calendar months, broken down by resource type. Currently only includes Mail and File upload/download usage
- **Improve your app protection and governance**: Recommended actions such as creating an app usage or permissions policy. - **Top apps by categories**: The top apps sorted by these categories:
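Review bot: the changed breadcrumb "**Office 365 > Microsoft 365 Compliance Center > App governance > Overview page**" starts from "Office 365", which is not a portal name; the earlier text had "Office 365 admin center", and the other pages in this batch simply say "Microsoft 365 Compliance Center > App governance > ...". Use that shorter form. In the dashboard list, the new **Top alerts** item says "The 10 most recent active alerts" where the removed **Detection and policy alerts** item said "The most recent active alerts"; fine if the count is right, but the item is missing its terminating period, as is "Top resources data access over the last four months ... File upload/download usage", while the sibling items end with one. The "WhatΓÇÖs available on the dashboard" heading also carries a mis-encoded apostrophe and is run onto the same line as the list that follows it.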
compliance App Governance Visibility Insights Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-overview.md
Title: "Learn about visibility and insights" f1.keywords: - NOCSH--++ audience: Admin
compliance App Governance Visibility Insights View Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-visibility-insights-view-apps.md
Title: "View your apps" f1.keywords: - NOCSH--++ audience: Admin
Microsoft app governance allows you to quickly gain deep insights into the Micro
## Getting a list of all the apps in your tenant
-For a summary of apps in your tenant, go to **Microsoft 365 Compliance Center > App protection & governance > Apps**.
+For a summary of apps in your tenant, go to **Microsoft 365 Compliance Center > App governance > Apps**.
![The MAPG app summary page in the Microsoft 365 Compliance Center](..\media\manage-app-protection-governance\mapg-cc-apps.png)
The app details pane provides additional information on these tabs:
| Tab name | Description | |:-|:--| | Details | See additional data on the app such as the date first consented and the App ID. To see the properties of the app as registered in Azure AD, select **View app in Azure AD**. |
-| Usage | See the data accessed by the app in the tenant, plot the data usage, and show usage by the top \<x> users and users with [priority accounts](/microsoft-365/admin/setup/priority-accounts). |
+| Usage |See the data accessed by the app in the tenant and plot the data usage for Sharepoint and Exchange resources. |
| Users | See a list of users who are using the app, whether they are a priority account, and the amount of data downloaded and uploaded. | | Permissions | See a summary of the permissions granted to and used by the app and the list of specific permissions. See the [Microsoft Graph permissions reference](/graph/permissions-reference) for more information. | |||
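Review bot: in the new **Usage** row, "Sharepoint" should be "SharePoint". The rewrite also removes the only link to [priority accounts](/microsoft-365/admin/setup/priority-accounts) from this table; the **Users** row still says "whether they are a priority account" without a link, so move the link there so the reader can still find the definition. The stray "\<x> users" placeholder was right to remove.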
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Use the following table to help you identify the differences in behavior for the
|Feature or behavior|Label setting: Auto-labeling for files and emails |Policy: Auto-labeling| |:--|:--|:--|
-|App dependency|[Yes](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps) |No \* |
+|App dependency|Yes ([minimum versions](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps)) |No \* |
|Restrict by location|No |Yes | |Conditions: Trainable classifiers|Yes |No | |Conditions: Sharing options and additional options for email|No |Yes |
Also similarly to DLP policy configuration, you can choose whether a condition m
### Configuring trainable classifiers for a label
-This option is currently in preview. If you use this option, make sure you have published in your tenant at least one other sensitivity label that's configured for auto-labeling and the [sensitive info types option](#configuring-sensitive-info-types-for-a-label).
+If you use this option, make sure you have published in your tenant at least one other sensitivity label that's configured for auto-labeling and the [sensitive info types option](#configuring-sensitive-info-types-for-a-label).
When you select the **Trainable classifiers** option, select one or more of the built-in trainable classifiers from Microsoft. If you've created your own custom trainable classifiers, these are also available to select:
When you select the **Trainable classifiers** option, select one or more of the
For more information about these classifiers, see [Learn about trainable classifiers](classifier-learn-about.md).
-During the preview period for this option, the following apps support trainable classifiers for sensitivity labels:
--- Microsoft 365 Apps for enterprise ([formerly Office 365 ProPlus](/deployoffice/name-change)) for Windows, now rolling out to the [Current Channel](/deployoffice/overview-update-channels#current-channel-overview) in version 2006 and later:
- - Word
- - Excel
- - PowerPoint
--- Office for the web apps, when you have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md):
- - Word
- - Excel
- - PowerPoint
- - Outlook
- ### Recommend that the user applies a sensitivity label If you prefer, you can recommend to your users that they apply the label. With this option, your users can accept the classification and any associated protection, or dismiss the recommendation if the label isn't suitable for their content.
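Review bot: removing "This option is currently in preview" together with the "During the preview period" app list takes the feature out of preview, but that list was the only place on this page stating which apps support trainable classifiers for auto-labeling (Word, Excel and PowerPoint in Microsoft 365 Apps for enterprise on Windows Current Channel version 2006 and later, and Word, Excel, PowerPoint and Outlook on the web with sensitivity labels enabled for SharePoint and OneDrive files). If that support is now documented in the general sensitivity label capability table, add a pointer to it in the remaining paragraph; otherwise keep the list with only the preview wording removed. Also check that the blank line before **### Recommend that the user applies a sensitivity label** survives, since the last removed line appears fused with that heading.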
compliance Create A Dlp Policy From A Template https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-dlp-policy-from-a-template.md
In this example, you'll create a DLP policy that identifies U.S. PII data, which
### Create a DLP policy from a template
-1. Go to [https://protection.office.com](https://protection.office.com).
+1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com).
2. Sign in using your work or school account. You're now in the Security &amp; Compliance Center.
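Review bot: step 1 now sends the reader to https://compliance.microsoft.com, but step 2 in the unchanged context still says "You're now in the Security &amp; Compliance Center"; update it to "You're now in the Microsoft 365 compliance center" (and replace the `&amp;` entity with a plain `&`) so the two steps agree.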
compliance Create A Keyword Dictionary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-keyword-dictionary.md
Remove-Item $rawFile
The keywords for your dictionary could come from various sources, most commonly from a file (such as a .csv or .txt list) imported in the service or by PowerShell cmdlet, from a list you enter directly in the PowerShell cmdlet, or from an existing dictionary. When you create a keyword dictionary, you follow the same core steps:
-1. Use the **Security & Compliance Center** ([https://protection.office.com](https://protection.office.com)) or connect to **Security &amp; Compliance Center PowerShell**.
+1. Use the **Compliance Center** ([https://compliance.microsoft.com](https://compliance.microsoft.com)) or connect to **Security &amp; Compliance Center PowerShell**.
2. **Define or load your keywords from your intended source**. The wizard and the cmdlet both accept a comma-separated list of keywords to create a custom keyword dictionary, so this step will vary slightly depending on where your keywords come from. Once loaded, they're encoded and converted to a byte array before they're imported.
The keywords for your dictionary could come from various sources, most commonly
Use the following steps to create and import keywords for a custom dictionary:
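Review bot: the link text changes to **Compliance Center** with the new URL, while the second half of the same step keeps "**Security &amp; Compliance Center PowerShell**". That is consistent if the PowerShell connection keeps its old name, but the `&amp;` entity should be a plain `&` in markdown, and "Compliance Center" should use the same form as the rest of this batch ("Microsoft 365 compliance center").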
-1. Connect to the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)).
+1. Connect to the Compliance Center ([https://compliance.microsoft.com](https://compliance.microsoft.com)).
2. Navigate to **Classifications > Sensitive info types**.
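Review bot: "Connect to the Compliance Center (https://compliance.microsoft.com)" uses "Connect to", which the page otherwise reserves for the PowerShell connection; for the portal say "Go to" or "Sign in to". Only the URL changed here, so step 2's path **Classifications > Sensitive info types** should be checked against the navigation in the new compliance center.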
compliance Data Classification Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-content-explorer.md
Access to content explorer is highly restricted because it lets you read the con
> [!IMPORTANT] > These permissions supercede permissions that are locally assigned to the items, which allows viewing of the content.
-There are two roles that grant access to content explorer and it is granted using the [Microsoft Security & Compliance Center](https://protection.office.com/permissions):
+There are two roles that grant access to content explorer and it is granted using the [Compliance Center](https://compliance.microsoft.com/permissions):
- **Content Explorer List viewer**: Membership in this role group allows you to see each item and its location in list view. The `data classification list viewer` role has been pre-assigned to this role group.
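Review bot: the sentence "There are two roles that grant access to content explorer and it is granted using the [Compliance Center]" has a dangling "it"; rewrite as "Two role groups grant access to content explorer, and membership is assigned in the [Compliance Center](https://compliance.microsoft.com/permissions):". The items below describe role groups ("Membership in this role group"), so "roles" in the lead sentence should be "role groups" as well. In the same context, "supercede" in the IMPORTANT box should be "supersede".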
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
To successfully access the **Disposition** tab in the Microsoft 365 compliance c
To grant users just the permissions they need for disposition reviews without granting them permissions to view and configure other features for retention and records management, create a custom role group (for example, named "Disposition Reviewers") and grant this group the **Disposition Management** role.
-For instructions to configure these permissions, see [Give users access to the Office 365 Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to add users to the default roles or create your own role groups, see [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md).
Additionally:
compliance Get Started With Records Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-records-management.md
Members of your compliance team who are responsible for records management need
For a read-only role, you can create a new role group and add the **View-Only Record Management** role to this group.
-For more information about role groups and roles, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center).
-
-For instructions to add users to role groups and assign roles, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to add users to the default roles or create your own role groups, see [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md).
These permissions are required only to create, configure, and apply retention labels that declare records, and manage disposition. The person configuring these labels doesn't require access to the content.
compliance Get Started With Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-retention.md
Members of your compliance team who will create and manage retention policies an
Alternatively to using this default role, you can create a new role group and add the **Retention Management** role to this group. For a read-only role, use **View-Only Retention Management**.
-For more information about role groups and roles, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md#roles-in-the-security--compliance-center).
-
-For instructions to add users to role groups and assign roles, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to add users to the default roles or create your own role groups, see [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md).
These permissions are required only to create, configure, and apply retention policies and retention labels. The person configuring these policies and labels doesn't require access to the content.
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
To see the options for licensing your users to benefit from Microsoft 365 compli
## Permissions required to create and manage sensitivity labels
-Members of your compliance team who will create sensitivity labels need permissions to the Microsoft 365 compliance center, or to the older Security & Compliance Center.
+Members of your compliance team who will create sensitivity labels need permissions to the Microsoft 365 compliance center.
-By default, global administrators for your tenant have access to these admin centers and can give compliance officers and other people access, without giving them all of the permissions of a tenant admin. For this delegated limited admin access, add users to the **Compliance Data Administrator**, **Compliance Administrator**, or **Security Administrator** role group.
+By default, global administrators for your tenant have access to this admin center and can give compliance officers and other people access, without giving them all of the permissions of a tenant admin. For this delegated limited admin access, add users to the **Compliance Data Administrator**, **Compliance Administrator**, or **Security Administrator** role group.
Alternatively to using the default roles, you can create a new role group and add either **Sensitivity Label Administrator** or **Organization Configuration** roles to this group. For a read-only role, use **Sensitivity Label Reader**.
-For instructions to add users to the default roles or create your own role groups, see [Give users access to the Office 365 Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
+For instructions to add users to the default roles or create your own role groups, see [Permissions in the Microsoft 365 compliance center](microsoft-365-compliance-center-permissions.md).
These permissions are required only to create and configure sensitivity labels and their label policies. They are not required to apply the labels in apps or services. If additional permissions are needed for specific configurations that relate to sensitivity labels, those permissions will be listed in their respective documentation instructions.
compliance Microsoft 365 Compliance Center Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center-permissions.md
Complete the following steps to remove users from a compliance role group:
6. Select **Remove** and then select the checkbox for all users you want to remove from the role group. 7. Select **Remove**, then select **Done**. 8. Select **Save** to remove the users from the role group. Select **Close** to complete the steps.+
+## Create a custom role group
+
+Complete the following steps to create a custom role group:
+
+1. Sign into [https://compliance.microsoft.com/permissions](https://compliance.microsoft.com/permissions) using credentials for an admin account in your Microsoft 365 organization.
+2. In the Microsoft 365 compliance center, go to **Permissions**.
+3. On the **Permissions & roles** page, select **Compliance center > Roles**.
+4. On the **Compliance center roles** page, select **Create**.
+5. On the **Name your role group** page, enter a name for the custom role group in the **Name** field. The name of the role group cannot be changed after creation of the role group. If needed, enter a description for the custom role group in the **Description** field. Select **Next** to continue.
+6. On the **Choose roles** page, select **Choose roles**.
+7. Select **Add**, then choose the roles to add to the custom role group. Select **Add** to add the role group, then select **Done**.
+8. Select **Next** to continue.
+9. On the **Choose members** page, select **Choose members**.
+10. Select **Add**, then choose the members to add to the custom role group. Select **Add** to add the members, then select **Done**.
+11. Select **Next** to continue.
+12. On the **Review your settings** page, review the details for the custom role group. If you need to edit the information, select **Edit** in the appropriate section. When all the settings are correct, select **Create role group** to create the custom role group or select **Cancel** to discard the changes and not create the custom role group.
+
+## Update a custom role group
+
+Complete the following steps to update a custom role group:
+
+1. Sign into [https://compliance.microsoft.com/permissions](https://compliance.microsoft.com/permissions) using credentials for an admin account in your Microsoft 365 organization.
+2. In the Microsoft 365 compliance center, go to **Permissions**.
+3. On the **Permissions & roles** page, select **Compliance center > Roles**.
+4. On the **Compliance center roles** page and select the role group to update.
+5. On the details pane for the selected role group, select **Edit role group**.
+6. On the **Editing role group name** page, update the description for the custom role group in the **Description** field. The name of the custom role group cannot be changed.
+7. On the **Choose roles** page, select **Edit** to update the roles assigned to the role groups.
+8. Select **Add**, then choose the roles to add to the custom role group. Select **Add** to add the role group, then select **Done**.
+9. On the **Choose members** page, select **Edit**.
+10. Select **Add**, then choose the members to add to the custom role group. Select **Add** to add the members, then select **Done**.
+11. Select **Save** to save updated *Description*, *Role groups*, and *Members* values.
+12. On the details pane for the selected role group, select **Close**.
+
+## Delete a custom role group
+
+Complete the following steps to update a custom role group:
+
+1. Sign into [https://compliance.microsoft.com/permissions](https://compliance.microsoft.com/permissions) using credentials for an admin account in your Microsoft 365 organization.
+2. In the Microsoft 365 compliance center, go to **Permissions**.
+3. On the **Permissions & roles** page, select **Compliance center > Roles**.
+4. On the **Compliance center roles** page and select the role group to update.
+5. On the details pane for the selected role group, select **Delete role group**.
+6. On the **Warning** dialog, select **Yes** to delete the role group or select **No** to cancel the deletion process.
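Review bot: the intro under "## Delete a custom role group" (L296) says "Complete the following steps to update a custom role group:", a copy-paste from the update section; it should read "delete", and step 4 of that section (L301) likewise says "select the role group to update" where "delete" is meant. Two smaller fixes in the same hunk: step 4 of both the update and delete procedures (L284, L301) reads "On the **Compliance center roles** page and select the role group ..." and needs "page, select"; and step 7 of the create procedure (L270) and step 8 of the update procedure (L288) say "Select **Add** to add the role group" when it is the chosen roles being added, so "to add the roles" is the intended wording.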
compliance Microsoft 365 Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-compliance-center.md
In addition to links in cards on the home page, you'll see a navigation pane on
## Frequently asked questions
-**Why am I taken to the Security & Compliance Center to complete some tasks, such as defining certain policies?**
-
-We're still developing the Microsoft 365 compliance center, and we'll add more functionality and solutions over the coming months. In the meantime, there are a few tasks that must be completed in the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)). In those cases, you'll be directed automatically to the location where you can complete the task at hand, such as creating or editing a supervision policy.
- **Why don't I see the new Microsoft 365 compliance center yet?** First, make sure that you have the appropriate licenses and permissions. Then, sign in at [https://compliance.microsoft.com](https://compliance.microsoft.com). If you don't see the new compliance center yet, you'll have it soon.
-**Some of my compliance features aren't available in the Microsoft 365 compliance center. What do I do?**
-
-We're still adding functionality to the Microsoft 365 compliance center. If you can't find something, such as audit log search, use the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)). Your configurations are saved in both the existing Security & Compliance Center and in the new Microsoft 365 compliance center automatically.
-
-To go there, in the Microsoft 365 compliance center, in the navigation pane on the left side of the screen, choose **More resources**, and then, under **Office 365 Security & Compliance Center**, choose **Open**.
- ![More resources](../media/m365-compliance-center-more-resources.png) ## Next steps
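Review bot: the last removed line (L316) carries both the image reference and the "## Next steps" heading, so confirm the heading itself survives in the file and was only run together with the removed image here. The hunk otherwise drops the three FAQ entries that redirected readers to the Security & Compliance Center at protection.office.com, which is consistent with the link retargeting elsewhere in this batch, but check that at least one question remains under the "## Frequently asked questions" heading kept at L306 so it is not left empty.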
compliance Microsoft 365 Solution Catalog https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/microsoft-365-solution-catalog.md
To visit the Microsoft 365 solution catalog, go to [https://compliance.microsoft
**Why don't I see the Microsoft 365 solution catalog?**
-First, make sure that you have the appropriate licenses and permissions. Then, sign in at [https://compliance.microsoft.com](https://compliance.microsoft.com) as a global administrator, compliance administrator, or compliance data administrator.
-
-**Some of the compliance features listed on the solution catalog page aren't available in the Microsoft 365 compliance center. What do I do?**
-
-We're always working to add new functionality to the Microsoft 365 compliance center and the solution catalog. If you can't find a specific solution in the navigation area, it will be accessible when the solution is available in your subscription.
-
-If you are looking for an existing compliance solution and it's not available in the Microsoft 365 compliance center yet, you can always access solutions in the existing Security &amp; Compliance Center by going to [https://protection.office.com](https://protection.office.com). Alternatively, you can click on the **More resources** tab in the left navigation of the Microsoft 365 compliance center and select the Office 365 security and compliance center card.
+First, make sure that you have the appropriate licenses and permissions. Then, sign in at [https://compliance.microsoft.com](https://compliance.microsoft.com) as a global administrator, compliance administrator, or compliance data administrator.
## Next steps
compliance New Defender Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/new-defender-alert-policies.md
The new alerts will begin firing, and triggering the AIR investigations in your
## What you need to do to prepare for these changes
-How your organization utilizes these alerts will determine what you need to do to prepare. If you have operationalized the alerts and are using or consuming them either through an API, an alert email notification, or in the Office 365 Security & Compliance Center (`https://protection.office.com/viewalerts`) or the Microsoft security center (`https://security.microsoft.com/viewalerts`), you'll need to modify your workflows.
+How your organization utilizes these alerts will determine what you need to do to prepare. If you have operationalized the alerts and are using or consuming them either through an API, an alert email notification, or in the Microsoft 365 compliance center (`https://compliance.mmicrosoft.com/viewalerts`) or the Microsoft security center (`https://security.microsoft.com/viewalerts`), you'll need to modify your workflows.
**If you haven't operationalized these alerts, you can do one of the following:**
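Review bot: the replacement URL on L333, `https://compliance.mmicrosoft.com/viewalerts`, has a doubled "m" in the host name; it should be `https://compliance.microsoft.com/viewalerts`, matching the compliance center address used elsewhere in this batch (for example L264). A mistyped host in published admin guidance points readers at a domain Microsoft does not control, so this should be corrected before merge.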
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Let users assign permissions: <br /> - Prompt users](encryption-sensitivity-labels.md#let-users-assign-permissions) |2004+ | 16.35+ | Under review | Under review | Under review | |[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | Rolling out: 16.0.13628+ | Yes <sup>\*</sup> | |[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.45+ | 2.47+ | 16.0.13628+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md)
-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | 2009+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | 2009+ | Under review | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | 2105: June 18+ | 16.50+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |
The numbers listed are the minimum Office application version required for each
|[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | 16.48+ <sup>\*</sup> | 4.2112.0+ | 4.2112.0+ | Yes | |[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes | |[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | Rolling out: 16.51+ <sup>\*</sup> | Rolling out: 4.2126+ | Rolling out: 4.2126+ | Under review |
-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | 2009+ | Under review | Under review | Under review | Yes |
|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes | |
compliance Use Notifications And Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-notifications-and-policy-tips.md
In the Compliance Center, when you create a DLP policy, you can configure the us
When you create a DLP policy, you can enable **User notifications**. When user notifications are enabled, Microsoft 365 sends out both email notifications and policy tips. You can customize who notification emails are sent to, the email text and the policy tip text.
-1. Go to [https://protection.office.com](https://protection.office.com).
+1. Go to [https://(https://compliance.microsoft.com/permissions](https://(https://compliance.microsoft.com/permissions).
2. Sign in using your work or school account. You're now in the Security &amp; Compliance Center.
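Review bot: the new step 1 on L352 is a malformed link, `[https://(https://compliance.microsoft.com/permissions](https://(https://compliance.microsoft.com/permissions)`: both the link text and the target carry a stray "https://(" prefix, and the `/permissions` path lands on the role-management page rather than where a DLP policy is created, which is what L350 describes. Suggest `1. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com).`, and since step 2 (L353) still says "You're now in the Security &amp; Compliance Center", update that sentence to name the Microsoft 365 compliance center so the two steps agree.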
knowledge Scale Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/scale-topics.md
Title: "Manage topics at scale in Microsoft Viva Topics"-
+ Title: Manage topics at scale in Microsoft Viva Topics
+ -+ audience: admin ms.prod: microsoft-365-enterprise
- enabler-strategic - m365initiative-viva-topics localization_priority: None
-description: "Learn about best practices to manage the many topics in your organization using Viva Topics."
+description: Learn about best practices to manage the many topics in your organization using Viva Topics.
+ # Manage topics at scale in Microsoft Viva Topics When you index your SharePoint sites or your entire organization for Viva Topics, many topics might be generated. When this happens and you see thousands of suggested topics on the **Manage topics** page, it can be challenging to know where to start. This article describes how Viva Topics helps you optimize which topics and information are shown to users who are searching for information, even in large organizations with large numbers of topics.
knowledge Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/search.md
Title: "Use Microsoft Search to find topics in Microsoft Viva Topics"
+ Title: Use Microsoft Search to find topics in Microsoft Viva Topics
search.appverid: localization_priority: None
-description: "Learn how you can search for topics in Microsoft Viva."
+description: Learn how to search for topics in Microsoft Viva Topics.
# Use Microsoft Search to find topics in Microsoft Viva Topics
knowledge Topic Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-center-overview.md
Title: Topic center overview in Microsoft Viva Topics- + audience: admin
search.appverid:
- enabler-strategic - m365initiative-viva-topics
-ROBOTS:
localization_priority: None description: Learn about the topic center in Microsoft Viva Topics.
knowledge Topic Experiences Discovery Curation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-discovery-curation.md
Title: 'Microsoft Viva Topics topic discovery and curation '
-description: 'Overview of how topics are discovered.'
--
+ Title: Topic discovery and curation in Microsoft Viva Topics
++ audience: admin
- enabler-strategic - m365initiative-viva-topics localization_priority: None-
+description: Overview of how topics are discovered in Viva Topics.
-# Microsoft Viva Topics discovery and curation
+
+# Topic discovery and curation in Microsoft Viva Topics
Viva Topics organizes information to knowledge in your Microsoft 365 environment. We've all experienced reading through documents and site pages where we encounter terms we are unfamiliar with. Many times we stop what we are doing to spend precious time searching for more information. Viva Topics uses Microsoft Graph and AI to identify **topics** in your organization. A topic is a phrase or term that has a specific meaning to the organization, and has resources related to it that can help people understand what it is and find more information about it. There are lots of different types of topics that will be important to your organization. Initially, the following types of topics can be identified:+ - Project - Event - Organization
Viva Topics uses Microsoft Graph and AI to identify **topics** in your organizat
- Creative work - Field of study
-AI identifies people and content connected to the topic, and if enough is discovered, it becomes a suggested topic. It looks to identify the following properties and display them on a **Topic page**:
+AI identifies people and content connected to the topic, and if enough is discovered, it becomes a suggested topic. It looks to identify the following properties and display them on a *topic page*:
+ - Alternate names and/or acronyms. - A short description of the topic. - People who might be knowledgeable about the topic. - Files, pages, and sites that are related to the topic.
-The properties are identified from the files and pages that are part of the evidence for identifying the topic. Alternate names and acronyms are sourced from these files and pages. The short description is sourced from these files and pages, or from the internet through Wikipedia. The source file, page, or Wikipedia article is referenced alongside the suggested properties. People are suggested based on their active contributions (for example, edits) to the files and pages. A reference to the amount of contributions from a particular person provides a hint as to why the person has been identified. Files, pages, and sites are ranked based on whether they are central to the topic, whether they can give an overview or introduction to the topic.
+The properties are identified from the files and pages that are part of the evidence for identifying the topic. Alternate names and acronyms are sourced from these files and pages. The short description is sourced from these files and pages, or from the internet through Wikipedia. The source file, page, or Wikipedia article is referenced alongside the suggested properties. People are suggested based on their active contributions (for example, edits) to the files and pages. A reference to the amount of contributions from a particular person provides a hint as to why the person has been identified. Files, pages, and sites are ranked based on whether they are central to the topic, or whether they can give an overview or introduction to the topic.
-Not every identified topic will be useful to your organization. It may not have identified any of the correct alternate names, descriptions, the appropriate people, or content. So the ability to add topics that aren't identified, keep suggested topics, and curate topics is critical to improving the quality of the topics that are discoverable in your organization.
+Not every identified topic will be useful to your organization. It might not have identified any of the correct alternate names, descriptions, the appropriate people, or content. So the ability to add topics that aren't identified, keep suggested topics, and curate topics is critical to improving the quality of the topics that are discoverable in your organization.
Viva Topics then, when the context is appropriate, will suggest these topics to be highlighted on all SharePoint modern site pages in your tenant. The topic can also be directly referenced on the SharePoint modern site page by a page author. When a user is curious to learn more about a topic, they can select the highlighted topic to view a **Topic summary** card that provides a short description. And if they want to learn more, they can select a **Topic details** link in the summary to open the detailed topic page.
-![Topic highlights](../media/knowledge-management/saturn.png) </br>
+![Topic highlights.](../media/knowledge-management/saturn.png) </br>
Additionally, users will also be able to find topics through Microsoft Search.
Additionally, users will also be able to find topics through Microsoft Search.
Viva Topics welcomes human contribution to improve the quality of your topics. While AI initially identifies and suggests topics, manually made edits to content from contributors, manually added topics, confirmation from users for AI discovered properties and content, and feedback on the usefulness of topics are all essential. -- Topics can be reviewed by **knowledge managers** in your organization. The knowledge manager can review topics that they have permissions to see. In the Manage Topics page in the Topic Center, they can choose to confirm AI-generated topics ("suggested topics") as valid, reject topics to prevent the content from being viewed as a topic, create topics that were not discovered by AI, or identify topics that could benefit from a few edits by subject matter experts to be more helpful or accurate. For more information, see [Manage topics in the Topic center](manage-topics.md).
+- Topics can be reviewed by **knowledge managers** in your organization. The knowledge manager can review topics that they have permissions to see. On the **Manage topics** page in the topic center, they can choose to confirm AI-generated topics ("suggested topics") as valid, reject topics to prevent the content from being viewed as a topic, create topics that were not discovered by AI, or identify topics that could benefit from a few edits by subject matter experts to be more helpful or accurate. For more information, see [Manage topics in the topic center](manage-topics.md).
-- You can assign *Create and edit topics* permissions to any of your licensed users so that they can make changes to existing topics or create new topics. This allows users that are knowledgeable about the topic to update the topic page directly to make corrections or add additional information. They can also add new topics that AI wasn't able to identify. If there is enough information on these manually added topics, and AI is able to identify this type of topic, additional suggestions from AI may enhance these manually added topics. Together, humans and AI can keep knowledge accurate over time and not have this rest on a single person. For more information, see [Create a new topic](./create-a-topic.md) and [Edit a topic](./edit-a-topic.md).
+- You can assign *Create and edit topics* permissions to any of your licensed users so that they can make changes to existing topics or create new topics. This allows users that are knowledgeable about the topic to update the topic page directly to make corrections or add additional information. They can also add new topics that AI wasn't able to identify. If there is enough information on these manually added topics, and AI is able to identify this type of topic, additional suggestions from AI might enhance these manually added topics. Together, humans and AI can keep knowledge accurate over time and not have this rest on a single person. For more information, see [Create a new topic](./create-a-topic.md) and [Edit a topic](./edit-a-topic.md).
-- Even users who only have read access to topic (topic viewers) will be asked to verify the usefulness of specific topics. Feedback questions are asked on the **Topic summary** card to improve the value of the topic and its information. Questions about the quality and usefulness of the AI suggestions are presented to users one at a time. Questions include:</br>
+- Even users who only have read access to topic (topic viewers) will be asked to verify the usefulness of specific topics. Feedback questions are asked on the **Topic summary** card to improve the value of the topic and its information. Questions about the quality and usefulness of the AI suggestions are presented to users one at a time. Questions include:
1. Whether identifying the topic in the SharePoint page was helpful. There's an opportunity to remove the highlight if it's not accurate or helpful. If enough people indicate that a topic is not correctly identified on a particular page, this highlight will eventually be removed for all users.
- 2. Whether the suggested topic is valuable to the organization. If enough people indicate that the suggested topic is valuable, the topic is automatically confirmed. Alternatively, if the suggested topic is not valuable, the topic is automatically rejected. The Knowledge Manager can observe this activity in the Manage Topics view.
+ 2. Whether the suggested topic is valuable to the organization. If enough people indicate that the suggested topic is valuable, the topic is automatically confirmed. Alternatively, if the suggested topic is not valuable, the topic is automatically rejected. The knowledge manager can observe this activity on the **Manage topics** page.
3. Whether the people and resource suggestions are helpful.
- 4. On the Topic Center home page, you can see the topics in your organization to which you have a connection. You can choose to remain listed on the topic or remove yourself. This feedback is reflected to everyone who discovers this topic. See [Topic center overview](./topic-center-overview.md) for more details on the topic center home page.
+ 4. On the topic center home page, you can see the topics in your organization to which you have a connection. You can choose to remain listed on the topic or remove yourself. This feedback is reflected to everyone who discovers this topic. For more information about the topic center home page, see [Topic center overview](./topic-center-overview.md).
Even with human edits, AI will continually look for more information about topics, and will look for human verification. For example, if AI thinks you are a person that should be listed as an expert on a topic, it will ask you to confirm this. -
-## See also
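Review bot: removing "## See also" on L414 with no removed lines beneath it suggests either that links remain in the file without a heading or that they were removed in a separate change; confirm the file does not end with orphaned links. Within the added text, L406 reads "read access to topic (topic viewers)" and needs "to a topic"; and L413 (unchanged context) ends with a stray " -" that looks like the remnant of a removed horizontal rule and should be cleaned up in the same pass.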
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
Title: "Microsoft Viva Topics overview"
+ Title: Microsoft Viva Topics overview
- enabler-strategic - m365initiative-viva-topics localization_priority: None
-description: "Overview of Viva Topics."
+description: Learn about how to use Viva Topics in your organization.
# Microsoft Viva Topics overview
knowledge Topic Experiences Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-roles.md
Title: "Microsoft Viva Topics roles"--
+ Title: Roles in Microsoft Viva Topics
++ audience: admin
- enabler-strategic - m365initiative-viva-topics localization_priority: None
-description: "Learn about user roles in Viva Topics."
+description: Learn about user roles in Viva Topics.
-# Microsoft Viva Topics roles
+# Roles in Microsoft Viva Topics
When you use Viva Topics in your Microsoft 365 environment, your users can have the following roles:
To create and edit a topic, the user must:
## Knowledge managers
-Knowledge managers are users who manage topics in your organization. Topic management is done through the Manage Topics page in the topic center, and it's only visible to Knowledge managers.
+Knowledge managers are users who manage topics in your organization. Topic management is done through the **Manage topics** page in the topic center, and it's only visible to knowledge managers.
-In the Manage Topics page, knowledge managers can do the following tasks:
+On the **Manage topics** page, knowledge managers can do the following tasks:
- View AI-suggested topics. - Review topics to confirm that they're valid.
knowledge Topic Experiences Security Trimming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-security-trimming.md
Title: "Microsoft Viva Topics security trimming"--
+ Title: Security trimming in Microsoft Viva Topics
++ audience: admin
ms.prod: microsoft-365-enterprise
search.appverid: localization_priority: None
-description: "Overview of how security is used to view topics."
+description: Learn how security is used to view topics in Viva Topics.
-# Microsoft Viva Topics security trimming
+# Security trimming in Microsoft Viva Topics
Viva Topics users can't view information in topics that their existing Office 365 permissions prevent them from seeing. Everything a user sees on a topic page (for example, SharePoint sites, documents, files) will be information they are already allowed to see. Viva Topics does not make changes to any existing permissions.
-## Why two users may have different views of the same topic
+## Why two users might have different views of the same topic
When a topic is created through AI or manual curation, it can contain a description of the topic, alternative names, people associated with the topic, as well as sites, pages, and files related to the topic. When this information is viewed on a topic page, it is possible that two users who are viewing the same topic my not see the same information.
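Review bot: L452 (unchanged context at the end of this hunk) still reads "two users who are viewing the same topic my not see the same information"; since this hunk already replaces "may" with "might" in the heading on L451, fix the typo here as "might not see" in the same pass.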
However, when User 2 looks at the same Neptune topic page, their view differs fr
![Neptune topic for user 2](../media/knowledge-management/user1-topic-view.png) </br>
-The difference in what users may see on the same topic is because users may not have the Office 365 permissions to view a related site or file. Viva Topics respects the permissions that are set on items in a topic, and cannot change access to them. In our example, User 1 is not able to view the *DG-2000 Product Overview* file in their topic page for Neptune because User 1 does not have Office 365 permissions to view the file.
+The difference in what users can see on the same topic is because users might not have the Office 365 permissions to view a related site or file. Viva Topics respects the permissions that are set on items in a topic, and cannot change access to them. In our example, User 1 is not able to view the *DG-2000 Product Overview* file in their topic page for Neptune because User 1 does not have Office 365 permissions to view the file.
If a user is not able to see enough information in a topic for it to be useful, the topic will not be available to the user. When this happens, the user will not see the highlighted topic. A different user who has permissions to more information in the topic for it to be useful, will be able to see the topic.
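Review bot: the screenshot on L454 is captioned "Neptune topic for user 2" but references `user1-topic-view.png`; confirm that file is the one intended for the User 2 view, because the explanation on L456 depends on the two screenshots showing different permission-trimmed results for the same topic. The wording change from "may see" to "can see" on L456 is fine and matches the "might not have" edit in the same sentence.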
The following table describes what users - topic viewers, contributors, and know
|Topic item|What users can see| |:|:|
-|Topic name|Users can see the topic name of topics in the topic center. Some topics may not be visible if users don't have permissions to the source content or have a low relevancy to the user.|
+|Topic name|Users can see the topic name of topics in the topic center. Some topics might not be visible if users don't have permissions to the source content or have a low relevancy to the user.|
|Topic description|AI-generated descriptions are visible only to users who have permissions to the source content. Manually entered or edited descriptions are visible to all users.| |People|Pinned people are visible to all users. Suggested people are only visible to users who have permissions to the source content.| |Files|Files are only visible to users who have permissions to the source content.|
managed-desktop Guest Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/guest-accounts.md
audience: Admin
# Prerequisites for guest accounts
+## External collaboration settings
+ Microsoft Managed Desktop requires the following settings in your Azure AD organization for guest account access. You can adjust these settings at the [Azure portal](https://portal.azure.com) under **External Identities / External collaboration settings**: - For **Guest invite restrictions** set to **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**
Microsoft Managed Desktop requires the following settings in your Azure AD organ
If you set restrictions that interact with these settings, make sure to exclude the Azure Active Directory **Modern Workplace Service Accounts**. For example, if you have a conditional access policy that prevents guest accounts from accessing the Intune portal, exclude the **Modern Workplace Service Accounts** group from this policy.
+## Unlicensed Intune admin
+
+The **Allow access to unlicensed admins** setting must be enabled. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications, since the scope of access is defined by the roles assigned to users, including our operations staff.
+
+To enable this setting, follow these steps:
+
+1. Go to the Microsoft Endpoint Manager [admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Navigate to **Tenant administration** > **Roles** > **Administrator licensing**.
+3. In **Allow access to unlicensed admins**, select **Yes**.
+
+> [!IMPORTANT]
+> You cannot undo this setting after you select **Yes**.
+
+For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins).
## Steps to get ready 1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
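Review bot: "You can safely enable this setting without worrying about security implications" in the new Unlicensed Intune admin section overstates the case, particularly next to the IMPORTANT note that the change cannot be undone. Allowing unlicensed admins removes the license check, not the role check, so the accurate statement is that access stays bounded by the Intune roles assigned, and admins should review which accounts (the Modern Workplace service accounts referenced above included) hold those roles before flipping a one-way switch. Suggest rewording to that effect and dropping "safely ... without worrying".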
managed-desktop Readiness Assessment Fix https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix.md
The Intune Administrator role doesn't have sufficient permissions for this check
Intune Device Compliance policies in your Azure AD organization might impact Microsoft Managed Desktop devices.
-**Not ready**
-
-You have at least one compliance policy that targets all users. Microsoft Managed Desktop includes compliance policies that will target your Microsoft Managed Desktop devices. Change the policy to target a specific Azure AD group that does not include any Microsoft Managed Desktop users or devices. For steps, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy).
- **Advisory**
-Make sure that any compliance policies you have don't target any Microsoft Managed Desktop users. For steps, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy).
+You have at least one compliance policy that applies all users. Microsoft Managed Desktop also includes compliance policies that will apply to your Microsoft Managed Desktop devices. Review all of the compliance policies created by your organization that apply to Microsoft Managed Desktop devices to ensure there are no conflicts. For steps, see [Create a compliance policy in Microsoft Intune](/mem/intune/protect/create-compliance-policy).
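Review bot: the replacement Not ready text reads "at least one compliance policy that applies all users"; it needs "to" ("applies to all users"). The same hunk also drops the **Not ready** and **Advisory** labels, while the configuration profiles check below keeps its **Not ready** label, and the new text no longer tells the reader to retarget the policy away from Managed Desktop devices, only to "review ... to ensure there are no conflicts"; confirm both changes are intended and, if so, say what counts as a conflict so the reader can act on the finding.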
Intune Device Configuration profiles in your Azure AD organization must not targ
**Not ready**
-You have at least one configuration profile that targets all users, all devices, or both. Reset the profile to target a specific Azure AD group that does not include any Microsoft Managed Desktop devices. For steps, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure).
+You have at least one configuration profile that applies to all users, all devices, or both. Reset the profile to apply to a specific Azure AD group that does not include any Microsoft Managed Desktop devices. For steps, see [Create a profile with custom settings in Microsoft Intune](/mem/intune/configuration/custom-settings-configure).
**Advisory**
managed-desktop Add Admin Contacts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/add-admin-contacts.md
There are several ways that Microsoft Managed Desktop service communicates with
> [!IMPORTANT] > You might have already added these contacts in the Admin portal. If so, take a moment now to double-check that the contact list is accurate, since Microsoft Managed Desktop **must** be able to reach them if a severe incident occurs.
-## Azure Active Directory access for Microsoft Managed Desktop Admin portal
-
-Microsoft Managed Desktop Admin portal requires that people accessing the portal have one of these Azure Active Directory (AD) roles:
--- Global Administrator-- Intune Service Administrator-- Global Reader-- Service Support Administrator-
-The Global Administrator must be the one to enroll your organization in Microsoft Managed Desktop. All five roles have the same access within the Admin portal to initiate and view tasks. For more information on assigning these roles in Azure AD, see [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles).
- ## Admin contact areas of focus Admin contacts should be the best person or group that can answer questions and make decisions for different areas of focus. **Microsoft Managed Desktop Operations will contact these Admin contacts for questions involving support requests filed by the customer.** These Admin contacts will receive notifications for support request updates and new messages. These areas include:
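Review bot: removing the "Azure Active Directory access for Microsoft Managed Desktop Admin portal" section leaves this article with no statement of which Azure AD roles can open the Admin portal, nor that a Global Administrator must perform the enrollment; if that content moved to another article, link to it from the intro, otherwise keep a one-line pointer. The removed text was itself inconsistent (it listed four roles but said "All five roles"), so a corrected list rather than deletion may be the better fix.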
managed-desktop Esp First Run https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/esp-first-run.md
Microsoft Managed Desktop uses both [Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot) and Microsoft Intune's [Enrollment Status Page (ESP)](/windows/deployment/windows-autopilot/enrollment-status) to provide the best possible first-run experience to your users.
-The Enrollment Status Page is currently in public preview.
- ## Initial deployment To provide the ESP experience, you must register devices in the Microsoft Managed Desktop service. For more about registration, see [Register new devices yourself](../get-started/register-devices-self.md) or [Steps for Partners to register devices](../get-started/register-devices-partner.md).-
-Once your devices are registered with the service, you can enable ESP for your Microsoft Managed Desktop devices by filing a support ticket through the [Admin Portal](https://portal.azure.com/). We will initially deploy the ESP configuration to the Test group when you file the ticket. It is deployed to the other subsequent deployment groups (First, Fast, and Broad) each 24 hours. To pause the deployment, file another ticket asking Operations to hold.
+Enrollment Status Page and Autopilot for pre-provisioned deployment are enabled by default in Microsoft Managed Desktop.
## Autopilot profile settings
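Review bot: the replacement sentence "Enrollment Status Page and Autopilot for pre-provisioned deployment are enabled by default" drops everything the removed paragraph said about how the ESP configuration reaches devices (Test first, then First, Fast and Broad at 24-hour intervals) and how to pause it by ticket. If ESP is now on by default, say whether an organization can still stage it or opt out, and through which channel, since admins who relied on the ticket process are left with no replacement instruction.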
Microsoft Managed Desktop uses these settings for the Enrollment Status Page exp
||| |Show app and profile configuration progress|Yes| |Show an error when installation takes longer than specified number of minutes|60|
-|Show custom message when time limit error occurs|Yes|
-|Error message|Yes, It's taking a little longer to set up your device than expected. Click below to get started and we'll finish setting up in the background|
+|Show custom message when time limit error occurs|No|
|Allow users to collect logs about installation errors|Yes| |Only show page to devices provisioned by out-of-box experience (OOBE)|Yes| |Block device use until all apps and profiles are installed|Yes| |Allow users to reset device if installation error occurs|Yes| |Allow users to use device if installation error occurs|Yes|
-|Block device use until these required apps are installed if they are assigned to the user/device|Modern Workplace - Time Correction|
+|Block device use until these required apps are installed if they are assigned to the user/device|Modern Workplace - Time Correction|Modern Workplace - Client Library|
| The Enrollment Status Page experience occurs in three phases. For more, see [Enrollment Status Page tracking information](/mem/intune/enrollment/windows-enrollment-status#enrollment-status-page-tracking-information).
The experience proceeds as follows:
![Start page of Autopilot setup showing "device preparation" and "device setup" phases.](../../medi-autopilot-screenshot.png)
-## Autopilot for pre-provisioned deployment
-
-> [!NOTE]
-> Autopilot for pre-provisioned deployment in Microsoft Managed Desktop is currently in public preview.
## Additional prerequisites for Autopilot for pre-provisioned deployment -- You must have Enrollment Status Page (ESP) enabled. For more information, see [Initial deployment](#initial-deployment). - Device must have a wired network connection. - If you have devices that were registered using the Microsoft Managed Desktop portal before August 2020, de-register and register them again. - Devices must must have a factory image that includes the November 2020 cumulative update [19H1/19H2 2020.11C](https://support.microsoft.com/topic/november-19-2020-kb4586819-os-builds-18362-1237-and-18363-1237-preview-25cbb849-74af-b8b8-29b8-68aa925e8cc3) or [20H1 2020.11C](https://support.microsoft.com/topic/november-30-2020-kb4586853-os-builds-19041-662-and-19042-662-preview-8fb07fb8-a7dd-ea62-d65e-3305da09f92e) as appropriate installed or must be reimaged with the latest Microsoft Managed Desktop image.
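Review bot: the changed table row for "Block device use until these required apps are installed if they are assigned to the user/device" now has three cells (`|...|Modern Workplace - Time Correction|Modern Workplace - Client Library|`) in a two-column table, so the second app will render as a stray column; put both apps in one cell, for example `Modern Workplace - Time Correction<br>Modern Workplace - Client Library`. Separately, the retained prerequisite bullet "You must have Enrollment Status Page (ESP) enabled. For more information, see [Initial deployment]" is stale now that the Initial deployment section in this same change says ESP is enabled by default, and "Devices must must have a factory image" has a doubled word.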
You might want to request a different device name template. You cannot, however,
### Enrollment Status Page settings change - A longer number of minutes for the "Show an error when installation takes longer than specified number of minutes" setting.-- The error message displayed
+- The error message displayed.
- Adding or removing applications in the "Block device use until these required apps are installed if they are assigned to the user/device" setting. ## Required applications
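Review bot: keeping "The error message displayed." in the list of ESP settings a customer can ask to change conflicts with the table change above, which sets "Show custom message when time limit error occurs" to No and removes the Error message row; either drop this bullet or say that the custom message is off by default and can be enabled and customized on request.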
You might want to request a different device name template. You cannot, however,
- Limit required applications to only the core applications that a user needs immediately when they sign in to the device. - Keep the total size of all applications collectively under 1 GB to avoid timeouts during the application installation phase. - Ideally, apps should not have any dependencies. If you have apps that *must* have dependencies, be sure you configure, test, and validate them as part of your ESP evaluation.-- No applications that require the "user" context (for example, Teams) can be included in the public preview of ESP.
+- Microsoft Teams cannot be included in ESP.
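Review bot: replacing "No applications that require the "user" context (for example, Teams) can be included in the public preview of ESP" with "Microsoft Teams cannot be included in ESP" narrows the guidance from a class of applications to a single product without saying why. If other user-context applications are now permitted, say so; if Teams is still excluded for the user-context reason, keep that reason so readers can apply it to similar applications.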
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/index.md
Title: Is Microsoft Managed Desktop right for you?
+ Title: What is Microsoft Managed Desktop?
description: Orientation for what the service is and shortcuts to articles for different audiences keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
managed-desktop Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/updates.md
There are parts of the service that you manage, like app deployment, where it mi
## How update deployment works: 1. Microsoft Managed Desktop deploys a new feature or quality update according to the schedule specified in the following table. 2. During deployment, Microsoft Managed Desktop monitors for signs of failure or disruption based on diagnostic data and the user support system. If any are detected, we immediately pause the deployment to all current and future groups.
- - Example: if an issue is discovered while deploying a quality update to the First group, then update deployments to First, Fast, and Broad will all be paused until the issue is resolved.
+ - Example: If an issue is discovered while deploying a quality update to the First group, then update deployments to First, Fast, and Broad will all be paused until the issue is mitigated.
- You can report compatibility issues by filing a ticket in the Microsoft Managed Desktop Admin portal.
- - Feature and quality updates are paused independently. Pause is in effect for 35 days by default, but can be reduced or extended depending on whether the issue is remediated.
+ - Feature and quality updates are paused independently. Pause is in effect for 35 days by default, but can be reduced or extended depending on whether the issue is mitigated.
3. Once the groups are unpaused, deployment resumes according to the schedule in the table.
+4. Users are empowered to respond to restart notifications for a set period (known as the deadline and measured from the time the update is offered to the device), during which time the device will only automatically restart outside active hours. After this period expires, the deadline has been reached and the device will restart at the next available opportunity, regardless of active hours. The deadline for quality updates is three days; for feature updates it is five days.
This deployment process applies to both feature and quality updates, though the timeline varies for each.
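Review bot: new step 4 on restart deadlines should say how it interacts with the pause described in step 2, specifically whether an update already offered to a device keeps counting toward its three-day (quality) or five-day (feature) deadline while the deployment is paused. Wording nit: "Users are empowered to respond to restart notifications" reads more naturally as "Users can respond to restart notifications".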
This deployment process applies to both feature and quality updates, though the
<table> <tr><th colspan="5">Update deployment settings</th></tr> <tr><th>Update type</th><th>Test</th><th>First</th><th>Fast</th><th>Broad</th></tr>
- <tr><td>Quality updates for operating system</td><td>0 days</td><td>0 days</td><td>0 days</td><td>3 days</td></tr>
+ <tr><td>Quality updates for operating system</td><td>0 days</td><td>0 days</td><td>0 days</td><td>7 days</td></tr>
<tr><td>Feature updates for operating system</td><td>0 days</td><td>30 days</td><td>60 days</td><td>90 days</td></tr> <tr><td>Drivers/firmware</td><td colspan="4">Follows the schedule for quality updates</td></tr> <tr><td>Anti-virus definition</td><td colspan="4">Updated with each scan</td></tr>
Any devices found with Windows Insider builds might be put into the Test group a
## Bandwidth management
-We use [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) for all operating system and driver updates. Delivery Optimization minimizes the download size from the Windows Update service by seeking updates from peers within the corporate network.
+We use [Delivery Optimization](/windows/deployment/update/waas-delivery-optimization) for all operating system and driver updates. Delivery Optimization minimizes the download size from the Windows Update service by seeking updates from peers within the corporate network.
managed-desktop Test Win11 Mmd https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd.md
How to enroll and participate in the Windows 11 compatibility testing program within your Microsoft Managed Desktop environment. For more about Windows 11 and Microsoft Managed Desktop generally, see [Windows 11 and Microsoft Managed Desktop](../intro/win11-overview.md).
-## Check device eligibility
-
-To date, more than 95% of Microsoft Managed Desktop devices meet [eligibility criteria for Windows 11](/windows/whats-new/windows-11-requirements). You can request details about the eligibility status of your devices from Microsoft Managed Desktop. To file the request, follow these steps:
-
-1. Open a new service request with the Microsoft Managed Desktop Service Engineering team. If you need more info on how to file the request, see [Admin support](admin-support.md).
-2. Use these values for the fields:
- - Title: Windows 11 device eligibility
- - Request type: Request for information
- - Category: Devices
- - Subcategory: Other
-- ## Add devices to the Windows 11 test group Upon request, we will create the device group (**Modern Workplace - Windows 11 Pre-Release Test Devices**) for testing and evaluating Windows 11. Devices in this group get new Windows 11 builds and Microsoft Managed Desktop baseline configurations as they become available, and are monitored for reliability issues.
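Review bot: deleting the "Check device eligibility" section removes the only link to the Windows 11 eligibility criteria and the service-request recipe for asking which devices qualify, so the article now opens at "Add devices to the Windows 11 test group" with no way for an admin to find out which devices can take the builds. If the request process was retired, keep the eligibility-criteria link in the intro and say how eligibility is now surfaced.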
security Onboard Windows 10 Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device.md
If you plan to manage your machines using a management tool, you can onboard dev
For more information, see [Onboard Windows 10 devices using Configuration Manager](configure-endpoints-sccm.md). > [!WARNING]
-> If you plan to use [Attack Surface reduction Rules](attack-surface-reduction-rules.md), note that the rule ΓÇ£[Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used, because that rule is incompatible with management through Microsoft Endpoint Configuration Manager. The rule blocks WMI commands that the Configuration Manager client uses to function correctly.
+> If you plan to use [Attack Surface reduction Rules](attack-surface-reduction-rules.md), note that the rule "[Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used, because that rule is incompatible with management through Microsoft Endpoint Configuration Manager. The rule blocks WMI commands that the Configuration Manager client uses to function correctly.
> [!TIP] > After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
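Review bot: the warning, after the quote fix, still tells admins to forgo the "Block process creations originating from PSExec and WMI commands" rule entirely on Configuration Manager-managed hosts; the configure-proxy-internet change in this same batch offers ASR exclusions as an alternative to disabling that rule, so consider offering the same option here if it covers the Configuration Manager client, so the rule stays enforced for every other process.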
security Attack Surface Reduction Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md
This article provides information about attack reduction rules:
## Supported operating systems
-Links to information about operating system versions referenced in this table are listed below this table.
+The following table lists attack surface reduction rules in alphabetical order. A check mark indicates the rule is supported by the operating system listed in that column.
> [!Note] >
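Review bot: the new intro sentence says a check mark indicates support, but the table cells also carry minimum versions beneath the check mark (for example "version 1803 or later" in the Windows 10 column); mention that in the sentence, since the separate "Operating system version" link list that used to supply those versions is removed in this same change.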
Links to information about operating system versions referenced in this table ar
|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | | | **Rule name** | **Windows&nbsp;10** | **Windows&nbsp;Server 2019** | **Windows&nbsp;Server** | **Windows&nbsp;Server 2016** | **Windows&nbsp;Server 2012 R2** |
-### Operating system version
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows 10 Pro, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows 10 Enterprise, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809)--- [Windows Server, version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)- ## Supported configuration management systems Links to information about configuration management system versions referenced in this table are listed below this table.
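Review bot: removing the "### Operating system version" list drops the links that defined the unqualified "**Windows&nbsp;Server**" column (Windows Server, version 1803 and version 1809, Semi-Annual Channel); with the list gone, that column header no longer says which Windows Server releases it covers. Suggest renaming the column or adding the versions beneath the check marks as the Windows 10 column does. The table also appears to end with a second **Rule name** header row; confirm that is the intended layout.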
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
The product has received multiple compliance certifications, demonstrating conti
- SOC I, II, III - and PCI
-[Azure Compliance Offerings](https://docs.microsoft.com/azure/compliance/#compliance-offerings) provides more information on these certifications. All certification artifacts for Microsoft Defender for Endpoint can be found on MicrosoftΓÇÖs [Service Trust Portal](https://servicetrust.microsoft.com/) within each of the associated Azure Certification Reports.
+[Azure Compliance Offerings](/azure/compliance/#compliance-offerings) provides more information on these certifications. All certification artifacts for Microsoft Defender for Endpoint can be found on MicrosoftΓÇÖs [Service Trust Portal](https://servicetrust.microsoft.com/) within each of the associated Azure Certification Reports.
## Cloud Protection Mechanisms
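Review bot: the `+` line in the compliance paragraph switches the Azure Compliance Offerings link to a site-relative path but leaves the mojibake apostrophe in "MicrosoftΓÇÖs" (a curly quote encoded as ΓÇÖ) untouched; change it to "Microsoft's" in the same edit. The preceding "- SOC I, II, III - and PCI" also reads as two list items joined on one line.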
The Microsoft Intelligent Security Graph monitors threat data from a vast networ
Defender for Endpoint antivirus and cloud protection automatically blocks most new, never-before-seen threats at first sight using the following methods:
-1. Lightweight client-based machine learning models, blocking new and unknown malware
-2. Local behavioral analysis, stopping file-based and file-less attacks
-3. High-precision antivirus, detecting common malware through generic and heuristic techniques
+1. Lightweight client-based machine learning models, blocking new and unknown malware.
+
+2. Local behavioral analysis, stopping file-based and file-less attacks.
+
+3. High-precision antivirus, detecting common malware through generic and heuristic techniques.
+ 4. Advanced cloud-based protection is provided for cases when Defender for Endpoint antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.+ 1. In the event Microsoft Defender for Endpoint antivirus cannot make a clear determination, file metadata is sent to the cloud protection service. Usually, the cloud protection service can determine whether the file is safe or malicious, within milliseconds. - The cloud query of file metadata can be a result of behavior, mark of the web, or other characteristics where a clear verdict is not determined. - A small metadata payload is sent, with the goal of reaching a clean vs malware verdict - Metadata can include PE attributes, static file attributes, dynamic and contextual attributes, and more (Figure 1). - Does not include personally identifiable information (PII). Information such as filenames, are hashed - Can be synchronous or asynchronous. For synchronous, the file will not open until the cloud renders a verdict. For asynchronous, the file will open while the cloud performs its analysis.+ 2. After examining the metadata, if Defender for Endpoint antivirus cloud protection cannot reach a conclusive verdict, it can request a sample of the file for further inspection. This request honors the settings configuration for sample submission:+ 1. **Send safe samples automatically** (default) - Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe. - If file is likely to contain PII, the user will get a request to allow file sample submission.
- - This is the default on Windows, MacOS and Linux.
+ - This is the default on Windows, macOS and Linux.
+ 2. **Always Prompt** - If configured, the user will always be prompted for consent before file submission
- - This setting isn't available in MacOS cloud protection
+ - This setting isn't available in macOS cloud protection
+ 3. **Send all samples automatically** - If configured, all samples will be sent automatically - If you would like sample submission to include macros embedded in Word docs, you must choose ΓÇ£Send all samples automaticallyΓÇ¥
- - This setting isn't available on MacOS cloud protection
+ - This setting isn't available on macOS cloud protection
+ 4. **Do not send** - Prevents ΓÇ£block at first sightΓÇ¥ based on file sample analysis
- - "Do not send" is the equivalent to the ΓÇ£DisabledΓÇ¥ setting in MacOS policy
+ - "Do not send" is the equivalent to the ΓÇ£DisabledΓÇ¥ setting in macOS policy
- Metadata is sent for detections even when sample submission is disabled+ 3. After metadata and/or files are submitted to the Defender for Endpoint cloud, you can use **samples**, **detonation**, or **big data analysis** machine learning models to reach a verdict. This model is illustrated in Figure 3. Turning off Cloud-delivered Protection will limit analysis to only what the client can provide through local machine learning models, and similar functions.
-Figure 1 - Examples of Metadata Sent to Microsoft Defender Cloud Protection
+_Figure 1 - Examples of Metadata Sent to Microsoft Defender Cloud Protection_
:::image type="content" source="images/cloud-protection-metadata-sample.png" alt-text="Figure 1. Examples of metadata sent to Microsoft Defender Cloud Protection":::
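Review bot: in the nested sample-submission list, "Safe samples are samples considered to not commonly contain PII data like: .bat, .scr, .dll, .exe" is easy to misread as saying those file types are benign, when they are exactly the types most likely to be malicious; write "safe to submit" and spell out that the criterion is a low likelihood of personal data, not a low likelihood of malware. The added lines also carry curly quotes as mojibake (ΓÇ£Send all samples automaticallyΓÇ¥, ΓÇ£block at first sightΓÇ¥, ΓÇ£DisabledΓÇ¥) that should be plain quotation marks.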
+_Figure 2. Cloud-delivered protection flow_
+ :::image type="content" source="images/cloud-protection-flow.png" alt-text="Figure 2. Cloud-delivered protection flow":::
+_Figure 3. Cloud-delivered protection and layered machine learning_
+ > [!Note] >
-> You may also have heard the phrase ΓÇ£Block at first sight (BAFS).ΓÇ¥ BAFSΓÇ¥ refers to the more extensive analysis that the cloud can provide, including things like detonation to provide a more accurate verdict. This can also include delaying the opening of a file that is under interrogation by cloud protection until a verdict is reached. If you disable ΓÇ£Sample Submission,ΓÇ¥ BAFS is disabled, and you cannot do the more extensive analysis and are limited to analyzing file metadata only.
+> You may also have heard the phrase ΓÇ£Block at first sight (BAFS).ΓÇ¥ BAFS refers to the more extensive analysis that the cloud can provide, including things like detonation to provide a more accurate verdict. This can also include delaying the opening of a file that is under interrogation by cloud protection until a verdict is reached. If you disable ΓÇ£Sample Submission,ΓÇ¥ BAFS is disabled, and you cannot do the more extensive analysis and are limited to analyzing file metadata only.
## Cloud Delivered Protection Levels
-Malware detection requires striking a balance between providing the strongest possible protection, while minimizing the number of false positives. Different environments may have tolerance for protection versus risk of false positive. Cloud-delivered protection levels allow the customer to define the tolerance level appropriate for the specific environment. When you enable Cloud Delivered Protection, the protection level is automatically configured to provide strong detection without increasing the risk of detecting legitimate files. If you want to configure a different protection level, see [Specify the cloud-delivered protection level for Microsoft Defender Antivirus - Windows security](/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
+Malware detection requires striking a balance between providing the strongest possible protection, while minimizing the number of false positives. Different environments may have tolerance for protection versus risk of false positive. Cloud-delivered protection levels allow the customer to define the tolerance level appropriate for the specific environment. When you enable Cloud Delivered Protection, the protection level is automatically configured to provide strong detection without increasing the risk of detecting legitimate files. If you want to configure a different protection level, see [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
> [!Note] >
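Review bot: the new "_Figure 3. Cloud-delivered protection and layered machine learning_" caption has no `:::image` element after it, unlike Figures 1 and 2, yet step 3 above says "This model is illustrated in Figure 3"; add the image or remove the caption and the reference. The BAFS note fix removes one stray ΓÇ¥ but leaves the remaining curly-quote mojibake in the `+` line (ΓÇ£Block at first sight (BAFS).ΓÇ¥, ΓÇ£Sample Submission,ΓÇ¥), and caption punctuation is inconsistent (Figure 1 uses a dash, Figures 2 and 3 a period).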
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The \*.blob.core.windows.net URL endpoint can be replaced with the URLs shown in
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs.
-1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Defender for Endpoint sensor is running on.
+1. Download the [Micrsofot Defender for Endpoint Client Analyzer tool](https://aka.ms/mdeanalyzer) to the PC where Defender for Endpoint sensor is running on.
-2. Extract the contents of MDATPClientAnalyzer.zip on the device.
+2. Extract the contents of MDEClientAnalyzer.zip on the device.
3. Open an elevated command-line: 1. Go to **Start** and type **cmd**.
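Review bot: the renamed link text in step 1 has a typo, "Micrsofot Defender for Endpoint Client Analyzer tool"; it should read "Microsoft". While touching the line, "to the PC where Defender for Endpoint sensor is running on" can drop the trailing "on".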
Verify the proxy configuration completed successfully, that WinHTTP can discover
4. Enter the following command and press **Enter**: ```PowerShell
- HardDrivePath\MDATPClientAnalyzer.cmd
+ HardDrivePath\MDEClientAnalyzer.cmd
```
- Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example:
+ Replace *HardDrivePath* with the path where the MDEClientAnalyzer tool was downloaded to, for example:
```PowerShell
- C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd
+ C:\Work\tools\MDEClientAnalyzer\MDEClientAnalyzer.cmd
```
-5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
+5. Extract the *MDEClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
-6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+6. Open *MDEClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
- The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
+ The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDEClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example:
```text Testing URL : https://xxx.microsoft.com/xxx
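Review bot: the two command blocks in step 4 are fenced as ```PowerShell, but MDEClientAnalyzer.cmd is a batch script run from the elevated command prompt opened in step 3, so the fence should be tagged as a console or cmd block rather than PowerShell. Also, step 2 renames the archive to MDEClientAnalyzer.zip while step 1 links through an aka.ms shortlink; confirm the shortlink resolves to the renamed package so the file names in steps 2, 5 and 6 match what the reader downloads.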
If at least one of the connectivity options returns a (200) status, then the Def
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE]
-> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+> The Connectivity Analyzer tool cloud connectivity checks are not compatible with Attack Surface Reduction rule [Block process creations originating from PSExec and WMI commands](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands). You will need to temporarily disable this rule to run the connectivity tool. Alternatively, you can temporarily add [ASR exclusions](/microsoft-365/security/defender-endpoint/customize-attack-surface-reduction.md#exclude-files-and-folders) when running the analyzer.
> > When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can't access the defined proxy.
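Review bot: the two new links in the NOTE use site-absolute paths with a .md suffix (/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md#... and .../customize-attack-surface-reduction.md#...), which mixes two link conventions; elsewhere in this batch the same target is linked as the relative attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands, so use that form. On substance, the note now offers ASR exclusions as an alternative to disabling the rule; lead with the exclusion option and present disabling as the fallback, and say explicitly that whichever change is made is reverted once the analyzer run completes, since "temporarily" is doing a lot of work for a hardening control.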
security Exploit Protection Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection-reference.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Exploit protection provides advanced protections for applications that the IT Pro can apply after the developer has compiled and distributed the software.
security Exposed Apis Create App Nativeapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp.md
If you are not sure which access you need, read the [Introduction page](apis-int
Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
-In general, youΓÇÖll need to take the following steps to use the APIs:
+In general, you'll need to take the following steps to use the APIs:
- Create an AAD application - Get an access token using this application - Use the token to access Defender for Endpoint API
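Review bot: the replacement of `youΓÇÖll` with `you'll` is correct, the old text is a curly apostrophe (U+2019) that was mis-decoded as CP437-style mojibake, but the same `ΓÇÖ`/`ΓÇÿ` sequences recur in exposed-apis-create-app-partners, exposed-apis-create-app-webapp and fix-unhealthy-sensors within this same change set, so a repository-wide search for `ΓÇ` is worth running to catch any instances this batch missed rather than fixing them file by file.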
security Exposed Apis Create App Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners.md
This page describes how to create an Azure Active Directory (Azure AD) applicati
Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
-In general, youΓÇÖll need to take the following steps to use the APIs:
+In general, you'll need to take the following steps to use the APIs:
- Create a **multi-tenant** Azure AD application. - Get authorized(consent) by your customer administrator for your application to access Defender for Endpoint resources it needs. - Get an access token using this application.
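Review bot: the trailing context line `Get authorized(consent) by your customer administrator ...` is missing the space before the parenthesis; since this paragraph is already being edited, change it to `Get authorized (consent) by your customer administrator`.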
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp.md
This page describes how to create an application to get programmatic access to D
Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
-In general, youΓÇÖll need to take the following steps to use the APIs:
+In general, you'll need to take the following steps to use the APIs:
- Create an Azure Active Directory (Azure AD) application. - Get an access token using this application. - Use the token to access Defender for Endpoint API.
security Exposed Apis Full Sample Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-full-sample-powershell.md
ms.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)]
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Full scenario using multiple APIs from Microsoft Defender for Endpoint.
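Review bot: this file now carries the "Want to experience Microsoft Defender for Endpoint? Sign up for a free trial." callout twice, once before the include directives and once after them, and the two copies even use different `ocid` tracking values (`docs-wdatp-exposedapis-abovefoldlink` and `docs-wdatp-enablesiem-abovefoldlink`); the whitespace fix touches both, so drop one of them and keep the `ocid` that matches this article.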
security Exposed Apis Odata Samples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-odata-samples.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
security Fetch Alerts Mssp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fetch-alerts-mssp.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>[!NOTE] >This action is taken by the MSSP.
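Review bot: the whitespace fix is applied to the trial callout only; the `>[!NOTE] >This action is taken by the MSSP.` callout on the trailing context line still uses the no-space `>` form, so apply the same `> [!NOTE]` / `> This action ...` spacing there for consistency with the other callouts rewritten in this change set.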
security Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/files.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
security Find Machine Info By Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machine-info-by-ip.md
localization_priority: Normal audience: ITPro-+
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Find a device by internal IP.
->[!NOTE]
->The timestamp must be within the last 30 days.
+> [!NOTE]
+> The timestamp must be within the last 30 days.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
## HTTP request
-```
+
+```http
GET /api/machines/find(timestamp={time},key={IP}) ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response+ If successful and machine exists - 200 OK. If no machine found - 404 Not Found. - ## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') Content-type: application/json ```
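Review bot: the request example still targets the legacy `https://graph.microsoft.com/testwdatppreview/machines/find(...)` base URL, while every other request example in this change set (for instance `GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files`) uses `https://api.securitycenter.microsoft.com/api/...`; since the fence is being retagged anyway, update the host and path to match the `GET /api/machines/find(timestamp={time},key={IP})` template above, and drop the `Content-type: application/json` header, which has no meaning on a GET whose request body is documented as empty.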
-**Response**
+### Response example
Here is an example of the response.
-The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp.
+The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp.
-```
+```json
HTTP/1.1 200 OK Content-type: application/json {
Content-type: application/json
"computerDnsName": "", "firstSeen": "2017-07-06T01:25:04.9480498Z", "osPlatform": "Windows10",
-…
+...
} ```
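Review bot: the response block is now tagged ```json, but its first lines are `HTTP/1.1 200 OK` and `Content-type: application/json` (the `Content-type` line appears twice), which are not JSON and will not highlight or validate as such; either remove the status and header lines so the block is a valid JSON object, or tag it ```http like the request block. The `…` to `...` change inside the block is fine, but note the block remains illustrative rather than parseable either way.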
security Find Machines By Tag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machines-by-tag.md
useStartsWithFilter|Boolean|When set to true, the search will find all devices w
Empty ## Response+ If successful - 200 OK with list of the machines in the response body. ## Example
security Fix Unhealthy Sensors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md
An inactive device is not necessarily flagged due to an issue. The following act
### Device is not in use
-If the device has not been in use for more than seven days for any reason, it will remain in an ΓÇÿInactiveΓÇÖ status in the portal.
+If the device has not been in use for more than seven days for any reason, it will remain in an 'Inactive' status in the portal.
### Device was reinstalled or renamed
-A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an ΓÇÿInactiveΓÇÖ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.
+A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an 'Inactive' status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally.
### Device was offboarded If the device was offboarded, it will still appear in devices list. After seven days, the device health state should change to inactive.
If the device was offboarded, it will still appear in devices list. After seven
### Device is not sending signals If the device is not sending any signals for more than seven days to any of the Microsoft Defender for Endpoint channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive.
-Do you expect a device to be in ΓÇÿActiveΓÇÖ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
+Do you expect a device to be in 'Active' status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
## Misconfigured devices Misconfigured devices can further be classified to:
The following suggested actions can help fix issues related to a misconfigured d
If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). ### No sensor data
-A misconfigured device with status ΓÇÿNo sensor dataΓÇÖ has communication with the service but can only report partial sensor data.
-Follow theses actions to correct known issues related to a misconfigured device with status ΓÇÿNo sensor dataΓÇÖ:
+A misconfigured device with status 'No sensor data' has communication with the service but can only report partial sensor data.
+Follow theses actions to correct known issues related to a misconfigured device with status 'No sensor data':
- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)</br> The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service.
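Review bot: the rewritten line `Follow theses actions to correct known issues related to a misconfigured device with status 'No sensor data':` carries over the typo "theses"; since the line is being touched for the quote fix, correct it to "Follow these actions".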
security Get Alert Related Files Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-files-info.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-
-> Want to experience Microsoft Defender for Endpoint? [Sign up for free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
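Review bot: the callout text `Sign up for free trial.` drops the article that every other file in this change set uses (`Sign up for a free trial.`); while the whitespace is being fixed, align the wording too.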
-Retrieves all files related to a specific alert.
+Retrieves all files related to a specific alert.
## Limitations+ 1. You can query on alerts last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | File.Read.All | 'Read file profiles'
-Delegated (work or school account) | File.Read.All | 'Read file profiles'
+Application|File.Read.All|'Read file profiles'
+Delegated (work or school account)|File.Read.All|'Read file profiles'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/alerts/{id}/files ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
+If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files ```
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files",
Here is an example of the response.
"fileType": null, "isPeFile": true, "filePublisher": "Microsoft Corporation",
- "fileProductName": "Microsoft� Windows� Operating System",
+ "fileProductName": "Microsoft© Windows© Operating System",
"signer": "Microsoft Corporation", "issuer": "Microsoft Code Signing PCA", "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675",
Here is an example of the response.
"determinationType": "Unknown", "determinationValue": null }
- ...
+ ...
] } ```
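Review bot: the replacement `"fileProductName": "Microsoft© Windows© Operating System"` substitutes the wrong symbol; the product name embedded in the version resource of Windows system binaries is `Microsoft® Windows® Operating System` (registered trademark, U+00AE), and the mis-decoded `�` characters in the `-` line stand for that byte, not the copyright sign. Restore `®` so the sample response matches what the API actually returns for such a file.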
security Get Alert Related Ip Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-ip-info.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves all IPs related to a specific alert.
+Retrieves all IPs related to a specific alert.
## Limitations+ 1. You can query on alerts last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Ip.Read.All | 'Read IP address profiles'
-Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+Application|Ip.Read.All|'Read IP address profiles'
+Delegated (work or school account)|Ip.Read.All|'Read IP address profiles'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/alerts/{id}/ips ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
+If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips ```
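Review bot: the request example `GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips` omits the `/api` path segment that both the request template `GET /api/alerts/{id}/ips` and the sibling files' examples (`.../api/alerts/.../files`, `.../api/alerts/.../machine`) include; add `/api` so a reader copying the example gets the documented route.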
-**Response**
+### Response example
Here is an example of the response. - ```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips",
- "value": [
- {
- "id": "104.80.104.128"
- },
- {
- "id": "23.203.232.228
- }
- ...
- ]
+ "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips",
+ "value": [
+ {
+ "id": "104.80.104.128"
+ },
+ {
+ "id": "23.203.232.228
+ }
+ ...
+ ]
}
-
```
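Review bot: the re-indented `+` lines carry over an unterminated string, `"id": "23.203.232.228` has no closing quote (the defect is present in the `-` lines too), so the block is still not valid JSON even after the reformat; add the closing `"` while the block is being touched. The `@odata.context` value `https://api.securitycenter.microsoft.com/$metadata#Ips` also lacks the `/api` segment that the sibling files use (`https://api.securitycenter.microsoft.com/api/$metadata#Files`).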
security Get Alert Related Machine Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-machine-info.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves [Device](machine.md) related to a specific alert.
+Retrieves [Device](machine.md) related to a specific alert.
## Limitations+ 1. You can query on alerts last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine information'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine information'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
GET /api/alerts/{id}/machine
## Request headers
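Review bot: the HTTP request line `GET /api/alerts/{id}/machine` appears here without the ```http fence that the sibling files in this change set add around the same construct (`GET /api/alerts/{id}/files`, `GET /api/alerts/{id}/ips`, `GET /api/alerts/{id}/user`); if the fence is genuinely absent in the source rather than lost in this rendering, add it so all four alert-related API pages are formatted alike.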
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response+ If successful and alert and device exist - 200 OK. If alert not found or device not found - 404 Not Found. ## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine ```
-**Response**
+### Response example
Here is an example of the response. - ```json {
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2021-01-25T07:27:36.052313Z",
- "osPlatform": "Windows10",
- "osProcessor": "x64",
- "version": "1901",
- "lastIpAddress": "10.166.113.46",
- "lastExternalIpAddress": "167.220.203.175",
- "osBuild": 19042,
- "healthStatus": "Active",
- "deviceValue": "Normal",
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Low",
- "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
- "machineTags": [
- "Tag1",
- "Tag2"
- ],
- "ipAddresses": [
- {
- "ipAddress": "10.166.113.47",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- },
- {
- "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
- "macAddress": "8CEC4B897E73",
- "operationalStatus": "Up"
- }
- ]
+ "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2021-01-25T07:27:36.052313Z",
+ "osPlatform": "Windows10",
+ "osProcessor": "x64",
+ "version": "1901",
+ "lastIpAddress": "10.166.113.46",
+ "lastExternalIpAddress": "167.220.203.175",
+ "osBuild": 19042,
+ "healthStatus": "Active",
+ "deviceValue": "Normal",
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "exposureLevel": "Low",
+ "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028",
+ "machineTags": [
+ "Tag1",
+ "Tag2"
+ ],
+ "ipAddresses": [
+ {
+ "ipAddress": "10.166.113.47",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ },
+ {
+ "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96",
+ "macAddress": "8CEC4B897E73",
+ "operationalStatus": "Up"
+ }
+ ]
} ```
security Get Alert Related User Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-user-info.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves the User related to a specific alert.
+Retrieves the User related to a specific alert.
## Limitations+ 1. You can query on alerts last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | User.Read.All | 'Read user profiles'
-Delegated (work or school account) | User.Read.All | 'Read user profiles'
+Application|User.Read.All|'Read user profiles'
+Delegated (work or school account)|User.Read.All|'Read user profiles'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/alerts/{id}/user ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
+If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user ```
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
security Get Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alerts.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of Alerts.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name
GET /api/alerts
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
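Review bot: only the header row `Name|Type|Description` is compacted here; the separator and data row on the trailing context line (`:|:|: Authorization | String | Bearer {token}. **Required**.`) and the Permissions table header (`Permission type | Permission | Permission display name`) keep the old spaced form, unlike the sibling files in this change set, which rewrite every row of each table. Compact the remaining rows too so the tables are uniform within the file.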
security Get All Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-recommendations.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a list of all security recommendations affecting the organization. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|SecurityRecommendation.Read |'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
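Review bot: the added Delegated row reads `Delegated (work or school account)|SecurityRecommendation.Read |'Read Threat ...` with a stray space before the pipe, exactly the spacing the rest of the hunk sets out to remove; drop it so the cell is `SecurityRecommendation.Read` (harmless to the renderer, but it will trip anyone grepping the docs for the permission name).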
-```
+
+```http
GET /api/recommendations ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
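Review bot: tagging the fence as ```` ```http ```` is the right change, but the same hunk also deletes the blank line that separated the request-headers table from `## Request body`; an ATX heading terminates a GFM table, yet not every renderer of this Markdown treats it that way, so keep the blank line after the last `Authorization|String|...` row rather than relying on the heading to close the table.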
-If successful, this method returns 200 OK with the list of security recommendations in the body.
+If successful, this method returns 200 OK with the list of security recommendations in the body.
## Example
-**Request**
+### Request
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/recommendations ```
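Review bot: `### Request` and `### Response` here, but `### Request example` / `### Response example` in the get-all-vulnerabilities-by-machines and get-all-vulnerabilities files of this same batch; pick one heading text for the Example section across the API reference so the generated anchors and TOC entries are uniform.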
-**Response**
+### Response
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
Here is an example of the response.
"nonProductivityImpactedAssets": 0, "relatedComponent": "Windows 10" }
- ...
+ ...
] } ```+ ## See also+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)-
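Review bot: this hunk only re-indents the `...` placeholder inside the ```json fence; whitespace inside a fenced block is rendered verbatim, so the change is cosmetic, and the placeholder itself leaves the example invalid JSON for anyone who copies it, so either trim the example to a complete object or state in the surrounding text that the `value` array is truncated.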
security Get All Vulnerabilities By Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities-by-machines.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).+ - If the vulnerability has a fixing KB, it will appear in the response. - Supports [OData V4 queries](https://www.odata.org/documentation/). - The OData ```$filter``` is supported on all properties.
->[!Tip]
->This is great API for [Power BI integration](api-power-bi.md).
+> [!TIP]
+> This is great API for [Power BI integration](api-power-bi.md).
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
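Review bot: while rewriting `> This is great API for [Power BI integration](api-power-bi.md).` to use the `[!TIP]` keyword, fix the missing article as well: `> This is a great API for ...`; the alert change is correct but the sentence is reproduced with the grammar error intact.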
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
-```
+
+```http
GET /api/vulnerabilities/machinesVulnerabilities ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities ```
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)",
Here is an example of the response.
"productVersion": "6.3.9600.19728", "severity": "Low" },
- ...
+ ...
] }
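Review bot: the context after the re-indented `...` ends at `] }` with no closing ```` ``` ````, whereas the recommendations and vulnerabilities files end their example with `] } ``` `; confirm the json fence is actually closed in this file, otherwise everything after the example renders as code.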
security Get All Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a list of all the vulnerabilities. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
-```
+
+```http
GET /api/vulnerabilities ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
+If successful, this method returns 200 OK with the list of vulnerabilities in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/Vulnerabilities ```
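Review bot: the example request uses `GET https://api.securitycenter.microsoft.com/api/Vulnerabilities` while the HTTP request block above says `GET /api/vulnerabilities`; whether or not the route is case-insensitive, two spellings on one page read as two different resources, so normalise the example to lowercase `vulnerabilities` while this heading is being edited.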
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Vulnerabilities",
Here is an example of the response.
"exploitTypes": [], "exploitUris": [] }
- ...
+ ...
] } ``` ## See also+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Get Assessment Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-methods-properties.md
Provides methods and property details about the APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data. In general, each API call contains the requisite data for devices in your organization.
-> [!Note]
->
+> [!NOTE]
> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**). You can use the export assessment APIs to retrieve (export) different types of information: - [1. Export secure configurations assessment](#1-export-secure-configurations-assessment)- - [2. Export software inventory assessment](#2-export-software-inventory-assessment)- - [3. Export software vulnerabilities assessment](#3-export-software-vulnerabilities-assessment) The APIs that correspond to the export information types are described in sections 1, 2, and 3.
For each method, there are different API calls to get different types of data. B
- **JSON response** The API pulls all data in your organization as JSON responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results. - **via files** This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:- - Call the API to get a list of download URLs with all your organization data.- - Download all the files using the download URLs and process the data as you like. Data that is collected (using either _JSON response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
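The two collection modes described above, plus the caveat that an export is a point-in-time snapshot the caller must persist, are easiest to see in a small client. The following is an added example, not code from the Microsoft docs or from any Microsoft SDK: it follows `@odata.nextLink` pagination of a JSON-response export (the same envelope the `/api/recommendations` and `/api/vulnerabilities/machinesVulnerabilities` examples on this page show), extracts the download URLs from a *via files* response, and derives the "new" and "fixed" KPIs by comparing two stored snapshots on the documented record key (DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId). Assumptions, not from the page: the placeholder paths `/api/example-export` and `/api/example-export-files`, the camel-cased JSON key names `exportFiles`/`generatedTime`, the injected `transport` callable, and the constructed sample records (`CVE-SAMPLE-*` are placeholders, not real CVEs).

```python
"""Added example, not from the Microsoft docs or an MDE SDK: helpers for
consuming the Defender for Endpoint export-assessment APIs.
Documented facts used: the Authorization: Bearer header, the paginated
JSON envelope ('value' plus @odata.nextLink), the 'via files' envelope of
download URLs, the record key (DeviceId, SoftwareVendor, SoftwareName,
SoftwareVersion, CveId) and the fact that each export is a snapshot with
no history. Everything else (placeholder paths, camel-cased key names,
sample records, the injected transport) is an assumption for the demo."""
from __future__ import annotations
import json
from typing import Callable, Iterable, Iterator
from urllib.request import Request, urlopen

BASE = "https://api.securitycenter.microsoft.com"
Transport = Callable[[str, dict], dict]          # (url, headers) -> parsed JSON body
VULN_KEY = ("deviceId", "softwareVendor", "softwareName", "softwareVersion", "cveId")


def live_transport(url: str, headers: dict) -> dict:
    """Real GET with the bearer token (needs network access and a valid token)."""
    with urlopen(Request(url, headers=headers)) as resp:
        return json.load(resp)


def iter_pages(path: str, token: str, transport: Transport = live_transport) -> Iterator[dict]:
    """Yield every record of a paginated JSON-response export.

    Follows @odata.nextLink until a page without it arrives; the snapshot is
    complete only then. A URL seen twice aborts the walk so a bad nextLink
    cannot spin the client forever.
    """
    if not token:
        raise ValueError("bearer token required")
    headers = {"Authorization": f"Bearer {token}"}
    url = path if path.startswith("https://") else BASE + path
    seen: set[str] = set()
    while url:
        if url in seen:
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        body = transport(url, headers)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def export_file_urls(path: str, token: str, transport: Transport = live_transport) -> tuple[str, list[str]]:
    """Return (GeneratedTime, download URLs) from a 'via files' export.

    The URLs point at Azure Storage and are themselves the credential for the
    data, so keep them out of logs and accept https links only.
    Key names exportFiles/generatedTime are assumed (camel-cased property IDs).
    """
    body = transport(BASE + path, {"Authorization": f"Bearer {token}"})
    return body["generatedTime"], [u for u in body["exportFiles"] if u.startswith("https://")]


def diff_snapshots(previous: Iterable[dict], current: Iterable[dict]) -> dict[str, list[tuple]]:
    """Compare two stored vulnerability snapshots by the documented record key.

    Exports carry no history, so the caller stores each snapshot; keys only in
    `current` are new findings, keys only in `previous` were fixed.
    """
    prev = {tuple(r[k] for k in VULN_KEY) for r in previous}
    cur = {tuple(r[k] for k in VULN_KEY) for r in current}
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur)}


# Constructed sample data (no real devices, software or CVEs): a two-page
# JSON-response export, the previous stored snapshot, and a 'via files'
# response. The paths below are placeholders, not documented endpoints.
_EXPORT = "/api/example-export"


def _rec(device: str, cve: str) -> dict:
    return {"deviceId": device, "softwareVendor": "sample-vendor", "softwareName": "sample-app",
            "softwareVersion": "1.0", "cveId": cve, "vulnerabilitySeverityLevel": "Low"}


SAMPLE_RESPONSES = {
    BASE + _EXPORT: {"value": [_rec("dev-a", "CVE-SAMPLE-1"), _rec("dev-b", "CVE-SAMPLE-1")],
                     "@odata.nextLink": BASE + _EXPORT + "?page=2"},
    BASE + _EXPORT + "?page=2": {"value": [_rec("dev-a", "CVE-SAMPLE-2")]},
    BASE + "/api/example-export-files": {
        "generatedTime": "2021-07-28T03:11:27Z",
        "exportFiles": ["https://example.blob.core.windows.net/part-0001.json.gz",
                        "http://example.blob.core.windows.net/part-0002.json.gz"]},
}
PREVIOUS_SNAPSHOT = [_rec("dev-a", "CVE-SAMPLE-1"), _rec("dev-b", "CVE-SAMPLE-1"),
                     _rec("dev-b", "CVE-SAMPLE-3")]


def sample_transport(url: str, headers: dict) -> dict:
    """Offline stand-in for live_transport that insists on the bearer header."""
    if not headers.get("Authorization", "").startswith("Bearer "):
        raise PermissionError("401: missing bearer token")
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    current = list(iter_pages(_EXPORT, "demo-token", sample_transport))
    print(diff_snapshots(PREVIOUS_SNAPSHOT, current))
    print(export_file_urls("/api/example-export-files", "demo-token", sample_transport))
```

Swap `sample_transport` for `live_transport` and a real token to run it against a tenant; the only thing that changes is the source of the JSON. The loop guard and the https-only filter are the two checks worth keeping in production code: an export that never terminates or a download link rewritten to plain HTTP are both failure modes the page's description does not cover.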
Returns all of the configurations and their status, on a per-device basis.
### 1.1 Methods
-Method | Data type | Description
+Method|Data type|Description
:|:|:
-Export secure configuration assessment **(JSON response)** | Secure configuration by device collection. See: [1.2 Properties (JSON response)](#12-properties-json-response) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
-Export secure configuration assessment **(via files)** | Secure configuration by device collection. See: [1.3 Properties (via files)](#13-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+Export secure configuration assessment **(JSON response)**|Secure configuration by device collection. See: [1.2 Properties (JSON response)](#12-properties-json-response)|Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export secure configuration assessment **(via files)**|Secure configuration by device collection. See: [1.3 Properties (via files)](#13-properties-via-files)|Returns a table with an entry for every unique combination of DeviceId, ConfigurationId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
### 1.2 Properties (JSON response)
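Review bot: the `(via files)` cell in this table embeds `1. Call the API to get a list of download URLs ... 2. Download all the files using the download URLs ...` as a numbered list inside a table cell, which renders as one run-on sentence; the 3.1 table later in the same file uses `<br><br>` to break a multi-paragraph cell, so use that here, or move the two steps out of the cell into the prose above the table, where the same list already appears.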
-Property (ID) | Data type | Description
+Property (ID)|Data type|Description
:|:|:
-ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls
-ConfigurationId | string | Unique identifier for a specific configuration
-ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10)
-ConfigurationName | string | Display name of the configuration
-ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.
-DeviceId | string | Unique identifier for the device in the service.
-DeviceName | string | Fully qualified domain name (FQDN) of the device.
-IsApplicable | bool | Indicates whether the configuration or policy is applicable
-IsCompliant | bool | Indicates whether the configuration or policy is properly configured
-IsExpectedUserImpact | bool | Indicates whether there will be user impact if the configuration will be applied
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
-RecommendationReference | string | A reference to the recommendation ID related to this software.
-Timestamp | string | Last time the configuration was seen on the device
+ConfigurationCategory|string|Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls
+ConfigurationId|string|Unique identifier for a specific configuration
+ConfigurationImpact|string|Rated impact of the configuration to the overall configuration score (1-10)
+ConfigurationName|string|Display name of the configuration
+ConfigurationSubcategory|string|Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.
+DeviceId|string|Unique identifier for the device in the service.
+DeviceName|string|Fully qualified domain name (FQDN) of the device.
+IsApplicable|bool|Indicates whether the configuration or policy is applicable
+IsCompliant|bool|Indicates whether the configuration or policy is properly configured
+IsExpectedUserImpact|bool|Indicates whether there will be user impact if the configuration will be applied
+OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RecommendationReference|string|A reference to the recommendation ID related to this software.
+Timestamp|string|Last time the configuration was seen on the device
### 1.3 Properties (via files)
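Review bot: the substantive fix in this hunk, replacing the mojibake `ΓÇ£Unassigned.ΓÇ¥` / `doesnΓÇÖt` in the RbacGroupName row with plain quotes, is buried under a rewrite of all fourteen rows that only removes pipe spacing; split the whitespace churn from the text fix so the diff shows what actually changed. Two rows also deserve attention while here: `ConfigurationImpact|string|Rated impact of the configuration to the overall configuration score (1-10)` documents a numeric 1-10 value as a string, and the OSPlatform row says `See tvm supported operating systems and platforms for details` with no link to that page.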
-Property (ID) | Data type | Description
+Property (ID)|Data type|Description
:|:|:
-Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
-GeneratedTime | string | The time that the export was generated.
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime|string|The time that the export was generated.
## 2. Export software inventory assessment
Returns all of the installed software and their details on each device.
### 2.1 Methods
-Method | Data type | Description
+Method|Data type|Description
:|:|:
-Export software inventory assessment **(JSON response)** | Software inventory by device collection. See: [2.2 Properties (JSON response)](#22-properties-json-response) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
-Export software inventory assessment **(via files)** | Software inventory by device files. See: [2.3 Properties (via files)](#23-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+Export software inventory assessment **(JSON response)**|Software inventory by device collection. See: [2.2 Properties (JSON response)](#22-properties-json-response)|Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software inventory assessment **(via files)**|Software inventory by device files. See: [2.3 Properties (via files)](#23-properties-via-files)|Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
### 2.2 Properties (JSON response)
-Property (ID) | Data type | Description
+Property (ID)|Data type|Description
:|:|:
-DeviceId | string | Unique identifier for the device in the service.
-DeviceName | string | Fully qualified domain name (FQDN) of the device.
-DiskPaths | Array[string] | Disk evidence that the product is installed on the device.
-EndOfSupportDate | string | The date in which support for this software has or will end.
-EndOfSupportStatus | string | End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.
-Id | string | Unique identifier for the record.
-NumberOfWeaknesses | int|Number of weaknesses on this software on this device
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
-RegistryPaths | Array[string] | Registry evidence that the product is installed in the device.
-SoftwareFirstSeenTimestamp | string | The first time this software was seen on the device.
-SoftwareName | string | Name of the software product.
-SoftwareVendor | string | Name of the software vendor.
-SoftwareVersion | string | Version number of the software product.
+DeviceId|string|Unique identifier for the device in the service.
+DeviceName|string|Fully qualified domain name (FQDN) of the device.
+DiskPaths|Array[string]|Disk evidence that the product is installed on the device.
+EndOfSupportDate|string|The date in which support for this software has or will end.
+EndOfSupportStatus|string|End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.
+Id|string|Unique identifier for the record.
+NumberOfWeaknesses|int|Number of weaknesses on this software on this device
+OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RegistryPaths|Array[string]|Registry evidence that the product is installed in the device.
+SoftwareFirstSeenTimestamp|string|The first time this software was seen on the device.
+SoftwareName|string|Name of the software product.
+SoftwareVendor|string|Name of the software vendor.
+SoftwareVersion|string|Version number of the software product.
### 2.3 Properties (via files)
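Review bot: same pattern as the 1.2 table, a full-table rewrite for pipe spacing carrying one real fix (the `ΓÇ£Unassigned.ΓÇ¥` mojibake in RbacGroupName); beyond that, `EndOfSupportDate|string|The date in which support for this software has or will end.` should read `on which`, and `DiskPaths|Array[string]` / `RegistryPaths|Array[string]` use a different casing and escaping from `array\[string\]` in the via-files tables, so settle on one spelling of the array type.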
-Property (ID) | Data type | Description
+Property (ID)|Data type|Description
:|:|:
-Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
-GeneratedTime | string | The time that the export was generated.
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime|string|The time that the export was generated.
## 3. Export software vulnerabilities assessment
Returns all the known vulnerabilities on a device and their details, for all dev
### 3.1 Methods
-Method | Data type | Description
+Method|Data type|Description
:|:|:
-Export software vulnerabilities assessment **(JSON response)** | Investigation collection See: [3.2 Properties (JSON response)](#32-properties-json-response) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
-Export software vulnerabilities assessment **(via files)** | Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files) | Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
-**Delta export** software vulnerabilities assessment **(JSON response)** | Investigation collection See: [3.4 Properties Delta export (JSON response)](#34-properties-delta-export-json-response) | Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. <br><br> The API pulls data in your organization as JSON responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
+Export software vulnerabilities assessment **(JSON response)**|Investigation collection See: [3.2 Properties (JSON response)](#32-properties-json-response)|Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls all data in your organization as JSON responses. This method is best for small organizations with less than 100-K devices. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+Export software vulnerabilities assessment **(via files)**|Investigation entity See: [3.3 Properties (via files)](#33-properties-via-files)|Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows: 1. Call the API to get a list of download URLs with all your organization data. 2. Download all the files using the download URLs and process the data as you like.
+**Delta export** software vulnerabilities assessment **(JSON response)**|Investigation collection See: [3.4 Properties Delta export (JSON response)](#34-properties-delta-export-json-response)|Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp. <br><br> The API pulls data in your organization as JSON responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed?" or "how many new vulnerabilities were added to my organization?" <br><br> Because the Delta export API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
### 3.2 Properties (JSON response)
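Review bot: the Data type cells `Investigation collection See: [3.2 Properties (JSON response)]` and `Investigation entity See: [3.3 Properties (via files)]` look copied from another API page; the 1.1 and 2.1 tables describe the type as `Secure configuration by device collection` / `Software inventory by device files`, so these should say the equivalent for software vulnerabilities (by device collection / files), and they are also missing the period before `See:` that the other tables have.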
-Property (ID) | Data type | Description
+Property (ID)|Data type|Description
:|:|:
-CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
-CvssScore | string | The CVSS score of the CVE.
-DeviceId | string | Unique identifier for the device in the service.
-DeviceName | string | Fully qualified domain name (FQDN) of the device.
-DiskPaths | Array\[string\] | Disk evidence that the product is installed on the device.
-ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
-FirstSeenTimestamp | string | First time the CVE of this product was seen on the device.
-Id | string | Unique identifier for the record.
-LastSeenTimestamp | string | Last time the CVE was seen on the device.
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
-RecommendationReference | string | A reference to the recommendation ID related to this software.
-RecommendedSecurityUpdate | string | Name or description of the security update provided by the software vendor to address the vulnerability.
-RecommendedSecurityUpdateId | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
-Registry Paths Array\[string\] | Registry evidence that the product is installed in the device.
-SoftwareName | string | Name of the software product.
-SoftwareVendor | string | Name of the software vendor.
-SoftwareVersion | string | Version number of the software product.
-VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
+CveId|string|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
+CvssScore|string|The CVSS score of the CVE.
+DeviceId|string|Unique identifier for the device in the service.
+DeviceName|string|Fully qualified domain name (FQDN) of the device.
+DiskPaths|Array\[string\]|Disk evidence that the product is installed on the device.
+ExploitabilityLevel|string|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
+FirstSeenTimestamp|string|First time the CVE of this product was seen on the device.
+Id|string|Unique identifier for the record.
+LastSeenTimestamp|string|Last time the CVE was seen on the device.
+OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RecommendationReference|string|A reference to the recommendation ID related to this software.
+RecommendedSecurityUpdate|string|Name or description of the security update provided by the software vendor to address the vulnerability.
+RecommendedSecurityUpdateId|string|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
+Registry Paths Array\[string\]|Registry evidence that the product is installed in the device.
+SoftwareName|string|Name of the software product.
+SoftwareVendor|string|Name of the software vendor.
+SoftwareVersion|string|Version number of the software product.
+VulnerabilitySeverityLevel|string|Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
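Review bot: The `+Registry Paths Array\[string\]|Registry evidence that the product is installed in the device.` row is missing the pipe between the property ID and the data type, so it renders as a two-cell row, and the ID is written with a space while the delta table in 3.4 uses `RegistryPaths`; since this hunk rewrites every row of the table anyway, change it to `RegistryPaths|Array\[string\]|Registry evidence that the product is installed in the device.`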
### 3.3 Properties (via files)
-Property (ID) | Data type | Description
+Property (ID)|Data type|Description
:|:|:
-Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization.
-GeneratedTime | string | The time that the export was generated.
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization.
+GeneratedTime|string|The time that the export was generated.
### 3.4 Properties (delta export JSON response)
-Property (ID) | Data type | Description
+Property (ID)|Data type|Description
:|:|:
-CveIdΓÇ»| string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
-CvssScore | string | The CVSS score of the CVE.
-DeviceId | string | Unique identifier for the device in the service.
-DeviceName | string | Fully qualified domain name (FQDN) of the device.
-DiskPaths | Array[string] | Disk evidence that the product is installed on the device.
-EventTimestamp | String | The time this delta event was found.
-ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
-FirstSeenTimestamp | string | First time the CVE of this product was seen on the device.
-Id | string | Unique identifier for the record.  
-LastSeenTimestamp | string | Last time the CVE was seen on the device.
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥
-RecommendationReference | string | A reference to the recommendation ID related to this software.
-RecommendedSecurityUpdateΓÇ» | string | Name or description of the security update provided by the software vendor to address the vulnerability.
-RecommendedSecurityUpdateIdΓÇ» | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
-RegistryPathsΓÇ» | Array[string] | Registry evidence that the product is installed in the device.
-SoftwareName | string | Name of the software product.
-SoftwareVendor | string | Name of the software vendor.
-SoftwareVersion | string | Version number of the software product.
-Status | String | **New** (for a new vulnerability introduced on a device). **Fixed** (for a vulnerability that doesn’t exist anymore on the device, which means it was remediated). **Updated** (for a vulnerability on a device that has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate).
-VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
+CveIdΓÇ»|string|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.
+CvssScore|string|The CVSS score of the CVE.
+DeviceId|string|Unique identifier for the device in the service.
+DeviceName|string|Fully qualified domain name (FQDN) of the device.
+DiskPaths|Array[string]|Disk evidence that the product is installed on the device.
+EventTimestamp|String|The time this delta event was found.
+ExploitabilityLevel|string|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)
+FirstSeenTimestamp|string|First time the CVE of this product was seen on the device.
+Id|string|Unique identifier for the record.  
+LastSeenTimestamp|string|Last time the CVE was seen on the device.
+OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."
+RecommendationReference|string|A reference to the recommendation ID related to this software.
+RecommendedSecurityUpdateΓÇ»|string|Name or description of the security update provided by the software vendor to address the vulnerability.
+RecommendedSecurityUpdateIdΓÇ»|string|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles
+RegistryPathsΓÇ»|Array[string]|Registry evidence that the product is installed in the device.
+SoftwareName|string|Name of the software product.
+SoftwareVendor|string|Name of the software vendor.
+SoftwareVersion|string|Version number of the software product.
+Status|String|**New** (for a new vulnerability introduced on a device). **Fixed** (for a vulnerability that doesn't exist anymore on the device, which means it was remediated). **Updated** (for a vulnerability on a device that has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate).
+VulnerabilitySeverityLevel|string|Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.
## See also - [Export secure configuration assessment per device](get-assessment-secure-config.md)- - [Export software inventory assessment per device](get-assessment-software-inventory.md)- - [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md) Other related - [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)- - [Vulnerabilities in your organization](tvm-weaknesses.md)
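Review bot: The new `CveIdΓÇ»|string|...`, `RecommendedSecurityUpdateΓÇ»|string|...`, `RecommendedSecurityUpdateIdΓÇ»|string|...` and `RegistryPathsΓÇ»|Array[string]|...` rows still carry the stray non-breaking space (shown here as ΓÇ») after the property ID, even though the same hunk replaces the other mis-encoded characters (the curly quotes in the RbacGroupName row); strip it so the IDs match the plain `CveId|string|...` row in 3.2. The `Id|string|Unique identifier for the record.  ` row also keeps two trailing spaces, and 3.2 escapes the type as `Array\[string\]` while 3.4 writes `Array[string]`; use one form in both tables.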
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
Title: Export secure configuration assessment per device description: Returns an entry for every unique combination of DeviceId, ConfigurationId.
-keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
+keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine,
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
ms.technology: mde
-
-
++ # Export secure configuration assessment per device [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
->
Returns all of the configurations and their status, on a per-device basis. There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved:
There are different API calls to get different types of data. Because the amount
Data that is collected (using either _JSON response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-> [!Note]
->
+> [!NOTE]
> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**). ## 1. Export secure configuration assessment (JSON response)
This API response contains the Secure Configuration Assessment on your exp
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
||
-Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|Vulnerability.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|Vulnerability.Read|\'Read Threat and Vulnerability Management vulnerability information\'
### 1.3 URL
GET /api/machines/SecureConfigurationsAssessmentByMachine
### 1.4 Parameters -- pageSize \(default = 50,000\) ΓÇô number of results in response--- \$top ΓÇô number of results to return \(doesnΓÇÖt return \@odata.nextLink and therefore doesnΓÇÖt pull all the data\)
+- pageSize \(default = 50,000\): Number of results in response.
+- \$top: Number of results to return \(doesn't return \@odata.nextLink and therefore doesn't pull all the data\).
### 1.5 Properties
->[!Note]
->
->- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
->
->- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+> [!NOTE]
>-
-Property (ID) | Data type | Description | Example of a returned value
-:|:|:|:
-ConfigurationCategory | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | Security controls
-ConfigurationId | string | Unique identifier for a specific configuration | scid-10000
-ConfigurationImpact | string | Rated impact of the configuration to the overall configuration score (1-10) | 9
-ConfigurationName | string | Display name of the configuration | Onboard devices to Microsoft Defender for Endpoint
-ConfigurationSubcategory | string | Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | Onboard Devices
-DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
-DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
-IsApplicable | bool | Indicates whether the configuration or policy is applicable | true
-IsCompliant | bool | Indicates whether the configuration or policy is properly configured | false
-IsExpectedUserImpact | bool | Indicates whether there will be user impact if the configuration will be applied | true
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
-RecommendationReference | string | A reference to the recommendation ID related to this software. | sca-_-scid-20000
-Timestamp | string | Last time the configuration was seen on the device | 2020-11-03 10:13:34.8476880
+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+
+<br>
+
+****
+
+Property (ID)|Data type|Description|Example of a returned value
+|||
+ConfigurationCategory|string|Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|Security controls
+ConfigurationId|string|Unique identifier for a specific configuration|scid-10000
+ConfigurationImpact|string|Rated impact of the configuration to the overall configuration score (1-10)|9
+ConfigurationName|string|Display name of the configuration|Onboard devices to Microsoft Defender for Endpoint
+ConfigurationSubcategory|string|Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features.|Onboard Devices
+DeviceId|string|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName|string|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com
+IsApplicable|bool|Indicates whether the configuration or policy is applicable|true
+IsCompliant|bool|Indicates whether the configuration or policy is properly configured|false
+IsExpectedUserImpact|bool|Indicates whether there will be user impact if the configuration will be applied|true
+OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.|Windows10
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."|Servers
+RecommendationReference|string|A reference to the recommendation ID related to this software.|sca-_-scid-20000
+Timestamp|string|Last time the configuration was seen on the device|2020-11-03 10:13:34.8476880
+|
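Review bot: The new delimiter row `|||` under `Property (ID)|Data type|Description|Example of a returned value` differs from the `:|:|:|:` row that the software-inventory file keeps for the same four-column table later in this change; align the delimiter row across the files so the rendered tables look the same, and keep the `<br>` / `****` / trailing `|` framing consistent with the inventory table if that is the intended house style.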
### 1.6 Examples #### 1.6.1 Request example ```http
-GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pageSize=5
+GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAssessmentByMachine?pageSize=5
``` #### 1.6.2 Response example
GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAs
            "isCompliant": true,             "isApplicable": true,             "isExpectedUserImpact": false,
-            "configurationName": "Disable insecure administration protocol – Telnet",
+            "configurationName": "Disable insecure administration protocol - Telnet",
            "recommendationReference": "sca-_-scid-10000"         },         {
GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAs
            "isCompliant": true,             "isApplicable": true,             "isExpectedUserImpact": false,
-            "configurationName": "Disable insecure administration protocol – Telnet",
+            "configurationName": "Disable insecure administration protocol - Telnet",
            "recommendationReference": "sca-_-scid-10000"         },         {
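Review bot: Replacing the en dash with a hyphen in `"configurationName": "Disable insecure administration protocol - Telnet"` changes a literal value inside a quoted API response; if the service returns the en dash, the example no longer matches what callers will see, so confirm the actual value and, if it is the en dash, keep it and fix the file encoding instead of the value.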
Rate limitations for this API are 5 calls per minute and 20 calls per hour.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
||
-Application | Vulnerability.Read.All | \'Read "threat and vulnerability management" vulnerability information\'
-Delegated (work or school account) | Vulnerability.Read | \'Read "threat and vulnerability management" vulnerability information\'
+Application|Vulnerability.Read.All|\'Read "threat and vulnerability management" vulnerability information\'
+Delegated (work or school account)|Vulnerability.Read|\'Read "threat and vulnerability management" vulnerability information\'
### 2.3 URL
GET /api/machines/SecureConfigurationsAssessmentExport
### Parameters -- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours).
+- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
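Review bot: The `### Parameters` heading in this hunk has no section number, so the file runs 2.3 URL, Parameters, 2.5 Properties; make it `### 2.4 Parameters` to match the `### 1.4 Parameters` heading used above.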
### 2.5 Properties
->[!Note]
->
->- The files are gzip compressed & in multiline Json format.
+> [!NOTE]
>
->- The download URLs are only valid for 3 hours; otherwise you can use the parameter.
->
->- For maximum download speed of your data, you can make sure you are downloading from the same Azure region in which your data resides.
->
-Property (ID) | Data type | Description | Example of a returned value
-:|:|:|:
-Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
-GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region in which your data resides.
+
+<br>
+
+****
+
+Property (ID)|Data type|Description|Example of a returned value
+|||
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization|["Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
+GeneratedTime|string|The time that the export was generated.|2021-05-20T08:00:00Z
+|
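Review bot: `> - The download URLs are only valid for 3 hours; otherwise you can use the parameter.` still does not say which parameter; since `sasValidHours` is the only parameter of this endpoint, write `otherwise use the sasValidHours parameter (maximum 24 hours)`. The `Export files` example also still starts with `Https://` while the second URL uses `https://`; lowercase it.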
### 2.6 Examples
GET https://api.securitycenter.microsoft.com/api/machines/SecureConfigurationsAs
## See also - [Export assessment methods and properties per device](get-assessment-methods-properties.md)- - [Export software inventory assessment per device](get-assessment-software-inventory.md)- - [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md) Other related - [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)- - [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
ms.technology: mde
-
+ # Export software inventory assessment per device [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
->
There are different API calls to get different types of data. Because the amount of data can be large, there are two ways it can be retrieved: - [Export software inventory assessment **JSON response**](#1-export-software-inventory-assessment-json-response) The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100-K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results. - [Export software inventory assessment **via files**](#2-export-software-inventory-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Therefore, it is recommended for large organizations, with more than 100-K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:- - Call the API to get a list of download URLs with all your organization data.- - Download all the files using the download URLs and process the data as you like. Data that is collected (using either _Json response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
-> [!Note]
->
+> [!NOTE]
> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**). ## 1. Export software inventory assessment (JSON response)
This API response contains all the data of installed software per device. Retu
#### Limitations - Maximum page size is 200,000.- - Rate limitations for this API are 30 calls per minute and 1000 calls per hour. ### 1.2 Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
||
-Application | Software.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | Software.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|Software.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|Software.Read|\'Read Threat and Vulnerability Management vulnerability information\'
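Review bot: The display names in the `Application|Software.Read.All|...` and `Delegated (work or school account)|Software.Read|...` rows are the same string as the `Vulnerability.Read.All` / `Vulnerability.Read` rows in the secure-configuration hunk above (`'Read Threat and Vulnerability Management vulnerability information'`); the Software.* permissions carry their own display name, so check these two rows against the app registration before merging.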
### 1.3 URL
GET /api/machines/SoftwareInventoryByMachine
### 1.4 Parameters -- pageSize (default = 50,000) ΓÇô number of results in response.--- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+- pageSize (default = 50,000): Number of results in response.
+- $top: Number of results to return (doesn't return @odata.nextLink and therefore doesn't pull all the data)
### 1.5 Properties
->[!NOTE]
->
->- Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+> [!NOTE]
>
->- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
->
->- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+> - Each record is approximately 0.5KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+
+<br>
-<br/>
+****
-Property (ID) | Data type | Description | Example of a returned value
+Property (ID)|Data type|Description|Example of a returned value
:|:|:|:
-DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
-DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
-DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | [ "C:\\Program Files (x86)\\Microsoft\\Silverlight\\Application\\silverlight.exe" ]
-EndOfSupportDate | string | The date in which support for this software has or will end. | 2020-12-30
-EndOfSupportStatus | string | End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software. | Upcoming EOS
-Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!
-NumberOfWeaknesses | int | Number of weaknesses on this software on this device | 3
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
-RegistryPaths | Array[string] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Silverlight" ]
-SoftwareFirstSeenTimestamp | string | The first time this software was seen on the device. | 2019-04-07 02:06:47
-SoftwareName | string | Name of the software product. | Silverlight
-SoftwareVendor | string | Name of the software vendor. | microsoft
-SoftwareVersion | string | Version number of the software product. | 81.0.4044.138
+DeviceId|string|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName|string|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com
+DiskPaths|Array[string]|Disk evidence that the product is installed on the device.|[ "C:\\Program Files (x86)\\Microsoft\\Silverlight\\Application\\silverlight.exe" ]
+EndOfSupportDate|string|The date in which support for this software has or will end.|2020-12-30
+EndOfSupportStatus|string|End of support status. Can contain these possible values: None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software.|Upcoming EOS
+Id|string|Unique identifier for the record.|123ABG55_573AG&mnp!
+NumberOfWeaknesses|int|Number of weaknesses on this software on this device|3
+OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.|Windows10
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."|Servers
+RegistryPaths|Array[string]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Microsoft Silverlight" ]
+SoftwareFirstSeenTimestamp|string|The first time this software was seen on the device.|2019-04-07 02:06:47
+SoftwareName|string|Name of the software product.|Silverlight
+SoftwareVendor|string|Name of the software vendor.|microsoft
+SoftwareVersion|string|Version number of the software product.|81.0.4044.138
+|
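Review bot: The `EndOfSupportStatus` row lists the possible values as None, EOS Version, Upcoming EOS Version, EOS Software, Upcoming EOS Software, but its example column says `Upcoming EOS`, which is not one of them; change the example to one of the listed values (for instance `Upcoming EOS Version`) or add the missing value to the list.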
### 1.6 Examples #### 1.6.1 Request example ```http
-GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pageSize=5 &sinceTime=2021-05-19T18%3A35%3A49.924Z
+GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryByMachine?pageSize=5 &sinceTime=2021-05-19T18%3A35%3A49.924Z
``` #### 1.6.2 Response example
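Review bot: The request example `GET .../SoftwareInventoryByMachine?pageSize=5 &sinceTime=2021-05-19T18%3A35%3A49.924Z` keeps a space before `&sinceTime`, which makes the URL invalid as written, and `sinceTime` is not one of the parameters documented in 1.4 (`pageSize`, `$top`); either drop the `sinceTime` part or document the parameter.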
Rate limitations for this API are 5 calls per minute and 20 calls per hour.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
||
-Application | Software.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | Software.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|Software.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|Software.Read|\'Read Threat and Vulnerability Management vulnerability information\'
### 2.3 URL
GET /api/machines/SoftwareInventoryExport
### Parameters -- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours)
+- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours)
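Review bot: As in the secure-configuration file, the `### Parameters` heading here lacks its number; make it `### 2.4 Parameters` so the sequence 2.3 URL, 2.4 Parameters, 2.5 Properties is complete.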
### 2.5 Properties
->[!Note]
->
->- The files are gzip compressed & in multiline JSON format.
->
->- The download URLs are only valid for 3 hours. Otherwise you can use the parameter.
+> [!NOTE]
>
->- For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+> - The files are gzip compressed & in multiline JSON format.
+> - The download URLs are only valid for 3 hours. Otherwise you can use the parameter.
+> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
-<br/><br/>
+<br>
-Property (ID) | Data type | Description | Example of a returned value
+****
+
+Property (ID)|Data type|Description|Example of a returned value
:|:|:|:
-Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization | [ Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
-GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z ]
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization|"[Https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
+GeneratedTime|string|The time that the export was generated.|2021-05-20T08:00:00Z
+|
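Review bot: In the new `Export files` row the opening quote is placed before the bracket (`"[Https://...1", "https://...2"]`), so the JSON array is malformed; the same row in the secure-configuration hunk has the correct form `["https://...1", "https://...2"]` (lowercase the `Https://` as well). The note line `> - The download URLs are only valid for 3 hours. Otherwise you can use the parameter.` should also name `sasValidHours`, the only parameter of this endpoint.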
### 2.6 Examples
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareInventoryExpor
## See also - [Export assessment methods and properties per device](get-assessment-methods-properties.md)- - [Export secure configuration assessment per device](get-assessment-secure-config.md)- - [Export software vulnerabilities assessment per device](get-assessment-software-vulnerabilities.md) Other related - [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)- - [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
Title: Export software vulnerabilities assessment per device
-description: The API response is per device and contains vulnerable software installed on your exposed devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information.
+description: The API response is per device and contains vulnerable software installed on your exposed devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information.
keywords: api, apis, export assessment, per device assessment, vulnerability assessment report, device vulnerability assessment, device vulnerability report, secure configuration assessment, secure configuration report, software vulnerabilities assessment, software vulnerability report, vulnerability report by machine, search.product: eADQiWindows 10XVcnh ms.prod: m365-security
ms.technology: mde
-
+ # Export software vulnerabilities assessment per device [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
->
Returns all known software vulnerabilities and their details for all devices, on a per-device basis. There are different API calls to get different types of data. Because the amount of data can be very large, there are two ways it can be retrieved:
There are different API calls to get different types of data. Because the amount
1. [Export software vulnerabilities assessment **JSON response**](#1-export-software-vulnerabilities-assessment-json-response) The API pulls all data in your organization as Json responses. This method is best for _small organizations with less than 100 K devices_. The response is paginated, so you can use the \@odata.nextLink field from the response to fetch the next results. 2. [Export software vulnerabilities assessment **via files**](#2-export-software-vulnerabilities-assessment-via-files) This API solution enables pulling larger amounts of data faster and more reliably. Via-files is recommended for large organizations, with more than 100 K devices. This API pulls all data in your organization as download files. The response contains URLs to download all the data from Azure Storage. This API enables you to download all your data from Azure Storage as follows:- - Call the API to get a list of download URLs with all your organization data.- - Download all the files using the download URLs and process the data as you like. 3. [Delta export software vulnerabilities assessment **JSON response**](#3-delta-export-software-vulnerabilities-assessment-json-response) Returns a table with an entry for every unique combination of: DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, and EventTimestamp.
-The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. <br><br> Unlike the full "software vulnerabilities assessment (JSON response)" - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥ <br><br> Because the Delta export JSON response API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
+The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results.
+
+ Unlike the full "software vulnerabilities assessment (JSON response)" - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed?" or "how many new vulnerabilities were added to my organization?"
+
+ Because the Delta export JSON response API call for software vulnerabilities returns data for only a targeted date range, it is not considered a _full export_.
Data that is collected (using either _Json response_ or _via files_) is the current snapshot of the current state, and does not contain historic data. In order to collect historic data, customers must save the data in their own data storages.
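Review bot: the two new paragraph lines (`+ Unlike the full ...` and `+ Because the Delta ...`) carry a leading space after the `+`; directly under the numbered list above them, indented lines can be parsed as list continuation, so strip the leading space or indent them deliberately as part of item 3. While splitting this text, also normalize `Json responses` to `JSON responses` (the section headings say JSON) and replace the spaced hyphens in `(JSON response) - which ... by device - the delta` with commas so the parenthetical reads cleanly.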
-> [!Note]
->
+> [!NOTE]
> Unless indicated otherwise, all export assessment methods listed are **_full export_** and **_by device_** (also referred to as **_per device_**). ## 1. Export software vulnerabilities assessment (JSON response)
This API response contains all the data of installed software per device. Retu
#### 1.1.1 Limitations - Maximum page size is 200,000.- - Rate limitations for this API are 30 calls per minute and 1000 calls per hour. ### 1.2 Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
||
-Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|Vulnerability.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|Vulnerability.Read|\'Read Threat and Vulnerability Management vulnerability information\'
### 1.3 URL
GET /api/machines/SoftwareVulnerabilitiesByMachine
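Review bot: the delimiter row between the header and the `Application` row is still `||`, which is not a valid pipe-table delimiter (each cell needs at least one hyphen, e.g. `|---|---|---|`); since this hunk re-spaces the whole table, fix the delimiter at the same time. The `\'` escapes around the display names are unnecessary in Markdown; the 3.2 table in this same file already uses plain `'`.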
### 1.4 Parameters -- pageSize (default = 50,000) ΓÇô number of results in response-- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+- pageSize (default = 50,000): Number of results in response.
+- $top: Number of results to return (doesn't return @odata.nextLink and therefore doesn't pull all the data).
### 1.5 Properties
->[!Note]
->
->- Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+> [!NOTE]
>
->- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
->
->- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+> - Each record is approximately 1 KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+
+<br>
-<br/>
+****
-Property (ID) | Data type | Description | Example of a returned value
+Property (ID)|Data type|Description|Example of a returned value
:|:|:|:
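Review bot: `+<br>` followed directly by `+****` and then the `Property (ID)|...` header leaves no blank line between the thematic break and the table; add a blank line after `****` so the header and delimiter pair is parsed as a table rather than as a paragraph (the 2.5 and 3.5 hunks below do add that blank line). Also confirm that the unchanged `:|:|:|:` delimiter row renders in the docs build: GFM requires at least one hyphen per delimiter cell (`:---|:---|:---|:---`), and a bare `:` is an extension-dependent form.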
-CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992
-CvssScore | string | The CVSS score of the CVE. | 6.2
-DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
-DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com
-DiskPaths | Array\[string\] | Disk evidence that the product is installed on the device. | [ "C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe" ]
-ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) | ExploitIsInKit
-FirstSeenTimestamp | string | First time the CVE of this product was seen on the device. | 2020-11-03 10:13:34.8476880
-Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!
-LastSeenTimestamp | string | Last time the CVE was seen on the device. | 2020-11-03 10:13:34.8476880
-OSPlatform | string | Platform of the operating system running on the device. This property indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be ΓÇ£Unassigned.ΓÇ¥ If the organization doesnΓÇÖt contain any RBAC groups, the value will be ΓÇ£None.ΓÇ¥ | Servers
-RecommendationReference | string | A reference to the recommendation ID related to this software. | va-_-microsoft-_-silverlight
-RecommendedSecurityUpdate (optional) | string | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates
-RecommendedSecurityUpdateId (optional) | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles | 4550961
-RegistryPaths | Array\[string\] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftSilverlight" ]
-SoftwareName | string | Name of the software product. | chrome
-SoftwareVendor | string | Name of the software vendor. | google
-SoftwareVersion | string | Version number of the software product. | 81.0.4044.138
-VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape. | Medium
+CveId|string|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.|CVE-2020-15992
+CvssScore|string|The CVSS score of the CVE.|6.2
+DeviceId|string|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1
+DeviceName|string|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com
+DiskPaths|Array\[string\]|Disk evidence that the product is installed on the device.|[ "C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe" ]
+ExploitabilityLevel|string|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)|ExploitIsInKit
+FirstSeenTimestamp|string|First time the CVE of this product was seen on the device.|2020-11-03 10:13:34.8476880
+Id|string|Unique identifier for the record.|123ABG55_573AG&mnp!
+LastSeenTimestamp|string|Last time the CVE was seen on the device.|2020-11-03 10:13:34.8476880
+OSPlatform|string|Platform of the operating system running on the device. This property indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.|Windows10
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."|Servers
+RecommendationReference|string|A reference to the recommendation ID related to this software.|va-_-microsoft-_-silverlight
+RecommendedSecurityUpdate (optional)|string|Name or description of the security update provided by the software vendor to address the vulnerability.|April 2020 Security Updates
+RecommendedSecurityUpdateId (optional)|string|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles|4550961
+RegistryPaths|Array\[string\]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MicrosoftSilverlight" ]
+SoftwareName|string|Name of the software product.|chrome
+SoftwareVendor|string|Name of the software vendor.|google
+SoftwareVersion|string|Version number of the software product.|81.0.4044.138
+VulnerabilitySeverityLevel|string|Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.|Medium
+|
### 1.6 Examples
Rate limitations for this API are 5 calls per minute and 20 calls per hour.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details](apis-intro.md).
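Review bot: the added `+|` line after `VulnerabilitySeverityLevel` is a lone pipe rather than a table row and should be dropped. Two consistency points in the same table: the `OSPlatform` cell says `See tvm supported operating systems and platforms for details` without a link, unlike the other cross-references on this page, and `DiskPaths`/`RegistryPaths` are typed `Array\[string\]` here but `Array[string]` in the 3.5 table; pick one spelling.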
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
||
-Application | Vulnerability.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | Vulnerability.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|Vulnerability.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|Vulnerability.Read|\'Read Threat and Vulnerability Management vulnerability information\'
### 2.3 URL
GET /api/machines/SoftwareVulnerabilitiesExport
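Review bot: the `||` row under `Permission type|Permission|Permission display name` is not a valid delimiter row (it has no hyphens); use `|---|---|---|` while re-spacing this table, as for the identical 1.2 table.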
### 2.4 Parameters -- sasValidHours ΓÇô The number of hours that the download URLs will be valid for (Maximum 24 hours)
+- sasValidHours: The number of hours that the download URLs will be valid for (Maximum 24 hours).
### 2.5 Properties
->[!Note]
+> [!NOTE]
>
->- The files are gzip compressed & in multiline Json format.
->
->- The download URLs are only valid for 3 hours; otherwise you can use the parameter.
->
->- For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
+> - The files are gzip compressed & in multiline Json format.
+> - The download URLs are only valid for 3 hours; otherwise you can use the parameter.
+> - For maximum download speed of your data, you can make sure you are downloading from the same Azure region that your data resides.
>
+> - Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
->[!Note]
->
->- Each record is approximately 1KB of data. You should take this into account when choosing the correct pageSize parameter for you.
->
->- Some additional columns might be returned in the response. These columns are temporary and might be removed, please use only the documented columns.
->
+<br>
-Property (ID) | Data type | Description | Example of a returned value
+****
+
+Property (ID)|Data type|Description|Example of a returned value
:|:|:|:
-Export files | array\[string\] | A list of download URLs for files holding the current snapshot of the organization. | [ ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1ΓÇ¥, ΓÇ£https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2ΓÇ¥ ]
-GeneratedTime | string | The time that the export was generated. | 2021-05-20T08:00:00Z
+Export files|array\[string\]|A list of download URLs for files holding the current snapshot of the organization.|["https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...1", "https://tvmexportstrstgeus.blob.core.windows.net/tvm-export...2"]
+GeneratedTime|string|The time that the export was generated.|2021-05-20T08:00:00Z
+|
### 2.6 Examples
GET https://api-us.securitycenter.contoso.com/api/machines/SoftwareVulnerabiliti
### 3.1 API method description
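Review bot: the second note group (`+> - Each record is approximately 1KB ... choosing the correct pageSize parameter`) is copied from the JSON API and does not apply here: the via-files API in 2.4 takes only `sasValidHours`, not `pageSize`, so drop that bullet or reword it around file size. In the first group, `+> - The download URLs are only valid for 3 hours; otherwise you can use the parameter.` never names the parameter; say `sasValidHours` (maximum 24 hours per 2.4). The trailing `+|` lone pipe after `GeneratedTime` should also go.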
-Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response)ΓÇöwhich is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by deviceΓÇöthe delta export JSON response API call is used to fetch only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call). Instead of getting a full export with a large amount of data every time, youΓÇÖll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as ΓÇ£how many vulnerabilities were fixed?ΓÇ¥ or ΓÇ£how many new vulnerabilities were added to my organization?ΓÇ¥
+Returns a table with an entry for every unique combination of DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId. The API pulls data in your organization as Json responses. The response is paginated, so you can use the @odata.nextLink field from the response to fetch the next results. Unlike the full software vulnerabilities assessment (JSON response) (which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device) the delta export JSON response API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export JSON response API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed?" or "how many new vulnerabilities were added to my organization?"
->[!NOTE]
->
->It is highly recommended you use the full export software vulnerabilities assessment by device API call at least once a week, and this additional export software vulnerabilities changes by device (delta) API call all the other days of the week. Unlike the other Assessments JSON response APIs, the ΓÇ£delta exportΓÇ¥ is not a full export. The delta export includes only the changes that have happened between a selected date and the current date (the ΓÇ£deltaΓÇ¥ API call).
+> [!NOTE]
+> It is highly recommended you use the full export software vulnerabilities assessment by device API call at least once a week, and this additional export software vulnerabilities changes by device (delta) API call all the other days of the week. Unlike the other Assessments JSON response APIs, the "delta export" is not a full export. The delta export includes only the changes that have happened between a selected date and the current date (the "delta" API call).
#### 3.1.1 Limitations - Maximum page size is 200,000.- - The sinceTime parameter has a maximum of 14 days.- - Rate limitations for this API are 30 calls per minute and 1000 calls per hour. ### 3.2 Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
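Review bot: replacing the em-dashes in `+Returns a table ...` with parentheses produced two back-to-back parentheticals with no comma before the main clause: `(JSON response) (which is used ... by device) the delta export`; rewrite as `Unlike the full software vulnerabilities assessment (JSON response), which is used to obtain ..., the delta export JSON response API call ...`. Note too that this sentence lists the unique key as DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, while overview item 3 earlier in this file also includes EventTimestamp; the two statements should agree.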
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
||
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management vulnerability information'
### 3.3 URL ```http
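Review bot: the `||` delimiter row under the header is not valid for a pipe table (no hyphens in the cells); use `|---|---|---|` while re-spacing this table, as for the 1.2 and 2.2 tables.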
-GET /api/machines/SoftwareVulnerabilityChangesByMachine
+GET /api/machines/SoftwareVulnerabilityChangesByMachine
``` ### 3.4 Parameters -- sinceTime (required) ΓÇô The data between a selected time and today.-- pageSize (default = 50,000) ΓÇô number of results in response-- $top ΓÇô number of results to return (doesnΓÇÖt return @odata.nextLink and therefore doesnΓÇÖt pull all the data)
+- sinceTime (required): The data between a selected time and today.
+- pageSize (default = 50,000): number of results in response.
+- $top: number of results to return (doesn't return @odata.nextLink and therefore doesn't pull all the data).
### 3.5 Properties Each returned record contains all the data from the full export software vulnerabilities assessment by device API, plus two additional fields: _**EventTimestamp**_ and _**Status**_.
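Review bot: `+- sinceTime (required): The data between a selected time and today.` does not state the 14-day maximum given in 3.1.1 or the timestamp format the parameter expects; both belong next to the parameter, since that is where callers look. Also, the `pageSize` and `$top` bullets here start lowercase (`number of results`) while the same bullets in 1.4 start uppercase; make the two lists identical.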
->[!NOTE]
->- Some additional columns might be returned in the response. These columns are temporary and might be removed, so please use only the documented columns.
+> [!NOTE]
>
->- The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
-<br><br/>
+> - Some additional columns might be returned in the response. These columns are temporary and might be removed, so please use only the documented columns.
+> - The properties defined in the following table are listed alphabetically, by property ID. When running this API, the resulting output will not necessarily be returned in the same order listed in this table.
+
+<br>
-Property (ID) | Data type | Description | Example of returned value
+****
+
+Property (ID)|Data type|Description|Example of returned value
:|:|:|:
-CveId | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system. | CVE-2020-15992  
-CvssScore | string | The CVSS score of the CVE. | 6.2  
-DeviceId | string | Unique identifier for the device in the service. | 9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1  
-DeviceName | string | Fully qualified domain name (FQDN) of the device. | johnlaptop.europe.contoso.com  
-DiskPaths | Array[string] | Disk evidence that the product is installed on the device. | [ "C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe" ]  
-EventTimestamp | String | The time this delta event was found. | 2021-01-11T11:06:08.291Z
-ExploitabilityLevel | string | The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit) | ExploitIsInKit  
-FirstSeenTimestamp | string | First time the CVE of this product was seen on the device. | 2020-11-03 10:13:34.8476880  
-Id | string | Unique identifier for the record. | 123ABG55_573AG&mnp!  
-LastSeenTimestamp | string | Last time the CVE was seen on the device. | 2020-11-03 10:13:34.8476880  
-OSPlatform | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details. | Windows10  
-RbacGroupName | string | The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be “Unassigned.” If the organization doesn’t contain any RBAC groups, the value will be “None.” | Servers  
-RecommendationReference | string | A reference to the recommendation ID related to this software. | va--microsoft--silverlight  
-RecommendedSecurityUpdate  | string | Name or description of the security update provided by the software vendor to address the vulnerability. | April 2020 Security Updates  
-RecommendedSecurityUpdateId  | string | Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles | 4550961  
-RegistryPaths  | Array[string] | Registry evidence that the product is installed in the device. | [ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome" ]  
-SoftwareName | string | Name of the software product. | chrome  
-SoftwareVendor | string | Name of the software vendor. | google  
-SoftwareVersion | string | Version number of the software product. | 81.0.4044.138  
-Status | String | **New** (for a new vulnerability introduced on a device) (1) **Fixed** (if this vulnerability doesn’t exist anymore on the device, which means it was remediated). (2) **Updated** (if a vulnerability on a device has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate). | Fixed
-VulnerabilitySeverityLevel | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape. | Medium  
+CveId |string|Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system.|CVE-2020-15992  
+CvssScore|string|The CVSS score of the CVE.|6.2  
+DeviceId|string|Unique identifier for the device in the service.|9eaf3a8b5962e0e6b1af9ec756664a9b823df2d1  
+DeviceName|string|Fully qualified domain name (FQDN) of the device.|johnlaptop.europe.contoso.com  
+DiskPaths|Array[string]|Disk evidence that the product is installed on the device.|["C:\Program Files (x86)\Microsoft\Silverlight\Application\silverlight.exe"]  
+EventTimestamp|String|The time this delta event was found.|2021-01-11T11:06:08.291Z
+ExploitabilityLevel|string|The exploitability level of this vulnerability (NoExploit, ExploitIsPublic, ExploitIsVerified, ExploitIsInKit)|ExploitIsInKit  
+FirstSeenTimestamp|string|First time the CVE of this product was seen on the device.|2020-11-03 10:13:34.8476880  
+Id|string|Unique identifier for the record.|123ABG55_573AG&mnp!  
+LastSeenTimestamp|string|Last time the CVE was seen on the device.|2020-11-03 10:13:34.8476880  
+OSPlatform|string|Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. See tvm supported operating systems and platforms for details.|Windows10  
+RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."|Servers  
+RecommendationReference|string|A reference to the recommendation ID related to this software.|va--microsoft--silverlight  
+RecommendedSecurityUpdate |string|Name or description of the security update provided by the software vendor to address the vulnerability.|April 2020 Security Updates  
+RecommendedSecurityUpdateId |string|Identifier of the applicable security updates or identifier for the corresponding guidance or knowledge base (KB) articles|4550961  
+RegistryPaths |Array[string]|Registry evidence that the product is installed in the device.|[ "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome" ]  
+SoftwareName|string|Name of the software product.|chrome  
+SoftwareVendor|string|Name of the software vendor.|google  
+SoftwareVersion|string|Version number of the software product.|81.0.4044.138  
+Status|String|**New** (for a new vulnerability introduced on a device) (1) **Fixed** (if this vulnerability doesn't exist anymore on the device, which means it was remediated). (2) **Updated** (if a vulnerability on a device has changed. The possible changes are: CVSS score, exploitability level, severity level, DiskPaths, RegistryPaths, RecommendedSecurityUpdate). |Fixed
+VulnerabilitySeverityLevel|string|Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape.|Medium
+|
#### Clarifications -- If the software was updated from version 1.0 to version 2.0, and both versions are exposed to CVE-A, you will receive 2 separate events:
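Review bot: several rows in the new table keep a space before the first pipe (`+CveId |string|`, `+RecommendedSecurityUpdate |`, `+RecommendedSecurityUpdateId |`, `+RegistryPaths |`) and most rows still end with two trailing spaces; since the hunk re-spaces everything, make the cells uniform. Two content points: the `RecommendationReference` example is `va--microsoft--silverlight` here but `va-_-microsoft-_-silverlight` in 1.5 and `va-_-google-_-chrome` in the response sample, so the 1.5 form looks like the real one; and the `Status` cell numbers `Fixed` (1) and `Updated` (2) but not `New`, so either number all three or none. The trailing `+|` lone-pipe line should go.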
- 1. Fixed ΓÇô CVE-A on version 1.0 was fixed
- 1. New ΓÇô CVE-A on version 2.0 was added
+- If the software was updated from version 1.0 to version 2.0, and both versions are exposed to CVE-A, you will receive 2 separate events:
+ 1. Fixed: CVE-A on version 1.0 was fixed.
+ 1. New: CVE-A on version 2.0 was added.
-- If a specific vulnerability (for example, CVE-A) was first seen at a specific time (for example, January 10) on software with version 1.0, and a few days later that software was updated to version 2.0 which also exposed to the same CVE-A, you will receive these two separated events:
- 1. Fixed ΓÇô CVE-X, FirstSeenTimestamp January 10, version 1,0.
- 1. New ΓÇô CVE-X, FirstSeenTimestamp January 10, version 2.0.
+- If a specific vulnerability (for example, CVE-A) was first seen at a specific time (for example, January 10) on software with version 1.0, and a few days later that software was updated to version 2.0 which also exposed to the same CVE-A, you will receive these two separated events:
+ 1. Fixed: CVE-X, FirstSeenTimestamp January 10, version 1,0.
+ 1. New: CVE-X, FirstSeenTimestamp January 10, version 2.0.
### 3.6 Examples
GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityC
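Review bot: the second clarification bullet names the vulnerability `CVE-A` in its lead sentence but `CVE-X` in both events (`+ 1. Fixed: CVE-X, ...`, `+ 1. New: CVE-X, ...`); use one identifier throughout. In the same bullet, `version 1,0` should be `version 1.0`, `which also exposed to the same CVE-A` should be `which is also exposed to the same CVE-A`, and `two separated events` should be `two separate events` (the first bullet already says `2 separate events`).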
#### 3.6.2 Response example ```json
-{
-    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.DeltaAssetVulnerability)",
-    "value": [
-        {
-            "id": "008198251234544f7dfa715e278d4cec0c16c171_chrome_87.0.4280.88__",
-            "deviceId": "008198251234544f7dfa715e278b4cec0c19c171",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_1c8fee370690ca24b6a0d3f34d193b0424943a8b8.DomainPII_0dc1aee0fa366d175e514bd91a9e7a5b2b07ee8e.corp.contoso.com",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.19042.685",
-            "osArchitecture": "x64",
-            "softwareVendor": "google",
-            "softwareName": "chrome",
-            "softwareVersion": "87.0.4280.88",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [
-                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
-            ],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome"
-            ],
-            "lastSeenTimestamp": "2021-01-04 00:29:42",
-            "firstSeenTimestamp": "2020-11-06 03:12:44",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-google-_-chrome",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "00e59c61234533860738ecf488eec8abf296e41e_onedrive_20.64.329.3__",
-            "deviceId": "00e56c91234533860738ecf488eec8abf296e41e",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_82c13a8ad8cf3dbaf7bf34fada9fa3aebc124116.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.18363.1256",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "onedrive",
-            "softwareVersion": "20.64.329.3",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_USERS\\S-1-5-21-2127521184-1604012920-1887927527-24918864\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
-            ],
-            "lastSeenTimestamp": "2020-12-11 19:49:48",
-            "firstSeenTimestamp": "2020-12-07 18:25:47",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-onedrive",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "01aa8c73095bb12345918663f3f94ce322107d24_firefox_83.0.0.0_CVE-2020-26971_",
-            "deviceId": "01aa8c73065bb12345918693f3f94ce322107d24",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_42684eb981bea2d670027e7ad2caafd3f2b381a3.DomainPII_21eed80b086e76dbfa178eabfa25e8de9acfa346.corp.contoso.com",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.19042.685",
-            "osArchitecture": "x64",
-            "softwareVendor": "mozilla",
-            "softwareName": "firefox",
-            "softwareVersion": "83.0.0.0",
-            "cveId": "CVE-2020-26971",
-            "vulnerabilitySeverityLevel": "High",
-            "recommendedSecurityUpdate": "193220",
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [
-                "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
-            ],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 83.0 (x86 en-US)"
-            ],
-            "lastSeenTimestamp": "2021-01-05 17:04:30",
-            "firstSeenTimestamp": "2020-05-06 12:42:19",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-mozilla-_-firefox",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "026f0fcb12345fbd2decd1a339702131422d362e_project_16.0.13701.20000__",
-            "deviceId": "029f0fcb13245fbd2decd1a336702131422d392e",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_a5706750acba75f15d69cd17f4a7fcd268d6422c.DomainPII_f290e982685f7e8eee168b4332e0ae5d2a069cd6.corp.contoso.com",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.19042.685",
-            "osArchitecture": "x64",
-            "softwareVendor": "microsoft",
-            "softwareName": "project",
-            "softwareVersion": "16.0.13701.20000",
-            "cveId": null,
-            "vulnerabilitySeverityLevel": null,
-            "recommendedSecurityUpdate": null,
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ProjectProRetail - en-us"
-            ],
-            "lastSeenTimestamp": "2021-01-03 23:38:03",
-            "firstSeenTimestamp": "2019-08-01 22:56:12",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-microsoft-_-project",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        },
-        {
-            "id": "038df381234510b357ac19d0113ef622e4e212b3_chrome_81.0.4044.138_CVE-2020-16011_",
-            "deviceId": "038df381234510d357ac19b0113ef922e4e212b3",
-            "rbacGroupName": "hhh",
-            "deviceName": "ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596a43a2ef2bbfa00f6a16c0cb1d108bc63e32.DomainPII_3c5fefd2e6fda2f36257359404f6c1092aa6d4b8.net",
-            "osPlatform": "Windows10",
-            "osVersion": "10.0.18363.1256",
-            "osArchitecture": "x64",
-            "softwareVendor": "google",
-            "softwareName": "chrome",
-            "softwareVersion": "81.0.4044.138",
-            "cveId": "CVE-2020-16011",
-            "vulnerabilitySeverityLevel": "High",
-            "recommendedSecurityUpdate": "ADV 200002",
-            "recommendedSecurityUpdateId": null,
-            "recommendedSecurityUpdateUrl": null,
-            "diskPaths": [
-                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
-            ],
-            "registryPaths": [
-                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-E3C54949024A}"
-            ],
-            "lastSeenTimestamp": "2020-12-10 22:45:41",
-            "firstSeenTimestamp": "2020-07-26 02:13:43",
-            "exploitabilityLevel": "NoExploit",
-            "recommendationReference": "va-_-google-_-chrome",
-            "status": "Fixed",
-            "eventTimestamp": "2021-01-11T11:06:08.291Z"
-        }
-    ],
-    "@odata.nextLink": "https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-01-11&pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
-}
+{
+    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.DeltaAssetVulnerability)",
+    "value": [
+        {
+            "id": "008198251234544f7dfa715e278d4cec0c16c171_chrome_87.0.4280.88__",
+            "deviceId": "008198251234544f7dfa715e278b4cec0c19c171",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_1c8fee370690ca24b6a0d3f34d193b0424943a8b8.DomainPII_0dc1aee0fa366d175e514bd91a9e7a5b2b07ee8e.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.19042.685",
+            "osArchitecture": "x64",
+            "softwareVendor": "google",
+            "softwareName": "chrome",
+            "softwareVersion": "87.0.4280.88",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [
+                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
+            ],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Google Chrome"
+            ],
+            "lastSeenTimestamp": "2021-01-04 00:29:42",
+            "firstSeenTimestamp": "2020-11-06 03:12:44",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-google-_-chrome",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "00e59c61234533860738ecf488eec8abf296e41e_onedrive_20.64.329.3__",
+            "deviceId": "00e56c91234533860738ecf488eec8abf296e41e",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_82c13a8ad8cf3dbaf7bf34fada9fa3aebc124116.DomainPII_21eeb80d086e79dbfa178eadfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.18363.1256",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "onedrive",
+            "softwareVersion": "20.64.329.3",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_USERS\\S-1-5-21-2127521184-1604012920-1887927527-24918864\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\OneDriveSetup.exe"
+            ],
+            "lastSeenTimestamp": "2020-12-11 19:49:48",
+            "firstSeenTimestamp": "2020-12-07 18:25:47",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-onedrive",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "01aa8c73095bb12345918663f3f94ce322107d24_firefox_83.0.0.0_CVE-2020-26971_",
+            "deviceId": "01aa8c73065bb12345918693f3f94ce322107d24",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_42684eb981bea2d670027e7ad2caafd3f2b381a3.DomainPII_21eed80b086e76dbfa178eabfa25e8de9acfa346.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.19042.685",
+            "osArchitecture": "x64",
+            "softwareVendor": "mozilla",
+            "softwareName": "firefox",
+            "softwareVersion": "83.0.0.0",
+            "cveId": "CVE-2020-26971",
+            "vulnerabilitySeverityLevel": "High",
+            "recommendedSecurityUpdate": "193220",
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [
+                "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe"
+            ],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Mozilla Firefox 83.0 (x86 en-US)"
+            ],
+            "lastSeenTimestamp": "2021-01-05 17:04:30",
+            "firstSeenTimestamp": "2020-05-06 12:42:19",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-mozilla-_-firefox",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "026f0fcb12345fbd2decd1a339702131422d362e_project_16.0.13701.20000__",
+            "deviceId": "029f0fcb13245fbd2decd1a336702131422d392e",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_a5706750acba75f15d69cd17f4a7fcd268d6422c.DomainPII_f290e982685f7e8eee168b4332e0ae5d2a069cd6.corp.contoso.com",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.19042.685",
+            "osArchitecture": "x64",
+            "softwareVendor": "microsoft",
+            "softwareName": "project",
+            "softwareVersion": "16.0.13701.20000",
+            "cveId": null,
+            "vulnerabilitySeverityLevel": null,
+            "recommendedSecurityUpdate": null,
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ProjectProRetail - en-us"
+            ],
+            "lastSeenTimestamp": "2021-01-03 23:38:03",
+            "firstSeenTimestamp": "2019-08-01 22:56:12",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-microsoft-_-project",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        },
+        {
+            "id": "038df381234510b357ac19d0113ef622e4e212b3_chrome_81.0.4044.138_CVE-2020-16011_",
+            "deviceId": "038df381234510d357ac19b0113ef922e4e212b3",
+            "rbacGroupName": "hhh",
+            "deviceName": "ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596a43a2ef2bbfa00f6a16c0cb1d108bc63e32.DomainPII_3c5fefd2e6fda2f36257359404f6c1092aa6d4b8.net",
+            "osPlatform": "Windows10",
+            "osVersion": "10.0.18363.1256",
+            "osArchitecture": "x64",
+            "softwareVendor": "google",
+            "softwareName": "chrome",
+            "softwareVersion": "81.0.4044.138",
+            "cveId": "CVE-2020-16011",
+            "vulnerabilitySeverityLevel": "High",
+            "recommendedSecurityUpdate": "ADV 200002",
+            "recommendedSecurityUpdateId": null,
+            "recommendedSecurityUpdateUrl": null,
+            "diskPaths": [
+                "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"
+            ],
+            "registryPaths": [
+                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{C4EBFDFD-0C55-3E5F-A919-E3C54949024A}"
+            ],
+            "lastSeenTimestamp": "2020-12-10 22:45:41",
+            "firstSeenTimestamp": "2020-07-26 02:13:43",
+            "exploitabilityLevel": "NoExploit",
+            "recommendationReference": "va-_-google-_-chrome",
+            "status": "Fixed",
+            "eventTimestamp": "2021-01-11T11:06:08.291Z"
+        }
+    ],
+    "@odata.nextLink": "https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-01-11&pagesize=5&$skiptoken=eyJFeHBvcnREZWZpbml0aW9uIjp7IlRpbWVQYXRoIjoiMjAyMS0wMS0xMS8xMTAxLyJ9LCJFeHBvcnRGaWxlSW5kZXgiOjAsIkxpbmVTdG9wcGVkQXQiOjV9"
+}
``` ## See also - [Export assessment methods and properties per device](get-assessment-methods-properties.md)- - [Export secure configuration assessment per device](get-assessment-secure-config.md)- - [Export software inventory assessment per device](get-assessment-software-inventory.md) Other related - [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)- - [Vulnerabilities in your organization](tvm-weaknesses.md)
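Review bot: the visible part of the removed response block and the re-added one are identical line for line, so this is most likely a whitespace or line-ending change; worth confirming that is the intent so the diff is not mistaken for a content update. While the block is being touched, two things in it deserve a fix. First, `@odata.nextLink` still points at `https://wpatdadi-eus-stg.cloudapp.net/api/machines/SoftwareVulnerabilitiesTimeline?sincetime=2021-01-11&pagesize=5&$skiptoken=...`, an internal staging host, while `@odata.context` uses `https://api.securitycenter.microsoft.com/api/...`; readers who copy the example into pagination code will follow a staging URL, so the nextLink should use the same public API host. Second, the sample data is not self-consistent: in the first entry the `id` prefix `008198251234544f7dfa715e278d4cec0c16c171` does not match `deviceId` `008198251234544f7dfa715e278b4cec0c19c171`, and the same mismatch appears in the other four entries (for example `00e59c6123...` versus `00e56c9123...`). If the ids are meant to be scrambled, scrambling them identically in both fields would keep the example coherent.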
security Get Cvekbmap Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-cvekbmap-collection.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
ms.technology: mde
Retrieves a map of CVE's to KB's and CVE details. ## Permissions+ User needs read permissions. ## HTTP request
-```
+
+```http
GET /testwdatppreview/cvekbmap ``` ## Request headers
-Header | Value
+Header|Value
:|:
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
+Authorization|Bearer {token}. **Required**.
+Content type|application/json
## Request body+ Empty ## Response+ If successful and map exists - 200 OK. ## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://graph.microsoft.com/testwdatppreview/CveKbMap ```
-**Response**
+### Response example
Here is an example of the response.
Here is an example of the response.
"title": "Cumulative Security Update for Internet Explorer", "severity": "Critical" },
- …
+ ...
}- ```
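Review bot: the request example `GET https://graph.microsoft.com/testwdatppreview/CveKbMap` does not agree with the HTTP request line `GET /testwdatppreview/cvekbmap` (different casing of the path) and uses a `graph.microsoft.com` host, whereas every other endpoint page in this change uses `https://api.securitycenter.microsoft.com/api/...`; since this commit only reformats the page, it is a good moment to align host and path or to say plainly that this is a preview endpoint with its own base URL. The Permissions section still reads just "User needs read permissions" where the sibling pages (Get Device Secure Score, Get Domain Statistics, Get File Information) give a table of application and delegated scopes; naming the scope would make the page usable for app registration. Minor: "CVE's to KB's" should be "CVEs to KBs".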
security Get Device Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-device-secure-score.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] -
-Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
+Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+Application|Score.Read.All|'Read Threat and Vulnerability Management score'
+Delegated (work or school account)|Score.Read|'Read Threat and Vulnerability Management score'
## HTTP request
-```
+```http
GET /api/configurationScore ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
+Authorization|String|Bearer {token}. **Required**.
## Request body
If successful, this method returns 200 OK, with the device secure score data in
## Example
-### Request
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/configurationScore ```
-### Response
+### Response example
Here is an example of the response.
->[!NOTE]
->The response list shown here may be truncated for brevity.
+> [!NOTE]
+> The response list shown here may be truncated for brevity.
```json {
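Review bot: the `Score.Read.Alll` to `Score.Read.All` correction is the one substantive fix in this region and is right; the delegated row `Score.Read` matches what the Get Exposure Score page in this same change lists, so the two pages are now consistent. The description sentence "A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks" appears to differ only in whitespace between the removed and added lines and still reads awkwardly; "more resilient to attack" would do.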
security Get Discovered Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-discovered-vulnerabilities.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulne
## HTTP request
-```
+```http
GET /api/machines/{machineId}/vulnerabilities ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
security Get Domain Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-alerts.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name
Application | Alert.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request
GET /api/domains/{domain}/alerts
| Authorization | String | ## Request body+ Empty ## Response
-If successful and domain exists - 200 OK with list of [alert](alerts.md) entities. If domain does not exist - 404 Not Found.
+If successful and domain exists - 200 OK with list of [alert](alerts.md) entities. If domain does not exist - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
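Review bot: the note block is only half converted. The first bullet became `> - The user needs to have at least the following role permission...` with a blank `>` line before it, but the second bullet on the very next line still reads `>- Response will include only alerts, associated with devices, that the user have access to...` in the old style, so the rendered list will be inconsistent. Updating that line to `> - ` as well, and fixing "that the user have access to" to "that the user has access to" (and dropping the stray commas around "associated with devices"), would complete the change. Also, the example heading became `### Request` here while the other pages in this change use `### Request example`; pick one and use it throughout.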
security Get Domain Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-machines.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves a collection of [Machines](machine.md) that have communicated to or from a given domain address.
+Retrieves a collection of [Machines](machine.md) that have communicated to or from a given domain address.
## Limitations+ 1. You can query on devices last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request+ ```http GET /api/domains/{domain}/machines ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and domain exists - 200 OK with list of [machine](machine.md) entities. If domain do not exist - 404 Not Found.
+If successful and domain exists - 200 OK with list of [machine](machine.md) entities. If domain do not exist - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
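Review bot: same heading inconsistency as the alerts page: `**Request**` became `### Request` here, while the statistics and file pages in this change use `### Request example`. The response sentence "If domain do not exist - 404 Not Found." appears to differ only in trailing whitespace between the removed and added lines and keeps the grammar error; "If the domain does not exist" is what the alerts page already says. Limitation 1, "You can query on devices last updated according to your configured retention period", would be clearer as "Only devices seen within your configured retention period are returned".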
security Get Domain Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-statistics.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves the statistics on the given domain.
+Retrieves the statistics on the given domain.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | URL.Read.All | 'Read URLs'
-Delegated (work or school account) | URL.Read.All | 'Read URLs'
+Application|URL.Read.All|'Read URLs'
+Delegated (work or school account)|URL.Read.All|'Read URLs'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
-```
+
+```http
GET /api/domains/{domain}/stats ``` ## Request headers
-Header | Value
+Header|Value
:|:
-Authorization | Bearer {token}. **Required**.
+Authorization|Bearer {token}. **Required**.
## Request URI parameters
-Name | Type | Description
+Name|Type|Description
:|:|:
-lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
+lookBackHours|Int32|Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body+ Empty ## Response
-If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
+If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ```
-**Response**
+### Response example
Here is an example of the response. - ```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
- "host": "example.com",
- "organizationPrevalence": 4070,
- "orgFirstSeen": "2017-07-30T13:23:48Z",
- "orgLastSeen": "2017-08-29T13:09:05Z"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
+ "host": "example.com",
+ "organizationPrevalence": 4070,
+ "orgFirstSeen": "2017-07-30T13:23:48Z",
+ "orgLastSeen": "2017-08-29T13:09:05Z"
} ```
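Review bot: the `lookBackHours` row says "Defines the hours we search back to get the statistics. Defaults to 30 days." The parameter is expressed in hours but the default is given in days; stating the default as 720 hours (30 days) removes the unit mismatch, and "Defines how many hours back to search when computing the statistics" reads better than "the hours we search back". The request example uses `lookBackHours=48`, yet the response example reports `orgFirstSeen` 2017-07-30 and `orgLastSeen` 2017-08-29, a month apart; if those fields are scoped to the lookback window they cannot come from a 48-hour query, and if they are all-time values the row should say so. Either way the two halves of the example should be made to agree.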
security Get Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-exposure-score.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability
## HTTP request
-```
+```http
GET /api/exposureScore ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
security Get File Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-information.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves a [File](files.md) by identifier Sha1, or Sha256
+Retrieves a [File](files.md) by identifier Sha1, or Sha256
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md).
+
+Permission type|Permission|Permission display name
:|:|:
-Application | File.Read.All | 'Read all file profiles'
-Delegated (work or school account) | File.Read.All | 'Read all file profiles'
+Application|File.Read.All|'Read all file profiles'
+Delegated (work or school account)|File.Read.All|'Read all file profiles'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
-```
+
+```http
GET /api/files/{id} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and file exists - 200 OK with the [file](files.md) entity in the body. If file does not exist - 404 Not Found.
+If successful and file exists - 200 OK with the [file](files.md) entity in the body. If file does not exist - 404 Not Found.
## Example
-**Request**
+### Request example
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ```
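Review bot: The request heading is renamed to "### Request example" here (and the response to "### Response example"), but the same change uses bare "### Request" in get-file-related-alerts.md, get-file-related-machines.md and get-ip-related-alerts.md; pick one form for the whole batch.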
-**Response**
+### Response example
Here is an example of the response. - ```json {
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",
- "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
- "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
- "globalPrevalence": 180022,
- "globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
- "globalLastObserved": "2020-01-06T03:59:21.3229314Z",
- "size": 22139496,
- "fileType": "APP",
- "isPeFile": true,
- "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
- "fileProductName": "EaseUS MobiSaver for Android",
- "signer": "CHENGDU YIWO Tech Development Co., Ltd.",
- "issuer": "VeriSign Class 3 Code Signing 2010 CA",
- "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
- "isValidCertificate": false,
- "determinationType": "Pua",
- "determinationValue": "PUA:Win32/FusionCore"
+ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",
+ "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
+ "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
+ "globalPrevalence": 180022,
+ "globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
+ "globalLastObserved": "2020-01-06T03:59:21.3229314Z",
+ "size": 22139496,
+ "fileType": "APP",
+ "isPeFile": true,
+ "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
+ "fileProductName": "EaseUS MobiSaver for Android",
+ "signer": "CHENGDU YIWO Tech Development Co., Ltd.",
+ "issuer": "VeriSign Class 3 Code Signing 2010 CA",
+ "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
+ "isValidCertificate": false,
+ "determinationType": "Pua",
+ "determinationValue": "PUA:Win32/FusionCore"
} ```
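Review bot: The re-indented sample response shows "signer" and "issuer" populated while "isValidCertificate" is false, and nothing on the page says what isValidCertificate means; add a sentence to the Response section stating that a named signer alone does not indicate a valid signature and that isValidCertificate is the field to check, otherwise readers will take the publisher strings as a trust signal.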
security Get File Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-alerts.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves a collection of alerts related to a given file hash.
+Retrieves a collection of alerts related to a given file hash.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+Application|Alert.Read.All|'Read all alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
+Delegated (work or school account)|Alert.Read|'Read alerts'
+Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
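Review bot: The reformatted second bullet keeps "devices, that the user have access to" with a number-agreement error and stray commas; since the line is rewritten anyway, make it "Response includes only alerts associated with devices that the user has access to, based on device group settings". The same sentence appears in get-file-related-machines.md and get-ip-related-alerts.md in this change.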
-```
+
+```http
GET /api/files/{id}/alerts ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file does not exist - 404 Not Found.
+If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file does not exist - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
security Get File Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-machines.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves a collection of [Machines](machine.md) related to a given file hash.
+Retrieves a collection of [Machines](machine.md) related to a given file hash.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
GET /api/files/{id}/machines ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file does not exist - 404 Not Found.
+If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file does not exist - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
security Get File Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-statistics.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves the statistics for the given file.
+Retrieves the statistics for the given file.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | File.Read.All | 'Read file profiles'
-Delegated (work or school account) | File.Read.All | 'Read file profiles'
+Application|File.Read.All|'Read file profiles'
+Delegated (work or school account)|File.Read.All|'Read file profiles'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
-```
+
+```http
GET /api/files/{id}/stats ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
+Authorization|String|Bearer {token}. **Required**.
## Request URI parameters
-Name | Type | Description
+Name|Type|Description
:|:|:
-lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
+lookBackHours|Int32|Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body+ Empty ## Response
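Review bot: The lookBackHours row says the parameter is in hours but states its default as "30 days"; give the default in the parameter's own unit (720 hours, that is 30 days) and say whether larger values are accepted. The Response line directly below also keeps "If file do not exist"; it should read "If the file does not exist - 404 Not Found." The same lookBackHours row appears in get-ip-statistics.md.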
-If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
+If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
## Example
-**Request**
+### Request example
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ```
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"MREC.exe" ] }- ```
security Get Installed Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-installed-software.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of installed software related to a given device ID. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+Application |Software.Read.All|'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management Software information'
## HTTP request
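Review bot: The Application row is normalized to "Application |Software.Read.All" and keeps a space before the first pipe, unlike every other row this change touches; drop it so the row matches the Delegated row below.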
-```
+
+```http
GET /api/machines/{machineId}/software ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the installed software information in the body.
+If successful, this method returns 200 OK with the installed software information in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ```
-**Response**
+### Response example
Here is an example of the response. -
-```
+```json
{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software", "value": [
security Get Investigation Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-investigation-collection.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description+ Retrieves a collection of [Investigations](investigation.md).
-<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's ```$filter``` query is supported on: ```startTime```, ```state```, ```machineId``` and ```triggeringAlertId``` properties.
-<br>See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
+Supports [OData V4 queries](https://www.odata.org/documentation/).
+
+The OData's `$filter` query is supported on: `startTime`, `state`, `machineId` and `triggeringAlertId` properties.
+
+See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
## Limitations
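Review bot: Splitting the three `<br>`-joined lines into paragraphs is right, but the last one, "See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)", still lacks a terminating period, and "The OData's `$filter` query" should be "The OData `$filter` query".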
-1. Maximum page size is 10,000.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Maximum page size is 10,000.
+2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
+Application|Alert.Read.All|'Read all alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
+Delegated (work or school account)|Alert.Read|'Read alerts'
+Delegated (work or school account)|Alert.ReadWrite|'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
-```
+
+```http
GET https://api.securitycenter.microsoft.com/api/investigations ``` ## Request headers
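Review bot: The HTTP request block uses the absolute URL https://api.securitycenter.microsoft.com/api/investigations, while the sibling pages in this change show the path only (for example GET /api/files/{id}); given the US Government URI include at the top of the page, the path-only form avoids pointing government readers at the commercial host.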
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities.
+If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities.
## Example
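Review bot: "returns 200, Ok response code" is not the status line; write "returns 200 OK with a collection of [Investigations](investigation.md) entities" as the other pages do (compare "200 OK with the [file](files.md) entity" in get-file.md).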
-**Request**
+### Request example
-Here is an example of a request to get all investigations:
+Here is an example of a request to get all investigations:
-```
+```http
GET https://api.securitycenter.microsoft.com/api/investigations ```
-**Response**
+### Response example
Here is an example of the response:
"computerDnsName": "desktop-gtrcon0", "triggeringAlertId": "da637139166940871892_-598649278" }
- ...
+ ...
] } ```
security Get Investigation Object https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-investigation-object.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves specific [Investigation](investigation.md) by its ID.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Application|Alert.Read.All|'Read all alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
-```
+
+```http
GET https://api.securitycenter.microsoft.com/api/investigations/{id} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. - ## Request body+ Empty ## Response+ If successful, this method returns 200, Ok response code with a [Investigations](investigation.md) entity.
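Review bot: The Response sentence in this region reads "with a [Investigations](investigation.md) entity"; it should be "with an [Investigation](investigation.md) entity", since this endpoint returns a single object by ID.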
security Get Ip Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-related-alerts.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of alerts related to a given IP address.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Application|Alert.Read.All|'Read all alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request
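Review bot: Only the first NOTE bullet was converted to the "> - " form; the second bullet, ">- Response will include only alerts, associated with devices, that the user have access to ...", is left in the old style and still carries the "user have" agreement error, so it renders differently from the bullet directly above it. Convert it the same way and fix the grammar while at it.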
-```
+
+```http
GET /api/ips/{ip}/alerts ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. - ## Request body+ Empty ## Response
-If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP do not exist - 404 Not Found.
+If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP do not exist - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
security Get Ip Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-statistics.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves the statistics for the given IP.
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Ip.Read.All | 'Read IP address profiles'
-Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
+Application|Ip.Read.All|'Read IP address profiles'
+Delegated (work or school account)|Ip.Read.All|'Read IP address profiles'
->[!NOTE]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
GET /api/ips/{ip}/stats
## Request headers
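Review bot: The NOTE rewrite here omits the blank ">" line between "When obtaining a token using user credentials:" and the bullet, which the same change inserts in every other file (get-file.md, get-file-statistics.md, get-investigation-collection.md); add the separator so the block renders the same way across the batch.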
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
+Authorization|String|Bearer {token}. **Required**.
## Request URI parameters
-Name | Type | Description
+Name|Type|Description
:|:|:
-lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
+lookBackHours|Int32|Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body+ Empty ## Response
-If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
+If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
## Example
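Review bot: The rewritten Response line keeps two errors, the lowercase "ip" and "IP do not exist - 404 Not Found"; make it "If successful and the IP exists - 200 OK with statistical data in the body. If the IP does not exist - 404 Not Found."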
-**Request**
+### Request example
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48 ```
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
} ``` -
-| Name | Description |
-| : | :- |
-| Organization prevalence | the distinct count of devices that opened network connection to this IP. |
-| Org first seen | the first connection for this IP in the organization. |
-| Org last seen | the last connection for this IP in the organization. |
+|Name|Description|
+|||
+|Organization prevalence|the distinct count of devices that opened network connection to this IP.|
+|Org first seen|the first connection for this IP in the organization.|
+|Org last seen|the last connection for this IP in the organization.|
> [!NOTE]
-> This statistic information is based on data from the past 30 days.
+> This statistic information is based on data from the past 30 days.
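Review bot: The NOTE says the statistics are based on data from the past 30 days, yet the example above requests ?lookBackHours=48 and the parameter table says 30 days is only the default; reword to "By default, this statistic information is based on data from the past 30 days; use lookBackHours to change the window." so the note and the parameter do not contradict each other.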
security Get Kbinfo Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-kbinfo-collection.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of KB's and KB details. ## Permissions+ User needs read permissions. ## HTTP request
-```
+
+```http
GET /testwdatppreview/kbinfo ``` ## Request headers
-Header | Value
+Header|Value
:|:
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
+Authorization|Bearer {token}. **Required**.
+Content type|application/json
## Request body+ Empty ## Response+ If successful - 200 OK. ## Example
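Review bot: This page diverges from the other API pages in the change in three ways worth fixing while it is being touched: the example request goes to https://graph.microsoft.com/testwdatppreview/KbInfo while the HTTP request block shows /testwdatppreview/kbinfo (a different host from the api.securitycenter.microsoft.com used elsewhere, and different casing); the headers table lists "Content type | application/json" for a GET whose body is documented as Empty; and "User needs read permissions" names no concrete permission where every sibling page has a permission table.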
-**Request**
+### Request example
Here is an example of the request.
GET https://graph.microsoft.com/testwdatppreview/KbInfo ```
-**Response**
+### Response example
Here is an example of the response.
"version": "10.0.10240.16549", "architecture": "Amd64" },
- …
+ ...
} ```
security Get Live Response Result https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-live-response-result.md
[!include[Prerelease information](../../includes/prerelease.md)]
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a specific live response command result by its index.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per
hour. ## Permissions
One of the following permissions is required to call this API. To learn more,
including how to choose permissions, see [Get started](apis-intro.md).
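Review bot: The limitations line is still split as "... 1500 calls per" / "hour." across two lines after the whitespace fix; join it into one line so the list item matches the other pages and does not break mid-sentence.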
-| Permission type | Permission | Permission display name |
-||-|-|
-| Application | Machine.LiveResponse | Run live response on a specific machine |
-| Delegated (work or school account) | Machine.LiveResponse | Run live response on a specific machine |
+|Permission type|Permission|Permission display name|
+||||
+|Application|Machine.LiveResponse|Run live response on a specific machine|
+|Delegated (work or school account)|Machine.LiveResponse|Run live response on a specific machine|
## HTTP request
id}/GetLiveResponseResultDownloadLink(index={command-index})
## Request headers
-| Name | Type | Description |
-||-|-|
-| Authorization | String | Bearer {token}. Required. |
+|Name|Type|Description|
+||||
+|Authorization|String|Bearer {token}. Required.|
## Request body
need to run live response again.
*Runscript transcript properties:*
-| Property | Description |
-|||
-| name | Executed script name |
-| exit_code | Executed script exit code |
-| script_output | Executed script standard output |
-| script_error | Executed script standard error output |
+|Property|Description|
+|||
+|name|Executed script name|
+|exit_code|Executed script exit code|
+|script_output|Executed script standard output|
+|script_error|Executed script standard error output|
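Review bot: the new delimiter rows `||||` (Permissions table, Request headers table) and `|||` (Runscript transcript table) contain no dashes; GitHub-flavored Markdown needs at least one `-` in every delimiter cell, so as written these three tables would render as plain text. Use `|---|---|---|` and `|---|---|` to match the three-cell and two-cell header rows, or verify that the committed file actually carries the dashes and only the rendering dropped them.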
## Example
-**Request**
+### Request example
Here is an example of the request. ```HTTP
-GET
-https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/GetLiveResponseResultDownloadLink(index=0)
+GET https://api.securitycenter.microsoft.com/api/machineactions/988cc94e-7a8f-4b28-ab65-54970c5d5018/GetLiveResponseResultDownloadLink(index=0)
```
-**Response**
+### Response example
Here is an example of the response.
Content-type: application/json
} ```
-*File content:*
+*File content:*
```JSON {
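Review bot: under `*File content:*` the fence that follows opens with an uppercase `JSON` tag and has the opening brace `{` on the fence line itself, so the brace becomes part of the info string and the block does not open correctly; move `{` to the next line and use lowercase `json` as the other fences in this batch do. Also, the Limitations section is a one-item numbered list whose sentence wraps mid-phrase ("1500 calls per" / "hour."); a plain sentence reads better than a lone `1.` item.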
security Get Machine By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-by-id.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description Retrieves specific [Machine](machine.md) by its device ID or computer name. - ## Limitations+ 1. You can get devices last seen according to your configured retention policy. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
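Review bot: the Permissions table is only half converted: the two `Application` rows are rewritten as `Application|Machine.Read.All|...` without spaces around `|`, while the two `Delegated (work or school account) | Machine.Read | ...` rows that follow keep the old spacing, and the delimiter row `:|:|:` keeps its alignment colons. Convert all four rows the same way (the Get Machineaction Object change in this batch does) or leave the table as it was; a mixed table is harder to diff later. The same applies to the Request headers table below, where only `Name|Type|Description` is changed and `Authorization | String | ...` is not.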
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request+ ```http GET /api/machines/{id} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. - ## Request body+ Empty ## Response+ If successful and device exists - 200 OK with the [machine](machine.md) entity in the body. If machine with the specified ID was not found - 404 Not Found. - ## Example
-**Request**
+### Request example
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07 ```
-**Response**
+### Response example
Here is an example of the response. - ```http HTTP/1.1 200 OK Content-type: application/json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "version": "1709",
+ "osProcessor": "x64",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "exposureLevel": "Medium",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
}- ```
security Get Machine Group Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-group-exposure-score.md
localization_priority: Normal audience: ITPro-+ MS.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of alerts related to a given domain address.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
-:|:|:
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
+Permission type|Permission|Permission display name
+||
+Application|Score.Read.All|'Read Threat and Vulnerability Management score'
+Delegated (work or school account)|Score.Read|'Read Threat and Vulnerability Management score'
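Review bot: the API description on this page still reads "Retrieves a collection of alerts related to a given domain address.", which does not describe `GET /api/exposureScore/ByMachineGroups`; the permissions (`Score.Read.All` / `Score.Read`), the `#ExposureScore` response context and the "list of exposure score per" response text all describe an exposure-score-by-device-group API, so the sentence looks copied from the domain-related-alerts page and should be replaced while this table is being edited. In the table itself, the new delimiter row `||` drops the `:` left-alignment markers of `:|:|:` and has fewer cells than the three-column header.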
## HTTP request
-```
+```http
GET /api/exposureScore/ByMachineGroups ``` ## Request headers
-| Name | Type | Description
-|:--|:-|:--|
-| Authorization | String | Bearer {token}.**Required**.
+Name|Type|Description
+||
+|Authorization|String|Bearer {token}.**Required**.
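Review bot: the Request headers table mixes pipe styles within three lines: `Name|Type|Description` and `||` have no leading pipe, `|Authorization|String|Bearer {token}.**Required**.` has one, and all three lack the trailing pipe the removed lines had; pick one style for the whole table. `Bearer {token}.**Required**.` also needs a space between the token sentence and **Required**.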
## Request body
If successful, this method returns 200 OK, with a list of exposure score per dev
## Example
-### Request
+### Example request
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups ```
-### Response
+### Example response
Here is an example of the response. ```json- { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#ExposureScore", "value": [
"score": 37.403726933165366, "rbacGroupName": "GroupTwo" }
- ...
+ ...
] } ```
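Review bot: the headings introduced here are `### Example request` / `### Example response`, whereas the Get Live Response Result change in the same batch introduces `### Request example` / `### Response example`; since these headings are being standardized across the API reference, settle on one wording before merging.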
security Get Machine Log On Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-log-on-users.md
Retrieves a collection of logged on users on a specific device.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type |Permission|Permission display name
+Permission type|Permission|Permission display name
:|:|: Application |User.Read.All |'Read user profiles' Delegated (work or school account) | User.Read.All | 'Read user profiles'
GET /api/machines/{id}/logonusers
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
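Review bot: only the header rows of the Permissions and Request headers tables are rewritten without spaces (`Permission type|Permission|Permission display name`, `Name|Type|Description`), while the data rows (`Application |User.Read.All |'Read user profiles'`, `Authorization | String | ...`) keep the old spacing; either convert the data rows too or leave the headers as they were, so each table is consistent.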
security Get Machine Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-related-alerts.md
Title: Get machine related alerts API
-description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender for Endpoint.
+description: Learn how to use the Get machine related alerts API. This API allows you to retrieve all alerts that are related to a specific device in Microsoft Defender for Endpoint.
keywords: apis, graph api, supported apis, get, devices, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10
localization_priority: Normal audience: ITPro-+ MS.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
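Review bot: the trial link is kept as a bulleted list item (`- Want to experience Microsoft Defender for Endpoint? ...`), whereas the Get Machine By Id and Get Machine Group Exposure Score changes in this batch render the same sentence as a blockquote (`> Want to experience ...`); one callout style across the API pages would avoid the two layouts.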
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description
-Retrieves all [Alerts](alerts.md) related to a specific device.
+Retrieves all [Alerts](alerts.md) related to a specific device.
## Limitations+ 1. You can query on devices last updated according to your configured retention period. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Application|Alert.Read.All|'Read all alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
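Review bot: as in Get Machine By Id, this Permissions table is half converted: the `Application|Alert.Read.All|...` rows lose their spaces while the `Delegated (work or school account) | Alert.Read | ...` rows that follow keep them; convert all rows or none.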
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data'. For more information about permissions, see [Create and manage roles](user-roles.md).
+> - The user needs to have access to the device, based on device group settings. For more information about device group settings, see [Create and manage device groups](machine-groups.md).
## HTTP request+ ```http GET /api/machines/{id}/alerts ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. - ## Request body+ Empty ## Response
-If successful and device exists - 200 OK with list of [alert](alerts.md) entities in the body. If device was not found - 404 Not Found.
+
+If successful and device exists: 200 OK with list of [alert](alerts.md) entities in the body. If device was not found: 404 Not Found.
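Review bot: the Response sentence now uses a colon (`If successful and device exists: 200 OK ...`), but the same sentence pattern elsewhere in this batch (Get Machineaction Object, Get Machines) keeps the dash form `- 404 Not Found`; apply one punctuation style. Minor: "If device was not found" reads better as "If the device was not found".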
security Get Machineaction Object https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machineaction-object.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Retrieves specific [Machine Action](machineaction.md) by its ID.
+Retrieves specific [Machine Action](machineaction.md) by its ID.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
-```
+
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions/{id} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response+ If successful, this method returns 200, Ok response code with a [Machine Action](machineaction.md) entity. If machine action entity with the specified id was not found - 404 Not Found. ## Example
-**Request**
+### Example request
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ```
-**Response**
+### Response example
Here is an example of the response. -
-```
+```json
HTTP/1.1 200 Ok Content-type: application/json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity", "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", "type": "Isolate",
- "scope": "Selective",
+ "scope": "Selective",
"requestor": "Analyst@TestPrd.onmicrosoft.com", "requestorComment": "test for docs", "status": "Succeeded",
"lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z", "relatedFileInfo": null }-- ```
security Get Machineactions Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machineactions-collection.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description+ Retrieves a collection of [Machine Actions](machineaction.md).
-<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties.
-<br>See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
+Supports [OData V4 queries](https://www.odata.org/documentation/).
+
+The OData's `$filter` query is supported on: `status`, `machineId`, `type`, `requestor` and `creationDateTimeUtc` properties.
+
+See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
## Limitations+ 1. Maximum page size is 10,000. 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
-```
+
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction.md) entities.
+If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction.md) entities.
## Example 1
-**Request**
+### Example 1 request
Here is an example of the request on an organization that has three MachineActions.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions ```
-**Response**
+### Example 1 response
Here is an example of the response. -
-```
+```json
HTTP/1.1 200 Ok Content-type: application/json {
{ "id": "69dc3630-1ccc-4342-acf3-35286eec741d", "type": "CollectInvestigationPackage",
- "scope": null,
+ "scope": null,
"requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded",
"computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
- "relatedFileInfo": null
+ "relatedFileInfo": null
}, { "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan",
- "scope": "Full",
+ "scope": "Full",
"requestor": "Analyst@contoso.com", "requestorComment": "Check machine for viruses due to alert 3212", "status": "Succeeded",
"computerDnsName": "desktop-39g9tgl", "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
- "relatedFileInfo": null
+ "relatedFileInfo": null
}, { "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", "type": "StopAndQuarantineFile",
- "scope": null,
+ "scope": null,
"requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
+ "computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
- "relatedFileInfo": {
+ "relatedFileInfo": {
"fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508", "fileIdentifierType": "Sha1"
- }
+ }
} ] }
## Example 2
-**Request**
+### Example 2 request
Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 ```
-**Response**
+### Example 2 response
Here is an example of the response.
-```
+```json
HTTP/1.1 200 Ok Content-type: application/json {
{ "id": "69dc3630-1ccc-4342-acf3-35286eec741d", "type": "CollectInvestigationPackage",
- "scope": null,
+ "scope": null,
"requestor": "Analyst@contoso.com", "requestorComment": "test", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
+ "computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
- "relatedFileInfo": null
+ "relatedFileInfo": null
}, { "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", "type": "RunAntiVirusScan",
- "scope": "Full",
+ "scope": "Full",
"requestor": "Analyst@contoso.com", "requestorComment": "Check machine for viruses due to alert 3212", "status": "Succeeded", "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
+ "computerDnsName": "desktop-39g9tgl",
"creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
- "relatedFileInfo": null
+ "relatedFileInfo": null
} ] } ``` ## Related topics+ - [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
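Review bot: both response fences (Example 1 and Example 2) are tagged `json` but start with `HTTP/1.1 200 Ok` and `Content-type: application/json`, which a JSON highlighter will not parse; either tag them `http` as the Get Machine By Id response is, or move the status and header lines out of the block. The `<br>`-to-paragraph conversion of the OData description is good; the last of those lines, `See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)`, still has no terminal period.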
security Get Machinegroups Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machinegroups-collection.md
Last updated 10/07/2018
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of RBAC device groups.
User needs read permissions. ## HTTP request
-```
+
+```http
GET /testwdatppreview/machinegroups ```
Authorization | Bearer {token}. **Required**.
Content type | application/json ## Request body+ Empty ## Response+ If successful - 200 OK. ## Example
-**Request**
+### Request
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/machinegroups Content-type: application/json ```
-**Response**
+### Response example
Here is an example of the response. Field id contains device group **id** and equal to field **rbacGroupId** in devices info.
Content-type: application/json
"name":"UnassignedGroup", "description":"", "ungrouped":true},
- …
+ ...
} ```
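Review bot: the request heading becomes `### Request` while the response heading becomes `### Response example`; use the same pattern for both (the rest of this batch uses `### Request example` / `### Response example`). Also, the request example sends `Content-type: application/json` on a GET whose Request body is documented as Empty, so that header line in the example (and the `Content type` row of the headers table) is unnecessary.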
security Get Machines By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-software.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieve a list of device references that has this software installed. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+Application|Software.Read.All|'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management Software information'
## HTTP request
-```
+
+```http
GET /api/Software/{Id}/machineReferences ``` ## Request headers
-| Name | Type | Description
-|:--|:-|:--|
-| Authorization | String | Bearer {token}.**Required**.
+|Name|Type|Description
+||||
+|Authorization|String|Bearer {token}.**Required**.
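Review bot: in the Request headers table the new header row `|Name|Type|Description` has a leading pipe but no trailing one, the delimiter row `||||` has no dashes (GFM needs at least one `-` per cell), and `Bearer {token}.**Required**.` lacks a space before **Required**; suggest `| Name | Type | Description |`, `|---|---|---|` and `| Authorization | String | Bearer {token}. **Required**. |`. While this page is being edited, the description "Retrieve a list of device references that has this software installed" should read "that have this software installed".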
## Request body+ Empty ## Response
-If successful, this method returns 200 OK and a list of devices with the software installed in the body.
+If successful, this method returns 200 OK and a list of devices with the software installed in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences ```
-**Response**
+### Response example
Here is an example of the response.
"osPlatform": "Windows10", "rbacGroupName": "GroupTwo" }
- ...
- ]
+ ...
+ ]
} ``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Machines By Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-vulnerability.md
Retrieves a list of devices affected by a vulnerability. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
-```
+
+```http
GET /api/vulnerabilities/{cveId}/machineReferences ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
+If successful, this method returns 200 OK with the vulnerability information in the body.
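Review bot: this is a whitespace-only change to a Response sentence that is wrong: `GET /api/vulnerabilities/{cveId}/machineReferences` returns machine references (the response example's `@odata.context` ends in `#MachineReferences`, and the page's own description says "a list of devices affected by a vulnerability"), not "the vulnerability information". Suggest "If successful, this method returns 200 OK with a list of devices affected by the vulnerability in the body."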
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences ```
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
"osPlatform": "Windows10", "rbacGroupName": "GroupTwo" }
- ...
+ ...
] } ``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Get Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description+ Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
-<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
-<br>See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
+Supports [OData V4 queries](https://www.odata.org/documentation/).
+
+The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
+
+See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md)
## Limitations+ 1. You can get devices last seen according to your configured retention period. 2. Maximum page size is 10,000. 3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. - ## Permissions
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
+Application|Machine.Read.All|'Read all machine profiles'
+Application|Machine.ReadWrite.All|'Read and write all machine information'
+Delegated (work or school account)|Machine.Read|'Read machine information'
+Delegated (work or school account)|Machine.ReadWrite|'Read and write machine information'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
GET https://api.securitycenter.microsoft.com/api/machines
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful and machines exists - 200 OK with list of [machine](machine.md) entities in the body. If no recent machines - 404 Not Found.
+If successful and machines exists - 200 OK with list of [machine](machine.md) entities in the body. If no recent machines - 404 Not Found.
## Example
-**Request**
+### Request example
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/machines ```
-**Response**
+### Response example
Here is an example of the response.
Content-type: application/json
"value": [ { "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
+ "computerDnsName": "mymachine1.contoso.com",
+ "firstSeen": "2018-08-02T14:55:03.7791856Z",
+ "lastSeen": "2018-08-02T14:55:03.7791856Z",
+ "osPlatform": "Windows10",
+ "version": "1709",
+ "osProcessor": "x64",
+ "lastIpAddress": "172.17.230.209",
+ "lastExternalIpAddress": "167.220.196.71",
+ "osBuild": 18209,
+ "healthStatus": "Active",
+ "rbacGroupId": 140,
+ "rbacGroupName": "The-A-Team",
+ "riskScore": "Low",
+ "exposureLevel": "Medium",
+ "isAadJoined": true,
+ "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
+ "machineTags": [ "test tag 1", "test tag 2" ]
}
- ...
+ ...
] } ``` ## Related topics+ - [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
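Review bot: the re-indented response example still carries a routable public address in `lastExternalIpAddress` ("167.220.196.71"); since these lines are being rewritten anyway, switch it to an RFC 5737 documentation address (for example one from 203.0.113.0/24) so readers who copy the sample never point at a real host. Two grammar fixes are also worth folding into the touched lines: "If successful and machines exists" should read "machines exist", and the note's second bullet should read "Response will include only devices that the user has access to".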
security Get Machinesecuritystates Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machinesecuritystates-collection.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of devices security states. ## Permissions+ User needs read permissions. ## HTTP request
-```
+
+```http
GET /testwdatppreview/machinesecuritystates ``` ## Request headers
-Header | Value
+Header|Value
:|:
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
+Authorization|Bearer {token}. **Required**.
+Content type|application/json
## Request body+ Empty ## Response+ If successful - 200 OK. ## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates Content-type: application/json ```
-**Response**
+### Response example
Here is an example of the response.
-Field *id* contains device id and equal to the field *id** in devices info.
-```
+Field *id* contains device id and equal to the field *id** in devices info.
+
+```json
HTTP/1.1 200 OK Content-type: application/json {
"EdrImpairedCommunications" ] },
- …
+ ...
] } ```
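Review bot: the response block is now fenced as `json`, but its first lines are an HTTP status line and a `Content-type` header, which are not JSON; either keep the `http` fence or drop those two header lines and fence only the body. The reworked sentence "Field *id* contains device id and equal to the field *id** in devices info" also keeps the unbalanced `*id**` emphasis and is missing its verb; suggest "The *id* field contains the device ID and is equal to the *id* field in the device info."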
security Get Missing Kbs Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-machine.md
Retrieves missing KBs (security updates) by device ID
## HTTP request
-```
+```http
GET /api/machines/{machineId}/getmissingkbs ``` ## Request header
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
If successful, this method returns 200 OK, with the specified device missing kb
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs ```
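Review bot: the request-header table is only half converted: the header row becomes `Name|Type|Description` while the `Authorization | String | Bearer {token}. **Required**.` row keeps the spaced pipes, so the table now mixes both styles; convert the body row in the same change.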
security Get Missing Kbs Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-software.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerab
## HTTP request
-```
+```http
GET /api/Software/{Id}/getmissingkbs ``` ## Request header
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
If successful, this method returns 200 OK, with the specified software missing k
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs ```
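Review bot: same partial table conversion as in get-missing-kbs-machine.md: the header row is `Name|Type|Description` but the `Authorization | String | ...` row beneath it is untouched; update that row as well so the table is consistent.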
security Get Package Sas Uri https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-package-sas-uri.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Get a URI that allows downloading of an [Investigation package](collect-investig
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Access the Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.CollectForensics | 'Collect forensics'
-Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
+Application|Machine.CollectForensics|'Collect forensics'
+Delegated (work or school account)|Machine.CollectForensics|'Collect forensics'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
GET https://api.securitycenter.microsoft.com/api/machineactions/{machine action
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body
Empty
## Response
-If successful, this method returns 200, Ok response code with object that holds the link to the package in the ΓÇ£valueΓÇ¥ parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
-
+If successful, this method returns 200, Ok response code with object that holds the link to the package in the "value" parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
## Example
-**Request**
+### Request example
Here is an example of the request. ```http GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri- ```
-**Response**
+### Response example
Here is an example of the response.
-```http
+```json
HTTP/1.1 200 Ok Content-type: application/json
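Review bot: the response fence changes from `http` to `json`, but the block still opens with `HTTP/1.1 200 Ok` and a `Content-type` header, which will not lint or highlight as JSON; keep `http` or fence only the body object. In the rewritten response sentence, "200, Ok response code" should be "200 OK", and "to a local storage" should be "to local storage". The request example also has a stray hyphen after `GetPackageUri` that belongs outside the fence. Because the returned link lets whoever holds it download the investigation package until it expires, consider stating that it should be treated as a secret and not logged or shared, alongside the existing advice to use it immediately.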
security Get Recommendation By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-by-id.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a security recommendation by its ID. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
-```
+
+```http
GET /api/recommendations/{id} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
+If successful, this method returns 200 OK with the security recommendations in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome ```
-**Response**
+### Response example
Here is an example of the response.
``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
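Review bot: the rewritten response sentence says "with the security recommendations in the body", but this endpoint retrieves a single recommendation by its `{id}`, so "the security recommendation" (singular) matches the description and the request path.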
security Get Recommendation Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-machines.md
Retrieves a list of devices associated with the security recommendation. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
-```
+
+```http
GET /api/recommendations/{id}/machineReferences ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
+If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences ```
-**Response**
+### Response example
Here is an example of the response.
"osPlatform": "Windows10", "rbacGroupName": "GroupTwo" }
- ...
+ ...
] } ``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get Recommendation Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-software.md
Retrieves a security recommendation related to a specific software. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
-```
+
+```http
GET /api/recommendations/{id}/software ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
+If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software ```
-**Response**
+### Response example
Here is an example of the response.
``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get Recommendation Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-vulnerabilities.md
Retrieves a list of vulnerabilities associated with the security recommendation. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
-```
+
+```http
GET /api/recommendations/{id}/vulnerabilities ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
+If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities ```
-**Response**
+### Response example
Here is an example of the response.
"exploitTypes": [], "exploitUris": [] }
- ...
+ ...
] } ``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
security Get Remediation All Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-all-activities.md
Returns information about all remediation activities.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | RemediationTask.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | RemediationTask.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|RemediationTask.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|RemediationTask.Read|\'Read Threat and Vulnerability Management vulnerability information\'
## Properties
-Property (id) | Data type | Description | Example of a returned value
+Property (id)|Data type|Description|Example of a returned value
:|:|:|:
-category | String | Category of the remediation activity (Software/Security configuration) | Software
-completerEmail | String | If the remediation activity was manually completed by someone, this column contains their email | null
-completerId | String | If the remediation activity was manually completed by someone, this column contains their object id | null
-completionMethod | String | A remediation activity can be completed ΓÇ£automaticallyΓÇ¥ (if all the devices are patched) or ΓÇ£manuallyΓÇ¥ by a person who selects ΓÇ£mark as completedΓÇ¥ | Automatic
-createdOn | DateTime | Time this remediation activity was created | 2021-01-12T18:54:11.5499478Z
-description | String | Description of this remediation activity | Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
-dueOn | DateTime | Due date the creator set for this remediation activity | 2021-01-13T00:00:00Z
-fixedDevices | . | The number of devices that have been fixed | 2
-id | String | ID of this remediation activity | 097d9735-5479-4899-b1b7-77398899df92
-nameId | String | Related product name | Microsoft Silverlight
-priority | String | Priority the creator set for this remediation activity (High\Medium\Low) | High
-productId | String | Related product ID | microsoft-_-silverlight
-productivityImpactRemediationType | String | A few configuration changes could be requested only for devices with no user impact. This value indicates the selection between ΓÇ£all exposed devicesΓÇ¥ or ΓÇ£only devices with no user impact.ΓÇ¥ | AllExposedAssets
-rbacGroupNames | String | Related device group names | [ "Windows Servers", "Windows 10" ]
-recommendedProgram | String | Recommended program to upgrade to | null
-recommendedVendor | String | Recommended vendor to upgrade to | null
-recommendedVersion | String | Recommended version to update/upgrade to | null
-relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Microsoft Silverlight
-requesterEmail | String | Creator email address | globaladmin@UserName.contoso.com
-requesterId | String | Creator object id | r647211f-2e16-43f2-a480-16ar3a2a796r
-requesterNotes | String | The notes (free text) the creator added for this remediation activity | null
-scid | String | SCID of the related security recommendation | null
-status | String | Remediation activity status (Active/Completed) | Active
-statusLastModifiedOn | DateTime | Date when the status field was updated | 2021-01-12T18:54:11.5499487Z
-targetDevices | Long | Number of exposed devices that this remediation is applicable to | 43
-title | String | Title of this remediation activity | Update Microsoft Silverlight
-type | String | Remediation type | Update
-vendorId | String | Related vendor name | Microsoft
+category|String|Category of the remediation activity (Software/Security configuration)|Software
+completerEmail|String|If the remediation activity was manually completed by someone, this column contains their email|null
+completerId|String|If the remediation activity was manually completed by someone, this column contains their object id|null
+completionMethod|String|A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed"|Automatic
+createdOn|DateTime|Time this remediation activity was created|2021-01-12T18:54:11.5499478Z
+description|String|Description of this remediation activity|Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
+dueOn|DateTime|Due date the creator set for this remediation activity|2021-01-13T00:00:00Z
+fixedDevices|.|The number of devices that have been fixed|2
+id|String|ID of this remediation activity|097d9735-5479-4899-b1b7-77398899df92
+nameId|String|Related product name|Microsoft Silverlight
+priority|String|Priority the creator set for this remediation activity (High\Medium\Low)|High
+productId|String|Related product ID|microsoft-_-silverlight
+productivityImpactRemediationType|String|A few configuration changes could be requested only for devices with no user impact. This value indicates the selection between "all exposed devices" or "only devices with no user impact."|AllExposedAssets
+rbacGroupNames|String|Related device group names|[ "Windows Servers", "Windows 10" ]
+recommendedProgram|String|Recommended program to upgrade to|null
+recommendedVendor|String|Recommended vendor to upgrade to|null
+recommendedVersion|String|Recommended version to update/upgrade to|null
+relatedComponent|String|Related component of this remediation activity (similar to the related component for a security recommendation)|Microsoft Silverlight
+requesterEmail|String|Creator email address|globaladmin@UserName.contoso.com
+requesterId|String|Creator object id|r647211f-2e16-43f2-a480-16ar3a2a796r
+requesterNotes|String|The notes (free text) the creator added for this remediation activity|null
+scid|String|SCID of the related security recommendation|null
+status|String|Remediation activity status (Active/Completed)|Active
+statusLastModifiedOn|DateTime|Date when the status field was updated|2021-01-12T18:54:11.5499487Z
+targetDevices|Long|Number of exposed devices that this remediation is applicable to|43
+title|String|Title of this remediation activity|Update Microsoft Silverlight
+type|String|Remediation type|Update
+vendorId|String|Related vendor name|Microsoft
## Example
GET https://api-luna.securitycenter.windows.com/api/remediationtasks/
## See also - [Remediation methods and properties](get-remediation-methods-properties.md)- - [Get one remediation activity by Id](get-remediation-one-activity.md)- - [List exposed devices of one remediation activity](get-remediation-exposed-devices-activities.md)- - [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)- - [Vulnerabilities in your organization](tvm-weaknesses.md)
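Review bot: the `fixedDevices` row still has `.` as its data type after the table is reformatted; fill in the actual type (the neighbouring `targetDevices` count is typed `Long`) rather than carrying the placeholder over. Also in the touched rows: the `description` example has a double space in "Silverlight  to", and the permission display names keep backslash-escaped quotes (`\'...\'`) while every other permission table in this changeset uses plain `'...'`.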
security Get Remediation Exposed Devices Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-exposed-devices-activities.md
Returns information about exposed devices for the specified remediation task.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | RemediationTask.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | RemediationTask.Read.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|RemediationTask.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|RemediationTask.Read.Read|\'Read Threat and Vulnerability Management vulnerability information\'
## Properties details
-Property (id) | Data type | Description | Example
+Property (id)|Data type|Description|Example
:|:|:|:
-id | String | Device ID | w2957837fwda8w9ae7f023dba081059dw8d94503
-computerDnsName | String | Device name | PC-SRV2012R2Foo.UserNameVldNet.local
-osPlatform | String | Device operating system | WindowsServer2012R2
-rbacGroupName | String | Name of the device group this device is associated with | Servers
+id|String|Device ID|w2957837fwda8w9ae7f023dba081059dw8d94503
+computerDnsName|String|Device name|PC-SRV2012R2Foo.UserNameVldNet.local
+osPlatform|String|Device operating system|WindowsServer2012R2
+rbacGroupName|String|Name of the device group this device is associated with|Servers
## Example
GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-ae
## See also - [Remediation methods and properties](get-remediation-methods-properties.md)- - [Get one remediation activity by Id](get-remediation-one-activity.md)- - [List all remediation activities](get-remediation-all-activities.md)- - [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)- - [Vulnerabilities in your organization](tvm-weaknesses.md)
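Review bot: the delegated permission row now reads `RemediationTask.Read.Read`, which looks like a typo carried over from the removed line; the same permission is listed as `RemediationTask.Read` in get-remediation-all-activities.md, so correct it here while the row is being reformatted.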
security Get Remediation Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-methods-properties.md
The API response contains [Threat & vulnerability management](next-gen-threa
## Methods
-Method | Data type | Description
+Method|Data type|Description
:|:|:
-[List all remediation activities](get-remediation-all-activities.md) | Investigation collection | Returns information about all remediation activities.
-[List exposed devices of one remediation activity](get-remediation-exposed-devices-activities.md) | Investigation entity | Returns information about exposed devices for the specified remediation activity.
-[Get one remediation activity by Id](get-remediation-one-activity.md) | Investigation entity | Returns information for the specified remediation activity.
+[List all remediation activities](get-remediation-all-activities.md)|Investigation collection|Returns information about all remediation activities.
+[List exposed devices of one remediation activity](get-remediation-exposed-devices-activities.md)|Investigation entity|Returns information about exposed devices for the specified remediation activity.
+[Get one remediation activity by Id](get-remediation-one-activity.md)|Investigation entity|Returns information for the specified remediation activity.
Learn more about [remediation activities](tvm-remediation.md). ## Properties
-Property id | Data type | Description
+Property id|Data type|Description
:|:|:
-category | String | Category of the remediation activity (Software/Security configuration)
-completerEmail | String | If the remediation activity was manually completed by someone, this column contains their email
-completerId | String | If the remediation activity was manually completed by someone, this column contains their object id
-completionMethod | String | A remediation activity can be completed ΓÇ£automaticallyΓÇ¥ (if all the devices are patched) or ΓÇ£manuallyΓÇ¥ by a person who selects ΓÇ£mark as completed.ΓÇ¥
-createdOn | DateTime | Time this remediation activity was created
-description | String | Description of this remediation activity
-dueOn | DateTime | Due date the creator set for this remediation activity
-fixedDevices | | The number of devices that have been fixed
-id | String | ID of this remediation activity
-nameId | String | Related product name
-priority | String | Priority the creator set for this remediation activity (High\Medium\Low)
-productId | String | Related product ID
-productivityImpactRemediationType | String | A few configuration changes could be requested only for devices with no user impact. This value indicate the selection between ΓÇ£all exposed devicesΓÇ¥ or ΓÇ£only devices with no user impact.ΓÇ¥
-rbacGroupNames | String | Related device group names
-recommendedProgram | String | Recommended program to upgrade to
-recommendedVendor | String | Recommended vendor to upgrade to
-recommendedVersion | String | Recommended version to update/upgrade to
-relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation)
-requesterEmail | String | Creator email address
-requesterId | String | Creator object id
-requesterNotes | String | The notes (free text) the creator added for this remediation activity
-scid | String | SCID of the related security recommendation
-status | String | Remediation activity status (Active/Completed)
-statusLastModifiedOn | DateTime | Date when the status field was updated
-targetDevices | Long | Number of exposed devices that this remediation is applicable to
-title | String | Title of this remediation activity
-type | String | Remediation type
-vendorId | String | Related vendor name
+category|String|Category of the remediation activity (Software/Security configuration)
+completerEmail|String|If the remediation activity was manually completed by someone, this column contains their email
+completerId|String|If the remediation activity was manually completed by someone, this column contains their object id
+completionMethod|String|A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed."
+createdOn|DateTime|Time this remediation activity was created
+description|String|Description of this remediation activity
+dueOn|DateTime|Due date the creator set for this remediation activity
+fixedDevices||The number of devices that have been fixed
+id|String|ID of this remediation activity
+nameId|String|Related product name
+priority|String|Priority the creator set for this remediation activity (High\Medium\Low)
+productId|String|Related product ID
+productivityImpactRemediationType|String|A few configuration changes could be requested only for devices with no user impact. This value indicate the selection between "all exposed devices" or "only devices with no user impact."
+rbacGroupNames|String|Related device group names
+recommendedProgram|String|Recommended program to upgrade to
+recommendedVendor|String|Recommended vendor to upgrade to
+recommendedVersion|String|Recommended version to update/upgrade to
+relatedComponent|String|Related component of this remediation activity (similar to the related component for a security recommendation)
+requesterEmail|String|Creator email address
+requesterId|String|Creator object id
+requesterNotes|String|The notes (free text) the creator added for this remediation activity
+scid|String|SCID of the related security recommendation
+status|String|Remediation activity status (Active/Completed)
+statusLastModifiedOn|DateTime|Date when the status field was updated
+targetDevices|Long|Number of exposed devices that this remediation is applicable to
+title|String|Title of this remediation activity
+type|String|Remediation type
+vendorId|String|Related vendor name
## See also
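Review bot: the `+fixedDevices||The number of devices that have been fixed` row still leaves the Data type cell empty, so the reformatted table ships with the same gap the old one had; every other row names a type and the sibling count `targetDevices` is listed as Long, so fill it in while the row is being touched. Two smaller points in the same hunk: `+productivityImpactRemediationType` keeps the grammar slip "This value indicate" (should be "indicates"), and `+vendorId` is described as "Related vendor name" while `+productId` is "Related product ID"; if the field really carries a name rather than an identifier, say so explicitly, otherwise align the wording with `productId`. Replacing the mojibake `ΓÇ£`/`ΓÇ¥` with plain `"` is the right fix.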
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
Returns information for the specified remediation activity. Presents the same co
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs for details.](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | RemediationTask.Read.All | \'Read Threat and Vulnerability Management vulnerability information\'
-Delegated (work or school account) | RemediationTask.Read.Read | \'Read Threat and Vulnerability Management vulnerability information\'
+Application|RemediationTask.Read.All|\'Read Threat and Vulnerability Management vulnerability information\'
+Delegated (work or school account)|RemediationTask.Read.Read|\'Read Threat and Vulnerability Management vulnerability information\'
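Review bot: the Delegated row on the `+Delegated (work or school account)|RemediationTask.Read.Read|...` line carries a doubled suffix, `RemediationTask.Read.Read`; every other delegated permission in this patch is the bare `.Read` scope beside an application `.Read.All` (`SecurityRecommendation.Read`, `Software.Read`), so this reads as a typo that the whitespace pass carried over, and anyone copying it into a permission grant will request a scope spelled differently from the application one. The display name is also wrapped in `\'...\'` here but in bare `'...'` in the other permission tables; pick one form.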
## Properties
-Property (id) | Data type | Description | Example of a returned value
+Property (id)|Data type|Description|Example of a returned value
:|:|:|:
-category | String | Category of the remediation activity (Software/Security configuration) | Software
-completerEmail | String | If the remediation activity was manually completed by someone, this column contains their email | null
-completerId | String | If the remediation activity was manually completed by someone, this column contains their object id | null
-completionMethod | String | A remediation activity can be completed ΓÇ£automaticallyΓÇ¥ (if all the devices are patched) or ΓÇ£manuallyΓÇ¥ by a person who selects ΓÇ£mark as completedΓÇ¥ | Automatic
-createdOn | DateTime | Time this remediation activity was created | 2021-01-12T18:54:11.5499478Z
-description | String | Description of this remediation activity | Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
-dueOn | DateTime | Due date the creator set for this remediation activity | 2021-01-13T00:00:00Z
-fixedDevices | | The number of devices that have been fixed | 2
-id | String | ID of this remediation activity | 097d9735-5479-4899-b1b7-77398899df92
-nameId | String | Related product name | Microsoft Silverlight
-priority | String | Priority the creator set for this remediation activity (High\Medium\Low) | High
-productId | String | Related product ID | microsoft-_-silverlight
-productivityImpactRemediationType | String | A few configuration changes could be requested only for devices with no user impact. This value indicate the selection between ΓÇ£all exposed devicesΓÇ¥ or ΓÇ£only devices with no user impact.ΓÇ¥ | AllExposedAssets
-rbacGroupNames | String | Related device group names | [ "Windows Servers", "Windows 10" ]
-recommendedProgram | String | Recommended program to upgrade to | null
-recommendedVendor | String | Recommended vendor to upgrade to | null
-recommendedVersion | String | Recommended version to update/upgrade to | null
-relatedComponent | String | Related component of this remediation activity (similar to the related component for a security recommendation) | Microsoft Microsoft Silverlight
-requesterEmail | String | Creator email address | globaladmin@UserName.contoso.com
-requesterId | String | Creator object id | r647211f-2e16-43f2-a480-16ar3a2a796r
-requesterNotes | String | The notes (free text) the creator added for this remediation activity | null
-scid | String | SCID of the related security recommendation | null
-status | String | Remediation activity status (Active/Completed) | Active
-statusLastModifiedOn | DateTime | Date when the status field was updated | 2021-01-12T18:54:11.5499487Z
-targetDevices | Long | Number of exposed devices that this remediation is applicable to | 43
-title | String | Title of this remediation activity | Microsoft Silverlight
-type | String | Remediation type | Update
-vendorId | String | Related vendor name | Microsoft
+category|String|Category of the remediation activity (Software/Security configuration)|Software
+completerEmail|String|If the remediation activity was manually completed by someone, this column contains their email|null
+completerId|String|If the remediation activity was manually completed by someone, this column contains their object id|null
+completionMethod|String|A remediation activity can be completed "automatically" (if all the devices are patched) or "manually" by a person who selects "mark as completed"|Automatic
+createdOn|DateTime|Time this remediation activity was created|2021-01-12T18:54:11.5499478Z
+description|String|Description of this remediation activity|Update Microsoft Silverlight  to a later version to mitigate known vulnerabilities affecting your devices.
+dueOn|DateTime|Due date the creator set for this remediation activity|2021-01-13T00:00:00Z
+fixedDevices||The number of devices that have been fixed|2
+id|String|ID of this remediation activity|097d9735-5479-4899-b1b7-77398899df92
+nameId|String|Related product name|Microsoft Silverlight
+priority|String|Priority the creator set for this remediation activity (High\Medium\Low)|High
+productId|String|Related product ID|microsoft-_-silverlight
+productivityImpactRemediationType|String|A few configuration changes could be requested only for devices with no user impact. This value indicate the selection between "all exposed devices" or "only devices with no user impact."|AllExposedAssets
+rbacGroupNames|String|Related device group names|[ "Windows Servers", "Windows 10" ]
+recommendedProgram|String|Recommended program to upgrade to|null
+recommendedVendor|String|Recommended vendor to upgrade to|null
+recommendedVersion|String|Recommended version to update/upgrade to|null
+relatedComponent|String|Related component of this remediation activity (similar to the related component for a security recommendation)|Microsoft Microsoft Silverlight
+requesterEmail|String|Creator email address|globaladmin@UserName.contoso.com
+requesterId|String|Creator object id|r647211f-2e16-43f2-a480-16ar3a2a796r
+requesterNotes|String|The notes (free text) the creator added for this remediation activity|null
+scid|String|SCID of the related security recommendation|null
+status|String|Remediation activity status (Active/Completed)|Active
+statusLastModifiedOn|DateTime|Date when the status field was updated|2021-01-12T18:54:11.5499487Z
+targetDevices|Long|Number of exposed devices that this remediation is applicable to|43
+title|String|Title of this remediation activity|Microsoft Silverlight
+type|String|Remediation type|Update
+vendorId|String|Related vendor name|Microsoft
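Review bot: `+fixedDevices||The number of devices that have been fixed|2` still has an empty Data type cell even though the example column shows a number and the same table lists `targetDevices` as Long; fill it in. Three sample values in this hunk also deserve a check before republishing: `+relatedComponent|...|Microsoft Microsoft Silverlight` repeats the vendor name, `+requesterId|...|r647211f-2e16-43f2-a480-16ar3a2a796r` is not a well-formed GUID (it contains `r` characters), which is fine for a deliberately scrubbed sample but is inconsistent with the realistic-looking `id` example in the same table, and `+description|...|Update Microsoft Silverlight  to a later version` has a double space. "This value indicate" in `+productivityImpactRemediationType` should read "indicates".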
## Example
GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-ae
## See also - [Remediation methods and properties](get-remediation-methods-properties.md)- - [List all remediation activities](get-remediation-all-activities.md)- - [List exposed devices of one remediation activity](get-remediation-exposed-devices-activities.md)- - [Risk-based threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)- - [Vulnerabilities in your organization](tvm-weaknesses.md)
security Get Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-recommendations.md
Retrieves a collection of security recommendations related to a given device ID. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
+Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
-```
+
+```http
GET /api/machines/{machineId}/recommendations ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
+If successful, this method returns 200 OK with the security recommendations in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations ```
-**Response**
+### Response example
Here is an example of the response. -
-```
+```json
{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [
"nonProductivityImpactedAssets": 0, "relatedComponent": "Git" },
-…
+...
} ``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability security recommendation](/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
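Review bot: tagging the response fence as json (the `+` fence line) while the body still ends in the `+...` placeholder means the sample is not parseable JSON, and swapping `…` for `...` only exchanges one non-JSON token for another; either show a complete but shortened `value` array, or leave the fence untagged and say in the lead-in that the output is truncated. The same applies to the other response samples this patch tags `json` while keeping a `...` line.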
security Get Software By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-by-id.md
Title: Get software by Id
-description: Retrieves a list of exposure scores by device group.
+description: Retrieves a list of software details by ID.
keywords: apis, graph api, supported apis, get, software, Microsoft Defender for Endpoint tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10
localization_priority: Normal audience: ITPro-+ MS.technology: mde
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves software details by ID. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
-:|:|:
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+Permission type|Permission|Permission display name
+||
+Application|Software.Read.All|'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management Software information'
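Review bot: the delimiter row on the `+||` line is not a valid Markdown table delimiter; GFM needs at least `---` per column, and as written the permission rows below it will render as plain text instead of a table. The removed line used the `:|:|:` form that the other permission tables in this patch keep, so restore that (or `:---|:---|:---`) here. The same `+||` row appears in the Request headers table of this page.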
## HTTP request
-```
+
+```http
GET /api/Software/{Id} ``` ## Request headers
-| Name | Type | Description
-|:--|:-|:--|
-| Authorization | String | Bearer {token}.**Required**.
+Name|Type|Description
+||
+Authorization|String|Bearer {token}.**Required**.
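Review bot: `+Authorization|String|Bearer {token}.**Required**.` keeps the missing space between `{token}.` and `**Required**` from the old line; the other pages in this patch write `Bearer {token}. **Required**.`, so fix it while the row is being rewritten. The `+||` delimiter row above it has the same problem as the permissions table: no `---` cells, so the table will not render.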
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the specified software data in the body.
+If successful, this method returns 200 OK with the specified software data in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge ```
-**Response**
+### Response example
Here is an example of the response. ```json- { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity", "id": "microsoft-_-edge",
``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Software Ver Distribution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-ver-distribution.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a list of your organization's software version distribution. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+Application|Software.Read.All|'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management Software information'
## HTTP request
-```
+
+```http
GET /api/Software/{Id}/distributions ``` ## Request headers
-| Name | Type | Description
-|:--|:-|:--|
-| Authorization | String | Bearer {token}.**Required**.
+|Name|Type|Description
+||||
+|Authorization|String|Bearer {token}.**Required**.
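Review bot: the `+||||` delimiter row has five cells against the three header cells on `+|Name|Type|Description` and carries no `---` marks; GFM requires the delimiter row to match the header cell count and to contain dashes, so this table will not be recognized. Use the same shape as the get-software page in this patch (`Name|Type|Description` over a `:|:|:`-style delimiter row) or write `|---|---|---|`. The `Bearer {token}.**Required**.` cell also lacks the space before `**Required**` that the other pages have.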
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with a list of software distributions data in the body.
+If successful, this method returns 200 OK with a list of software distributions data in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions ```
-**Response**
+### Response example
Here is an example of the response.
"installations": 750, "vulnerabilities": 0 }
- ...
+ ...
] } ``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves the organization software inventory. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+Application|Software.Read.All|'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management Software information'
## HTTP request
-```
+
+```http
GET /api/Software ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the software inventory in the body.
+If successful, this method returns 200 OK with the software inventory in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software ```
-**Response**
+### Response example
Here is an example of the response. - ```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software", "value": [
- {
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
- }
- ...
+ {
+ "id": "microsoft-_-edge",
+ "name": "edge",
+ "vendor": "microsoft",
+ "weaknesses": 467,
+ "publicExploit": true,
+ "activeAlert": false,
+ "exposedMachines": 172,
+ "impactScore": 2.39947438
+ }
+ ...
] } ``` ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability software inventory](/microsoft-365/security/defender-endpoint/tvm-software-inventory)
security Get Ti Indicators Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ti-indicators-collection.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description+ Retrieves a collection of all active [Indicators](ti-indicator.md).
-<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
-<br>The OData's ```$filter``` query is supported on: ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```action``` and ```severity``` properties.
-<br>See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
+Supports [OData V4 queries](https://www.odata.org/documentation/).
+
+The OData's `$filter` query is supported on: `indicatorValue`, `indicatorType`, `creationTimeDateTimeUtc`, `createdBy`, `action` and `severity` properties.
+
+See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
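Review bot: replacing the `<br>` line breaks with paragraph breaks and the triple-backtick inline spans with single backticks is the right cleanup, but the `+The OData's `$filter` query is supported on:` line keeps the awkward possessive ("The OData `$filter` query is supported on the ... properties" reads better), and the `+See examples at [OData queries ...]` sentence still has no terminating period.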
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
+Application|Ti.ReadWrite|'Read and write Indicators'
+Application|Ti.ReadWrite.All|'Read and write All Indicators'
+Delegated (work or school account)|Ti.ReadWrite|'Read and write Indicators'
## HTTP request
-```
+
+```http
GET https://api.securitycenter.microsoft.com/api/indicators ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response+ If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator.md) entities.
->[!Note]
+> [!NOTE]
> If the Application has 'Ti.ReadWrite.All' permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created.
-## Example 1:
+## Example 1
-**Request**
+### Example 1 request
Here is an example of a request that gets all Indicators
-```
+```http
GET https://api.securitycenter.microsoft.com/api/indicators ```
-**Response**
+### Example 1 response
Here is an example of the response.
-```
+```json
HTTP/1.1 200 Ok Content-type: application/json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ {
- "id": "995",
+ "id": "995",
"indicatorValue": "12.13.14.15", "indicatorType": "IpAddress",
- "action": "Alert",
- "application": "demo-test",
- "source": "TestPrdApp",
- "sourceType": "AadApp",
+ "action": "Alert",
+ "application": "demo-test",
+ "source": "TestPrdApp",
+ "sourceType": "AadApp",
"title": "test", "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z", "createdBy": "45097602-1234-5678-1234-9f453233e62c", "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
+ "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
+ "lastUpdatedBy": TestPrdApp,
"severity": "Informational", "description": "test", "recommendedActions": "test",
- "rbacGroupNames": []
+ "rbacGroupNames": []
}, {
- "id": "996",
+ "id": "996",
"indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1",
- "action": "AlertAndBlock",
- "application": null,
- "source": "TestPrdApp",
- "sourceType": "AadApp",
+ "action": "AlertAndBlock",
+ "application": null,
+ "source": "TestPrdApp",
+ "sourceType": "AadApp",
"title": "test", "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", "createdBy": "45097602-1234-5678-1234-9f453233e62c", "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
+ "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
+ "lastUpdatedBy": TestPrdApp,
"severity": "Informational", "description": "test", "recommendedActions": "TEST",
- "rbacGroupNames": [ "Group1", "Group2" ]
+ "rbacGroupNames": [ "Group1", "Group2" ]
}
- ...
+ ...
] } ```
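Review bot: the fence is now tagged json, but the block opens with `HTTP/1.1 200 Ok Content-type: application/json` before the body, and the `+ "lastUpdatedBy": TestPrdApp,` lines (twice in this example, once more in Example 2 below) carry an unquoted string value, so the sample is neither a pure JSON document nor valid JSON. Quote the value as `"TestPrdApp"` and either move the status line and header out of the fence or tag the block `http` instead; a reader who pastes the sample into a parser to explore the indicator schema will otherwise hit a syntax error on the first object.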
-## Example 2:
+## Example 2
-**Request**
+### Example 2 request
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
-```
+```http
GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' ```
-**Response**
+### Example 2 response
Here is an example of the response.
-```
+```json
HTTP/1.1 200 Ok Content-type: application/json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ {
- "id": "997",
+ "id": "997",
"indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1",
- "action": "AlertAndBlock",
- "application": null,
- "source": "TestPrdApp",
- "sourceType": "AadApp",
+ "action": "AlertAndBlock",
+ "application": null,
+ "source": "TestPrdApp",
+ "sourceType": "AadApp",
"title": "test", "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", "createdBy": "45097602-1234-5678-1234-9f453233e62c", "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
+ "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
+ "lastUpdatedBy": TestPrdApp,
"severity": "Informational", "description": "test", "recommendedActions": "TEST",
- "rbacGroupNames": [ "Group1", "Group2" ]
+ "rbacGroupNames": [ "Group1", "Group2" ]
}
- ...
+ ...
] } ```
security Get User Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-information.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieve a User entity by key (user name). ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | User.Read.All | 'Read all user profiles'
+Application|User.Read.All|'Read all user profiles'
## HTTP request
-```
+
+```http
GET /api/users/{id}/ ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. - ## Request body+ Empty ## Response
-If successful and user exists - 200 OK with [user](user.md) entity in the body. If user does not exist - 404 Not Found.
+If successful and user exists - 200 OK with [user](user.md) entity in the body. If user does not exist - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/users/user1 Content-type: application/json ```
-**Response**
+### Response example
Here is an example of the response.
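Review bot: `+### Request` and `+### Response example` are inconsistent with each other and with the `### Request example` / `### Response example` pair this patch introduces on the other pages; rename the first to `### Request example`. The same bare `+### Request` heading appears in the get-user-related-alerts change below.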
security Get User Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-alerts.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves a collection of alerts related to a given user ID.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
+Application|Alert.Read.All|'Read all alerts'
+Application|Alert.ReadWrite.All|'Read and write all alerts'
Delegated (work or school account) | Alert.Read | 'Read alerts' Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
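Review bot: the permission table is only half converted. The header and the two Application rows lose their pipe spacing (`+Application|Alert.Read.All|'Read all alerts'`), but the two Delegated rows in the trailing context line still carry the old `Delegated (work or school account) | Alert.Read | 'Read alerts'` form. Both forms render, but a mixed table is harder to maintain; compact the Delegated rows in the same commit.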
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md).
+>
+> - The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md).
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request
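Review bot: the note block is only partly fixed. The first bullet becomes `> - The user needs to have at least the following role permission: 'View Data'.`, but the second bullet in the trailing context keeps the old `>- Response will include...` prefix, and its sentence has a grammar error and stray commas: "alerts, associated with devices, that the user have access to" should read "alerts associated with devices that the user has access to". This sentence is the access-scoping statement for the API (device-group RBAC limits which alerts a delegated token can see), so it is worth fixing while the block is being edited.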
-```
+
+```http
GET /api/users/{id}/alerts ```
GET /api/users/{id}/alerts
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**. - ## Request body+ Empty ## Response
-If successful and user exists - 200 OK. If the user does not exist - 404 Not Found.
+If successful and user exists - 200 OK. If the user does not exist - 404 Not Found.
## Example
-**Request**
+### Request
Here is an example of the request.
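Review bot: `+### Request` here differs from the `### Request example` heading introduced for the same section in the other files of this change (Get Vuln By Software, Get Vulnerability By Id, Import TI Indicators); use `### Request example` so the API pages share one heading set.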
security Get User Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-machines.md
Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type |Permission|Permission display name
+Permission type|Permission|Permission display name
:|:|: Application |Machine.Read.All|'Read all machine profiles' Application |Machine.ReadWrite.All |'Read and write all machine information'
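Review bot: only the header row is compacted (`+Permission type|Permission|Permission display name`); the Application rows in the trailing context still have a stray space before the first pipe (`Application |Machine.Read.All|'Read all machine profiles'`) and an inconsistent space after `Machine.ReadWrite.All `. Compact those rows too so the table has one style.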
GET /api/users/{id}/machines
## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|: Authorization | String | Bearer {token}. **Required**.
security Get Vuln By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vuln-by-software.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieve a list of vulnerabilities in the installed software. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
+Application|Software.Read.All|'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management Software information'
## HTTP request
-```
+
+```http
GET /api/Software/{Id}/vulnerabilities ``` ## Request headers
-| Name | Type | Description
-|:--|:-|:--|
-| Authorization | String | Bearer {token}.**Required**.
+|Name|Type|Description
+||||
+|Authorization|String|Bearer {token}.**Required**.
## Request body+ Empty ## Response
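Review bot: the replacement delimiter row `+||||` breaks the request-headers table. GitHub-flavored Markdown requires at least one hyphen in every cell of the delimiter row, so `||||` is not recognised as a table separator and the header and the `Authorization` row will render as plain text. Keep the original `|:--|:-|:--|` (or use `|---|---|---|`). Two smaller points in the same hunk: `+|Name|Type|Description` lacks the trailing pipe that the delimiter row has, and `Bearer {token}.**Required**.` still needs a space before `**Required**`.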
-If successful, this method returns 200 OK with a list of vulnerabilities exposed by the specified software.
+If successful, this method returns 200 OK with a list of vulnerabilities exposed by the specified software.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities ```
-**Response**
+### Response example
Here is an example of the response.
Here is an example of the response.
{ "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [
- {
- "id": "CVE-2017-0140",
- "name": "CVE-2017-0140",
- "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
- "severity": "Medium",
- "cvssV3": 4.2,
- "exposedMachines": 1,
- "publishedOn": "2017-03-14T00:00:00Z",
- "updatedOn": "2019-10-03T00:03:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
+ {
+ "id": "CVE-2017-0140",
+ "name": "CVE-2017-0140",
+ "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
+ "severity": "Medium",
+ "cvssV3": 4.2,
+ "exposedMachines": 1,
+ "publishedOn": "2017-03-14T00:00:00Z",
+ "updatedOn": "2019-10-03T00:03:00Z",
+ "publicExploit": false,
+ "exploitVerified": false,
+ "exploitInKit": false,
+ "exploitTypes": [],
+ "exploitUris": []
+ }
+ ...
] } ```-
security Get Vulnerability By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vulnerability-by-id.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
Retrieves vulnerability information by its ID. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details.
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management vulnerability information'
+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management vulnerability information'
## HTTP request
-```
+
+```http
GET /api/vulnerabilities/{cveId} ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-
+Authorization|String|Bearer {token}. **Required**.
## Request body+ Empty ## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
+If successful, this method returns 200 OK with the vulnerability information in the body.
## Example
-**Request**
+### Request example
Here is an example of the request.
Here is an example of the request.
GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ```
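Review bot: the example request in the trailing context, `GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608`, uses `Vulnerabilities` while the HTTP request section of this file reads `GET /api/vulnerabilities/{cveId}`. Use the same casing in both places so readers do not have to guess whether the path segment is case-sensitive.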
-**Response**
+### Response example
Here is an example of the response.
Here is an example of the response.
"exploitUris": [] } ```+ ## Related topics+ - [Risk-based Threat & Vulnerability Management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) - [Vulnerabilities in your organization](/microsoft-365/security/defender-endpoint/tvm-weaknesses)
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network. Then, they all have the same set of mitigation settings.
-The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an [Enhanced Mitigation Experience Toolkit (no longer supported)](https://support.microsoft.com/en-us/help/2458544/the-enhanced-mitigation-experience-toolkit) configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and review the settings in the Windows Security app.
+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an [Enhanced Mitigation Experience Toolkit (no longer supported)](https://support.microsoft.com/help/2458544/the-enhanced-mitigation-experience-toolkit) configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and review the settings in the Windows Security app.
## Create and export a configuration file
When you've configured exploit protection to your desired state (including both
![Highlight of the Export Settings option](/microsoft-365/security/defender-endpoint/images/wdsc-exp-prot-export) > [!NOTE]
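Review bot: the rewritten line `+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use ...` keeps the unbalanced parenthesis from the original. Since the line is already being changed for the URL, fix the sentence at the same time, for example: `contains a sample configuration file (named *ProcessMitigation.xml*, Selfhost v4) that you can use`.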
- > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sectionsΓÇöeither section will export all settings.
+ > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections (either section will export all settings).
### Use PowerShell to export a configuration file
When you've configured exploit protection to your desired state (including both
Example command:
- `Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml`
+ ```powershell
+ Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml
+ ```
> [!IMPORTANT] > When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location.
After importing, the settings will be instantly applied and can be reviewed in t
Example command:
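Review bot: the IMPORTANT note in the trailing context tells readers to place the exported XML in a shared location so every device can reach it, but says nothing about protecting that location. The file is consumed as policy (`Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml`, or the Group Policy setting that points at `\\Server\Share\Config.xml`), so anyone who can write to the share can weaken or remove mitigations on every device that imports it. Add a sentence that the share or path must be writable only by the administrators who manage the policy, and read-only for the devices.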
- `Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml`
+ ```powershell
+ Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml
+ ```
> [!IMPORTANT]
->
> Ensure you import a configuration file that is created specifically for exploit protection. ## Manage or deploy a configuration
You can use Group Policy to deploy the configuration you've created to multiple
5. In the **Options:** section, enter the location and file name of the Exploit protection configuration file that you want to use, such as in the following examples:
- * `C:\MitigationSettings\Config.XML`
- * `\\Server\Share\Config.xml`
- * `https://localhost:8080/Config.xml`
- * `C:\ExploitConfigfile.xml`
+ - `C:\MitigationSettings\Config.XML`
+ - `\\Server\Share\Config.xml`
+ - `https://localhost:8080/Config.xml`
+ - `C:\ExploitConfigfile.xml`
6. Select **OK** and [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy).
security Import Ti Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-ti-indicators.md
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description+ Submits or Updates batch of [Indicator](ti-indicator.md) entities.
-<br>CIDR notation for IPs is not supported.
+
+CIDR notation for IPs is not supported.
## Limitations+ 1. Rate limitations for this API are 30 calls per minute.
-2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant.
+2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant.
3. Maximum batch size for one API call is 500. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
-
+Application|Ti.ReadWrite|'Read and write Indicators'
+Application|Ti.ReadWrite.All|'Read and write All Indicators'
+Delegated (work or school account)|Ti.ReadWrite|'Read and write Indicators'
## HTTP request
-```
+
+```http
POST https://api.securitycenter.microsoft.com/api/indicators/import ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body+ In the request body, supply a JSON object with the following parameters:
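Review bot: the two rewritten header rows disagree on the type name: `+Authorization|String|Bearer {token}. **Required**.` but `+Content-Type|string|application/json. **Required**.`. Use `String` in both rows, matching the other API pages in this change.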
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required**
-
+Indicators|List<[Indicator](ti-indicator.md)>|List of [Indicators](ti-indicator.md). **Required**
## Response+ - If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below. - If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body. ## Example
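Review bot: the rewritten row `+Indicators|List<[Indicator](ti-indicator.md)>|List of [Indicators](ti-indicator.md). **Required**` leaves a raw `<...>` in Markdown, which the renderer may treat as an HTML tag and drop or mangle; write it as `List&lt;Indicator&gt;` or put the type in backticks and keep the link in the description column. In the trailing Response context, `this method return 400 - Bad Request` should read `returns`.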
-**Request**
+### Request example
Here is an example of the request.
POST https://api.securitycenter.microsoft.com/api/indicators/import
```json {
- "Indicators":
- [
- {
+ "Indicators":
+ [
+ {
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", "title": "demo",
POST https://api.securitycenter.microsoft.com/api/indicators/import
"recommendedActions": "nothing", "rbacGroupNames": [] }
- ]
+ ]
} ```
-**Response**
+### Response example
Here is an example of the response.
Here is an example of the response.
``` ## Related topic+ - [Manage indicators](manage-indicators.md)
security Information Protection In Windows Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)] Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. - >[!TIP] > Read our blog post about how Microsoft Defender for Endpoint integrates with Microsoft Information Protection to [discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). Defender for Endpoint applies the following methods to discover, classify, and protect data: - **Data discovery** - Identify sensitive data on Windows devices at risk-- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it.-
+- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn't manually classified it.
## Data discovery and data classification
Turn on the Azure Information Protection integration so that when a file that co
![Image of settings page with Azure Information Protection](images/atp-settings-aip.png)
-The reported signals can be viewed on the Azure Information Protection ΓÇô Data discovery dashboard.
+The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard.
## Azure Information Protection - Data discovery dashboard
Notice the Device Risk column on the right, this device risk is derived directly
Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
->[!NOTE]
->Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
+> [!NOTE]
+> Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
## Log Analytics
Open Azure Log Analytics in Azure portal and open a query builder (standard or c
To view Defender for Endpoint data, perform a query that contains:
-```
+```text
InformationProtectionLogs_CL | where Workload_s == "Windows Defender" ```
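Review bot: `+```text` is the wrong language tag for this block. `InformationProtectionLogs_CL | where Workload_s == "Windows Defender"` is a Kusto query run in Log Analytics, and the docs renderer supports the `kusto` identifier, which gives syntax highlighting; use ```kusto instead of ```text.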
-**Prerequisites:**
+### Prerequisites
- Customers must have a subscription for Azure Information Protection. - Enable Azure Information Protection integration in Microsoft Defender Security Center:
- - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
---
+ - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
Learn how to use data sensitivity labels to prioritize incident investigation.
>[!TIP]
->These data points are also exposed through the ΓÇÿDeviceFileEventsΓÇÖ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
+>These data points are also exposed through the 'DeviceFileEvents' in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
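Review bot: the rewritten tip `+>These data points are also exposed through the 'DeviceFileEvents' in advanced hunting, allowing advanced queries and schedule detection ...` fixes the smart quotes but leaves three things: `DeviceFileEvents` is a table name and reads better in backticks as `the DeviceFileEvents table`; "schedule detection" should be "scheduled custom detections"; and the line still has `>These` with no space after `>`, while every other blockquote in this change was normalized to `> `.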
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-alerts.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
security Investigate Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-domain.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain.
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
For more information on these actions, see [Take response action on a file](resp
The file details, incident, malware detection, and file prevalence cards display various attributes about the file.
-You'll see details such as the fileΓÇÖs MD5, the Virus Total detection ratio, and Microsoft Defender AV detection if available, and the fileΓÇÖs prevalence.
+You'll see details such as the file's MD5, the Virus Total detection ratio, and Microsoft Defender AV detection if available, and the file's prevalence.
The file prevalence card shows where the file was seen in devices in the organization and worldwide.
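Review bot: `+You'll see details such as the file's MD5, the Virus Total detection ratio, ...` fixes the mojibake, but the service name is `VirusTotal` (one word). Since the line is already being touched, correct the name in the same commit.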
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-incidents.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
+Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
When you investigate an incident, you'll see:+ - Incident details - Incident comments and actions - Tabs (alerts, devices, investigations, evidence, graph)
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUV]
+## Analyze incident details
-## Analyze incident details
-Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph).
+Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph).
![Image of incident details1](images/atp-incident-details.png) ### Alerts
-You can investigate the alerts and see how they were linked together in an incident.
-Alerts are grouped into incidents based on the following reasons:
-- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert +
+You can investigate the alerts and see how they were linked together in an incident. Alerts are grouped into incidents based on the following reasons:
+
+- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
- File characteristics - The files associated with the alert have similar characteristics - Manual association - A user manually linked the alerts - Proximate time - The alerts were triggered on the same device within a certain timeframe
Alerts are grouped into incidents based on the following reasons:
![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-reason.png)
-You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
+You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
### Devices+ You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md). ![Image of devices tab in incident details page](images/atp-incident-device-tab.png) ### Investigations+ Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts. ![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png) ## Going through the evidence
-Microsoft Defender for Endpoint automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with autoresponse and information about the important files, processes, services, and more.
-Each of the analyzed entities will be marked as infected, remediated, or suspicious.
+Microsoft Defender for Endpoint automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with autoresponse and information about the important files, processes, services, and more.
+
+Each of the analyzed entities will be marked as infected, remediated, or suspicious.
![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png)
-## Visualizing associated cybersecurity threats
+## Visualizing associated cybersecurity threats
+ Microsoft Defender for Endpoint aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph+ The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc. ![Image of the incident graph](images/atp-incident-graph-tab.png)
-You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether itΓÇÖs been observed in your organization, if so, how many instances.
+You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it's been observed in your organization, if so, how many instances.
![Image of incident details](images/atp-incident-graph-details.png) ## Related topics+ - [Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue) - [Investigate incidents in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-incidents) - [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents)
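Review bot: the rewritten sentence `+You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it's been observed in your organization, if so, how many instances.` only swaps the apostrophe and keeps the run-on. Suggested wording: `Click a circle on the incident graph to see details of the malicious file: associated file detections, how many instances have been seen worldwide, and whether (and how many times) it has been observed in your organization.`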
security Investigate Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-ip.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
Examine possible communication between your devices and external internet protocol (IP) addresses.
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
## Investigate user account entities
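Review bot: the ocid tracking value on the + line, `docs-wdatp-investigatgeuser-abovefoldlink`, looks like a misspelling of "investigateuser" carried over from the - line; confirm it is the registered campaign id before keeping it, since analytics match the string exactly and the neighbouring articles in this batch use `investigateip` and `investigatemachines`.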
security Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigation.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] Represent an Automated Investigation entity in Defender for Endpoint.
-<br> See [Overview of automated investigations](automated-investigations.md) for more information.
+
+See [Overview of automated investigations](automated-investigations.md) for more information.
## Methods
-Method|Return Type |Description
-:|:|:
-[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation
-[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity.
-[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device.
+Method|Return Type|Description
+:|:|:
+[List Investigations](get-investigation-collection.md)|Investigation collection|Get collection of Investigation
+[Get single Investigation](get-investigation-object.md)|Investigation entity|Gets single Investigation entity.
+[Start Investigation](initiate-autoir-investigation.md)|Investigation entity|Starts Investigation on a device.
## Properties
-Property | Type | Description
-:|:|:
-id | String | Identity of the investigation entity.
-startTime | DateTime Nullable | The date and time when the investigation was created.
-endTime | DateTime Nullable | The date and time when the investigation was completed.
-cancelledBy | String | The ID of the user/application that canceled that investigation.
-investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
-statusDetails | String | Additional information about the state of the investigation.
-machineId | String | The ID of the device on which the investigation is executed.
-computerDnsName | String | The name of the device on which the investigation is executed.
-triggeringAlertId | String | The ID of the alert that triggered the investigation.
+Property|Type|Description
+:|:|:
+id|String|Identity of the investigation entity.
+startTime|DateTime Nullable|The date and time when the investigation was created.
+endTime|DateTime Nullable|The date and time when the investigation was completed.
+cancelledBy|String|The ID of the user/application that canceled that investigation.
+investigationState|Enum|The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
+statusDetails|String|Additional information about the state of the investigation.
+machineId|String|The ID of the device on which the investigation is executed.
+computerDnsName|String|The name of the device on which the investigation is executed.
+triggeringAlertId|String|The ID of the alert that triggered the investigation.
## Json representation
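Review bot: the Methods table descriptions on the + rows are inconsistent: "Get collection of Investigation" (no article, no period) sits beside "Gets single Investigation entity."; suggest "Gets a collection of Investigation entities." and "Gets a single Investigation entity.". The unchanged heading that follows, "## Json representation", should read "JSON representation" to match the acronym casing used elsewhere in these API articles.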
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Title: Configure Microsoft Defender for Endpoint on iOS features
-description: Describes how to deploy Microsoft Defender for Endpoint on iOS features
+description: Describes how to deploy Microsoft Defender for Endpoint on iOS features.
keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios search.product: eADQiWindows 10XVcnh search.appverid: met150
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
> [!NOTE] > Defender for Endpoint on iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-## Conditional Access with Defender for Endpoint on iOS
+## Conditional Access with Defender for Endpoint on iOS
+ Microsoft Defender for Endpoint on iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk score. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. For more information about how to set up Conditional Access with Defender for Endpoint on iOS, see [Defender for Endpoint and Intune](/mem/intune/protect/advanced-threat-protection). ### Jailbreak detection by Microsoft Defender for Endpoint+ Microsoft Defender for Endpoint has the capability of detecting unmanaged and managed devices that are jailbroken. If a device is detected to be jailbroken, a **High**-risk alert will be reported to Security Center and if Conditional Access is setup based on device risk score, then the device will be blocked from accessing corporate data. ## Web Protection and VPN
Defender for Endpoint on iOS enables admins to configure custom indicators on iO
## Report unsafe site Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.-
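Review bot: the NOTE callout sitting between the changed lines still says Defender for Endpoint on iOS "would use a VPN", whereas the same callout in ios-install-unmanaged.md in this batch reads "uses a VPN"; align both to "uses". In the Jailbreak detection paragraph on the + line, "if Conditional Access is setup based on device risk score" should be "is set up" (verb form).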
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
Title: Deploy Microsoft Defender for Endpoint on iOS features
-description: Describes how to deploy Microsoft Defender for Endpoint on iOS features
+description: Describes how to deploy Microsoft Defender for Endpoint on unenrolled iOS devices.
keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios search.product: eADQiWindows 10XVcnh search.appverid: met150
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
> [!NOTE] > Defender for Endpoint on iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
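Review bot: the new description on the + line now says "on unenrolled iOS devices", but the unchanged Title line above still reads "Deploy Microsoft Defender for Endpoint on iOS features" and the keywords line still carries "configure, features" copied from ios-configure-features.md; update the title (for example "Deploy Microsoft Defender for Endpoint on unenrolled iOS devices") and the keywords so the metadata matches the article body.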
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
This topic provides troubleshooting information to help you address issues that may arise as you use Microsoft Defender for Endpoint on iOS.
security Isolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/isolate-machine.md
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Isolates a device from accessing external network.
+Isolates a device from accessing external network.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
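Review bot: the - and + lines of the API description differ only in trailing whitespace and keep the missing article: "Isolates a device from accessing external network" should be "from accessing the external network".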
[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Isolate | 'Isolate machine'
-Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
+Application|Machine.Isolate|'Isolate machine'
+Delegated (work or school account)|Machine.Isolate|'Isolate machine'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
+>
+> - The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
POST https://api.securitycenter.microsoft.com/api/machines/{id}/isolate ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
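Review bot: the Content-Type row on the + line still uses lowercase "string" while the Authorization row above it and the Request body table below use "String"; make the Type column consistent.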
## Request body+ In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Comment | String | Comment to associate with the action. **Required**.
-IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'.
+Comment|String|Comment to associate with the action. **Required**.
+IsolationType|String|Type of the isolation. Allowed values are: 'Full' or 'Selective'.
**IsolationType** controls the type of isolation to perform and can be one of the following:-- Full ΓÇô Full isolation-- Selective ΓÇô Restrict only limited set of applications from accessing the network (see [Isolate devices from the network](respond-machine-alerts.md#isolate-devices-from-the-network) for more details)
+- Full: Full isolation
+- Selective: Restrict only limited set of applications from accessing the network (see [Isolate devices from the network](respond-machine-alerts.md#isolate-devices-from-the-network) for more details)
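Review bot: on the + line for the Selective value, "Restrict only limited set of applications" is missing an article: "Restrict only a limited set of applications from accessing the network". "Full: Full isolation" on the line above it only repeats the name; a short clause describing what full isolation actually does would help the reader more, and the linked respond-machine-alerts section is the natural source for that wording.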
## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
## Example
-**Request**
+### Request
Here is an example of the request.
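Review bot: the Response sentence on the + line is unchanged apart from whitespace and still reads awkwardly: "returns 201 - Created response code and [Machine Action]..." should be "returns a 201 Created response code and a [Machine Action](machineaction.md) in the response body". Promoting "**Request**" to "### Request" is the right call; any matching response example heading in this article should be promoted the same way so the two stay parallel.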
security Linux Deploy Defender For Endpoint With Chef https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md
ms.technology: mde
# Deploy Defender for Endpoint on Linux with Chef
-Before you begin:
+Before you begin: Install unzip if it's not already installed.
-- Install unzip if itΓÇÖs not already installed.
-The Chef components are already installed and a Chef repository exists (chef generate repo <reponame>) to store the cookbook that will be used to deploy to Defender for Endpoint on Chef managed Linux servers.
+The Chef components are already installed and a Chef repository exists (chef generate repo \<reponame\>) to store the cookbook that will be used to deploy to Defender for Endpoint on Chef managed Linux servers.
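Review bot: merging "Install unzip if it's not already installed." onto the "Before you begin:" line on the + line loses the list structure, and the next sentence ("The Chef components are already installed and a Chef repository exists ...") is also a prerequisite; keep "Before you begin:" as the lead-in and list both items as bullets. The `\<reponame\>` escaping is correct markdown, though putting `chef generate repo <reponame>` in inline code would avoid the need for it.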
-You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:</br>
-`chef generate cookbook mdatp`
+You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:
-This command will create a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one youΓÇÖd like to use to add the MDE deployment into.
+```bash
+chef generate cookbook mdatp
+```
+
+This command will create a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one you'd like to use to add the MDE deployment into.
After the cookbook is created, create a files folder inside the cookbook folder that just got created:
-`mkdir mdatp/files`
+```bash
+mkdir mdatp/files
+```
Transfer the Linux Server Onboarding zip file that can be downloaded from the Microsoft Defender Security Center portal to this new files folder. On the Chef Workstation, navigate to the mdatp/recipes folder. This folder is created when the cookbook was generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the default.rb file:-- include_recipe '::onboard_mdatp'+
+- include_recipe '::onboard_mdatp'
- include_recipe '::install_mdatp' Then save and close the default.rb file.+ Next create a new recipe file named install_mdatp.rb in the recipes folder and add this text to the file: ```powershell-
-#Add Microsoft Defender
-Repo
+#Add Microsoft Defender
+Repo
case node['platform_family'] when 'debian' apt_repository 'MDAPRepo' do
when 'rhel'
end ```
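Review bot: the + lines keep the comment split across two lines ("#Add Microsoft Defender" / "Repo"), which makes `Repo` a bare constant reference in install_mdatp.rb and raises NameError (uninitialized constant Repo) when the recipe compiles; join them as "# Add Microsoft Defender Repo". The fence is tagged `powershell`, but the content is a Chef recipe (Ruby DSL), so tag it `ruby` (the same applies to the onboard_mdatp.rb and settings_mdatp.rb fences further down). The two `include_recipe` lines for default.rb are rendered as list items; they are file content and belong in a `ruby` fence as well.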
-YouΓÇÖll need to modify the version number, distribution, and repo name to match the version youΓÇÖre deploying to and the channel youΓÇÖd like to deploy.
-Next you should create an onboard_mdatp.rb file in the mdatp/recipies folder. Add the following text to that file:
+You'll need to modify the version number, distribution, and repo name to match the version you're deploying to and the channel you'd like to deploy.
+Next you should create an onboard_mdatp.rb file in the mdatp/recipies folder. Add the following text to that file:
```powershell- #Create MDATP Directory mdatp = "/etc/opt/microsoft/mdatp" zip_path = "/path/to/chef-repo/cookbooks/mdatp/files/WindowsDefenderATPOnboardingPackage.zip"
end
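Review bot: the + line keeps the folder name "mdatp/recipies"; the folder Chef generates is `recipes` (as the earlier "mdatp/recipes folder" sentence says), so the typo should be fixed here and in the settings_mdatp.rb paragraph below. On the `zip_path` line, the absolute workstation path is a placeholder; since `cookbook_file` already resolves files from the cookbook's files/ directory, showing that resource would remove the need to edit a hard-coded path at all.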
Make sure to update the path name to the location of the onboarding file. To test deploy it on the Chef workstation, just run ``sudo chef-client -z -o mdatp``.
-After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](/linux-preferences.md).
-After you've created and tested your configuration file, you can place it into the cookbook/mdatp/files folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
+After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](/linux-preferences.md).
+After you've created and tested your configuration file, you can place it into the cookbook/mdatp/files folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
```powershell #Copy the configuration file
when 'debian'
action :remove end when 'rhel'
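Review bot: the link on the + line, `[Set preferences ...](/linux-preferences.md)`, has a leading slash, which resolves from the site root rather than the article's folder; the other same-folder links in this batch (`automated-investigations.md`, `respond-machine-alerts.md`) use a bare relative name, so this should be `linux-preferences.md`. The following + line also repeats the "mdatp/recipies" typo.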
- if node['platform_version'] <= 8
+ if node['platform_version'] <= 8
then yum_package "mdatp" do action :remove
then
end end ```-
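Review bot: the + line keeps `if node['platform_version'] <= 8` unchanged except for whitespace; Ohai reports `platform_version` as a string (for example "8.4"), so comparing it with an Integer raises ArgumentError ("comparison of String with 8 failed") when the settings recipe runs on RHEL-family nodes. Use `node['platform_version'].to_i <= 8` (or `.to_f` if the minor version matters).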
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
Exclusions can be useful to avoid incorrect detections on files or software that
The follow table shows the exclusion types supported by Defender for Endpoint on Linux.
-Exclusion | Definition | Examples
+Exclusion|Definition|Examples
||
-File extension | All files with the extension, anywhere on the device | `.test`
-File | A specific file identified by the full path | `/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
-Folder | All files under the specified folder (recursively) | `/var/log/`<br/>`/var/*/`
-Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`<br/>`c?t`
+File extension|All files with the extension, anywhere on the device|`.test`
+File|A specific file identified by the full path|`/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
+Folder|All files under the specified folder (recursively)|`/var/log/`<br/>`/var/*/`
+Process|A specific process (specified either by the full path or file name) and all files opened by it|`/bin/cat`<br/>`cat`<br/>`c?t`
> [!IMPORTANT] > The paths above must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`. File, folder, and process exclusions support the following wildcards:
-Wildcard | Description | Example | Matches | Does not match
+Wildcard|Description|Example|Matches|Does not match
||||
-\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
-? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log` | `file123.log`
+\*|Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder)|`/var/\*/\*.log`|`/var/log/system.log`|`/var/log/nested/system.log`
+?|Matches any single character|`file?.log`|`file1.log`<br/>`file2.log`|`file123.log`
## How to configure the list of exclusions
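Review bot: the wildcard example on the + row, `/var/\*/\*.log`, sits inside a code span, where a backslash is literal rather than an escape, so it renders with the backslashes and no longer matches the pattern the "Matches" column describes; write `/var/*/*.log`. In the unchanged lead-in above the first table, "The follow table shows" should be "The following table shows".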
Examples:
```bash mdatp exclusion extension add --name .txt ```+ ```Output Extension exclusion configured successfully ```
Examples:
```bash mdatp exclusion file add --path /var/log/dummy.log ```+ ```Output File exclusion configured successfully ```
Examples:
```bash mdatp exclusion folder add --path /var/log/ ```+ ```Output Folder exclusion configured successfully ``` - - Add an exclusion for a second folder: ```bash mdatp exclusion folder add --path /var/log/ mdatp exclusion folder add --path /other/folder ```+ ```Output Folder exclusion configured successfully ``` - - Add an exclusion for a folder with a wildcard in it: ```bash
Examples:
> [!NOTE] > This will only exclude paths one level below */var/*, but not folders which are more deeply nested; for example, */var/this-subfolder/but-not-this-subfolder*.
-
+ ```bash mdatp exclusion folder add --path "/var/" ```+ > [!NOTE] > This will exclude all paths whose parent is */var/*; for example, */var/this-subfolder/and-this-subfolder-as-well*.
Examples:
```bash mdatp exclusion process add --name cat ```
- ```Output
+
+ ```Output
Process exclusion configured successfully ``` - - Add an exclusion for a second process: ```bash mdatp exclusion process add --name cat mdatp exclusion process add --name dog ```
- ```Output
+
+ ```Output
Process exclusion configured successfully ```
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Create a subtask or role files that contribute to a playbook or task.
In the following commands, replace *[distro]* and *[version]* with the information you've identified. > [!NOTE]
- > In case of Oracle Linux, replace *[distro]* with ΓÇ£rhelΓÇ¥.
+ > In case of Oracle Linux, replace *[distro]* with "rhel".
```bash - name: Add Microsoft APT key
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youΓÇÖre using Defender for Endpoint on Linux.
+Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you're using Defender for Endpoint on Linux.
This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
Some diagnostic data is required, while some diagnostic data is optional. We giv
There are two levels of diagnostic data for Defender for Endpoint client software that you can choose from:
-* **Required**: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device itΓÇÖs installed on.
+* **Required**: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device it's installed on.
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
The following fields are considered common for all events:
### Required diagnostic data
-**Required diagnostic data** is the minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and perform as expected on the device itΓÇÖs installed on.
+**Required diagnostic data** is the minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and perform as expected on the device it's installed on.
Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
security Linux Schedule Scan Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-atp.md
Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b
> To get a list of all the time zones, run the following command: > `timedatectl list-timezones`<br> > Examples for timezones:
+>
> - `America/Los_Angeles` > - `America/New_York` > - `America/Chicago` > - `America/Denver` ## To set the Cron job+ Use the following commands:
-**To backup crontab entries**
+### Backup crontab entries
-`sudo crontab -l > /var/tmp/cron_backup_200919.dat`
+```bash
+sudo crontab -l > /var/tmp/cron_backup_200919.dat
+```
> [!NOTE] > Where 200919 == YRMMDD > [!TIP]
-> Do this before you edit or remove. <br>
+> Do this before you edit or remove.
+
+To edit the crontab, and add a new job as a root user:
-To edit the crontab, and add a new job as a root user: <br>
-`sudo crontab -e`
+```bash
+sudo crontab -e
+```
> [!NOTE] > The default editor is VIM. You might see:
+```outbou
0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh
+```
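Review bot: the fence language on the + line, ```outbou, is not a valid identifier and looks like a truncated paste; the other output blocks in this batch use ```Output, so use that here. Worth verifying as well: the script name on the unchanged line inside the block, `/etc/opt/microsoft/mdatp/logrorate.sh`, reads like a typo for logrotate.sh, but it should only be changed if the product actually installs the file under the corrected name.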
-Press ΓÇ£InsertΓÇ¥
+Press "Insert"
Add the following entries:
+```bash
CRON_TZ=America/Los_Angeles 0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log
+```
> [!NOTE]
->In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC ΓÇô8).
+> In this example, we have set it to 00 minutes, 2 a.m. (hour in 24 hour format), any day of the month, any month, on Saturdays. Meaning it will run Saturdays at 2:00 a.m. Pacific (UTC -8).
-Press ΓÇ£EscΓÇ¥
+Press "Esc"
-Type ΓÇ£:wqΓÇ¥ without the double quotes.
+Type "`:wq`" without the double quotes.
> [!NOTE] > w == write, q == quit
To view your cron jobs, type `sudo crontab -l`
:::image type="content" source="/microsoft-365/security/defender-endpoint/images/linux-mdatp-1" alt-text="linux mdatp":::
-**To inspect cron job runs**
+#### To inspect cron job runs
-`sudo grep mdatp /var/log/cron`
+```bash
+sudo grep mdatp /var/log/cron
+```
-**To inspect the mdatp_cron_job.log**
+#### To inspect the mdatp_cron_job.log*
-`sudo nano mdatp_cron_job.log`
+```bash
+sudo nano mdatp_cron_job.log
+```
## For those who use Ansible, Chef, or Puppet Use the following commands:+ ### To set cron jobs in Ansible
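Review bot: the heading levels in this hunk are inconsistent: the earlier step uses "### Backup crontab entries" while the two + lines here use "#### To inspect cron job runs" and "#### To inspect the mdatp_cron_job.log*"; use one level for all steps under "To set the Cron job". The second of those headings also carries a stray trailing asterisk left over from the removed bold markup.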
-`cron ΓÇô Manage cron.d and crontab entries`
+```bash
+cron - Manage cron.d and crontab entries
See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information. ### To set crontabs in Chef
-`cron resource`
-See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information.
+```bash
+cron resource
+```bash
+
+```
+See <https://docs.chef.io/resources/cron/> for more information.
### To set cron jobs in Puppet+
+```bash
Resource Type: cron
+```
-See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information.
+See <https://puppet.com/docs/puppet/5.5/types/cron.html> for more information.
Automating with Puppet: Cron jobs and scheduled tasks
See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](h
## Additional information
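Review bot: the fences in the Ansible/Chef/Puppet hunk are unbalanced: the + line ```bash before "cron - Manage cron.d and crontab entries" is never closed before the "See https://docs.ansible.com..." sentence, and the Chef section opens ```bash, then has a second ```bash and only one closing ```, so everything after it renders as code. Beyond the balance problem, "cron - Manage cron.d and crontab entries", "cron resource" and "Resource Type: cron" are not shell commands but the names of the Ansible module, the Chef resource and the Puppet type; render them as inline code or plain text next to the links rather than as bash blocks.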
-**To get help with crontab**
+### To get help with crontab
-`man crontab`
+```bash
+man crontab
+```
-**To get a list of crontab file of the current user**
+### To get a list of crontab file of the current user
-`crontab -l`
+```bash
+crontab -l
+```
-**To get a list of crontab file of another user**
+### To get a list of crontab file of another user
-`crontab -u username -l`
+```bash
+crontab -u username -l
+```
-**To backup crontab entries**
+### To backup crontab entries
-`crontab -l > /var/tmp/cron_backup.dat`
+```bash
+crontab -l > /var/tmp/cron_backup.dat
+```
> [!TIP]
-> Do this before you edit or remove. <br>
+> Do this before you edit or remove.
-**To restore crontab entries**
+### To restore crontab entries
-`crontab /var/tmp/cron_backup.dat`
+```bash
+crontab /var/tmp/cron_backup.dat
+```
-**To edit the crontab and add a new job as a root user**
+### To edit the crontab and add a new job as a root user
-`sudo crontab -e`
+```bash
+sudo crontab -e
+```
-**To edit the crontab and add a new job**
+### To edit the crontab and add a new job
-`crontab -e`
+```bash
+crontab -e
+```
-**To edit other userΓÇÖs crontab entries**
+### To edit other user's crontab entries
-`crontab -u username -e`
+```bash
+crontab -u username -e
+```
-**To remove all crontab entries**
+### To remove all crontab entries
-`crontab -r`
+```bash
+crontab -r
+```
-**To remove other userΓÇÖs crontab entries**
+### To remove other user's crontab entries
-`crontab -u username -r`
+```bash
+crontab -u username -r
+```
-**Explanation**
+### Explanation
-+ΓÇöΓÇöΓÇöΓÇöΓÇö- minute (values: 0 ΓÇô 59) (special characters: , ΓÇô * /) <br>
-| +ΓÇöΓÇöΓÇöΓÇö- hour (values: 0 ΓÇô 23) (special characters: , ΓÇô * /) <br>
-| | +ΓÇöΓÇöΓÇö- day of month (values: 1 ΓÇô 31) (special characters: , ΓÇô * / L W C) <br>
-| | | +ΓÇöΓÇö- month (values: 1 ΓÇô 12) (special characters: ,- * / ) <br>
-| | | | +ΓÇö- day of week (values: 0 ΓÇô 6) (Sunday=0 or 7) (special characters: , ΓÇô * / L W C) <br>
++ΓÇöΓÇöΓÇöΓÇöΓÇö- minute (values: 0 - 59) (special characters: , - * /) <br>
+| +ΓÇöΓÇöΓÇöΓÇö- hour (values: 0 - 23) (special characters: , - * /) <br>
+| | +ΓÇöΓÇöΓÇö- day of month (values: 1 - 31) (special characters: , - * / L W C) <br>
+| | | +ΓÇöΓÇö- month (values: 1 - 12) (special characters: ,- * / ) <br>
+| | | | +ΓÇö- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C) <br>
| | | | |*****command to be executed--
security Linux Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-install.md
systemctl status mdatp
id "mdatp" ```
- If thereΓÇÖs no output, run
+ If there's no output, run
```bash sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
systemctl status mdatp
distributions and `/usr/lib/systemd/system` for Rhel, CentOS, Oracle and SLES. Then rerun step 2.
-4. If the above steps donΓÇÖt work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
+4. If the above steps don't work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot. 5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`.
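Review bot: Step 4 has the reader make SELinux permissive or disabled by editing `/etc/selinux/config` and rebooting, which is a persistent change, while the very next sentence says to revert it immediately for security reasons; the runtime toggle fits that intent better and needs no reboot: `getenforce` to confirm it is enforcing, `setenforce 0` to test the mdatp restart, `setenforce 1` to restore. Permissive mode still records AVC denials, so `ausearch -m avc -ts recent` after the test shows exactly which policy rule blocks the service, which is what a lasting fix should target rather than leaving enforcement off. Minor: "check the man-page of selinux" would be clearer as `man selinux`.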
Now try restarting the mdatp service using step 2. Revert the configuration chan
Currently supported file systems for on-access activity are listed [here](microsoft-defender-endpoint-linux.md#system-requirements). Any files outside these file systems won't be scanned.
-## Command-line tool ΓÇ£mdatpΓÇ¥ isn't working
+## Command-line tool "mdatp" isn't working
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
security Linux Update MDE Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-MDE-Linux.md
Linux (and Unix) have a tool called **crontab** (similar to Task Scheduler) to b
> [!NOTE] > To get a list of all the time zones, run the following command:
-> `timedatectl list-timezones`<br>
-> Examples for timezones: <br>
+> `timedatectl list-timezones`
+>
+> Examples for timezones:
+>
> - `America/Los_Angeles` > - `America/New_York` > - `America/Chicago` > - `America/Denver` ## To set the Cron job+ Use the following commands:
-**To backup crontab entries**
+### Backup crontab entries
-`sudo crontab -l > /var/tmp/cron_backup_201118.dat`
+```bash
+sudo crontab -l > /var/tmp/cron_backup_201118.dat
+```
> [!NOTE] > Where 201118 == YYMMDD > [!TIP]
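Review bot: In `sudo crontab -l > /var/tmp/cron_backup_201118.dat` the redirection is done by the caller's shell, not by `sudo`, so the backup of root's crontab is written as the invoking user with that user's umask into world-readable `/var/tmp`, and every local account can read the scheduled commands and log paths added later in this article. Suggest a root-owned location with restricted permissions, for example `sudo sh -c 'umask 077; crontab -l > /root/cron_backup_201118.dat'`. The note `Where 201118 == YYMMDD` would also read better as "replace 201118 with today's date in YYMMDD form".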
-> Do this before you edit or remove. <br>
+> Do this before you edit or remove.
+
+To edit the crontab, and add a new job as a root user:
-To edit the crontab, and add a new job as a root user: <br>
-`sudo crontab -e`
+```bash
+sudo crontab -e
+```
> [!NOTE] > The default editor is VIM. You might see:
+```output
0****/etc/opt/microsoft/mdatp/logrorate.sh
+```
And
+```output
02**sat /bin/mdatp scan quick>~/mdatp_cron_job.log
+```
See [Schedule scans with Microsoft Defender for Endpoint (Linux)](linux-schedule-scan-atp.md)
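Review bot: The two sample lines inside the new `output` fences have lost their field separators as rendered here (`0****/etc/opt/microsoft/mdatp/logrorate.sh` and `02**sat /bin/mdatp scan quick>~/mdatp_cron_job.log`); a crontab entry needs five whitespace-separated time fields before the command, so they should read `0 * * * * /etc/opt/microsoft/mdatp/logrorate.sh` and `0 2 * * sat /bin/mdatp scan quick > ~/mdatp_cron_job.log`. Also `logrorate.sh` looks like a typo for `logrotate.sh`; please verify the script name against the path shipped in the package before publishing, since readers will use this line to recognise the installed entry.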
-Press ΓÇ£InsertΓÇ¥
+Press "Insert"
Add the following entries:
+```bash
CRON_TZ=America/Los_Angeles
+```
> #!RHEL and variants (CentOS and Oracle Linux)-
-`0 6 * * sun [ $(date +%d) -le 15 ] && sudo yum update mdatp >> ~/mdatp_cron_job.log`
+>
+> ```bash
+> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo yum update mdatp >> ~/mdatp_cron_job.log
+> ```
> #!SLES and variants-
-`0 6 * * sun [ $(date +%d) -le 15 ] && sudo zypper update mdatp >> ~/mdatp_cron_job.log`
+>
+> ```bash
+> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo zypper update mdatp >> ~/mdatp_cron_job.log
+> ```
> #!Ubuntu and Debian systems-
-`0 6 * * sun [ $(date +%d) -le 15 ] && sudo apt-get install --only-upgrade mdatp >> ~/mdatp_cron_job.log`
+>
+> ```bash
+> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo apt-get install --only-upgrade mdatp >> ~/mdatp_cron_job.log
+> ```
> [!NOTE]
-> In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == WonΓÇÖt run unless itΓÇÖs equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8).
+> In the examples above, we are setting it to 00 minutes, 6 a.m.(hour in 24 hour format), any day of the month, any month, on Sundays.[$(date +\%d) -le 15] == Won't run unless it's equal or less than the 15th day (3rd week). Meaning it will run every 3rd Sundays(7) of the month at 6:00 a.m. Pacific (UTC -8).
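Review bot: The three crontab entries use `$(date +%d)` unescaped, but in a crontab line `%` is special (crontab(5)): the first `%` terminates the command and everything after it is fed to the command as standard input, so cron would actually execute `[ $(date +` and fail. The `\%d` form shown in the NOTE is the correct one and the entries should match it, for example `0 6 * * sun [ $(date +\%d) -le 15 ] && yum update -y mdatp >> ~/mdatp_cron_job.log`. Three further points: `sudo` is redundant (and can hang or fail without a TTY) because these lines go into root's crontab via `sudo crontab -e`; without `-y` the yum/zypper/apt-get invocations stop at the confirmation prompt when run non-interactively, so the update never happens; and the NOTE's explanation of the condition does not match it, since a Sunday whose day-of-month is `-le 15` is the first or second Sunday of the month (or a third Sunday only when it falls exactly on the 15th), not "every 3rd Sunday". Finally, `CRON_TZ` is a cronie feature; confirm it is honored by the cron implementation on the Debian/Ubuntu and SLES targets listed here, or express the schedule in the system time zone.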
-Press ΓÇ£EscΓÇ¥
+Press "Esc"
-Type ΓÇ£:wqΓÇ¥ w/o the double quotes.
+Type "`:wq`" w/o the double quotes.
> [!NOTE] > w == write, q == quit
To view your cron jobs, type `sudo crontab -l`
:::image type="content" source="images/update-MDE-linux-4634577.jpg" alt-text="update Defender for Endpoint on Linux"::: To inspect cron job runs:
-`sudo grep mdatp /var/log/cron`
+
+```bash
+sudo grep mdatp /var/log/cron
+```
To inspect the mdatp_cron_job.log
-`sudo nano mdatp_cron_job.log`
+
+```bash
+sudo nano mdatp_cron_job.log
+```
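Review bot: `/var/log/cron` exists on RHEL-family systems (cronie with rsyslog) but not on Debian/Ubuntu, where cron logs to `/var/log/syslog` or the journal; since this article targets those distributions too, suggest adding `sudo journalctl -u cron` (Debian/Ubuntu, SLES) or `sudo journalctl -u crond` (RHEL and variants), or `grep CRON /var/log/syslog`, next to the grep. Also, the entries above redirect to `~/mdatp_cron_job.log` from root's crontab, where `~` expands to `/root`, so `sudo nano mdatp_cron_job.log` only finds the file when run from that directory and opens it for editing; `sudo less /root/mdatp_cron_job.log` is unambiguous and read-only.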
## For those who use Ansible, Chef, or Puppet Use the following commands:+ ### To set cron jobs in Ansible
-`cron ΓÇô Manage cron.d and crontab entries`
+```bash
+cron - Manage cron.d and crontab entries
+```
-See [https://docs.ansible.com/ansible/latest/modules/cron_module.html](https://docs.ansible.com/ansible/latest/modules/cron_module.html) for more information.
+See <https://docs.ansible.com/ansible/latest/modules/cron_module.html> for more information.
### To set crontabs in Chef
-`cron resource`
-See [https://docs.chef.io/resources/cron/](https://docs.chef.io/resources/cron/) for more information.
+```bash
+cron resource
+```
+
+See <https://docs.chef.io/resources/cron/> for more information.
### To set cron jobs in Puppet+ Resource Type: cron
-See [https://puppet.com/docs/puppet/5.5/types/cron.html](https://puppet.com/docs/puppet/5.5/types/cron.html) for more information.
+See <https://puppet.com/docs/puppet/5.5/types/cron.html> for more information.
Automating with Puppet: Cron jobs and scheduled tasks
-See [https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/](https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/) for more information.
+See <https://puppet.com/blog/automating-puppet-cron-jobs-and-scheduled-tasks/> for more information.
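Review bot: Fencing the one-liners `cron - Manage cron.d and crontab entries`, `cron resource` and `Resource Type: cron` as `bash` presents module descriptions as if they were commands; none of them is runnable. A short declarative equivalent of the crontab entry above would serve readers of each tool, for example Ansible `ansible.builtin.cron` with `name`, `minute: "0"`, `hour: "6"`, `weekday: "0"`, `user: root` and the update command in `job` (or `cron_file` to place it under `/etc/cron.d`), Chef `cron 'mdatp update' do minute '0'; hour '6'; weekday '0'; command '...'; end`, and Puppet `cron { 'mdatp update': minute => 0, hour => 6, weekday => 0, command => '...' }`. The same `\%` escaping and `-y` caveats raised on the crontab entries apply to the command string handed to these resources.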
## Additional information
-**To get help with crontab**
+### To get help with crontab
-`man crontab`
+```bash
+man crontab
+```
-**To get a list of crontab file of the current user**
+### To get a list of crontab file of the current user
-`crontab -l`
+```bash
+crontab -l
+```
-**To get a list of crontab file of another user**
+### To get a list of crontab file of another user
-`crontab -u username -l`
+```bash
+crontab -u username -l
+```
-**To backup crontab entries**
+### To backup crontab entries
-`crontab -l > /var/tmp/cron_backup.dat`
+```bash
+crontab -l > /var/tmp/cron_backup.dat
+```
> [!TIP]
-> Do this before you edit or remove. <br>
+> Do this before you edit or remove.
-**To restore crontab entries**
+### To restore crontab entries
-`crontab /var/tmp/cron_backup.dat`
+```bash
+crontab /var/tmp/cron_backup.dat
+```
-**To edit the crontab and add a new job as a root user**
+### To edit the crontab and add a new job as a root user
-`sudo crontab -e`
+```bash
+sudo crontab -e
+```
-**To edit the crontab and add a new job**
+### To edit the crontab and add a new job
-`crontab -e`
+```bash
+crontab -e
+```
-**To edit other userΓÇÖs crontab entries**
+### To edit other user's crontab entries
-`crontab -u username -e`
+```bash
+crontab -u username -e
+```
-**To remove all crontab entries**
+### To remove all crontab entries
-`crontab -r`
+```bash
+crontab -r
+```
-**To remove other userΓÇÖs crontab entries**
+### To remove other user's crontab entries
-`crontab -u username -r`
+```bash
+crontab -u username -r
+```
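Review bot: `crontab -r` and `crontab -u username -r` delete the entire crontab without confirmation, and `-r` sits next to `-e` on the keyboard, which is the classic way to wipe a crontab by mistake; suggest showing `crontab -i -r` (prompt before deleting) and pointing back to the backup and restore entries above. It would also help to say that the `-u username` forms require root or equivalent privileges, since the earlier `crontab -u username -l` and `crontab -u username -e` entries are shown without `sudo`.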
-**Explanation**
+### Explanation
<pre>
-+ΓÇöΓÇöΓÇöΓÇöΓÇö- minute (values: 0 ΓÇô 59) (special characters: , ΓÇô * /) <br>
-| +ΓÇöΓÇöΓÇöΓÇö- hour (values: 0 ΓÇô 23) (special characters: , ΓÇô * /) <br>
-| | +ΓÇöΓÇöΓÇö- day of month (values: 1 ΓÇô 31) (special characters: , ΓÇô * / L W C) <br>
-| | | +ΓÇöΓÇö- month (values: 1 ΓÇô 12) (special characters: ,- * / ) <br>
-| | | | +ΓÇö- day of week (values: 0 ΓÇô 6) (Sunday=0 or 7) (special characters: , ΓÇô * / L W C) <br>
++ΓÇöΓÇöΓÇöΓÇöΓÇö- minute (values: 0 - 59) (special characters: , - * /) <br>
+| +ΓÇöΓÇöΓÇöΓÇö- hour (values: 0 - 23) (special characters: , - * /) <br>
+| | +ΓÇöΓÇöΓÇö- day of month (values: 1 - 31) (special characters: , - * / L W C) <br>
+| | | +ΓÇöΓÇö- month (values: 1 - 12) (special characters: ,- * / ) <br>
+| | | | +ΓÇö- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , - * / L W C) <br>
| | | | |*****command to be executed </pre>-
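Review bot: The `+` lines of the field diagram still carry mis-encoded em dashes (`ΓÇö`), so this change fixed only the range dashes; the diagram should use plain ASCII (`+----- minute (values: 0 - 59) (special characters: , - * /)`), and the `<br>` tags are redundant inside `<pre>`, which already preserves line breaks. More importantly, the `L`, `W` and `C` special characters listed for day-of-month and day-of-week come from Quartz/Java cron expressions and are not supported by crontab(5) on Linux (cronie or Vixie cron); listing them invites entries that cron will reject. The last line `|*****command to be executed` should show the five fields spaced out, `* * * * * command`.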
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
ms.technology: mde
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
->[!IMPORTANT]
->The exclusions described in this article don't apply to other Defender for Endpoint on Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+> [!IMPORTANT]
+> The exclusions described in this article don't apply to other Defender for Endpoint on Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint on Mac scans. Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint on Mac.
->[!WARNING]
->Defining exclusions lowers the protection offered by Defender for Endpoint on Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
+> [!WARNING]
+> Defining exclusions lowers the protection offered by Defender for Endpoint on Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types The follow table shows the exclusion types supported by Defender for Endpoint on Mac.
-Exclusion | Definition | Examples
+Exclusion|Definition|Examples
||
-File extension | All files with the extension, anywhere on the machine | `.test`
-File | A specific file identified by the full path | `/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
-Folder | All files under the specified folder (recursively) | `/var/log/`<br/>`/var/*/`
-Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`<br/>`c?t`
+File extension|All files with the extension, anywhere on the machine|`.test`
+File|A specific file identified by the full path|`/var/log/test.log` <p> `/var/log/*.log` <p> `/var/log/install.?.log`
+Folder|All files under the specified folder (recursively)|`/var/log/` <p> `/var/*/`
+Process|A specific process (specified either by the full path or file name) and all files opened by it|`/bin/cat` <p> `cat` <p> `c?t`
File, folder, and process exclusions support the following wildcards:
-Wildcard | Description | Example | Matches | Does not match
+Wildcard|Description|Example|Matches|Does not match
||||
-\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
-? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log` | `file123.log`
+\*|Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder)|`/var/*/*.log`|`/var/log/system.log`|`/var/log/nested/system.log`
+?|Matches any single character|`file?.log`|`file1.log` <p> `file2.log`|`file123.log`
>[!NOTE] >The product attempts to resolve firmlinks when evaluating exclusions. Firmlink resolution does not work when the exclusion contains wildcards or the target file (on the `Data` volume) does not exist.
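Review bot: The process-exclusion examples `cat` and `c?t` match by bare file name, so any executable called `cat` (or whatever the `?` wildcard happens to match) anywhere on the disk has every file it opens exempted from scanning; the WARNING above says exclusions lower protection, but the table does not say which forms are broadest. Suggest a sentence recommending the full-path form (`/bin/cat`) and discouraging wildcards in process exclusions, and noting that a folder exclusion such as `/var/*/` covers every direct child of `/var`. The NOTE about firmlinks already explains one reason wildcards are weaker; a second reason is that a bare name is attacker-choosable.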
security Mac Install With Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-jamf.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
Learn how to deploy Microsoft Defender for Endpoint on macOS with Jamf Pro.
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
You'll need to take the following steps:
11. [Deploy Microsoft Defender for Endpoint on macOS](#step-11-deploy-microsoft-defender-for-endpoint-on-macos) - ## Step 1: Get the Microsoft Defender for Endpoint onboarding package 1. In [Microsoft Defender Security Center](https://securitycenter.microsoft.com), navigate to **Settings > Onboarding**.
You'll need to take the following steps:
![Image of WindowsDefenderATPOnboarding file](images/plist-onboarding-file.png) - 2. In the Jamf Pro dashboard, select **New**. ![Image of creating a new Jamf Pro dashboard](images/jamf-pro-configure-profile.png)
All you need to do to have updates is to download an updated schema, edit existi
- enableRealTimeProtection - passiveMode
- >[!NOTE]
- >Not turned on by default, if you are planning to run a third-party AV for macOS, set it to `true`.
+ > [!NOTE]
+ > Not turned on by default, if you are planning to run a third-party AV for macOS, set it to `true`.
- exclusions - excludedPath
All you need to do to have updates is to download an updated schema, edit existi
- exclusionsMergePolicy - allowedThreats
- >[!NOTE]
- >EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.
+ > [!NOTE]
+ > EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.
- disallowedThreatActions - potentially_unwanted_application
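Review bot: The NOTE says the sample schema lists EICAR under `allowedThreats` and asks the reader to remember to remove it; an allowed-threat entry copied into a production profile silently disables detection for that name, so the sample should ship without it, or the NOTE should state the risk before the key list rather than as an aside. Wording: "if you are going through a proof of concept, remove it, especially if you are testing with EICAR".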
All you need to do to have updates is to download an updated schema, edit existi
>If you happen to upload the Intune file, you'll get the following error:<br> >![Image of configuration settings intune file upload](images/8e69f867664668796a3b2904896f0436.png) - 11. Select **Save**. ![Image of configuration settings Save image](images/1b6b5a4edcb42d97f1e70a6a0fa48e3a.png)
These steps are applicable of macOS 10.15 (Catalina) or newer.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>
- <key>ChannelName</key>
- <string>Current</string>
- <key>HowToCheck</key>
- <string>AutomaticDownload</string>
- <key>EnableCheckForUpdatesButton</key>
- <true/>
+ <key>ChannelName</key>
+ <string>Current</string>
+ <key>HowToCheck</key>
+ <string>AutomaticDownload</string>
+ <key>EnableCheckForUpdatesButton</key>
+ <true/>
<key>DisableInsiderCheckbox</key> <false/>
- <key>SendAllTelemetryEnabled</key>
- <true/>
+ <key>SendAllTelemetryEnabled</key>
+ <true/>
</dict> </plist> ```
Alternatively, you can download [fulldisk.mobileconfig](https://github.com/micro
![Image of configuration settings approved kernel ext](images/30be88b63abc5e8dde11b73f1b1ade6a.png) - 4. In **Approved Kernel Extensions** Enter the following details: - Display Name: Microsoft Corp.
These steps are applicable of macOS 10.15 (Catalina) or newer.
Alternatively, you can download [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig) and upload it to JAMF Configuration Profiles as described in [Deploying Custom Configuration Profiles using Jamf Pro|Method 2: Upload a Configuration Profile to Jamf Pro](https://www.jamf.com/jamf-nation/articles/648/deploying-custom-configuration-profiles-using-jamf-pro). - ## Step 10: Schedule scans with Microsoft Defender for Endpoint on macOS
-Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint on macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
+Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint on macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp).
## Step 11: Deploy Microsoft Defender for Endpoint on macOS
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
![Image of configuration settings recur checkin](images/68bdbc5754dfc80aa1a024dde0fce7b0.png) - 13. Select **Save**. 14. Select **Packages > Configure**.
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
![Image of configuration settings do1img](images/99679a7835b0d27d0a222bc3fdaf7f3b.png) ![Image of configuration settings do2img](images/632aaab79ae18d0d2b8e0c16b6ba39e2.png)----
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
The *antivirusEngine* section of the configuration profile is used to manage the
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | antivirusEngine |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|antivirusEngine|
+|**Data type**|Dictionary (nested preference)|
+|**Comments**|See the following sections for a description of the dictionary contents.|
#### Enable / disable real-time protection
Specify whether to enable real-time protection, which scans files as they are ac
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | enableRealTimeProtection |
-| **Data type** | Boolean |
-| **Possible values** | true (default) <br/> false |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|enableRealTimeProtection|
+|**Data type**|Boolean|
+|**Possible values**|true (default) <p> false|
#### Enable / disable passive mode
-Specify whether the antivirus engine runs in passive mode. Passive mode has the following implications:
+Specify whether the antivirus engine runs in passive mode. Passive mode has the following implications:
+ - Real-time protection is turned off - On-demand scanning is turned on - Automatic threat remediation is turned off
Specify whether the antivirus engine runs in passive mode. Passive mode has the
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | passiveMode |
-| **Data type** | Boolean |
-| **Possible values** | false (default) <br/> true |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.67.60 or higher. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|passiveMode|
+|**Data type**|Boolean|
+|**Possible values**|false (default) <p> true|
+|**Comments**|Available in Microsoft Defender for Endpoint version 100.67.60 or higher.|
#### Exclusion merge policy
Specify the merge policy for exclusions. This can be a combination of administra
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | exclusionsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default) <br/> admin_only |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|exclusionsMergePolicy|
+|**Data type**|String|
+|**Possible values**|merge (default) <p> admin_only|
+|**Comments**|Available in Microsoft Defender for Endpoint version 100.83.73 or higher.|
#### Scan exclusions
Specify entities excluded from being scanned. Exclusions can be specified by ful
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | exclusions |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|exclusions|
+|**Data type**|Dictionary (nested preference)|
+|**Comments**|See the following sections for a description of the dictionary contents.|
##### Type of exclusion
Specify content excluded from being scanned by type.
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | $type |
-| **Data type** | String |
-| **Possible values** | excludedPath <br/> excludedFileExtension <br/> excludedFileName |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|$type|
+|**Data type**|String|
+|**Possible values**|excludedPath <p> excludedFileExtension <p> excludedFileName|
##### Path to excluded content
Specify content excluded from being scanned by full file path.
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | path |
-| **Data type** | String |
-| **Possible values** | valid paths |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|path|
+|**Data type**|String|
+|**Possible values**|valid paths|
+|**Comments**|Applicable only if *$type* is *excludedPath*|
## Supported exclusion types The follow table shows the exclusion types supported by Defender for Endpoint on Mac.
-Exclusion | Definition | Examples
+Exclusion|Definition|Examples
||
-File extension | All files with the extension, anywhere on the device | `.test`
-File | A specific file identified by the full path | `/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
-Folder | All files under the specified folder (recursively) | `/var/log/`<br/>`/var/*/`
-Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`<br/>`c?t`
+File extension|All files with the extension, anywhere on the device|`.test`
+File|A specific file identified by the full path|`/var/log/test.log` <p> `/var/log/*.log` <p> `/var/log/install.?.log`
+Folder|All files under the specified folder (recursively)|`/var/log/` <p> `/var/*/`
+Process|A specific process (specified either by the full path or file name) and all files opened by it|`/bin/cat` <p> `cat` <p> `c?t`
> [!IMPORTANT] > The paths above must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file <path-name>`. File, folder, and process exclusions support the following wildcards:
-Wildcard | Description | Example | Matches | Does not match
+Wildcard|Description|Example|Matches|Does not match
||||
-\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/\*/\*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
-? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log` | `file123.log`
+\*|Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder)|`/var/\*/\*.log`|`/var/log/system.log`|`/var/log/nested/system.log`
+?|Matches any single character|`file?.log`|`file1.log` <p> `file2.log`|`file123.log`
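Review bot: In the new row the example `/var/\*/\*.log` keeps its backslashes inside a code span, where Markdown does not process escapes, so the page renders literal `\*` characters that a reader would copy into an exclusion; the same table in mac-exclusions.md uses `/var/*/*.log`, which is the correct form. Since the exclusion and wildcard tables are duplicated between mac-exclusions.md and mac-preferences.md, consider a shared include so they cannot drift (the Definition cells already differ, "anywhere on the machine" versus "anywhere on the device").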
##### Path type (file / directory)
-Indicate if the *path* property refers to a file or directory.
+Indicate if the *path* property refers to a file or directory.
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | isDirectory |
-| **Data type** | Boolean |
-| **Possible values** | false (default) <br/> true |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|isDirectory|
+|**Data type**|Boolean|
+|**Possible values**|false (default) <p> true|
+|**Comments**|Applicable only if *$type* is *excludedPath*|
##### File extension excluded from the scan
Specify content excluded from being scanned by file extension.
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | extension |
-| **Data type** | String |
-| **Possible values** | valid file extensions |
-| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|extension|
+|**Data type**|String|
+|**Possible values**|valid file extensions|
+|**Comments**|Applicable only if *$type* is *excludedFileExtension*|
##### Process excluded from the scan
Specify a process for which all file activity is excluded from scanning. The pro
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | name |
-| **Data type** | String |
-| **Possible values** | any string |
-| **Comments** | Applicable only if *$type* is *excludedFileName* |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|name|
+|**Data type**|String|
+|**Possible values**|any string|
+|**Comments**|Applicable only if *$type* is *excludedFileName*|
#### Allowed threats
Specify threats by name that are not blocked by Defender for Endpoint on Mac. Th
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | allowedThreats |
-| **Data type** | Array of strings |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|allowedThreats|
+|**Data type**|Array of strings|
#### Disallowed threat actions
Restricts the actions that the local user of a device can take when threats are
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | disallowedThreatActions |
-| **Data type** | Array of strings |
-| **Possible values** | allow (restricts users from allowing threats) <br/> restore (restricts users from restoring threats from the quarantine) |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|disallowedThreatActions|
+|**Data type**|Array of strings|
+|**Possible values**|allow (restricts users from allowing threats) <p> restore (restricts users from restoring threats from the quarantine)|
+|**Comments**|Available in Microsoft Defender for Endpoint version 100.83.73 or higher.|
#### Threat type settings
Specify how certain threat types are handled by Microsoft Defender for Endpoint
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | threatTypeSettings |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|threatTypeSettings|
+|**Data type**|Dictionary (nested preference)|
+|**Comments**|See the following sections for a description of the dictionary contents.|
##### Threat type
Specify threat types.
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | potentially_unwanted_application <br/> archive_bomb |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|key|
+|**Data type**|String|
+|**Possible values**|potentially_unwanted_application <p> archive_bomb|
##### Action to take
Specify what action to take when a threat of the type specified in the preceding
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | audit (default) <br/> block <br/> off |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|value|
+|**Data type**|String|
+|**Possible values**|audit (default) <p> block <p> off|
#### Threat type settings merge policy
Specify the merge policy for threat type settings. This can be a combination of
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | threatTypeSettingsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default) <br/> admin_only |
-| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|threatTypeSettingsMergePolicy|
+|**Data type**|String|
+|**Possible values**|merge (default) <p> admin_only|
+|**Comments**|Available in Microsoft Defender for Endpoint version 100.83.73 or higher.|
#### Antivirus scan history retention (in days)
Specify the number of days that results are retained in the scan history on the
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | scanResultsRetentionDays |
-| **Data type** | String |
-| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
-| **Comments** | Available in Microsoft Defender for Endpoint version 101.07.23 or higher. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|scanResultsRetentionDays|
+|**Data type**|String|
+|**Possible values**|90 (default). Allowed values are from 1 day to 180 days.|
+|**Comments**|Available in Microsoft Defender for Endpoint version 101.07.23 or higher.|
#### Maximum number of items in the antivirus scan history
Specify the maximum number of entries to keep in the scan history. Entries inclu
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | scanHistoryMaximumItems |
-| **Data type** | String |
-| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
-| **Comments** | Available in Microsoft Defender for Endpoint version 101.07.23 or higher. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|scanHistoryMaximumItems|
+|**Data type**|String|
+|**Possible values**|10000 (default). Allowed values are from 5000 items to 15000 items.|
+|**Comments**|Available in Microsoft Defender for Endpoint version 101.07.23 or higher.|
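Review bot: Both `scanResultsRetentionDays` and `scanHistoryMaximumItems` are documented with `Data type` String while their possible values are numeric ranges (1 to 180 days, 5000 to 15000 items); please confirm whether the profile expects a string or an integer, since a wrong type in a configuration profile is a common cause of a silently ignored setting, and state it consistently in both tables.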
### Cloud-delivered protection preferences
Configure the cloud-driven protection features of Microsoft Defender for Endpoin
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | cloudService |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|cloudService|
+|**Data type**|Dictionary (nested preference)|
+|**Comments**|See the following sections for a description of the dictionary contents.|
#### Enable / disable cloud-delivered protection
Specify whether to enable cloud-delivered protection the device or not. To impro
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | enabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default) <br/> false |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|enabled|
+|**Data type**|Boolean|
+|**Possible values**|true (default) <p> false|
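Review bot: The unclosed `<p>` that replaces `<br/>` in `+|**Possible values**|true (default) <p> false|` is a block-level paragraph tag inside a table cell, which is not valid HTML; `<br/>` is the inline line break the cell actually needs, and how an open `<p>` inside a cell is closed depends on the renderer. Keep `<br/>` here, and in the diagnosticLevel, automaticSampleSubmission, automaticDefinitionUpdateEnabled, hideStatusMenuIcon and userInitiatedFeedback tables below, which make the same substitution.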
#### Diagnostic collection level
Diagnostic data is used to keep Microsoft Defender for Endpoint secure and up-to
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | diagnosticLevel |
-| **Data type** | String |
-| **Possible values** | optional (default) <br/> required |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|diagnosticLevel|
+|**Data type**|String|
+|**Possible values**|optional (default) <p> required|
#### Enable / disable automatic sample submissions
Determines whether suspicious samples (that are likely to contain threats) are s
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | automaticSampleSubmission |
-| **Data type** | Boolean |
-| **Possible values** | true (default) <br/> false |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|automaticSampleSubmission|
+|**Data type**|Boolean|
+|**Possible values**|true (default) <p> false|
#### Enable / disable automatic security intelligence updates
Determines whether security intelligence updates are installed automatically:
|Section|Value| |:|:|
-| **Key** | automaticDefinitionUpdateEnabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default) <br/> false |
+|**Key**|automaticDefinitionUpdateEnabled|
+|**Data type**|Boolean|
+|**Possible values**|true (default) <p> false|
### User interface preferences
Manage the preferences for the user interface of Microsoft Defender for Endpoint
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | userInterface |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|userInterface|
+|**Data type**|Dictionary (nested preference)|
+|**Comments**|See the following sections for a description of the dictionary contents.|
#### Show / hide status menu icon
Specify whether to show or hide the status menu icon in the top-right corner of
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | hideStatusMenuIcon |
-| **Data type** | Boolean |
-| **Possible values** | false (default) <br/> true |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|hideStatusMenuIcon|
+|**Data type**|Boolean|
+|**Possible values**|false (default) <p> true|
#### Show / hide option to send feedback
Specify whether users can submit feedback to Microsoft by going to `Help` > `Sen
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | userInitiatedFeedback |
-| **Data type** | String |
-| **Possible values** | enabled (default) <br/> disabled |
-| **Comments** | Available in Microsoft Defender for Endpoint version 101.19.61 or higher. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|userInitiatedFeedback|
+|**Data type**|String|
+|**Possible values**|enabled (default) <p> disabled|
+|**Comments**|Available in Microsoft Defender for Endpoint version 101.19.61 or higher.|
### Endpoint detection and response preferences
Manage the preferences of the endpoint detection and response (EDR) component of
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | edr |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|edr|
+|**Data type**|Dictionary (nested preference)|
+|**Comments**|See the following sections for a description of the dictionary contents.|
#### Device tags
-Specify a tag name and its value.
+Specify a tag name and its value.
- The GROUP tag, tags the device with the specified value. The tag is reflected in the portal under the device page and can be used for filtering and grouping devices. |Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | tags |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|tags|
+|**Data type**|Dictionary (nested preference)|
+|**Comments**|See the following sections for a description of the dictionary contents.|
##### Type of tag
Specifies the type of tag
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | `GROUP` |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|key|
+|**Data type**|String|
+|**Possible values**|`GROUP`|
##### Value of tag
Specifies the value of tag
|Section|Value| |:|:|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | any string |
+|**Domain**|`com.microsoft.wdav`|
+|**Key**|value|
+|**Data type**|String|
+|**Possible values**|any string|
-> [!IMPORTANT]
+> [!IMPORTANT]
+>
> - Only one value per tag type can be set. > - Type of tags are unique, and should not be repeated in the same configuration profile.
Specifies the value of tag
To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender for Endpoint provides. The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will:+ - Enable real-time protection (RTP) - Specify how the following threat types are handled: - **Potentially unwanted applications (PUA)** are blocked
The following templates contain entries for all settings described in this docum
<key>hideStatusMenuIcon</key> <false/> <key>userInitiatedFeedback</key>
- <string>enabled</string>
+ <string>enabled</string>
</dict> </dict> </plist>
The following templates contain entries for all settings described in this docum
<key>hideStatusMenuIcon</key> <false/> <key>userInitiatedFeedback</key>
- <string>enabled</string>
+ <string>enabled</string>
</dict> </dict> </array>
The property list must be a valid *.plist* file. This can be checked by executin
```bash plutil -lint com.microsoft.wdav.plist ```+ ```Output com.microsoft.wdav.plist: OK ```
Once you've built the configuration profile for your enterprise, you can deploy
From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the *.plist* produced earlier.
->[!CAUTION]
->You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender for Endpoint.
+> [!CAUTION]
+> You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender for Endpoint.
### Intune deployment
From the JAMF console, open **Computers** > **Configuration Profiles**, navigate
7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
->[!CAUTION]
->You must enter the correct custom configuration profile name; otherwise, these preferences will not be recognized by Microsoft Defender for Endpoint.
+> [!CAUTION]
+> You must enter the correct custom configuration profile name; otherwise, these preferences will not be recognized by Microsoft Defender for Endpoint.
## Resources
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when youΓÇÖre using Microsoft Defender for Endpoint on macOS.
+Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you're using Microsoft Defender for Endpoint on macOS.
This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
Some diagnostic data is required, while some diagnostic data is optional. We giv
There are two levels of diagnostic data for Microsoft Defender for Endpoint client software that you can choose from:
-* **Required**: The minimum data necessary to help keep Microsoft Defender for Endpoint secure, up-to-date, and performing as expected on the device itΓÇÖs installed on.
+* **Required**: The minimum data necessary to help keep Microsoft Defender for Endpoint secure, up-to-date, and performing as expected on the device it's installed on.
* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
The following fields are considered common for all events:
### Required diagnostic data
-**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender for Endpoint secure, up-to-date, and perform as expected on the device itΓÇÖs installed on.
+**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender for Endpoint secure, up-to-date, and perform as expected on the device it's installed on.
Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
The potentially unwanted application (PUA) protection feature in Microsoft Defender for Endpoint on macOS can detect and block PUA files on endpoints in your network.
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
MAU includes a command-line tool, called *msupdate*, that is designed for IT adm
In MAU, the application identifier for Microsoft Defender for Endpoint on macOS is *WDAV00*. To download and install the latest updates for Microsoft Defender for Endpoint on macOS, execute the following command from a Terminal window:
-```
+```dos
./msupdate --install --apps wdav00 ```
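Review bot: `dos` is the wrong fence language for `./msupdate --install --apps wdav00`: the paragraph says the command is executed from a Terminal window on macOS, and `dos` selects batch-file highlighting. Use ```bash, which is the tag this file already uses for the `defaults write` snippet in the channel warning. Also, the paragraph gives the application identifier as *WDAV00* while the command passes `wdav00`; either confirm that msupdate matches the identifier case-insensitively or align the casing so the example can be copied as is.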
This section describes the most common preferences that can be used to configure
### Set the channel name
-The channel determines the type and frequency of updates that are offered through MAU. Devices in `Beta` can try out new features before devices in `Preview` and `Current`.
+The channel determines the type and frequency of updates that are offered through MAU. Devices in `Beta` can try out new features before devices in `Preview` and `Current`.
The `Current` channel contains the most stable version of the product.
->[!IMPORTANT]
-> Prior to Microsoft AutoUpdate version 4.29, channels had different names:
->
+> [!IMPORTANT]
+> Prior to Microsoft AutoUpdate version 4.29, channels had different names:
+>
> - `Beta` was named `InsiderFast` (Insider Fast) > - `Preview` was named `External` (Insider Slow) > - `Current` was named `Production`
The `Current` channel contains the most stable version of the product.
>In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`. |Section|Value|
-|:--|:--|
-| **Domain** | `com.microsoft.autoupdate2` |
-| **Key** | ChannelName |
-| **Data type** | String |
-| **Possible values** | Beta <br/> Preview <br/> Current |
+|||
+|**Domain**|`com.microsoft.autoupdate2`|
+|**Key**|ChannelName|
+|**Data type**|String|
+|**Possible values**|Beta <p> Preview <p> Current|
||| >[!WARNING] >This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint on macOS, execute the following command after replacing `[channel-name]` with the desired channel:
+>
> ```bash > defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }" > ```
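Review bot: The replacement delimiter row `+|||` as it appears here contains no dashes, and a GitHub-flavored markdown table requires at least one `-` in every cell of its second row; if the committed line is really `|||` rather than `|---|---|`, the `|Section|Value|` header and the rows after it will render as plain text. Keep `|:--|:--|` or use `|---|---|`, and check the same row in the UpdateCheckFrequency, HowToCheck, EnableCheckForUpdatesButton, DisableInsiderCheckbox and SendAllTelemetryEnabled tables below, which are changed the same way.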
The `Current` channel contains the most stable version of the product.
Change how often MAU searches for updates. |Section|Value|
-|:--|:--|
-| **Domain** | `com.microsoft.autoupdate2` |
-| **Key** | UpdateCheckFrequency |
-| **Data type** | Integer |
-| **Default value** | 720 (minutes) |
-| **Comment** | This value is set in minutes. |
-
+|||
+|**Domain**|`com.microsoft.autoupdate2`|
+|**Key**|UpdateCheckFrequency|
+|**Data type**|Integer|
+|**Default value**|720 (minutes)|
+|**Comment**|This value is set in minutes.|
### Change how MAU interacts with updates Change how MAU searches for updates. |Section|Value|
-|:--|:--|
-| **Domain** | `com.microsoft.autoupdate2` |
-| **Key** | HowToCheck |
-| **Data type** | String |
-| **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
-| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
-
+|||
+|**Domain**|`com.microsoft.autoupdate2`|
+|**Key**|HowToCheck|
+|**Data type**|String|
+|**Possible values**|Manual <p> AutomaticCheck <p> AutomaticDownload|
+|**Comment**|Note that AutomaticDownload will do a download and install silently if possible.|
### Change whether the "Check for Updates" button is enabled Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface. |Section|Value|
-|:--|:--|
-| **Domain** | `com.microsoft.autoupdate2` |
-| **Key** | EnableCheckForUpdatesButton |
-| **Data type** | Boolean |
-| **Possible values** | True (default) <br/> False |
-
+|||
+|**Domain**|`com.microsoft.autoupdate2`|
+|**Key**|EnableCheckForUpdatesButton|
+|**Data type**|Boolean|
+|**Possible values**|True (default) <p> False|
### Disable Insider checkbox Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users. |Section|Value|
-|:--|:--|
-| **Domain** | `com.microsoft.autoupdate2` |
-| **Key** | DisableInsiderCheckbox |
-| **Data type** | Boolean |
-| **Possible values** | False (default) <br/> True |
-
+|||
+|**Domain**|`com.microsoft.autoupdate2`|
+|**Key**|DisableInsiderCheckbox|
+|**Data type**|Boolean|
+|**Possible values**|False (default) <p> True|
### Limit the telemetry that is sent from MAU Set to false to send minimal heartbeat data, no application usage, and no environment details. |Section|Value|
-|:--|:--|
-| **Domain** | `com.microsoft.autoupdate2` |
-| **Key** | SendAllTelemetryEnabled |
-| **Data type** | Boolean |
-| **Possible values** | True (default) <br/> False |
-
+|||
+|**Domain**|`com.microsoft.autoupdate2`|
+|**Key**|SendAllTelemetryEnabled|
+|**Data type**|Boolean|
+|**Possible values**|True (default) <p> False|
## Example configuration profile The following configuration profile is used to:+ - Place the device in the Production channel - Automatically download and install updates - Enable the "Check for updates" button in the user interface - Allow users on the device to enroll into the Insider channels
+> [!WARNING]
+> The below configuration is an example configuration and should not be used in production without proper review of settings and tailor of configurations.
->[!WARNING]
->The below configuration is an example configuration and should not be used in production without proper review of settings and tailor of configurations.
-
->[!TIP]
->In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.
+> [!TIP]
+> In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to `Beta` or `Preview`.
### JAMF
The following configuration profile is used to:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>
- <key>ChannelName</key>
- <string>Production</string>
- <key>HowToCheck</key>
- <string>AutomaticDownload</string>
- <key>EnableCheckForUpdatesButton</key>
- <true/>
+ <key>ChannelName</key>
+ <string>Production</string>
+ <key>HowToCheck</key>
+ <string>AutomaticDownload</string>
+ <key>EnableCheckForUpdatesButton</key>
+ <true/>
<key>DisableInsiderCheckbox</key> <false/>
- <key>SendAllTelemetryEnabled</key>
- <true/>
+ <key>SendAllTelemetryEnabled</key>
+ <true/>
</dict> </plist> ```
The following configuration profile is used to:
``` To configure MAU, you can deploy this configuration profile from the management tool that your enterprise is using:+ - From JAMF, upload this configuration profile and set the Preference Domain to *com.microsoft.autoupdate2*. - From Intune, upload this configuration profile and set the custom configuration profile name to *com.microsoft.autoupdate2*.
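Review bot: The `ChannelName` value `<string>Production</string>` in the re-indented plist is the legacy channel name: the important-note earlier in this file says `Current` was named `Production` before Microsoft AutoUpdate 4.29, and the ChannelName table lists only `Beta`, `Preview` and `Current`. Since these lines are already being touched, change the value to `Current` and update the bullet `Place the device in the Production channel` in the example description to match, otherwise readers will copy a channel name the table does not document.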
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
ms.technology: mde
> [!IMPORTANT] > On macOS 11 (Big Sur), Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on [this page](mac-sysext-policies.md).
+## 101.34.28 (20.121061.13428.0)
+
+- Bug fixes
+ ## 101.34.27 (20.121052.13427.0) - Bug fixes
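Review bot: The new `## 101.34.28 (20.121061.13428.0)` entry says only `- Bug fixes`. That matches the 101.34.27 entry beneath it, but other releases in this file name the specific changes (the Time Machine interference fix, the `mdatp connectivity test` switch, the SMB file share kernel panic); if any of the 101.34.28 fixes are customer-visible, list them so admins can decide whether to take the update.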
ms.technology: mde
> [!IMPORTANT] > We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax.
->
+>
> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months. - Addressed a kernel panic that occurred sometimes when accessing SMB file shares
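Review bot: The unchanged line above this hunk still carries the typo `famliliarize` (`We encourage you to famliliarize yourself with this new syntax`); since the commit is already editing this callout to add the blank `>` line, fix it to `familiarize` in the same change.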
ms.technology: mde
## 100.86.91 > [!CAUTION]
-> To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current ΓÇô 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].
+> To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current - 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].
> > If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection.
ms.technology: mde
- Fixed an issue where Microsoft Defender for Endpoint on Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service+ ```bash mdatp connectivity test ```+ - Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view) - Performance improvements & bug fixes
security Machine Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-groups.md
As part of the process of creating a device group, you'll:
- Rank the device group relative to other groups after it's created. >[!NOTE]
->A device group is accessible to all users if you donΓÇÖt assign any Azure AD groups to it.
+>A device group is accessible to all users if you don't assign any Azure AD groups to it.
## Create a device group
security Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink) - The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
The exposure level reflects the current exposure of the device based on the cumu
If the exposure level says "No data available," there are a few reasons why this may be the case: -- Device stopped reporting for more than 30 days ΓÇô in that case it is considered inactive, and the exposure isn't computed
+- Device stopped reporting for more than 30 days. In that case it is considered inactive, and the exposure isn't computed
- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md) - Device with stale agent (very unlikely)
Select only the OS platforms you're interested in investigating.
Filter by the following device health states: -- **Active** ΓÇô Devices that are actively reporting sensor data to the service.-- **Inactive** ΓÇô Devices that have completely stopped sending signals for more than 7 days.-- **Misconfigured** ΓÇô Devices that have impaired communications with service or are unable to send sensor data. Misconfigured devices can further be classified to:
+- **Active**: Devices that are actively reporting sensor data to the service.
+- **Inactive**: Devices that have completely stopped sending signals for more than 7 days.
+- **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data. Misconfigured devices can further be classified to:
- No sensor data - Impaired communications
security Manage Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md
You can use the examples in the following table to help you choose the context f
| **Suppress alert in my organization** | Alerts with the same alert title on any device will be suppressed. | <ul><li>A benign administrative tool is used by everyone in your organization.</li></ul> | ### Suppress an alert and create a new suppression rule:
-Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, youΓÇÖll be able to configure the action and scope on the alert.
+Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you'll be able to configure the action and scope on the alert.
1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
security Manage Auto Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-auto-investigation.md
Depending on
- the resulting verdict, and - how your organization's [device groups](/microsoft-365/security/defender-endpoint/machine-groups) are configured,
-remediation actions can occur automatically or only upon approval by your organizationΓÇÖs security operations team.
+remediation actions can occur automatically or only upon approval by your organization's security operations team.
Here are a few examples:
Whether taken automatically or upon approval, an automated investigation can res
## Undo completed actions
-If youΓÇÖve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:
+If you've determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. In the Action center, on the **History** tab, you can undo any of the following actions:
| Action source | Supported Actions | |:|:|
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
ms.technology: mde
<a id="protection-updates"></a> <!-- this has been used as anchor in VDI content -->
-Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Microsoft Defender Antivirus:
-- *Where* the updates are downloaded from; and -- *When* updates are downloaded and applied.
+Keeping your antivirus protection up to date is critical. There are two components to managing protection updates for Microsoft Defender Antivirus:
+
+- *Where* the updates are downloaded from; and
+- *When* updates are downloaded and applied.
This article describes how to specify from where updates should be downloaded (this is also known as the fallback order). See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). > [!IMPORTANT]
-> Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
-
+> Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update and starting Monday, October 21, 2019, all security intelligence updates will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to update your security intelligence. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
<a id="fallback-order"></a>- ## Fallback order Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately. When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:-- The age of the last update on the device; and -- The source used to download and apply updates.
-The older the updates on an endpoint, the larger the download will be. However, you must also consider download frequency as well. A more frequent update schedule can result in more network usage, whereas a less-frequent schedule can result in larger file sizes per download.
+- The age of the last update on the device; and
+- The source used to download and apply updates.
+
+The older the updates on an endpoint, the larger the download will be. However, you must also consider download frequency as well. A more frequent update schedule can result in more network usage, whereas a less-frequent schedule can result in larger file sizes per download.
-There are five locations where you can specify where an endpoint should obtain updates:
+There are five locations where you can specify where an endpoint should obtain updates:
- [Microsoft Update](https://support.microsoft.com/help/12373/windows-update-faq) - [Windows Server Update Service](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) - [Microsoft Endpoint Configuration Manager](/configmgr/core/servers/manage/updates) - [Network file share](#unc-share)-- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
+- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/wdsi/defenderupdates) (Your policy and registry might have this listed as Microsoft Malware Protection Center (MMPC) security intelligence, its former name.)
-To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
+To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
> [!IMPORTANT] > If you have set [Microsoft Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
To ensure the best level of protection, Microsoft Update allows for rapid releas
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
-|Location | Sample scenario |
+|Location|Sample scenario|
|||
-|Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.|
-|Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
-|File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
-|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.|
-|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
+|Windows Server Update Service|You are using Windows Server Update Service to manage updates for your network.|
+|Microsoft Update|You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.|
+|File share|You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.|
+|Microsoft Endpoint Manager|You are using Microsoft Endpoint Manager to update your endpoints.|
+|Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC)|[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. <br/>Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
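Review bot: The table row labelled "Microsoft Endpoint Manager" uses a different product name from the source list above it and from the sentence after the table, which both say "Microsoft Endpoint Configuration Manager"; pick one name so readers can match the table row to the fallback-order option it describes. The unchanged delimiter row `|||` is also worth a look while the table is being reflowed: standard GFM requires at least one dash per delimiter cell (`|---|---|`), so unless the Docs renderer is known to accept `|||`, the table will fall back to plain text.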
The procedures in this article first describe how to set the order, and then how
4. Expand the tree to **Windows components** > **Windows Defender** > **Signature updates** and configure the following settings:
- 1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
+ 1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
- 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
+ 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
:::image type="content" source="../../media/wdav-order-update-sources.png" alt-text="group policy setting listing the order of sources":::
The procedures in this article first describe how to set the order, and then how
See [Configure Security intelligence Updates for Endpoint Protection](/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch). - ## Use PowerShell cmdlets to manage the update location Use the following PowerShell cmdlets to set the update order.
Use the following PowerShell cmdlets to set the update order.
Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION} Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH} ```+ See the following articles for more information:+ - [Set-MpPreference -SignatureFallbackOrder](/powershell/module/defender/set-mppreference) - [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](/powershell/module/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) - [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md)
SignatureDefinitionUpdateFileSharesSource
``` See the following articles for more information:+ - [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal) ## Use Mobile Device Management (MDM) to manage the update location
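Review bot: The placeholders in `Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION}` and `-SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH}` are written with braces, which PowerShell parses as a script block rather than a string, so a reader who substitutes values inside the braces gets a binding error; show the value as a quoted string instead, for example `-SignatureFallbackOrder "InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC"`, matching the Group Policy example earlier on the page. The parameter name is also inconsistent: the code block and link text say `SignatureDefinitionUpdateFileSharesSource` (singular) while the link anchor is `#-signaturedefinitionupdatefilesharessources` (plural); verify against the Set-MpPreference reference and use the same spelling in all three places.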
See [Policy CSP - Defender/SignatureUpdateFallbackOrder](/windows/client-managem
## What if we're using a third-party vendor?
-This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks.
+This article describes how to configure and manage updates for Microsoft Defender Antivirus. However, third-party vendors can be used to perform these tasks.
-For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](./use-wmi-microsoft-defender-antivirus.md), [PowerShell cmdlets](./use-powershell-cmdlets-microsoft-defender-antivirus.md), or [Windows command-line](./command-line-arguments-microsoft-defender-antivirus.md) to deploy patches and updates.
+For example, suppose that Contoso has hired Fabrikam to manage their security solution, which includes Microsoft Defender Antivirus. Fabrikam typically uses [Windows Management Instrumentation](./use-wmi-microsoft-defender-antivirus.md), [PowerShell cmdlets](./use-powershell-cmdlets-microsoft-defender-antivirus.md), or [Windows command-line](./command-line-arguments-microsoft-defender-antivirus.md) to deploy patches and updates.
> [!NOTE] > Microsoft does not test third-party solutions for managing Microsoft Defender Antivirus.
For example, suppose that Contoso has hired Fabrikam to manage their security so
Set up a network file share (UNC/mapped drive) to download security intelligence updates from the MMPC site by using a scheduled task. 1. On the system on which you want to provision the share and download the updates, create a folder to which you will save the script.+ ```DOS Start, CMD (Run as admin) MD C:\Tool\PS-Scripts\ ``` 2. Create the folder to which you will save the signature updates.+ ```DOS MD C:\Temp\TempSigs\x64 MD C:\Temp\TempSigs\x86
Set up a network file share (UNC/mapped drive) to download security intelligence
7. Copy the file SignatureDownloadCustomTask.ps1 to the folder you previously created, C:\Tool\PS-Scripts\ . 8. Use the command line to set up the scheduled task.+ > [!NOTE] > There are two types of updates: full and delta.+ - For x64 delta: ```DOS Powershell (Run as admin)
-
+ C:\Tool\PS-Scripts\
-
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $true -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1" ```
Set up a network file share (UNC/mapped drive) to download security intelligence
```DOS Powershell (Run as admin)
-
+ C:\Tool\PS-Scripts\
-
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x64 -isDelta $false -destDir C:\Temp\TempSigs\x64 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1" ```
Set up a network file share (UNC/mapped drive) to download security intelligence
```DOS Powershell (Run as admin)
-
+ C:\Tool\PS-Scripts\
-
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $true -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1" ```
Set up a network file share (UNC/mapped drive) to download security intelligence
```DOS Powershell (Run as admin)
-
+ C:\Tool\PS-Scripts\
-
+ ".\SignatureDownloadCustomTask.ps1 -action create -arch x86 -isDelta $false -destDir C:\Temp\TempSigs\x86 -scriptPath C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1 -daysInterval 1" ```
Set up a network file share (UNC/mapped drive) to download security intelligence
```DOS C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $False -destDir C:\Temp\TempSigs\x64"
-
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x64 -isDelta $True -destDir C:\Temp\TempSigs\x64"
-
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $False -destDir C:\Temp\TempSigs\x86"
-
+ C:\windows\system32\windowspowershell\v1.0\powershell.exe -NoProfile -executionpolicy allsigned -command "&\"C:\Tool\PS-Scripts\SignatureDownloadCustomTask.ps1\" -action run -arch x86 -isDelta $True -destDir C:\Temp\TempSigs\x86" ```+ > [!NOTE] > Issues could also be due to execution policy.
-
+ 10. Create a share pointing to C:\Temp\TempSigs (e.g. \\server\updates).+ > [!NOTE] > At a minimum, authenticated users must have "Read" access.+ 11. Set the share location in the policy to the share. > [!NOTE]
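Review bot: The note under step 10 states only a floor for permissions ("authenticated users must have Read access") and says nothing about write access, yet every endpoint pointed at `\\server\updates` will apply whatever signature packages it finds there; the step should say that write access to the share and to C:\Temp\TempSigs is limited to the account the scheduled task runs as, with all other principals read-only, so a compromised workstation cannot replace the update packages consumed by the rest of the fleet. For the execution-policy note after step 9, `-executionpolicy allsigned` means SignatureDownloadCustomTask.ps1 must carry a signature from a publisher the host trusts; suggest saying that the remedy is to sign the script, not to lower the policy.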
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
Keeping Microsoft Defender Antivirus up to date is critical to assure your devic
- Product updates > [!TIP]
-> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates)
+> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/wdsi/defenderupdates)
## Security intelligence updates
Platform and engine updates are provided on a monthly cadence. To be fully suppo
\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
-During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and MicrosoftΓÇÖs managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
+During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsoft's managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
### Platform version included with Windows 10 releases The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
The Defender for Endpoint APIs can be grouped into three:
Defender for Endpoint offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. Watch this video for a quick overview of Defender for Endpoint's APIs.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4d73M]
The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see [Supported APIs](exposed-apis-list.md).
security Microsoft Cloud App Security Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration.md
Title: Microsoft Cloud App Security integration overview-+ description: Microsoft Defender for Endpoint integrates with Cloud App Security by forwarding all cloud app networking activities. keywords: cloud, app, networking, visibility, usage search.product: eADQiWindows 10XVcnh
ms.technology: mde
Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](/cloud-app-security/what-is-cloud-app-security).
->[!NOTE]
->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later.
+> [!NOTE]
+> This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later.
-## Microsoft Defender for Endpoint and Cloud App Security integration
+## Microsoft Defender for Endpoint and Cloud App Security integration
Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender for Endpoint integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4r4yQ]
+The integration provides the following major improvements to the existing Cloud App Security discovery:
-The integration provides the following major improvements to the existing Cloud App Security discovery:
+- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.
-- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.
+- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Defender for Endpoint and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go.\
-- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Defender for Endpoint and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go. --- Device context - Cloud traffic logs lack device context. Defender for Endpoint network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it.
+- Device context - Cloud traffic logs lack device context. Defender for Endpoint network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it.
For more information about cloud discovery, see [Working with discovered apps](/cloud-app-security/discovered-apps).
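Review bot: The new "Works out of the box" bullet ends with a stray backslash after "you're good to go.", which Markdown renders either as a literal `\` or as a hard line break; drop it so the bullet ends with the period like the other two.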
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
This topic describes how to install, configure, update, and use Defender for End
> [!CAUTION] > Running other third-party endpoint protection products alongside Microsoft Defender for Endpoint on Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of Defender for Endpoint on Mac EDR functionality after configuring the antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode).
-## WhatΓÇÖs new in the latest release
+## What's new in the latest release
[What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-atp.md)
Microsoft Defender for Endpoint on Mac requires one of the following Microsoft V
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. --
-|**Spreadsheet of domains list**|**Description**|
-|:--|:--|
-|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>Download the spreadsheet here: [mdatp-urls.xlsx](https://download.microsoft.com/download/8/e-urls.xlsx).
+|Spreadsheet of domains list|Description|
+|||
+|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> Download the spreadsheet here: [mdatp-urls.xlsx](https://download.microsoft.com/download/8/e-urls.xlsx).
Microsoft Defender for Endpoint can discover a proxy server by using the following discovery methods:+ - Proxy autoconfig (PAC) - Web Proxy Autodiscovery Protocol (WPAD) - Manual static proxy configuration
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous t
> > SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender for Endpoint on macOS to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
+To test that a connection is not blocked, open <https://x.cp.wd.microsoft.com/api/report> and <https://cdn.x.cp.wd.microsoft.com/ping> in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
The output from this command should be similar to the following:
`OK https://cdn.x.cp.wd.microsoft.com/ping` > [!CAUTION]
-> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
+> We recommend that you keep [System Integrity Protection](https://support.apple.com/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal:+ ```bash mdatp connectivity test ```
In alignment with macOS evolution, we are preparing a Microsoft Defender for End
## Resources - For more information about logging, uninstalling, or other topics, see [Resources for Microsoft Defender for Endpoint on Mac](mac-resources.md).- - [Privacy for Microsoft Defender for Endpoint on Mac](mac-privacy.md).
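Review bot: In the domains-list table, the new delimiter row `|||` replaces `|:--|:--|`, which drops the column alignment and is not a valid delimiter row in standard GFM (each delimiter cell needs at least one dash); unless the Docs renderer is known to accept `|||`, keep `|:--|:--|`. In the same change, `<br><br>` inside the cell became a bare `<p>` with no closing tag, which is fragile inside a table cell; use `<br><br>` or a closed `<p>...</p>`, and add the trailing `|` that both the old and new row lack.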
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Microsoft Threat Experts is a managed threat hunting service that provides your Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in your unique environments donΓÇÖt get missed.
+Microsoft Threat Experts is a managed threat hunting service that provides your Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in your unique environments don't get missed.
This managed threat hunting service provides expert-driven insights and data through these two capabilities: targeted attack notification and access to experts on demand.
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
> [!NOTE] > The [Network device discovery and vulnerability assessments](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548) Blog \(published 04-13-2021\) provides insights into the new **Network device discovery** capabilities in Defender for Endpoint. This article provides an overview of the challenge that **Network device discovery** is designed to address, and detailed information about how get started using these new capabilities. Network discovery capabilities are available in the **Device inventory** section of the Microsoft 365 security center and Microsoft 365 Defender consoles.
-A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for EndpointΓÇÖs threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.
+A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint's threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.
Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations. ## Approach
-Network devices are not managed as standard endpoints since Defender for Endpoint doesnΓÇÖt have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan will obtain the necessary information from the devices. Depending on the network topology and characteristics, a single device or a few devices onboarded to Microsoft Defender for Endpoint will perform authenticated scans of network devices using SNMP (read-only).
+Network devices are not managed as standard endpoints since Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan will obtain the necessary information from the devices. Depending on the network topology and characteristics, a single device or a few devices onboarded to Microsoft Defender for Endpoint will perform authenticated scans of network devices using SNMP (read-only).
There will be two types of devices to keep in mind:
The following operating systems are currently supported:
- HPE ArubaOS, Procurve Switch Software - Palo Alto Networks PAN-OS
-More networking vendors and OS will be added over time, based on data gathered from customer usage. Therefore, you are encouraged to configure all your network devices, even if theyΓÇÖre not specified in this list.
+More networking vendors and OS will be added over time, based on data gathered from customer usage. Therefore, you are encouraged to configure all your network devices, even if they're not specified in this list.
## How to get started
Your first step is to select a device that will perform the authenticated networ
3. Decide which network devices will be assessed for vulnerabilities (for example: a Cisco switch or a Palo Alto Networks firewall).
-4. Make sure SNMP read-only is enabled on all configured network devices to allow the Defender for Endpoint assessment device to query the configured network devices. ΓÇÿSNMP writeΓÇÖ isn't needed for the proper functionality of this feature.
+4. Make sure SNMP read-only is enabled on all configured network devices to allow the Defender for Endpoint assessment device to query the configured network devices. 'SNMP write' isn't needed for the proper functionality of this feature.
5. Obtain the IP addresses of the network devices to be scanned (or the subnets where these devices are deployed).
-6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). YouΓÇÖll be required to provide the credentials when configuring a new assessment job.
+6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). You'll be required to provide the credentials when configuring a new assessment job.
7. Proxy client configuration: No extra configuration is required other than the Defender for Endpoint device proxy requirements.
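Review bot: step 6 lists 'Community String' beside the SNMPv3 security levels noAuthNoPriv, authNoPriv and authPriv without saying which one the assessment device should be given; suggest adding that SNMPv3 with authPriv should be used wherever the network device supports it, because a v1/v2c community string and the noAuthNoPriv level send the credential and the polled configuration data across the network unencrypted, and that the read-only credential created for step 4 should be restricted on the device to the IP address of the assessment device so it cannot be reused from elsewhere.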
To prevent device duplication in the network device inventory, make sure each IP
Adding a network assessment job steps:
-1. Choose an ΓÇÿAssessment jobΓÇÖ name and the ΓÇÿAssessment deviceΓÇÖ on which the network scanner was installed. This device will perform the periodic authenticated scans.
+1. Choose an 'Assessment job' name and the 'Assessment device' on which the network scanner was installed. This device will perform the periodic authenticated scans.
2. Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed).
Each assessment device can support up to 1,500 successful IP addresses scan. For
If there are multiple IP address ranges/subnets to scan, the test scan results will take several minutes to show up. A test scan will be available for up to 1,024 addresses.
-Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses will be added to the network assessment job (regardless of the deviceΓÇÖs response). The scan results can also be exported.
+Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses will be added to the network assessment job (regardless of the device's response). The scan results can also be exported.
## Device inventory
Verify that the required URLs are added to the allowed domains in your firewall.
The scan results should be updated a few hours after the initial scan that took place after completing the assessment job configuration.
-If devices are still not shown, verify that the service ΓÇÿMdatpNetworkScanServiceΓÇÖ is running on your assessment devices, on which you installed the network scanner, and perform a ΓÇ£Run scanΓÇ¥ in the relevant assessment job configuration.
+If devices are still not shown, verify that the service 'MdatpNetworkScanService' is running on your assessment devices, on which you installed the network scanner, and perform a "Run scan" in the relevant assessment job configuration.
-If you still donΓÇÖt get results after 5 minutes, restart the service.
+If you still don't get results after 5 minutes, restart the service.
### Devices last seen time is longer than 24 hours
-Validate that the scanner is running properly. Then go to the scan definition and select ΓÇ£Run test.ΓÇ¥ Check what error messages are returning from the relevant IP addresses.
+Validate that the scanner is running properly. Then go to the scan definition and select "Run test." Check what error messages are returning from the relevant IP addresses.
### Required threat and vulnerability management user permission
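Review bot: the troubleshooting steps tell the reader to verify that 'MdatpNetworkScanService' is running and to restart it if there are still no results after 5 minutes, but not how; suggest adding the commands, e.g. `Get-Service MdatpNetworkScanService` to check its state and `Restart-Service MdatpNetworkScanService` from an elevated PowerShell to restart it, so the reader knows this is the service name rather than a display name.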
Ask your system administrator to assign you the required permissions. Alternatel
Try a different browser or copy the sign-in link and code to a different device.
-### Text too small or canΓÇÖt copy text from command line
+### Text too small or can't copy text from command line
Change command-line settings on your device to allow copying and change text size.
security Next Gen Threat And Vuln Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
Discover vulnerabilities and misconfigurations in real time with sensors, and wi
Watch this video for a quick overview of threat and vulnerability management.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
+>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mLsn]
## Bridging the workflow gaps
-Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
+Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
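Review bot: the rewritten line 'It's fully integrated with Microsoft endpoint security stack' keeps a missing article; suggest 'the Microsoft endpoint security stack'. The unchanged context line that follows has the same slip ('during remediation process' should read 'during the remediation process').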
security Offboard Machine Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machine-api.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Improve request performance](../../includes/improve-request-performance.md)] - ## API description
-Offboard device from Defender for Endpoint.
+Offboard device from Defender for Endpoint.
## Limitations
+- Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
[!include[Machine actions note](../../includes/machineactionsnote.md)] >[!Note]
-> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
+> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
> This API is not supported on MacOS or Linux devices. ## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Machine.Offboard | 'Offboard machine'
-Delegated (work or school account) | Machine.Offboard | 'Offboard machine'
+Application|Machine.Offboard|'Offboard machine'
+Delegated (work or school account)|Machine.Offboard|'Offboard machine'
->[!Note]
+> [!NOTE]
> When obtaining a token using user credentials:
->- The user needs to 'Global Admin' AD role
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+>
+> - The user needs to 'Global Admin' AD role
+> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
-```
+
+```http
POST https://api.securitycenter.microsoft.com/api/machines/{id}/offboard ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body+ In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-Comment | String | Comment to associate with the action. **Required**.
+Comment|String|Comment to associate with the action. **Required**.
## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
+If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
## Example
-**Request**
+### Request
Here is an example of the request.
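Review bot: in the reformatted note under Permissions, '- The user needs to 'Global Admin' AD role' is missing its verb and was carried over unchanged; suggest '- The user needs to have the 'Global Admin' AD role'. The new Limitations bullet states the rate limits (100 calls per minute and 1500 calls per hour) but not what a caller sees when they are exceeded; suggest naming the response code returned in that case (presumably HTTP 429, please confirm), since automation that offboards devices in bulk needs it to back off correctly.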
security Offboard Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md
ms.technology: mde
- Windows Server 2012 R2 - Windows Server 2016
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink)
Follow the corresponding instructions depending on your preferred deployment method.
security Old Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/old-index.md
# Threat Protection+ [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. > [!TIP]
<a name="tvm"></a> -
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4obJq]
**[Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md)**<br> This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)]
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-You'll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
+You'll need to go the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
In general, to onboard devices to the service:
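Review bot: the rewritten opening paragraph ('You'll need to go the onboarding section of the Defender for Endpoint portal') is missing 'to' after 'go' in both the old and the new line; suggest 'go to the onboarding section'.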
In general, to onboard devices to the service:
- Use the appropriate management tool and deployment method for your devices - Run a detection test to verify that the devices are properly onboarded and reporting to the service
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqr]
## Onboarding tool options
-The following table lists the available tools based on the endpoint that you need to onboard.
-
-| Endpoint | Tool options |
-|--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
-| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
-
+The following table lists the available tools based on the endpoint that you need to onboard.
+|Endpoint|Tool options|
+|||
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <p> [Group Policy](configure-endpoints-gp.md) <p> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <p> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <p> [VDI scripts](configure-endpoints-vdi.md) <p> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender)|
+|**macOS**|[Local scripts](mac-install-manually.md) <p> [Microsoft Endpoint Manager](mac-install-with-intune.md) <p> [JAMF Pro](mac-install-with-jamf.md) <p> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux Server**|[Local script](linux-install-manually.md) <p> [Puppet](linux-install-with-puppet.md) <p> [Ansible](linux-install-with-ansible.md)|
+|**iOS**|[App-based](ios-install.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
## In this section
-Topic | Description
-:|:
-[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 devices to Defender for Endpoint.
-[Onboard Windows 10 devices](configure-endpoints.md) | You'll need to onboard devices for it to report to the Defender for Endpoint service. Learn about the tools and methods you can use to configure devices in your enterprise.
-[Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, Windows Server 2016, Windows Server (SAC) version 1803 and later, Windows Server 2019 and later, and Windows Server 2019 core edition to Defender for Endpoint.
-[Onboard non-Windows devices](configure-endpoints-non-windows.md) | Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
-[Run a detection test on a newly onboarded device](run-detection-test.md) | Run a script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.
-[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Defender for Endpoint cloud service by configuring the proxy and Internet connectivity settings.
-[Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding.
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+Topic|Description
+:|:
+[Onboard previous versions of Windows](onboard-downlevel.md)|Onboard Windows 7 and Windows 8.1 devices to Defender for Endpoint.
+[Onboard Windows 10 devices](configure-endpoints.md)|You'll need to onboard devices for it to report to the Defender for Endpoint service. Learn about the tools and methods you can use to configure devices in your enterprise.
+[Onboard servers](configure-server-endpoints.md)|Onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, Windows Server 2016, Windows Server (SAC) version 1803 and later, Windows Server 2019 and later, and Windows Server 2019 core edition to Defender for Endpoint.
+[Onboard non-Windows devices](configure-endpoints-non-windows.md)|Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
+[Run a detection test on a newly onboarded device](run-detection-test.md)|Run a script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.
+[Configure proxy and Internet settings](configure-proxy-internet.md)|Enable communication with the Defender for Endpoint cloud service by configuring the proxy and Internet connectivity settings.
+[Troubleshoot onboarding issues](troubleshoot-onboarding.md)|Learn about resolving issues that might arise during onboarding.
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
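Review bot: two grammar slips survive the reformat of the 'In this section' table: 'You'll need to onboard devices for it to report' should read 'for them to report', and 'This experience leverages on a third-party security products' sensor data' should read 'This experience leverages third-party security products' sensor data'. Since these rows were rewritten anyway, this is the place to fix them.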
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
ms.technology: mde
- Windows 8.1 Enterprise
->Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink).
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink)
Defender for Endpoint extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. To onboard down-level Windows client endpoints to Defender for Endpoint, you'll need to:+ - Configure and update System Center Endpoint Protection clients. - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Defender for Endpoint as instructed below.
To onboard down-level Windows client endpoints to Defender for Endpoint, you'll
> [!IMPORTANT] > This step is required only if your organization uses System Center Endpoint Protection (SCEP).
-Defender for Endpoint integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+Defender for Endpoint integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+
+The following steps are required to enable this integration:
-The following steps are required to enable this integration:
- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting - Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud)
The following steps are required to enable this integration:
## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint ### Before you begin+ Review the following details to verify minimum system requirements:+ - Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) > [!NOTE]
- > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
+ > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
Review the following details to verify minimum system requirements:
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](/azure/log-analytics/log-analytics-concept-hybrid#prerequisites). -- 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). 2. Obtain the workspace ID:
Review the following details to verify minimum system requirements:
- Copy the workspace ID and workspace key 3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
- - [Manually install the agent using setup](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard). <br>
+ - [Manually install the agent using setup](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard).
+ On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**+ - [Install the agent using the command line](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). - [Configure the agent using a script](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation).
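Review bot: the install steps have the reader copy the Workspace ID and Workspace key and then pass them to a command-line or scripted install, but nothing flags that the workspace key is a shared secret: any agent presenting it can report into the workspace. Suggest adding a sentence that the key must not be left in plain-text deployment scripts, DSC configurations or logs, and that it should be regenerated from the workspace settings if it is exposed.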
Review the following details to verify minimum system requirements:
Once completed, you should see onboarded endpoints in the portal within an hour. ### Configure proxy and Internet connectivity settings
-
+ - Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](/azure/log-analytics/log-analytics-oms-gateway). - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Defender for Endpoint service URLs](/microsoft-365/security/defender-endpoint/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). ## Offboard client endpoints
-To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the endpoint will no longer send sensor data to Defender for Endpoint.
-> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink).
+To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the endpoint will no longer send sensor data to Defender for Endpoint.
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
First is a configuration policy to select which groups of users or devices will
Then you will continue by creating several different types of endpoint security policies: - [Next-generation protection](#next-generation-protection)-- [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules)
+- [Attack surface reduction](#attack-surface-reductionattack-surface-reduction-rules)
### Endpoint detection and response
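Review bot: the link target change to '#attack-surface-reductionattack-surface-reduction-rules' assumes the slug produced by dropping the non-ASCII en dash from the heading, but the same commit replaces that en dash with an ASCII hyphen in '### Attack Surface Reduction - Attack surface reduction rules', which may produce a different slug; please verify the link resolves after both changes are applied, and that the rename of the validation-section heading to 'Confirm Attack Surface Reduction - ...' leaves exactly one heading with the linked text.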
Then you will continue by creating several different types of endpoint security
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager portal12](images/6b728d6e0d71108d768e368b416ff8ba.png)
-3. Select **Platform - Windows 10 and Later - Windows and Profile ΓÇô Microsoft
+3. Select **Platform - Windows 10 and Later - Windows and Profile - Microsoft
Defender Antivirus > Create**. 4. Enter name and description, then select **Next**.
Then you will continue by creating several different types of endpoint security
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager portal18](images/38180219e632d6e4ec7bd25a46398da8.png)
-### Attack Surface Reduction ΓÇô Attack surface reduction rules
+### Attack Surface Reduction - Attack surface reduction rules
1. Open the MEM portal.
Then you will continue by creating several different types of endpoint security
3. Select **Create Policy**.
-4. Select **Platform - Windows 10 and Later ΓÇô Profile - Attack surface reduction
+4. Select **Platform - Windows 10 and Later - Profile - Attack surface reduction
rules > Create**. > [!div class="mx-imgBorder"]
Then you will continue by creating several different types of endpoint security
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager portal25](images/7a631d17cc42500dacad4e995823ffef.png)
-### Attack Surface Reduction ΓÇô Web Protection
+### Attack Surface Reduction - Web Protection
1. Open the MEM portal.
Then you will continue by creating several different types of endpoint security
3. Select **Create Policy**.
-4. Select **Windows 10 and Later ΓÇô Web protection > Create**.
+4. Select **Windows 10 and Later - Web protection > Create**.
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager portal26](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png)
Then you will continue by creating several different types of endpoint security
## Validate configuration settings
-### Confirm Policies have been applied
+### Confirm policies have been applied
Once the Configuration policy has been assigned, it will take some time to apply.
To confirm that the configuration policy has been applied to your test device, f
steps above. The following example shows the next generation protection settings. > [!div class="mx-imgBorder"]
- > [ ![Image of Microsoft Endpoint Manager portal33](images/43ab6aa74471ee2977e154a4a5ef2d39.png) ](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox)
+ > [![Image of Microsoft Endpoint Manager portal33](images/43ab6aa74471ee2977e154a4a5ef2d39.png)](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox)
2. Select the **Configuration Policy** to view the policy status. > [!div class="mx-imgBorder"]
- > [ ![Image of Microsoft Endpoint Manager portal34](images/55ecaca0e4a022f0e29d45aeed724e6c.png) ](images/55ecaca0e4a022f0e29d45aeed724e6c.png#lightbox)
+ > [![Image of Microsoft Endpoint Manager portal34](images/55ecaca0e4a022f0e29d45aeed724e6c.png)](images/55ecaca0e4a022f0e29d45aeed724e6c.png#lightbox)
3. Select **Device Status** to see the status. > [!div class="mx-imgBorder"]
- > [ ![Image of Microsoft Endpoint Manager portal35](images/18a50df62cc38749000dbfb48e9a4c9b.png) ](images/18a50df62cc38749000dbfb48e9a4c9b.png#lightbox)
+ > [![Image of Microsoft Endpoint Manager portal35](images/18a50df62cc38749000dbfb48e9a4c9b.png)](images/18a50df62cc38749000dbfb48e9a4c9b.png#lightbox)
4. Select **User Status** to see the status. > [!div class="mx-imgBorder"]
- > [ ![Image of Microsoft Endpoint Manager portal36](images/4e965749ff71178af8873bc91f9fe525.png) ](images/4e965749ff71178af8873bc91f9fe525.png#lightbox)
+ > [![Image of Microsoft Endpoint Manager portal36](images/4e965749ff71178af8873bc91f9fe525.png)](images/4e965749ff71178af8873bc91f9fe525.png#lightbox)
5. Select **Per-setting status** to see the status.
To confirm that the configuration policy has been applied to your test device, f
> This view is very useful to identify any settings that conflict with another policy. > [!div class="mx-imgBorder"]
- > [ ![Image of Microsoft Endpoint Manager portal37](images/42acc69d0128ed09804010bdbdf0a43c.png) ](images/42acc69d0128ed09804010bdbdf0a43c.png#lightbox)
+ > [![Image of Microsoft Endpoint Manager portal37](images/42acc69d0128ed09804010bdbdf0a43c.png)](images/42acc69d0128ed09804010bdbdf0a43c.png#lightbox)
-### Endpoint detection and response
+### Confirm endpoint detection and response
-1. Before applying the configuration, the Defender for Endpoint
- Protection service should not be started.
+1. Before applying the configuration, the Defender for Endpoint Protection service should not be started.
> [!div class="mx-imgBorder"]
- > [ ![Image of Services panel1](images/b418a232a12b3d0a65fc98248dbb0e31.png) ](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox)
+ > [![Image of Services panel1](images/b418a232a12b3d0a65fc98248dbb0e31.png)](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox)
2. After the configuration has been applied, the Defender for Endpoint Protection Service should be started. > [!div class="mx-imgBorder"]
- > [ ![Image of Services panel2](images/a621b699899f1b41db211170074ea59e.png) ](images/a621b699899f1b41db211170074ea59e.png#lightbox)
+ > [![Image of Services panel2](images/a621b699899f1b41db211170074ea59e.png)](images/a621b699899f1b41db211170074ea59e.png#lightbox)
3. After the services are running on the device, the device appears in Microsoft Defender Security Center. > [!div class="mx-imgBorder"]
- > [ ![Image of Microsoft Defender Security Center](images/df0c64001b9219cfbd10f8f81a273190.png) ](images/df0c64001b9219cfbd10f8f81a273190.png#lightbox)
+ > [![Image of Microsoft Defender Security Center](images/df0c64001b9219cfbd10f8f81a273190.png)](images/df0c64001b9219cfbd10f8f81a273190.png#lightbox)
-### Next-generation protection
+### Confirm next-generation protection
1. Before applying the policy on a test device, you should be able to manually manage the settings as shown below.
To confirm that the configuration policy has been applied to your test device, f
> [!div class="mx-imgBorder"] > ![Image of setting page2](images/9341428b2d3164ca63d7d4eaa5cff642.png)
-### Attack Surface Reduction ΓÇô Attack surface reduction rules
+### Confirm Attack Surface Reduction - Attack surface reduction rules
1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
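Review bot: the context line in this hunk has a typo the heading rename did not touch: 'pen a PowerShell Window and type `Get-MpPreference`' should read 'open a PowerShell window'. Since `Get-MpPreference` prints every preference, it would also help to name the properties to look at here (AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions), so the reader does not have to scan the whole output.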
To confirm that the configuration policy has been applied to your test device, f
![Image of command line2](images/619fb877791b1fc8bc7dfae1a579043d.png)
-### Attack Surface Reduction ΓÇô Web Protection
+### Confirm Attack Surface Reduction - Web Protection
1. On the test device, open a PowerShell Windows and type `(Get-MpPreference).EnableNetworkProtection`.
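Review bot: 'open a PowerShell Windows' should read 'open a PowerShell window'. The step has the reader run `(Get-MpPreference).EnableNetworkProtection` but does not say what value to expect before and after the policy applies; suggest stating it (0 is disabled, 1 is block mode, 2 is audit mode), so a successfully applied web protection policy can be told apart from an audit-only or disabled state.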
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365solution-endpointprotect - m365solution-scenario
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Learn about the various phases of deploying Microsoft Defender for Endpoint and how to configure the capabilities within the solution.
+Learn about the various phases of deploying Microsoft Defender for Endpoint and how to configure the capabilities within the solution.
Deploying Defender for Endpoint is a three-phase process:
-| [![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | [![deployment phase - setup](images/phase-diagrams/setup.png)](production-deployment.md)<br>[Phase 2: Setup](production-deployment.md) | ![deployment phase - onboard](images/phase-diagrams/onboard.png)<br>Phase 3: Onboard |
-| -- | -- | -- |
-| | |*You are here!*|
+|[![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md) <br> [Phase 1: Prepare](prepare-deployment.md)|[![deployment phase - setup](images/phase-diagrams/setup.png)](production-deployment.md) <br> [Phase 2: Setup](production-deployment.md)|![deployment phase - onboard](images/phase-diagrams/onboard.png) <br> Phase 3: Onboard|
+||||
+|||*You are here!*|
You are currently in the onboarding phase. These are the steps you need to take to deploy Defender for Endpoint: -- Step 1: Onboard endpoints to the service -- Step 2: Configure capabilities
+- Step 1: Onboard endpoints to the service
+- Step 2: Configure capabilities
## Step 1: Onboard endpoints using any of the supported management tools
-The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
+The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint.
Watch this video for a quick overview of the onboarding process and learn about the available tools and methods.
-<br />
-<br />
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqr]
-After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
+After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
### Onboarding tool options The following table lists the available tools based on the endpoint that you need to onboard.
-| Endpoint | Tool options |
-|--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
-| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-| **iOS** | [App-based](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
-
+|Endpoint|Tool options|
+|||
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender)|
+|**macOS**|[Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux Server**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
+|**iOS**|[App-based](ios-install.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
## Step 2: Configure capabilities
-After onboarding the endpoints, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
+After onboarding the endpoints, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
## Example deployments+ In this deployment guide, we'll guide you through using two deployment tools to onboard endpoints and how to configure capabilities. The tools in the example deployments are:+ - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) Using the mentioned deployment tools above, you'll then be guided in configuring the following Defender for Endpoint capabilities:+ - Endpoint detection and response configuration - Next-generation protection configuration - Attack surface reduction configuration ## Related topics+ - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) - [Safe Documents in Microsoft 365 E5](../office-365-security/safe-docs.md)
security Overview Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response.md
Defender for Endpoint endpoint detection and response capabilities provide advan
When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4o1j5]
Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors. The response capabilities give you the power to promptly remediate threats by acting on the affected entities. - ## Related topics+ - [Security operations dashboard](security-operations-dashboard.md) - [Incidents queue](view-incidents-queue.md) - [Alerts queue](alerts-queue.md) - [Devices list](machines-view-overview.md)-
security Overview Hardware Based Isolation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation.md
Hardware-based isolation helps protect system integrity in Windows 10 and is int
| Feature | Description | ||-|
-| [Windows Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application GuardΓÇÖs secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
+| [Windows Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard's secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
| [Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. |
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
Title: Partner applications in Microsoft Defender for Endpoint-+ description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh
ms.technology: mde
-# Partner applications in Microsoft Defender for Endpoint
+# Partner applications in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
ms.technology: mde
Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. - The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender for Endpoint; enabling security teams to effectively respond better to modern threats. Microsoft Defender for Endpoint seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as:
Microsoft Defender for Endpoint seamlessly integrates with existing security sol
## Supported applications - ### Security information and analytics
-Logo |Partner name | Description
+Logo|Partner name|Description
:|:|:
-![Image of AttackIQ logo](images/attackiq-logo.png)| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
-![Image of Azure Sentinel logo](images/sentinel-logo.png)| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender for Endpoint into Azure Sentinel
-![Image of Cymulate logo](images/cymulate-logo.png) | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
-![Image of Elastic security logo](images/elastic-security-logo.png) | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats
-![Image of IBM QRadar logo](images/ibm-qradar-logo.png) | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Defender for Endpoint
-![Image of Micro Focus ArcSight logo](images/arcsight-logo.png) | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Defender for Endpoint detections
-![Image of RSA NetWitness logo](images/rsa-netwitness-logo.png) | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API
-![Image of SafeBreach logo](images/safebreach-logo.png) | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
-![Image of Skybox Vulnerability Control logo](images/skybox-logo.png) | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
-![Image of Splunk logo](images/splunk-logo.png) | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
-![Image of XM Cyber logo](images/xmcyber-logo.png) | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets
+![Image of AttackIQ logo](images/attackiq-logo.png)|[AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502)|AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets
+![Image of Azure Sentinel logo](images/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Azure Sentinel
+![Image of Cymulate logo](images/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions
+![Image of Elastic security logo](images/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats
+![Image of IBM QRadar logo](images/ibm-qradar-logo.png)|[IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903)|Configure IBM QRadar to collect detections from Defender for Endpoint
+![Image of Micro Focus ArcSight logo](images/arcsight-logo.png)|[Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548)|Use Micro Focus ArcSight to pull Defender for Endpoint detections
+![Image of RSA NetWitness logo](images/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API
+![Image of SafeBreach logo](images/safebreach-logo.png)|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
+![Image of Skybox Vulnerability Control logo](images/skybox-logo.png)|[Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467)|Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities
+![Image of Splunk logo](images/splunk-logo.png)|[Splunk](https://go.microsoft.com/fwlink/?linkid=2129805)|The Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
+![Image of XM Cyber logo](images/xmcyber-logo.png)|[XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700)|Prioritize your response to an alert based on risk factors and high value assets
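Review bot: the Azure Sentinel row of the reworked table still links the partner as "AzureSentinel" without a space, while the alt text and description say "Azure Sentinel"; suggest `[Azure Sentinel](https://go.microsoft.com/fwlink/?linkid=2135705)`. The Splunk row also ends mid-thought ("to their Splunk"), so the description should name what the alerts are ingested into or stop after "supporting information".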
### Orchestration and automation -
-Logo |Partner name | Description
+Logo|Partner name|Description
:|:|:
-![Image of CyberSponse CyOps logo](images/cybersponse-logo.png) | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Defender for Endpoint to automate customers' high-speed incident response playbooks
-![Image of Delta Risk ActiveEye logo](images/delta-risk-activeeye-logo.png) | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye.
-![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png) | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
-![Image of Microsoft Flow & Azure Functions logo](images/ms-flow-logo.png) | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
-![Image of Rapid7 InsightConnect logo](images/rapid7-logo.png) | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes
-![Image of ServiceNow logo](images/servicenow-logo.png) | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
-![Image of Swimlane logo](images/swimlane-logo.png) | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together
-
+![Image of CyberSponse CyOps logo](images/cybersponse-logo.png)|[CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943)|CyOps integrates with Defender for Endpoint to automate customers' high-speed incident response playbooks
+![Image of Delta Risk ActiveEye logo](images/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye.
+![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response
+![Image of Microsoft Flow & Azure Functions logo](images/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
+![Image of Rapid7 InsightConnect logo](images/rapid7-logo.png)|[Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040)|InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes
+![Image of ServiceNow logo](images/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
+![Image of Swimlane logo](images/swimlane-logo.png)|[Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902)|Maximize incident response capabilities utilizing Swimlane and Defender for Endpoint together
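Review bot: two grammar slips survive the reformatting of the orchestration table: the Delta Risk row has a subject/verb mismatch ("Delta Risk ... integrate Defender for Endpoint" should be "integrates"), and the Microsoft Flow & Azure Functions row says "to automating security procedures", which should read "to automate security procedures".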
### Threat intelligence
-Logo |Partner name | Description
+Logo|Partner name|Description
:|:|:
-![Image of MISP Malware Information Sharing Platform)logo](images/misp-logo.png) | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment
-![Image of Palo Alto Networks logo](images/paloalto-logo.png) | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld
-![Image of ThreatConnect logo](images/threatconnect-logo.png) | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators
--
+![Image of MISP Malware Information Sharing Platform)logo](images/misp-logo.png)|[MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543)|Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Defender for Endpoint environment
+![Image of Palo Alto Networks logo](images/paloalto-logo.png)|[Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582)|Enrich your endpoint protection by extending Autofocus and other threat feeds to Defender for Endpoint using MineMeld
+![Image of ThreatConnect logo](images/threatconnect-logo.png)|[ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115)|Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Defender for Endpoint indicators
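Review bot: the MISP row's alt text is malformed in both the old and the new line: "Image of MISP Malware Information Sharing Platform)logo" has an unmatched closing parenthesis and no space before "logo"; suggest "Image of MISP (Malware Information Sharing Platform) logo" to match the link text.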
### Network security
-Logo |Partner name | Description
-:|:|:
-![Image of Aruba ClearPass Policy Manager logo](images/aruba-logo.png) | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
-![Image of Blue Hexagon for Network logo](images/bluehexagon-logo.png) | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
-![Image of CyberMDX logo](images/cybermdx-logo.png) | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
-![Image of HYAS Protect logo](images/hyas-logo.png) | [HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763) | HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
-![Image of Vectra Network Detection and Response (NDR) logo](images/vectra-logo.png) |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time
-
-### Cross platform
-Logo |Partner name | Description
+Logo|Partner name|Description
:|:|:
-![Image of Bitdefender logo](images/bitdefender-logo.png)| [Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)| Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
-![Image of Better Mobile logo](images/bettermobile-logo.png) | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
-![Image of Corrata logo](images/corrata-logo.png)| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution ΓÇö Protect your mobile devices with granular visibility and control from Corrata
-![Image of Lookout logo](images/lookout-logo.png)| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
-![Image of Symantec Endpoint Protection Mobile logo](images/symantec-logo.png) | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
-![Image of Zimperium logo](images/zimperium-logo.png)| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense
+![Image of Aruba ClearPass Policy Manager logo](images/aruba-logo.png)|[Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544)|Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network
+![Image of Blue Hexagon for Network logo](images/bluehexagon-logo.png)|[Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
+![Image of CyberMDX logo](images/cybermdx-logo.png)|[CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620)|Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
+![Image of HYAS Protect logo](images/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
+![Image of Vectra Network Detection and Response (NDR) logo](images/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time
+### Cross platform
+Logo|Partner name|Description
+:|:|:
+![Image of Bitdefender logo](images/bitdefender-logo.png)|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
+![Image of Better Mobile logo](images/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
+![Image of Corrata logo](images/corrata-logo.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata
+![Image of Lookout logo](images/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
+![Image of Symantec Endpoint Protection Mobile logo](images/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices
+![Image of Zimperium logo](images/zimperium-logo.png)|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense
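Review bot: the CyberMDX row in the network security table carries a typo and an inconsistent product name: "threat prevention and repose" should be "threat prevention and response", and the description spells the vendor "Cyber MDX" while the link text and alt text use "CyberMDX".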
## Other integrations
-Logo |Partner name | Description
+Logo|Partner name|Description
:|:|:
-![Image of Cyren Web Filter logo](images/cyren-logo.png)| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Defender for Endpoint with advanced Web Filtering
-![Image of Morphisec logo](images/morphisec-logo.png)| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
-![Image of THOR Cloud logo](images/nextron-thor-logo.png)| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)| Provides on-demand live forensics scans using a signature base with focus on persistent threats
+![Image of Cyren Web Filter logo](images/cyren-logo.png)|[Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)|Enhance your Defender for Endpoint with advanced Web Filtering
+![Image of Morphisec logo](images/morphisec-logo.png)|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)|Provides Moving Target Defense-powered advanced threat prevention. Integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
+![Image of THOR Cloud logo](images/nextron-thor-logo.png)|[THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)|Provides on-demand live forensics scans using a signature base with focus on persistent threats
+## SIEM integration
+Defender for Endpoint supports SIEM integration through various of methods. This can include specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
+## Ticketing and IT service management
-## SIEM integration
-Defender for Endpoint supports SIEM integration through various of methods. This can include specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
+Ticketing solution integration helps to implement manual and automatic response processes. Defender for Endpoint can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
+## Security orchestration and automation response (SOAR) integration
-## Ticketing and IT service management
-Ticketing solution integration helps to implement manual and automatic response processes. Defender for Endpoint can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
+Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
-## Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Defender for Endpoint APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
+## External alert correlation and Automated investigation and remediation
-## External alert correlation and Automated investigation and remediation
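Review bot: the SIEM integration paragraph that moves in this hunk still reads "through various of methods" and "specialized SIEM system interface with out of the box connectors"; suggest "through various methods" and "a specialized SIEM system interface with out-of-the-box connectors" so the three methods parallel the "a generic alert API" and "an action API" items that follow.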
Defender for Endpoint offers unique automated investigation and remediation capabilities to drive incident response at scale.
-
-Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
+Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-External alerts can be pushed to Defender for Endpoint. These alerts are shown side by side with additional device-based alerts from Defender for Endpoint. This view provides a full context of the alert and can reveal the full story of an attack.
+External alerts can be pushed to Defender for Endpoint. These alerts are shown side by side with additional device-based alerts from Defender for Endpoint. This view provides a full context of the alert and can reveal the full story of an attack.
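Review bot: the sentence beginning "Integrating the automated investigation and response capability" has a singular subject ("Integrating") but a plural verb ("help to address alerts"); it should read "helps to address alerts and minimize ...". Only trailing whitespace changes on this line, so it is a good place to fix the grammar as well.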
## Indicators matching
-You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
+You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
Defender for Endpoint allows you to integrate with these solutions and act on IoCs by correlating rich telemetry to create alerts. You can also use prevention and automated response capabilities to block execution and take remediation actions when there's a match. -
-Defender for Endpoint currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
+Defender for Endpoint currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
## Support for non-Windows platforms
-Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
+
+Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
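Review bot: this hunk deletes the "## Security orchestration and automation response (SOAR) integration" heading but keeps its paragraph ("Orchestration solutions can help build playbooks..."), so that text now sits under the preceding ticketing heading, and the deleted "Ticketing solution integration..." sentence, the only one that names resolving alerts through the alerts API, has no replacement anywhere in the hunk. If the two sections are meant to merge, rename the surviving heading to cover both, and keep one sentence on automatic ticket creation and alert resolution via the alerts API so that integration path stays documented.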
security Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-integration.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Defender for Endpoint.
security Portal Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/portal-overview.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Enterprise security teams can use Microsoft 365 Defender to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
When you open the portal, you'll see:
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
-Area | Description
+Area|Description
:|:
-**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
-**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards.
-**Incidents** | View alerts that have been aggregated as incidents.
-**Devices list** | Displays the list of devices that are onboarded to Defender for Endpoint, some information about them, and their exposure and risk levels.
-**Alerts queue** | View alerts generated from devices in your organizations.
-**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
-**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
-**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
-**Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Defender for Endpoint capabilities through a guided walk-through in a trial environment.
-**Service health** | Provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments.
-**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. </br></br> **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. </br></br> **Localization** - Set time zones. </br></br> **Help and support** - Access the Defender for Endpoint guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Defender for Endpoint evaluation lab, consult a threat expert.</br></br> **Feedback** - Provide comments about what you like or what we can do better.
+**(1) Navigation pane**|Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
+**Dashboards**|Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards.
+**Incidents**|View alerts that have been aggregated as incidents.
+**Devices list**|Displays the list of devices that are onboarded to Defender for Endpoint, some information about them, and their exposure and risk levels.
+**Alerts queue**|View alerts generated from devices in your organizations.
+**Automated investigations**|Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
+**Advanced hunting**|Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
+**Reports**|View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
+**Partners & APIs**|View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
+**Threat & Vulnerability management**|View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
+**Evaluation and tutorials**|Manage test devices, attack simulations, and reports. Learn and experience the Defender for Endpoint capabilities through a guided walk-through in a trial environment.
+**Service health**|Provides information on the current status of the Defender for Endpoint service. You'll be able to verify that the service health is healthy or if there are current issues.
+**Configuration management**|Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
+**Settings**|Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments.
+**(2) Search, Community center, Localization, Help and support, Feedback**|**Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. <p> **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. <p> **Localization** - Set time zones. <p> **Help and support** - Access the Defender for Endpoint guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Defender for Endpoint evaluation lab, consult a threat expert. <p> **Feedback** - Provide comments about what you like or what we can do better.
> [!NOTE] > For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
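Review bot: the rewritten "(2) Search, Community center, Localization, Help and support, Feedback" row replaces "</br></br>" with a bare "<p>" between the sub-items; an unclosed block-level "<p>" inside a table cell is not valid HTML and renders inconsistently across Markdown processors, while "<br>" (the correct form, not "</br>") is the line break the original was reaching for. Use "<br><br>" or split the row into one row per item.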
Area | Description
The following table provides information on the icons used all throughout the portal:
-Icon | Description
+Icon|Description
:|:
-![ATP logo icon](images/atp-logo-icon.png)| Microsoft Defender for Endpoint logo
-![Alert icon](images/alert-icon.png)| Alert ΓÇô Indication of an activity correlated with advanced attacks.
-![Detection icon](images/detection-icon.png)| Detection ΓÇô Indication of a malware threat detection.
-![Active threat icon](images/active-threat-icon.png)| Active threat ΓÇô Threats actively executing at the time of detection.
-![Remediated icon1](images/remediated-icon.png)| Remediated ΓÇô Threat removed from the device.
-![Not remediated icon](images/not-remediated-icon.png)| Not remediated ΓÇô Threat not removed from the device.
-![Thunderbolt icon](images/atp-thunderbolt-icon.png)| Indicates events that triggered an alert in the **Alert process tree**.
-![Device icon](images/atp-machine-icon.png)| Device icon
-![Microsoft Defender AV events icon](images/atp-windows-defender-av-events-icon.png)| Microsoft Defender Antivirus events
-![Application Guard events icon](images/atp-Application-Guard-events-icon.png)| Windows Defender Application Guard events
-![Device Guard events icon](images/atp-Device-Guard-events-icon.png)| Windows Defender Device Guard events
-![Exploit Guard events icon](images/atp-Exploit-Guard-events-icon.png)| Windows Defender Exploit Guard events
-![SmartScreen events icon](images/atp-Smart-Screen-events-icon.png)| Windows Defender SmartScreen events
-![Firewall events icon](images/atp-Firewall-events-icon.png)| Windows Firewall events
-![Response action icon](images/atp-respond-action-icon.png)| Response action
-![Process events icon](images/atp-process-event-icon.png)| Process events
-![Network communication events icon](images/atp-network-communications-icon.png)| Network events
-![File observed events icon](images/atp-file-observed-icon.png)| File events
-![Registry events icon](images/atp-registry-event-icon.png)| Registry events
-![Module load DLL events icon](images/atp-module-load-icon.png)| Load DLL events
-![Other events icon](images/atp-Other-events-icon.png)| Other events
-![Access token modification icon](images/atp-access-token-modification-icon.png)| Access token modification
-![File creation icon](images/atp-file-creation-icon.png)| File creation
-![Signer icon](images/atp-signer-icon.png)| Signer
-![File path icon](images/atp-File-path-icon.png)| File path
-![Command line icon](images/atp-command-line-icon.png)| Command line
-![Unsigned file icon](images/atp-unsigned-file-icon.png)| Unsigned file
-![Process tree icon](images/atp-process-tree.png)| Process tree
-![Memory allocation icon](images/atp-memory-allocation-icon.png)| Memory allocation
-![Process injection icon](images/atp-process-injection.png)| Process injection
-![Powershell command run icon](images/atp-powershell-command-run-icon.png)| Powershell command run
-![Community center icon](images/atp-community-center.png) | Community center
-![Notifications icon](images/atp-notifications.png) | Notifications
-![No threats found](images/no-threats-found.png) | Automated investigation - no threats found
-![Failed icon](images/failed.png) | Automated investigation - failed
-![Partially remediated icon](images/partially-investigated.png) | Automated investigation - partially investigated
-![Terminated by system](images/terminated-by-system.png) | Automated investigation - terminated by system
-![Pending icon](images/pending.png) | Automated investigation - pending
-![Running icon](images/running.png) | Automated investigation - running
-![Remediated icon2](images/remediated.png) | Automated investigation - remediated
-![Partially investigated icon](images/partially_remediated.png) | Automated investigation - partially remediated
-![Threat insights icon](images/tvm_bug_icon.png) | Threat & Vulnerability Management - threat insights
-![Possible active alert icon](images/tvm_alert_icon.png) | Threat & Vulnerability Management - possible active alert
-![Recommendation insights icon](images/tvm_insight_icon.png) | Threat & Vulnerability Management - recommendation insights
+![ATP logo icon](images/atp-logo-icon.png)|Microsoft Defender for Endpoint logo
+![Alert icon](images/alert-icon.png)|Alert: Indication of an activity correlated with advanced attacks.
+![Detection icon](images/detection-icon.png)|Detection: Indication of a malware threat detection.
+![Active threat icon](images/active-threat-icon.png)|Active threat: Threats actively executing at the time of detection.
+![Remediated icon1](images/remediated-icon.png)|Remediated: Threat removed from the device.
+![Not remediated icon](images/not-remediated-icon.png)|Not remediated: Threat not removed from the device.
+![Thunderbolt icon](images/atp-thunderbolt-icon.png)|Indicates events that triggered an alert in the **Alert process tree**.
+![Device icon](images/atp-machine-icon.png)|Device icon
+![Microsoft Defender AV events icon](images/atp-windows-defender-av-events-icon.png)|Microsoft Defender Antivirus events
+![Application Guard events icon](images/atp-Application-Guard-events-icon.png)|Windows Defender Application Guard events
+![Device Guard events icon](images/atp-Device-Guard-events-icon.png)|Windows Defender Device Guard events
+![Exploit Guard events icon](images/atp-Exploit-Guard-events-icon.png)|Windows Defender Exploit Guard events
+![SmartScreen events icon](images/atp-Smart-Screen-events-icon.png)|Windows Defender SmartScreen events
+![Firewall events icon](images/atp-Firewall-events-icon.png)|Windows Firewall events
+![Response action icon](images/atp-respond-action-icon.png)|Response action
+![Process events icon](images/atp-process-event-icon.png)|Process events
+![Network communication events icon](images/atp-network-communications-icon.png)|Network events
+![File observed events icon](images/atp-file-observed-icon.png)|File events
+![Registry events icon](images/atp-registry-event-icon.png)|Registry events
+![Module load DLL events icon](images/atp-module-load-icon.png)|Load DLL events
+![Other events icon](images/atp-Other-events-icon.png)|Other events
+![Access token modification icon](images/atp-access-token-modification-icon.png)|Access token modification
+![File creation icon](images/atp-file-creation-icon.png)|File creation
+![Signer icon](images/atp-signer-icon.png)|Signer
+![File path icon](images/atp-File-path-icon.png)|File path
+![Command line icon](images/atp-command-line-icon.png)|Command line
+![Unsigned file icon](images/atp-unsigned-file-icon.png)|Unsigned file
+![Process tree icon](images/atp-process-tree.png)|Process tree
+![Memory allocation icon](images/atp-memory-allocation-icon.png)|Memory allocation
+![Process injection icon](images/atp-process-injection.png)|Process injection
+![Powershell command run icon](images/atp-powershell-command-run-icon.png)|Powershell command run
+![Community center icon](images/atp-community-center.png)|Community center
+![Notifications icon](images/atp-notifications.png)|Notifications
+![No threats found](images/no-threats-found.png)|Automated investigation - no threats found
+![Failed icon](images/failed.png)|Automated investigation - failed
+![Partially remediated icon](images/partially-investigated.png)|Automated investigation - partially investigated
+![Terminated by system](images/terminated-by-system.png)|Automated investigation - terminated by system
+![Pending icon](images/pending.png)|Automated investigation - pending
+![Running icon](images/running.png)|Automated investigation - running
+![Remediated icon2](images/remediated.png)|Automated investigation - remediated
+![Partially investigated icon](images/partially_remediated.png)|Automated investigation - partially remediated
+![Threat insights icon](images/tvm_bug_icon.png)|Threat & Vulnerability Management - threat insights
+![Possible active alert icon](images/tvm_alert_icon.png)|Threat & Vulnerability Management - possible active alert
+![Recommendation insights icon](images/tvm_insight_icon.png)|Threat & Vulnerability Management - recommendation insights
## Related topics
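Review bot: two rows keep swapped alt text: "![Partially remediated icon](images/partially-investigated.png)" is described as "Automated investigation - partially investigated" and "![Partially investigated icon](images/partially_remediated.png)" as "Automated investigation - partially remediated", so in both rows the alt text contradicts the file name and the description; swap the two alt strings. Replacing the "ΓÇô" sequences (an en dash, U+2013, decoded as CP437) with colons in the Alert, Detection, Active threat and Remediated rows is the right fix, and "Powershell command run" could take the product casing "PowerShell" in the same pass.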
security Post Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/post-ti-indicator.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description+ Submits or Updates new [Indicator](ti-indicator.md) entity.
-<br>CIDR notation for IPs is not supported.
+
+CIDR notation for IPs is not supported.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-2. There is a limit of 15,000 active indicators per tenant.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+2. There is a limit of 15,000 active indicators per tenant.
## Permissions+ One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-Permission type | Permission | Permission display name
+Permission type|Permission|Permission display name
:|:|:
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
-
+Application|Ti.ReadWrite|'Read and write Indicators'
+Application|Ti.ReadWrite.All|'Read and write All Indicators'
+Delegated (work or school account)|Ti.ReadWrite|'Read and write Indicators'
## HTTP request
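Review bot: the permissions table lists both Ti.ReadWrite and Ti.ReadWrite.All for application permissions but distinguishes them only by display name ("Read and write Indicators" vs "Read and write All Indicators"); a reader setting up a least-privilege app registration needs to know what the ".All" scope adds before granting it. Add a sentence on when Ti.ReadWrite is sufficient, and note that the Delegated (work or school account) row offers no ".All" variant.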
-```
+
+```http
POST https://api.securitycenter.microsoft.com/api/indicators ``` ## Request headers
-Name | Type | Description
+Name|Type|Description
:|:|:
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
+Authorization|String|Bearer {token}. **Required**.
+Content-Type|string|application/json. **Required**.
## Request body+ In the request body, supply a JSON object with the following parameters:
-Parameter | Type | Description
+Parameter|Type|Description
:|:|:
-indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-application | String | The application associated with the indicator. **Optional**
-title | String | Indicator alert title. **Required**
-description | String | Description of the indicator. **Required**
-expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-recommendedActions | String | TI indicator alert recommended actions. **Optional**
-rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-
+indicatorValue|String|Identity of the [Indicator](ti-indicator.md) entity. **Required**
+indicatorType|Enum|Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
+action|Enum|The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
+application|String|The application associated with the indicator. **Optional**
+title|String|Indicator alert title. **Required**
+description|String|Description of the indicator. **Required**
+expirationTime|DateTimeOffset|The expiration time of the indicator. **Optional**
+severity|Enum|The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
+recommendedActions|String|TI indicator alert recommended actions. **Optional**
+rbacGroupNames|String|Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
## Response+ - If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body. - If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body. ## Example
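Review bot: "rbacGroupNames" is typed String yet described as a "Comma-separated list of RBAC group names"; state which shape the API accepts, a single delimited string or a JSON array, because a client that sends the wrong one receives exactly the "400 - Bad Request ... incorrect body" this page describes. The "indicatorType" row should also repeat the "CIDR notation for IPs is not supported" caveat from the API description next to "IpAddress", since that row is where a caller decides what to send.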
-**Request**
+### Request
Here is an example of the request.
POST https://api.securitycenter.microsoft.com/api/indicators
``` ## Related topic+ - [Manage indicators](manage-indicators.md)
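The request-body table above lists the fields and enum values for `POST /api/indicators`, but the page does not show how a client assembles and checks a body before sending it. The following is an added example, not code from the Microsoft docs: it builds the JSON body from the documented fields, rejects CIDR values for `IpAddress` as the API description requires, paces calls against the documented 100-per-minute and 1,500-per-hour limits, and posts with a bearer token. The hash-length and domain-syntax checks and the comma-joined `rbacGroupNames` follow the table's wording and are this example's assumptions.

```python
"""Build, validate and rate-limit a Microsoft Defender for Endpoint indicator for
POST /api/indicators. Added example, not code from the Microsoft docs: field names,
enum values, the "CIDR not supported" rule and the 100/min and 1,500/hour limits
come from the page; hash lengths, domain syntax and comma-joining are assumptions."""
import collections
import ipaddress
import json
import re
import urllib.request
from datetime import timezone

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"
INDICATOR_TYPES = {"FileSha1", "FileSha256", "IpAddress", "DomainName", "Url"}
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
HASH_HEX_DIGITS = {"FileSha1": 40, "FileSha256": 64}            # assumption
_DOMAIN_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # assumption


def validate_indicator_value(indicator_type: str, value: str) -> str:
    """Return the normalized indicatorValue or raise ValueError with the reason."""
    if indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicatorType {indicator_type!r}")
    value = value.strip()
    if not value:
        raise ValueError("indicatorValue is required")
    if indicator_type in HASH_HEX_DIGITS:
        n = HASH_HEX_DIGITS[indicator_type]
        if len(value) != n or not re.fullmatch(r"[0-9a-fA-F]+", value):
            raise ValueError(f"{indicator_type} must be {n} hex digits")
        return value.lower()
    if indicator_type == "IpAddress":
        if "/" in value:  # the API takes single addresses; CIDR is not supported
            raise ValueError("CIDR notation is not supported; submit one address per indicator")
        return str(ipaddress.ip_address(value))  # ValueError if not IPv4/IPv6
    if indicator_type == "DomainName":
        labels = value.rstrip(".").split(".")
        if len(labels) < 2 or not all(_DOMAIN_LABEL.match(x) for x in labels):
            raise ValueError(f"not a valid domain name: {value!r}")
        return value.lower()
    return value  # Url: passed through as given


def build_indicator(indicator_value, indicator_type, action, title, description, *,
                    severity=None, expiration_time=None, application=None,
                    recommended_actions=None, rbac_group_names=None) -> dict:
    """Assemble the request body, enforcing required fields and enum values."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if severity is not None and severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}")
    if not title or not description:
        raise ValueError("title and description are required")
    body = {"indicatorValue": validate_indicator_value(indicator_type, indicator_value),
            "indicatorType": indicator_type, "action": action,
            "title": title, "description": description}
    if severity:
        body["severity"] = severity
    if expiration_time is not None:
        # Send an unambiguous UTC DateTimeOffset; a naive datetime would be misread.
        if expiration_time.tzinfo is None:
            raise ValueError("expirationTime must be timezone-aware")
        body["expirationTime"] = expiration_time.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if application:
        body["application"] = application
    if recommended_actions:
        body["recommendedActions"] = recommended_actions
    if rbac_group_names:
        # Typed as a comma-separated String in the table above; scoping to device
        # groups limits the blast radius of an AlertAndBlock indicator.
        body["rbacGroupNames"] = ",".join(rbac_group_names)
    return body


class RateLimiter:
    """Sliding-window limiter for the documented 100/minute and 1,500/hour limits."""
    LIMITS = ((100, 60.0), (1500, 3600.0))  # (calls, window in seconds)

    def __init__(self):
        self._calls = collections.deque()

    def allow(self, now: float) -> bool:
        """Record a call at `now` if both windows have room, otherwise refuse it."""
        horizon = now - max(window for _, window in self.LIMITS)
        while self._calls and self._calls[0] <= horizon:
            self._calls.popleft()
        if any(sum(1 for t in self._calls if t > now - w) >= n for n, w in self.LIMITS):
            return False
        self._calls.append(now)
        return True


def submit_indicator(token: str, body: dict, opener=urllib.request.urlopen) -> dict:
    """POST the body with a bearer token (Ti.ReadWrite suffices); 400 means a bad body."""
    request = urllib.request.Request(
        INDICATORS_URL, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with opener(request) as response:
        return json.loads(response.read().decode("utf-8"))
```

Call `RateLimiter.allow(time.time())` before each `submit_indicator`, and sleep on a refusal, so a bulk import of a threat feed stays under the per-tenant limits; `build_indicator` raises before any network call, so a malformed value never consumes one of those calls.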
security Preferences Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preferences-setup.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
ms.technology: mde Previously updated : 06/23/2021 Last updated : 07/27/2021 # Protect security settings with tamper protection
The following table provides details on the methods, tools, and dependencies.
Tamper protection can be turned on or off for your tenant using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Here are a few points to keep in mind: -- Currently, the option to manage tamper protection in the Microsoft 365 Defender portal is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis, with plans to make opting in the default method in the near future. (To opt in, in the Microsoft 365 Defender portal, choose **Settings** > **Endpoints** > **Advanced features** > **Tamper protection**.)
+- Currently, the option to manage tamper protection in the Microsoft 365 Defender portal is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis. To opt in, in the Microsoft 365 Defender portal, choose **Settings** > **Endpoints** > **Advanced features** > **Tamper protection**.
- When you use the Microsoft 365 Defender portal to manage tamper protection, you do not have to use Intune or the tenant attach method.
Tamper protection can be turned on or off for your tenant using the Microsoft 36
- [Windows Server 2019](/windows-server/get-started-19/whats-new-19) - Windows Server, version [1803](/windows/release-health/status-windows-10-1803) or later - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
- - For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).
+
+ For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).
- Your devices must be [onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/onboarding).
Tamper protection can be turned on or off for your tenant using the Microsoft 36
### Turn tamper protection on (or off) in the Microsoft 365 Defender portal
-::image type="content" source="../../media/mde-turn-tamperprotect-on-new.png" alt-text="Turn tamper protection ON in Microsoft 365 Defender portal":::
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
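Review bot: the removed line '::image type="content" source="../../media/mde-turn-tamperprotect-on-new.png" ...' is missing the leading colon of the ":::image" extension, so the screenshot was never rendering; if the figure is still wanted, the fix is to restore the third colon rather than delete the line. If dropping it is intended, confirm that the numbered steps that follow do not refer to the screenshot.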
If you are using Windows Server 2016, Windows 10 version 1709, 1803, or [1809](/
On Windows Server 2016, the Settings app will not accurately reflect the status of real-time protection when tamper protection is enabled.
-#### Use PowerShell to determine whether tamper protection and/or real-time protection are turned on
+#### Use PowerShell to determine whether tamper protection and real-time protection are turned on
1. Open the Windows PowerShell app.
On Windows Server 2016, the Settings app will not accurately reflect the status
If you're using [version 2006 of Configuration Manager](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver endpoint security configuration policies to on-premises collections & devices. - > [!NOTE] > The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
See the following resources:
> [!NOTE] > Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry. >
-> To help ensure that tamper protection doesnΓÇÖt interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+> To help ensure that tamper protection doesn't interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
>
-> Once youΓÇÖve made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.
+> Once you've made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.
If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection.
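Review bot: replacing "doesnΓÇÖt" and "youΓÇÖve" with plain apostrophes is correct (the sequence is U+2019 decoded as CP437), and the unchanged sentence right after this hunk, "You must have appropriate admin permissions on your device to do change security settings", should lose the stray "do" in the same pass.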
To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili
## Frequently asked questions
-### To which Windows OS versions is configuring tamper protection is applicable?
+### On which versions of Windows can I configure tamper protection?
Windows 10 OS [1709](/windows/release-health/status-windows-10-1709), [1803](/windows/release-health/status-windows-10-1803), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint). If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](/mem/configmgr/tenant-attach/deploy-antivirus-policy).
-### Will tamper protection have any impact on third-party antivirus registration?
+### Will tamper protection affect non-Microsoft antivirus registration in the Windows Security app?
No. Third-party antivirus offerings will continue to register with the Windows Security application. ### What happens if Microsoft Defender Antivirus is not active on a device?
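Review bot: the new heading adopts "non-Microsoft antivirus registration in the Windows Security app" while its unchanged answer still says "Third-party antivirus offerings will continue to register with the Windows Security application"; pick one term for both lines so the question and answer read as a pair.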
-Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features.
+Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. In these cases, tamper protection will continue to protect the service and its features.
-### How can I turn tamper protection on/off?
+### How do I turn tamper protection on or off?
If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device).
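Review bot: "Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode" reads as a statement about every onboarded device, but the question is about devices where Defender Antivirus is not the active product, and the added "In these cases" only points back to that same sentence. Rephrase the answer as a condition: when a non-Microsoft antivirus is the active product on an onboarded device, Defender Antivirus runs in passive mode and tamper protection still protects the service and its features.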
If you are an organization using [Microsoft Defender for Endpoint](/microsoft-36
- [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) - [Manage tamper protection using the Microsoft 365 Defender portal](#manage-tamper-protection-for-your-organization-using-the-microsoft-365-defender-portal)
-### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
+### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus with Group Policy?
-Your regular group policy doesnΓÇÖt apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
+Group policy doesnΓÇÖt apply to tamper protection. Changes made to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
-### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
+### If we use Microsoft Intune to configure tamper protection, does it apply only to the entire organization?
-Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups.
+You have flexibility in configuring tamper protection with Intune. You can target your entire organization, or select specific devices and user groups.
-### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
+### Can I configure Tamper Protection with Microsoft Endpoint Configuration Manager?
If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources: - [Manage tamper protection for your organization with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
Currently, configuring tamper protection in Intune is only available for custome
### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
-You wonΓÇÖt be able to change the features that are protected by tamper protection; such change requests are ignored.
+You won't be able to change the features that are protected by tamper protection; such change requests are ignored.
-### IΓÇÖm an enterprise customer. Can local admins change tamper protection on their devices?
+### I'm an enterprise customer. Can local admins change tamper protection on their devices?
No. Local admins cannot change or modify tamper protection settings.
No. Local admins cannot change or modify tamper protection settings.
If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
-### Will there be an alert about tamper protection status changing in the Microsoft 365 Defender portal?
+### If the status of tamper protection changes, are alerts shown in the Microsoft 365 Defender portal?
Yes. The alert is shown in [https://security.microsoft.com](https://security.microsoft.com) under **Alerts**.
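Review bot: the new heading line reads "with Group Policy" while the rewritten answer directly under it still reads "Group policy doesnΓÇÖt apply to tamper protection", so the `+` lines of this FAQ disagree on both capitalization and the apostrophe character: the two later `+` answers ("You won't be able to change...", "I'm an enterprise customer...") swap the mis-encoded curly apostrophe for a plain `'`, but this one keeps it. Normalize the apostrophe in that line and pick one casing for "Group Policy" in heading and body, since the point of this change set is to make the FAQ wording consistent.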
security Preview Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md
ms.technology: mde
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
Turn on the preview experience setting to be among the first to try upcoming features.
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - The Defender for Endpoint service is constantly being updated to include new feature enhancements and capabilities. Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
->[!TIP]
->Get notified when this page is updated by copying and pasting the following URL into your feed reader: `/api/search/rss?search=%22In+the+navigation+pane%2C+select+Settings+%3E+Advanced+features+%3E+Preview+features.%22&locale=en-us&facet=`
+> [!TIP]
+> Get notified when this page is updated by copying and pasting the following URL into your feed reader: `/api/search/rss?search=%22In+the+navigation+pane%2C+select+Settings+%3E+Advanced+features+%3E+Preview+features.%22&locale=en-us&facet=`
For more information on new capabilities that are generally available, see [What's new in Defender for Endpoint](whats-new-in-microsoft-defender-atp.md).
- ## What you need to know
+## What you need to know
When working with features in public preview, these features:
When working with features in public preview, these features:
- Individual features in preview may have more usage and support restrictions. If so, this information is typically noted in the feature documentation. - The preview versions are provided with a standard support level, and can be used for production environments. -- ## Turn on preview features You'll have access to upcoming features that you can provide feedback on to help improve the overall experience before features are generally available.
Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release: -- [Web Content Filtering](web-content-filtering.md) <br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
+- [Web Content Filtering](web-content-filtering.md)
+
+ Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
+
+- [Device health and compliance report](machine-reports.md)
-- [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
+ The device health and compliance report provides high-level information about the devices in your organization.
-> [!TIP]
+> [!TIP]
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)
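Review bot: the rebuilt feature list is inconsistent between its two items: the `[Web Content Filtering]` bullet is followed by a blank line before its indented description, but the `[Device health and compliance report]` bullet is immediately followed by its indented description with no blank line, so one item renders as a bullet plus paragraph and the other as a single wrapped bullet. Add the blank line after the second bullet as well so both items render the same way.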
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
ms.technology: mde
Deploying Defender for Endpoint is a three-phase process:
-| [![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | ![deployment phase - setup](images/phase-diagrams/setup.png)<br>Phase 2: Setup | [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md) |
-| -- | -- | -- |
-| | *You are here!*||
+|[![deployment phase - prepare](images/phase-diagrams/prepare.png)](prepare-deployment.md)<br>[Phase 1: Prepare](prepare-deployment.md) | ![deployment phase - setup](images/phase-diagrams/setup.png)<br>Phase 2: Setup | [![deployment phase - onboard](images/phase-diagrams/onboard.png)](onboarding.md)<br>[Phase 3: Onboard](onboarding.md)|
+||||
+||*You are here!*||
You are currently in the set-up phase. In this deployment scenario, you'll be guided through the steps on:+ - Licensing validation - Tenant configuration - Network configuration -
->[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but won't cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md).
+> [!NOTE]
+> For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Defender for Endpoint supports the use of other onboarding tools but won't cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender for Endpoint](onboard-configure.md).
## Check license state
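Review bot: in the phase table, the removed line `| -- | -- | -- |` was the Markdown delimiter row; its replacement `||||` as shown contains no dashes, and without a dash delimiter row the three-column table will not render as a table. If the dashes are present in the actual source and were only dropped in this view, ignore this; otherwise restore a delimiter row such as `|---|---|---|` between the header row and the `*You are here!*` row.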
Checking for the license state and whether it got properly provisioned, can be d
![Image of billing licenses](images/atp-billing-subscriptions.png) - ## Cloud Service Provider validation To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
To gain access into which licenses are provisioned to your company, and to check
![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png) -- ## Tenant Configuration+ Onboarding to Microsoft Defender for Endpoint is easy. From the navigation menu, select any item under the Endpoints section, or any Microsoft 365 Defender feature such as Incidents, Hunting, Action center, or Threat analytics to initiate the onboarding process. From a web browser, navigate to the [Microsoft 365 Security Center](https://security.microsoft.com). ## Network configuration
-If the organization doesn't require the endpoints to use a Proxy to access the
-Internet, skip this section.
-
-The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to
-report sensor data and communicate with the Microsoft Defender for Endpoint service. The
-embedded Microsoft Defender for Endpoint sensor runs in the system context using the
-LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP)
-to enable communication with the Microsoft Defender for Endpoint cloud service. The
-WinHTTP configuration setting is independent of the Windows Internet (WinINet)
-internet browsing proxy settings and can only discover a proxy server by using
-the following discovery methods:
-
-**Autodiscovery methods:**
-- Transparent proxy
+If the organization doesn't require the endpoints to use a Proxy to access the Internet, skip this section.
-- Web Proxy Autodiscovery Protocol (WPAD)
+The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. The embedded Microsoft Defender for Endpoint sensor runs in the system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender for Endpoint cloud service. The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
-If a Transparent proxy or WPAD has been implemented in the network topology,
-there is no need for special configuration settings. For more information on
-Microsoft Defender for Endpoint URL exclusions in the proxy, see the
-[Proxy Service URLs](production-deployment.md#proxy-service-urls) section in this document for the URLs allow list or on
-[Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+- **Autodiscovery methods**:
+ - Transparent proxy
+ - Web Proxy Autodiscovery Protocol (WPAD)
-**Manual static proxy configuration:**
+ If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special configuration settings. For more information on Microsoft Defender for Endpoint URL exclusions in the proxy, see the [Proxy Service URLs](production-deployment.md#proxy-service-urls) section in this document for the URLs allow list or on [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
-- Registry-based configuration
+- **Manual static proxy configuration**:
+ - Registry-based configuration
+ - WinHTTP configured using netsh command
-- WinHTTP configured using netsh command <br> Suitable only for desktops in a
- stable topology (for example: a desktop in a corporate network behind the
- same proxy)
+ Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy).
### Configure the proxy server manually using a registry-based static proxy
-Configure a registry-based static proxy to allow only Microsoft Defender for Endpoint
-sensor to report diagnostic data and communicate with Microsoft Defender for Endpoint
-services if a computer isn't permitted to connect to the Internet. The static
-proxy is configurable through Group Policy (GP). The group policy can be found
-under:
+Configure a registry-based static proxy to allow only Microsoft Defender for Endpoint sensor to report diagnostic data and communicate with Microsoft Defender for Endpoint services if a computer isn't permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under:
- - Set it to **Enabled** and select **Disable Authenticated Proxy usage**
+- Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
+- Set it to **Enabled** and select **Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console. 2. Create a policy or edit an existing policy based off the organizational practices. 3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
- ![Image of Group Policy configuration](images/atp-gpo-proxy1.png)
+
+ ![Image of Group Policy configuration](images/atp-gpo-proxy1.png)
4. Select **Enabled**. 5. Select **Disable Authenticated Proxy usage**.
-
6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.+ ![Image of Group Policy configuration setting](images/atp-gpo-proxy2.png)+ 7. Select **Enabled**. 8. Enter the **Proxy Server Name**.
For example: 10.0.0.6:8080
The registry value `DisableEnterpriseAuthProxy` should be set to 1.
-### Configure the proxy server manually using netsh command
+### Configure the proxy server manually using netsh command
Use netsh to configure a system-wide static proxy. > [!NOTE]
-> - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
+>
+> - This will affect all applications including Windows services which use WinHTTP with default proxy.
> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration. 1. Open an elevated command line:- 1. Go to **Start** and type **cmd**.- 1. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**:
Use netsh to configure a system-wide static proxy.
For example: netsh winhttp set proxy 10.0.0.6:8080
+### Proxy Configuration for down-level devices
-### Proxy Configuration for down-level devices
-
-Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well
-as Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and
-versions of Windows Server 2016 prior to Windows Server CB 1803. These operating
-systems will have the proxy configured as part of the Microsoft Management Agent
-to handle communication from the endpoint to Azure. Refer to the
-Microsoft Management Agent Fast Deployment Guide for information on how a proxy
-is configured on these devices.
+Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well as Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and versions of Windows Server 2016 prior to Windows Server CB 1803. These operating systems will have the proxy configured as part of the Microsoft Management Agent to handle communication from the endpoint to Azure. Refer to the Microsoft Management Agent Fast Deployment Guide for information on how a proxy is configured on these devices.
### Proxy Service URLs
-URLs that include v20 in them are only needed if you have Windows 10, version
-1803 or later devices. For example, ```us-v20.events.data.microsoft.com``` is only
+
+URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later devices. For example, `us-v20.events.data.microsoft.com` is only
needed if the device is on Windows 10, version 1803 or later.
-
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs. The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
-|**Spreadsheet of domains list**|**Description**|
-|:--|:--|
-|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
+<br>
+
+****
+|Spreadsheet of domains list|Description|
+|||
+|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)|
+|
-### Microsoft Defender for Endpoint service backend IP ranges
+### Microsoft Defender for Endpoint service backend IP ranges
If your network devices don't support DNS-based rules, use IP ranges instead.
Defender for Endpoint is built in Azure cloud, deployed in the following regions
- AzureCloud.uksouth - AzureCloud.ukwest
-You can find the Azure IP ranges in [Azure IP Ranges and Service Tags ΓÇô Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519).
+You can find the Azure IP ranges in [Azure IP Ranges and Service Tags - Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519).
> [!NOTE] > As a cloud-based solution, the IP address ranges can change. It's recommended you move to DNS-based rules.
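Review bot: in the reflowed "Network configuration" list, the sentence "Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)." is now indented under **Manual static proxy configuration** after both sub-bullets, so it reads as a caveat on the registry-based method as well as netsh, whereas the removed lines attached it only to "WinHTTP configured using netsh command". That contradicts the netsh section's own note, "Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration." Move the sentence back under the netsh sub-bullet (or prefix it with "netsh:") so readers are not steered away from the registry-based proxy, which is the option that actually works for roaming devices. Also, in the rebuilt domain-list table the second row `|||` as shown has no dashes and the table is followed by a stray `|` line; confirm the delimiter row survives and drop the trailing pipe.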
You can find the Azure IP ranges in [Azure IP Ranges and Service Tags ΓÇô Public
## Next step
-![**Phase 3: Onboard**](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
+![**Phase 3: Onboard**](images/onboard.png) <br> [Phase 3: Onboard](onboarding.md): Onboard devices to the service so that the Microsoft Defender for Endpoint service can get sensor data from them.
security Pull Alerts Using Rest Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/pull-alerts-using-rest-api.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin
6. Type your **Event Hubs name** and your **Event Hubs resource ID**.
- In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab > copy the text under **Resource ID**:
+ In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab \> copy the text under **Resource ID**:
![Image of event hub resource Id1](images/event-hub-resource-id.png)
## The schema of the events in Azure Event Hubs
-```
+```text
{
- "records": [
- {
- "time": "<The time WDATP received the event>"
- "tenantId": "<The Id of the tenant that the event belongs to>"
- "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
- "properties": { <WDATP Advanced Hunting event as Json> }
- }
- ...
- ]
+ "records": [
+ {
+ "time": "<The time WDATP received the event>"
+ "tenantId": "<The Id of the tenant that the event belongs to>"
+ "category": "<The Advanced Hunting table name with 'AdvancedHunting-' prefix>"
+ "properties": { <WDATP Advanced Hunting event as Json> }
+ }
+ ...
+ ]
} ```
To get the data types for event properties do the following:
1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com) and go to [Advanced Hunting page](https://securitycenter.windows.com/hunting-package). 2. Run the following query to get the data types mapping for each event:
-
- ```
+
+ ```text
{EventType} | getschema | project ColumnName, ColumnType ``` -- Here is an example for Device Info event:
+- Here is an example for Device Info event:
![Image of event hub resource Id2](images/machine-info-datatype-example.png) ## Related topics+ - [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Microsoft Defender for Endpoint streaming API](raw-data-export.md) - [Stream Microsoft Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md) - [Azure Event Hubs documentation](/azure/event-hubs/)-- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
+- [Troubleshoot connectivity issues - Azure Event Hubs](/azure/event-hubs/troubleshooting-guide)
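Review bot: the re-indented schema block still has no commas between the `time`, `tenantId`, `category` and `properties` members, so it is not valid JSON even once the angle-bracket placeholders are filled in; since the fence is tagged `text` rather than `json` that is defensible as a sketch, but adding the commas costs nothing and lets a consumer paste it straight into a parser test. Separately, `{EventType} | getschema | project ColumnName, ColumnType` is a KQL query, so tagging that fence `kusto` rather than `text` would give it syntax highlighting consistent with the other Advanced Hunting pages.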
security Raw Data Export Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Before you begin
security Raw Data Export https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export.md
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
-
-## Stream Advanced Hunting events to Event Hubs and/or Azure storage account.
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
+## Stream Advanced Hunting events to Event Hubs and/or Azure storage account
Microsoft Defender for Endpoint supports streaming events available through [Advanced Hunting](../defender/advanced-hunting-overview.md) to an [Event Hubs](/azure/event-hubs/) and/or [Azure storage account](/azure/storage/common/storage-account-overview).
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga]
-
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4r4ga]
## In this section
-Topic | Description
+Topic|Description
:|:
-[Stream Microsoft Defender for Endpoint events to Azure Event Hubs](raw-data-export-event-hub.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs.
-[Stream Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)| Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
-
+[Stream Microsoft Defender for Endpoint events to Azure Event Hubs](raw-data-export-event-hub.md)|Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to Event Hubs.
+[Stream Defender for Endpoint events to your Azure storage account](raw-data-export-storage.md)|Learn about enabling the streaming API in your tenant and configure Defender for Endpoint to stream [Advanced Hunting](advanced-hunting-overview.md) to your Azure storage account.
## Related topics+ - [Overview of Advanced Hunting](advanced-hunting-overview.md) - [Azure Event Hubs documentation](/azure/event-hubs/) - [Azure Storage Account documentation](/azure/storage/common/storage-account-overview)
security Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/rbac.md
ms.technology: mde
Using role-based access control (RBAC), you can create roles and groups within your secur