Connectors Reference
Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Read more about it here: http://aka.ms/wdatp
|
Status: Production |
Tier: Premium |
Version: 1.0.0 |
|
Name |
Summary |
|
Triggers - Trigger when new WDATP alert occurs |
|
Name |
Summary |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Summary: Advanced Hunting
Description: Run a custom query in Windows Defender ATP
Syntax:
MicrosoftDefenderATP.AdvancedHunting (AdvancedHuntingParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
|
|
True |
Returns:
Summary: Advanced Hunting Schema
Description: Gets the schema for a Windows Defender ATP custom query
Syntax:
MicrosoftDefenderATP.AdvancedHuntingSchema (AdvancedHuntingSchemaParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
AdvancedHuntingSchemaParameterBody
|
|
True |
Returns:
Type:AdvancedHuntingSchemaResponse
Summary: Alerts - Create alert
Description: Create Alert based on specific Event
Syntax:
MicrosoftDefenderATP.CreateAlertByReference (CreateAlertByReferenceParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
body |
CreateAlertByReferenceParameterBody
|
|
True |
Returns:
Type:AlertAlert
Title: Alert
Description: A single alert entity
Summary: Alerts - Get list of alerts
Description: Retrieve from Windows Defender ATP the most recent alerts
Syntax:
MicrosoftDefenderATP.GetAlerts ([advanced][Optional]string $expand, [Optional]string $filter, [advanced][Optional]string $select, [advanced][Optional]string $orderby, [advanced][Optional]integer $top, [advanced][Optional]integer $skip, [advanced][Optional]boolean $count)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$expand |
string (Expands entities) |
Expands related entities inline. |
False |
|
|
$filter |
string (Filters results) |
Filters the results, using OData syntax. |
False |
|
|
$select |
string (Selects properties) |
Selects which properties to include in the response, defaults to all. |
False |
|
|
$orderby |
string (Sorts results) |
Sorts the results. |
False |
|
|
$top |
integer(int32) (Returns first results) |
Returns only the first n results. |
False |
|
|
$skip |
integer(int32) (Skips first results) |
Skips the first n results. |
False |
|
|
$count |
boolean (Includes count) |
Includes a count of the matching results in the response. |
False |
Returns:
Type:GetAlertsResponse
Summary: Alerts - Get single alert
Description: Retrieve from Windows Defender ATP a specific alert
Syntax:
MicrosoftDefenderATP.GetSingleAlert (string Alert ID)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Alert ID |
string (ID of the alert) |
The identifier of the alert to retrieve |
True |
Returns:
Type:AlertAlert
Title: Alert
Description: A single alert entity
Summary: Alerts - Update alert
Description: Update a Windows Defender ATP alert
Syntax:
MicrosoftDefenderATP.PatchAlert (string Alert ID, PatchAlertParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Alert ID |
string (ID of the alert) |
The identifier of the alert to update |
True |
|
|
body |
|
|
True |
Returns:
Type:AlertAlert
Title: Alert
Description: A single alert entity
Summary: Actions - Initiate investigation on a machine (to be deprecated)
Description: Initiate investigation on a machine
Syntax:
MicrosoftDefenderATP.InitiateInvestigation (string Machine ID, InitiateInvestigationParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to investigate |
True |
|
|
body |
InitiateInvestigationParameterBody
|
|
True |
Returns:
Type:InitiateInvestigationResponse
Summary: Actions - Start automated investigation on a machine
Description: Start automated investigation on a machine
Syntax:
MicrosoftDefenderATP.StartInvestigation (string Machine ID, StartInvestigationParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to investigate |
True |
|
|
body |
StartInvestigationParameterBody
|
|
True |
Returns:
Type:InvestigationInvestigation
Title: Investigation
Description: A single investigation entity
Summary: Actions - Get single machine action
Description: Retrieve from Windows Defender ATP a specific machine action
Syntax:
MicrosoftDefenderATP.GetSingleMachineAction (string Machine Action ID)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine Action ID |
string (ID of the machine action) |
The identifier of the machine action to retrieve |
True |
Returns:
Type:MachineActionMachine Action
Title: Machine Action
Description: A single machine action entity
Summary: Actions - Get list of machine actions
Description: Retrieve from Windows Defender ATP the most recent machine actions
Syntax:
MicrosoftDefenderATP.GetMachineActions ([Optional]string $filter, [advanced][Optional]string $select, [advanced][Optional]string $orderby, [advanced][Optional]integer $top, [advanced][Optional]integer $skip, [advanced][Optional]boolean $count)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$filter |
string (Filters results) |
Filters the results, using OData syntax. |
False |
|
|
$select |
string (Selects properties) |
Selects which properties to include in the response, defaults to all. |
False |
|
|
$orderby |
string (Sorts results) |
Sorts the results. |
False |
|
|
$top |
integer(int32) (Returns first results) |
Returns only the first n results. |
False |
|
|
$skip |
integer(int32) (Skips first results) |
Skips the first n results. |
False |
|
|
$count |
boolean (Includes count) |
Includes a count of the matching results in the response. |
False |
Returns:
Type:GetMachineActionsResponse
Summary: Files - Get the statistics for the given file
Description: Retrieve from Windows Defender ATP statistics for the given file to a given file by identifier Sha1, or Sha256
Syntax:
MicrosoftDefenderATP.GetFileStats (string File ID, [advanced][Optional]integer lookBackHours)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
File ID |
string (The file identifier - Sha1, or Sha256) |
The file identifier - Sha1, or Sha256 |
True |
|
|
lookBackHours |
integer(int32) (The look back period in hours to look by, the default is 24 hours.) |
The look back period in hours to look by, the default is 24 hours. |
False |
Returns:
Type:FileStatsFile Statistics
Title: File Statistics
Description: A single file statistics entity
Summary: Domains - Get the statistics for the given domain name
Description: Retrieve from Windows Defender ATP statistics related to a given domain name
Syntax:
MicrosoftDefenderATP.GetDomainStats (string Domain Name, [advanced][Optional]integer lookBackHours)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Domain Name |
string (The domain name) |
The domain name |
True |
|
|
lookBackHours |
integer(int32) (The look back period in hours to look by, the default is 24 hours.) |
The look back period in hours to look by, the default is 24 hours. |
False |
Returns:
Type:DomainStatsDomain Statistics
Title: Domain Statistics
Description: A single ip address statistics entity
Summary: Ips - Get the statistics for the given ip address
Description: Retrieve from Windows Defender ATP statistics related to a given ip address - given in ipv4 or ipv6 format.
Syntax:
MicrosoftDefenderATP.GetIpStats (string Ip Address, [advanced][Optional]integer lookBackHours)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Ip Address |
string (The ip address) |
The ip address |
True |
|
|
lookBackHours |
integer(int32) (The look back period in hours to look by, the default is 24 hours.) |
The look back period in hours to look by, the default is 24 hours. |
False |
Returns:
Type:IpStatsIp Statistics
Title: Ip Statistics
Description: A single ip address statistics entity
Summary: Actions - Get single investigation
Description: Retrieve from Microsoft Defender ATP a specific investigation
Syntax:
MicrosoftDefenderATP.GetSingleInvestigation (string Investigation ID)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Investigation ID |
string (ID of the investigation) |
The identifier of the investigation to retrieve |
True |
Returns:
Type:InvestigationInvestigation
Title: Investigation
Description: A single investigation entity
Summary: Actions - Get list of investigation
Description: Retrieve from Microsoft Defender ATP the most recent investigations
Syntax:
MicrosoftDefenderATP.GetInvestigations ([Optional]string $filter, [advanced][Optional]string $select, [advanced][Optional]string $orderby, [advanced][Optional]integer $top, [advanced][Optional]integer $skip, [advanced][Optional]boolean $count)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$filter |
string (Filters results) |
Filters the results, using OData syntax. |
False |
|
|
$select |
string (Selects properties) |
Selects which properties to include in the response, defaults to all. |
False |
|
|
$orderby |
string (Sorts results) |
Sorts the results. |
False |
|
|
$top |
integer(int32) (Returns first results) |
Returns only the first n results. |
False |
|
|
$skip |
integer(int32) (Skips first results) |
Skips the first n results. |
False |
|
|
$count |
boolean (Includes count) |
Includes a count of the matching results in the response. |
False |
Returns:
Type:GetInvestigationsResponse
Summary: Actions - Collect investigation package
Description: Collect investigation package from a machine
Syntax:
MicrosoftDefenderATP.CollectInvestigationPackage (string Machine ID, CollectInvestigationPackageParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to collect the investigation from |
True |
|
|
body |
CollectInvestigationPackageParameterBody
|
|
True |
Returns:
Type:MachineActionMachine Action
Title: Machine Action
Description: A single machine action entity
Summary: Actions - Get investigation package download URI
Description: Get a URI that allows downloading of an investigation package
Syntax:
MicrosoftDefenderATP.GetInvestigationPackageUri (string Machine action ID)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine action ID |
string (Action ID) |
The ID of the investigation package collection |
True |
Returns:
Type:GetInvestigationPackageUriResponse
Summary: Actions - Isolate machine
Description: Isolate a machine from network
Syntax:
MicrosoftDefenderATP.IsolateMachine (string Machine ID, IsolateMachineParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to isolate |
True |
|
|
body |
|
|
True |
Returns:
Type:MachineActionMachine Action
Title: Machine Action
Description: A single machine action entity
Summary: Actions - Unisolate machine
Description: Unisolate a machine from network
Syntax:
MicrosoftDefenderATP.UnisolateMachine (string Machine ID, UnisolateMachineParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to unisolate |
True |
|
|
body |
|
|
True |
Returns:
Type:MachineActionMachine Action
Title: Machine Action
Description: A single machine action entity
Summary: Actions - Restrict app execution
Description: Restrict execution of all applications on the machine except a predefined set
Syntax:
MicrosoftDefenderATP.RestrictAppExecution (string Machine ID, RestrictAppExecutionParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to restrict |
True |
|
|
body |
RestrictAppExecutionParameterBody
|
|
True |
Returns:
Type:MachineActionMachine Action
Title: Machine Action
Description: A single machine action entity
Summary: Actions - Remove app execution restriction
Description: Enable execution of any application on the machine
Syntax:
MicrosoftDefenderATP.UnrestrictAppExecution (string Machine ID, UnrestrictAppExecutionParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to unrestrict |
True |
|
|
body |
UnrestrictAppExecutionParameterBody
|
|
True |
Returns:
Type:MachineActionMachine Action
Title: Machine Action
Description: A single machine action entity
Summary: Actions - Run antivirus scan
Description: Initiate Windows Defender Antivirus scan on a machine
Syntax:
MicrosoftDefenderATP.RunAntivirusScan (string Machine ID, RunAntivirusScanParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (Machine ID) |
The ID of the machine to scan |
True |
|
|
body |
|
|
True |
Returns:
Type:MachineActionMachine Action
Title: Machine Action
Description: A single machine action entity
Summary: Machines - Get list of machines
Description: Retrieve from Windows Defender ATP the most recent machines
Syntax:
MicrosoftDefenderATP.GetMachines ([Optional]string $filter, [advanced][Optional]string $select, [advanced][Optional]string $orderby, [advanced][Optional]integer $top, [advanced][Optional]integer $skip, [advanced][Optional]boolean $count)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
$filter |
string (Filters results) |
Filters the results, using OData syntax. |
False |
|
|
$select |
string (Selects properties) |
Selects which properties to include in the response, defaults to all. |
False |
|
|
$orderby |
string (Sorts results) |
Sorts the results. |
False |
|
|
$top |
integer(int32) (Returns first results) |
Returns only the first n results. |
False |
|
|
$skip |
integer(int32) (Skips first results) |
Skips the first n results. |
False |
|
|
$count |
boolean (Includes count) |
Includes a count of the matching results in the response. |
False |
Returns:
Type:GetMachinesResponse
Summary: Machines - Get single machine
Description: Retrieve from Windows Defender ATP a specific machine
Syntax:
MicrosoftDefenderATP.GetSingleMachine (string Machine ID)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (ID of the machine) |
The identifier of the machine to retrieve |
True |
Returns:
Type:MachineMachine
Title: Machine
Description: A single machine entity
Summary: Machines - Tag machine
Description: Add or remove a tag to/from a machine
Syntax:
MicrosoftDefenderATP.MachineTag (string Machine ID, MachineTagParameterBody body)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
Machine ID |
string (ID of the machine) |
The ID of the machine to which the tag should be added or removed |
True |
|
|
body |
|
|
True |
Returns:
Type:MachineMachine
Title: Machine
Description: A single machine entity
Summary: Get a registered alert web hook subscription
Description: Get Windows Defender ATP registered alert web hook subscription
Syntax:
MicrosoftDefenderATP.WebHooks_GetWebHook (string hookId)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
hookId |
string
|
|
True |
Returns:
Type:WebHookSubscriptionTableEntity
Summary: Deletes a registered alert hook
Description: Deletes Windows Defender ATP registered alert hook
Syntax:
MicrosoftDefenderATP.WebHooks_DeleteWebHook (string hookId)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
hookId |
string
|
|
True |
Returns:
Summary: Triggers - Trigger when new WDATP alert occurs
Description: Subscribe for Windows Defender ATP alerts
Syntax:
MicrosoftDefenderATP.WebHooks_CreateWebHook (WebHookSubscriptionRequest request)
Parameters:
|
Name |
Type |
Summary |
Required |
Related Action |
|
request |
|
|
True |
Returns:
Type:WebHookSubscriptionTableEntity
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Query |
string
|
The query to run |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Stats |
|
Stats |
|
Results |
array of (ResultsItem)
|
|
Summary:
Description: Stats
Properties:
|
Name |
Type |
Summary |
|
dataset_statistics |
array of (Dataset_statisticsItem)
|
dataset_statistics |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
table_row_count |
integer(int32)
|
The number of results that were returned from the query |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Query |
string
|
The query to run |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
Summary:
Description: A single alert entity
Properties:
|
Name |
Type |
Summary |
|
id |
string
|
Alert identifier |
|
incidentId |
integer(int32)
|
The ID of the incident |
|
investigationId |
integer(int32)
|
The Id of the investigation |
|
severity |
string
|
Alert severity Values: [Informational, Low, Medium, High] |
|
status |
string
|
Status of the alert Values: [Unspecified, New, InProgress, Resolved, Hidden] |
|
description |
string
|
Alert description |
|
alertCreationTime |
string(date-time)
|
The time at which the alert was created |
|
category |
string
|
Alert category |
|
title |
string
|
Alert title |
|
threatFamilyName |
string
|
Threat family name |
|
detectionSource |
string
|
Detection source |
|
classification |
string
|
Alert classification Values: [Unknown, FalsePositive, TruePositive] |
|
determination |
string
|
Alert determination Values: [NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other] |
|
assignedTo |
string
|
Person to whom the alert was assigned |
|
resolvedTime |
string
|
The time at which the alert was resolved |
|
lastEventTime |
string(date-time)
|
The time of the last event related to the alert |
|
firstEventTime |
string(date-time)
|
The time of the first event related to the alert |
|
machineId |
string
|
The identifier of the machine related to the alert |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the collection |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
machineId |
string
|
ID of the machine on which the event was identified |
|
reportId |
string(int32)
|
Report Id of the event |
|
eventTime |
string
|
Time of the event as string, e.g. 2018-08-03T16:45:21.7115183Z |
|
severity |
string
|
Severity of the alert. Values: [Low, Medium, High] |
|
category |
string
|
Category of the alert Values: [General, CommandAndControl, Collection, CredentialAccess, DefenseEvasion, Discovery, Exfiltration, Exploit, Execution, InitialAccess, LateralMovement, Malware, Persistence, PrivilegeEscalation, Ransomware, SuspiciousActivity] |
|
title |
string
|
Title of the Alert |
|
description |
string
|
Description of the Alert |
|
recommendedAction |
string
|
Recommended action for the Alert |
Summary:
Description: A single ip address statistics entity
Properties:
|
Name |
Type |
Summary |
|
host |
string
|
The domain host. |
|
orgPrevalence |
integer(int64)
|
The domain prevalence across organization |
|
orgFirstSeen |
string(date-time)
|
The first time the domain was observed in the organization. |
|
orgLastSeen |
string(date-time)
|
The last time the domain was observed in the organization. |
Summary:
Description: A single file statistics entity
Properties:
|
Name |
Type |
Summary |
|
sha1 |
string
|
The sha1 of the file |
|
globalPrevalence |
integer(int64)
|
The file prevalence across organization |
|
globalFirstObserved |
string(date-time)
|
The first time the file was observed. |
|
globalLastObserved |
string(date-time)
|
The Last time the file was observed. |
|
orgPrevalence |
integer(int64)
|
The file prevalence across organization |
|
orgFirstSeen |
string(date-time)
|
The first time the file was observed in the organization. |
|
orgLastSeen |
string(date-time)
|
The last time the file was observed in the organization. |
|
topFileNames |
array of (string)
|
The file names that this file has been presented. |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of available alerts by this query |
|
value |
array of (Alert)
|
The alerts returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
string
|
The investigation package SAS URI |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of available investigations by this query |
|
value |
array of (Investigation)
|
The investigations returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of available machine actions by this query |
|
value |
array of (MachineAction)
|
The machine actions returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
@odata.count |
integer(int32)
|
The number of available machines by this query |
|
value |
array of (Machine)
|
The machines returned |
|
@odata.nextLink |
string
|
A link to get the next results in case there are more results than requested |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the investigation |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
value |
string
|
The ID of the investigation |
Summary:
Description: A single investigation entity
Properties:
|
Name |
Type |
Summary |
|
id |
string
|
The ID of the investigation |
|
type |
string
|
The state of the investigation (e.g. 'Benign', 'Running', etc..) Values: [Unknown, Terminated, TerminatedByUser, TerminatedBySystem, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, Disabled, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert] |
|
statusDetails |
string
|
Details on the status |
|
computerDnsName |
string
|
The computer name |
|
machineId |
string
|
The machine ID |
|
startTime |
string(date-time)
|
The UTC time at which investigation was started |
|
dndTime |
string(date-time)
|
The UTC time at which investigation was completed |
Summary:
Description: A single ip address statistics entity
Properties:
|
Name |
Type |
Summary |
|
ipAddress |
string
|
The ip adress |
|
orgPrevalence |
integer(int64)
|
The ip address prevalence across organization |
|
orgFirstSeen |
string(date-time)
|
The first time the ip address was observed in the organization. |
|
orgLastSeen |
string(date-time)
|
The last time the ip address was observed in the organization. |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the isolation |
|
IsolationType |
string
|
Type of the isolation. Allowed values are 'Full' (for full isolation) or 'Selective' (to restrict only limited set of applications from accessing the network) Values: [Full, Selective] |
Summary:
Description: A single machine entity
Properties:
|
Name |
Type |
Summary |
|
id |
string
|
The machine identifier |
|
computerDnsName |
string
|
The computer name |
|
firstSeen |
string(date-time)
|
The time of the first event received by the machine |
|
lastSeen |
string(date-time)
|
The time of the last event received by the machine |
|
osPlatform |
string
|
The OS platform of the machine |
|
osVersion |
string
|
The OS version of the machine |
|
systemProductName |
string(date-time)
|
systemProductName |
|
lastIpAddress |
string
|
The last IP address of the machine |
|
lastExternalIpAddress |
string
|
The last external IP address of the machine |
|
agentVersion |
string
|
The agent version |
|
osBuild |
integer(int32)
|
The OS build of the machine |
|
healthStatus |
string
|
The health status of the machine Values: [Active, Inactive, ImpairedCommunication, NoSensorData, NoSensorDataImpairedCommunication, Unknown] |
|
isAadJoined |
boolean
|
A flag indicating whether the machine is joined to AAD |
|
machineTags |
array of (string)
|
The tags associated to the machine |
|
rbacGroupId |
integer(int32)
|
The ID of the RBAC group to which the machine belongs |
|
rbacGroupName |
string
|
The name of the RBAC group to which the machine belongs |
|
riskScore |
string
|
A score indicating how much the machine is at risk Values: [None, Low, Medium, High] |
|
aadDeviceId |
string
|
aadDeviceId |
Summary:
Description: A single machine action entity
Properties:
|
Name |
Type |
Summary |
|
id |
string
|
The ID of the machine action |
|
type |
string
|
The type of the action (e.g. 'Isolate', 'CollectInvestigationPackage', ...) Values: [Unknown, RequestSample, RunAntiVirusScan, Offboard, CollectInvestigationPackage, Isolate, Unisolate, StopAndQuarantineFile, RestrictCodeExecution, UnrestrictCodeExecution] |
|
requestor |
string
|
The person that requested the machine action |
|
requestorComment |
string
|
The comment associated to the machine action |
|
status |
string
|
The status of the machine action (e.g., 'InProgress') Values: [Pending, Cancelled, TimeOut, Failed, InProgress, Succeeded] |
|
machineId |
string
|
The ID of the machine on which the action has been performed |
|
creationDateTimeUtc |
string(date-time)
|
The UTC time at which the action has been requested |
|
lastUpdateDateTimeUtc |
string(date-time)
|
The last UTC time at which the action has been updated |
|
relatedFileInfo |
|
relatedFileInfo |
Summary:
Description: relatedFileInfo
Properties:
|
Name |
Type |
Summary |
|
fileIdentifier |
string
|
The hash of the file associated to this action |
|
fileIdentifierType |
string
|
The type of the hash of the file associated to this action Values: [Sha1, Sha256, Md5] |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Value |
string
|
The tag to add or remove |
|
Action |
string
|
The action to perform. Value should be one of 'Add' (to add a tag) or 'Remove' (to remove a tag) Values: [Add, Remove] |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
status |
string
|
Status of the alert. One of 'New', 'InProgress' and 'Resolved' Values: [New, InProgress, Resolved] |
|
assignedTo |
string
|
Person to assign the alert to |
|
classification |
string
|
Classification of the alert. One of 'Unknown', 'FalsePositive', 'TruePositive' Values: [Unknown, FalsePositive, TruePositive] |
|
determination |
string
|
The determination of the alert. One of 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' Values: [NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other] |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the restriction |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the scan request |
|
ScanType |
string
|
Type of scan to perform. Allowed values are 'Quick' or 'Full' Values: [Quick, Full] |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the investigation |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the unisolation |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
Comment |
string
|
A comment to associate to the restriction removal |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
clientState |
string
|
Gets or sets the client state. |
|
changeType |
string
|
Indicates the type of change in the subscribed resource that will raise a notification. |
|
resource |
string
|
Specifies the resource that will be monitored for changes. |
|
expirationDateTime |
string(date-time)
|
Specifies the date and time when the webhook subscription expires. |
|
notificationUrl |
string
|
Gets or sets the web hook callback URL. |
Summary:
Description:
Properties:
|
Name |
Type |
Summary |
|
id |
string
|
|
|
notificationUrl |
string
|
Gets or sets the web hook subscription notification URL. |
|
clientState |
string
|
|