Windows Defender Advanced Threat Protection (ATP) (Preview)

Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Read more about it here: http://aka.ms/wdatp

This connector is available in the following products and regions:

Service      Class      Regions
Logic Apps   Standard   All Logic Apps regions except the following:
                        - Azure Government regions
                        - Azure China regions
Flow         Premium    All Flow regions except the following:
                        - US Government (GCC)
PowerApps    Premium    All PowerApps regions except the following:
                        - US Government (GCC)

Throttling Limits

Name                       Calls   Renewal Period
API calls per connection   100     60 seconds

Actions

Actions - Collect investigation package

Collect investigation package from a machine

Required Parameters

Machine ID
string
The ID of the machine to collect the investigation package from
Comment
string
A comment to associate with the collection

Returns

Machine Action
MachineAction

A single machine action entity

Actions - Get investigation package download URI

Get a URI from which an investigation package can be downloaded

Required Parameters

Action ID
string
The ID of the investigation package collection

Returns

Package SAS URI
string
The investigation package SAS URI

Actions - Get list of machine actions

Retrieve the most recent machine actions from Windows Defender ATP

Optional Parameters

Filters results
string
Filters the results, using OData syntax.
Selects properties
string
Selects which properties to include in the response, defaults to all.
Sorts results
string
Sorts the results.
Returns first results
integer
Returns only the first n results.
Skips first results
integer
Skips the first n results.
Includes count
boolean
Includes a count of the matching results in the response.

Returns

Machine Actions count
integer
The number of machine actions matching this query
Machine Actions
array of MachineAction
The machine actions returned
Next link
string
A link to the next page of results when more results are available than were requested

Actions - Get single machine action

Retrieve a specific machine action from Windows Defender ATP

Required Parameters

ID of the machine action
string
The identifier of the machine action to retrieve

Returns

Machine Action
MachineAction

A single machine action entity

Actions - Initiate investigation on a machine

Initiate investigation on a machine

Required Parameters

Machine ID
string
The ID of the machine to investigate
Comment
string
A comment to associate with the investigation

Returns

Investigation ID
string
The ID of the investigation

Actions - Isolate machine

Isolate a machine from the network

Required Parameters

Machine ID
string
The ID of the machine to isolate
Comment
string
A comment to associate with the isolation
Isolation Type
string
Type of the isolation. Allowed values are 'Full' (for full isolation) or 'Selective' (to restrict only a limited set of applications from accessing the network)

Returns

Machine Action
MachineAction

A single machine action entity

Actions - Remove app execution restriction

Enable execution of any application on the machine

Required Parameters

Machine ID
string
The ID of the machine to unrestrict
Comment
string
A comment to associate with the restriction removal

Returns

Machine Action
MachineAction

A single machine action entity

Actions - Restrict app execution

Restrict execution of all applications on the machine except a predefined set

Required Parameters

Machine ID
string
The ID of the machine to restrict
Comment
string
A comment to associate with the restriction

Returns

Machine Action
MachineAction

A single machine action entity

Actions - Run antivirus scan

Initiate Windows Defender Antivirus scan on a machine

Required Parameters

Machine ID
string
The ID of the machine to scan
Comment
string
A comment to associate with the scan request
Scan Type
string
Type of scan to perform. Allowed values are 'Quick' or 'Full'

Returns

Machine Action
MachineAction

A single machine action entity

Actions - Unisolate machine

Unisolate a machine from the network

Required Parameters

Machine ID
string
The ID of the machine to unisolate
Comment
string
A comment to associate with the unisolation

Returns

Machine Action
MachineAction

A single machine action entity

Advanced Hunting

Run a custom query in Windows Defender ATP

Required Parameters

Query
string
The query to run

Returns

The outputs of this operation are dynamic.

Alerts - Create alert

Create an alert based on a specific event

Required Parameters

Machine ID
string
ID of the machine on which the event was identified
Report ID
integer
Report ID of the event
Event Time
date-time
Time of the event as a string, e.g. 2018-08-03T16:45:21.7115183Z
Severity
string
Severity of the alert.
Category
string
Category of the alert
Title
string
Title of the Alert
Description
string
Description of the Alert
Recommended Action
string
Recommended action for the Alert

Returns

Alert
Alert

A single alert entity

Alerts - Get list of alerts

Retrieve the most recent alerts from Windows Defender ATP

Optional Parameters

Expands entities
string
Expands related entities inline.
Filters results
string
Filters the results, using OData syntax.
Selects properties
string
Selects which properties to include in the response, defaults to all.
Sorts results
string
Sorts the results.
Returns first results
integer
Returns only the first n results.
Skips first results
integer
Skips the first n results.
Includes count
boolean
Includes a count of the matching results in the response.

Returns

Alerts count
integer
The number of alerts matching this query
Alerts
array of Alert
The alerts returned
Next link
string
A link to the next page of results when more results are available than were requested

Alerts - Get single alert

Retrieve a specific alert from Windows Defender ATP

Required Parameters

ID of the alert
string
The identifier of the alert to retrieve

Returns

Alert
Alert

A single alert entity

Alerts - Update alert

Update a Windows Defender ATP alert

Required Parameters

ID of the alert
string
The identifier of the alert to update

Optional Parameters

Status
string
Status of the alert. One of 'New', 'InProgress' or 'Resolved'
Assigned to
string
Person to assign the alert to
Classification
string
Classification of the alert. One of 'Unknown', 'FalsePositive', 'TruePositive'
Determination
string
The determination of the alert. One of 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'

Returns

Alert
Alert

A single alert entity
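The list operations on this page (machine actions, alerts, machines) all return a "Next link" that a caller must follow, and "Alerts - Update alert" only accepts the fixed values listed above. The following is an added example, not code from the connector page or from Microsoft, that bounds the pagination loop and validates the update fields before sending them; the JSON key names ("value", "nextLink", "assignedTo") and the sample pages are constructed assumptions.

```python
# Added example (not connector code). Allowed values are from "Alerts - Update alert";
# the JSON keys ("value", "nextLink", "assignedTo") and sample pages are constructed.
from typing import Callable, Dict, Iterator, List, Optional

ALERT_STATUS = {"New", "InProgress", "Resolved"}
ALERT_CLASSIFICATION = {"Unknown", "FalsePositive", "TruePositive"}
ALERT_DETERMINATION = {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                       "SecurityTesting", "UnwantedSoftware", "Other"}

def alert_update_body(status: Optional[str] = None, assigned_to: Optional[str] = None,
                      classification: Optional[str] = None,
                      determination: Optional[str] = None) -> Dict[str, str]:
    """Build the update payload, rejecting values the service does not accept."""
    body: Dict[str, str] = {}
    for name, value, allowed in (("status", status, ALERT_STATUS),
                                 ("classification", classification, ALERT_CLASSIFICATION),
                                 ("determination", determination, ALERT_DETERMINATION)):
        if value is None:
            continue
        if value not in allowed:
            raise ValueError(f"{name}={value!r} is not one of {sorted(allowed)}")
        body[name] = value
    if assigned_to is not None:
        body["assignedTo"] = assigned_to
    return body

def iterate_items(fetch: Callable[[Optional[str]], dict], max_pages: int = 100) -> Iterator[dict]:
    """Yield items across pages, following 'Next link' until the service omits it.
    max_pages bounds the loop so a service that always returns a link cannot spin forever."""
    link: Optional[str] = None
    for _ in range(max_pages):
        page = fetch(link)
        yield from page["value"]
        link = page.get("nextLink")
        if not link:
            return
    raise RuntimeError(f"pagination did not finish within {max_pages} pages")

# Constructed stand-in for two responses of "Alerts - Get list of alerts".
SAMPLE_PAGES = {
    None: {"count": 3, "value": [{"id": "a1", "severity": "High"},
                                 {"id": "a2", "severity": "Low"}], "nextLink": "page2"},
    "page2": {"count": 3, "value": [{"id": "a3", "severity": "High"}]},
}

def high_severity_ids(pages: Dict[Optional[str], dict] = SAMPLE_PAGES) -> List[str]:
    """Collect IDs of high-severity alerts across all pages (e.g. for escalation)."""
    return [a["id"] for a in iterate_items(pages.__getitem__) if a["severity"] == "High"]
```

In a workflow, `fetch` would be the connector call that takes the next link; the same paging helper applies to the machine and machine-action lists.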

Machines - Get list of machines

Retrieve the most recent machines from Windows Defender ATP

Optional Parameters

Filters results
string
Filters the results, using OData syntax.
Selects properties
string
Selects which properties to include in the response, defaults to all.
Sorts results
string
Sorts the results.
Returns first results
integer
Returns only the first n results.
Skips first results
integer
Skips the first n results.
Includes count
boolean
Includes a count of the matching results in the response.

Returns

Machines count
integer
The number of machines matching this query
Machines
array of Machine
The machines returned
Next link
string
A link to the next page of results when more results are available than were requested

Machines - Get single machine

Retrieve a specific machine from Windows Defender ATP

Required Parameters

ID of the machine
string
The identifier of the machine to retrieve

Returns

Machine
Machine

A single machine entity

Machines - Tag machine

Add or remove a tag to/from a machine

Required Parameters

ID of the machine
string
The ID of the machine to which the tag should be added or from which it should be removed
Value
string
The tag to add or remove
Action
string
The action to perform. Value should be one of 'Add' (to add a tag) or 'Remove' (to remove a tag)

Returns

Machine
Machine

A single machine entity

Triggers

Triggers - Trigger when new WDATP alert occurs

Subscribe for Windows Defender ATP alerts

Returns

Definitions

Alert

A single alert entity

Alert ID
string
Alert identifier
Alert creation time
date-time
The time at which the alert was created
Alert severity
string
Alert severity
Assigned to
string
Person to whom the alert was assigned
Category
string
Alert category
Classification
string
Alert classification
Description
string
Alert description
Detection source
string
Detection source
Determination
string
Alert determination
First event time
date-time
The time of the first event related to the alert
Incident ID
integer
The ID of the incident
Investigation ID
integer
The ID of the investigation
Last event time
date-time
The time of the last event related to the alert
Machine ID
string
The identifier of the machine related to the alert
Resolved time
string
The time at which the alert was resolved
Status
string
Status of the alert
Threat family name
string
Threat family name
Title
string
Alert title

Machine

A single machine entity

AAD device ID
string
aadDeviceId
Agent version
string
The agent version
Computer name
string
The computer name
First seen
date-time
The time of the first event received by the machine
Health status
string
The health status of the machine
Is AAD joined
boolean
A flag indicating whether the machine is joined to AAD
Last IP address
string
The last IP address of the machine
Last external IP address
string
The last external IP address of the machine
Last seen
date-time
The time of the last event received by the machine
Machine ID
string
The machine identifier
Machine tags
array of string
The tags associated with the machine
OS build
integer
The OS build of the machine
OS platform
string
The OS platform of the machine
OS version
string
The OS version of the machine
RBAC group ID
integer
The ID of the RBAC group to which the machine belongs
RBAC group name
string
The name of the RBAC group to which the machine belongs
Risk score
string
A score indicating how much the machine is at risk
System product name
date-time
systemProductName

MachineAction

A single machine action entity

Action ID
string
The ID of the machine action
Action type
string
The type of the action (e.g. 'Isolate', 'CollectInvestigationPackage', ...)
Comment
string
The comment associated with the machine action
Creation time
date-time
The UTC time at which the action was requested
ID
string
The ID of the machine on which the action has been performed
Last update time
date-time
The UTC time at which the action was last updated
Requestor
string
The person who requested the machine action
Status
string
The status of the machine action (e.g., 'InProgress')

WebHookNotification

Alert Id
string
Machine Id
string