Windows-itpro-docs: Defender ATP API Field Documentation is missing many fields

Created on 20 Nov 2019 · 4 Comments · Source: MicrosoftDocs/windows-itpro-docs

The Microsoft Defender ATP detections API fields document is missing definitions for properties returned by the ATP API.

I've attached a table comparing the fields returned by the API with the corresponding field in the documentation, if it exists (blank = missing in documentation).

In API | In Documentation
-- | --
Actor | Actor
AlertId | AlertId
AlertPart |  
AlertTime | AlertTime
AlertTitle | AlertTitle
Category | Category
CloudCreatedMachineTags |  
CommandLine |  
ComputerDnsName | ComputerDnsName
CreatorIocName |  
CreatorIocValue |  
Description |  
DeviceCreatedMachineTags |  
DeviceID |  
ExternalId |  
FileHash |  
FileName | FileName
FilePath | FilePath
FullId |  
IncidentLinkToWDATP |  
InternalIPv4List | InternalIPv4List
InternalIPv6List | InternalIPv6List
IoaDefinitionId |  
IocName |  
IocUniqueId |  
IocValue |  
IpAddress | IpAddress
LastProcessedTimeUtc | LastProcessedTimeUtc
LinkToWDATP | LinkToWDATP
LogOnUsers | LogOnUsers
MachineDomain | MachineDomain
MachineGroup |  
MachineName | MachineName
Md5 | Md5
RemediationAction |  
RemediationIsSuccess | RemediationIsSuccess
ReportID |  
Severity | Severity
Sha1 | Sha1
Sha256 | Sha256
Source |  
ThreatCategory |  
ThreatFamily |  
ThreatName | ThreatName
Url | Url
UserDomain | UserDomain
UserName | UserName
WasExecutingWhileDetected | WasExecutingWhileDetected
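As an added example (not part of this issue or of the Microsoft docs), a schema-drift check that a SIEM connector could run on each detection record before parsing it, using the "In Documentation" column of the table above as the documented field set; it assumes that column is the complete documented list, and the sample record is constructed with placeholder values:

```python
# Documented fields, taken from the "In Documentation" column of the table above.
DOCUMENTED_FIELDS = frozenset({
    "Actor", "AlertId", "AlertTime", "AlertTitle", "Category", "ComputerDnsName",
    "FileName", "FilePath", "InternalIPv4List", "InternalIPv6List", "IpAddress",
    "LastProcessedTimeUtc", "LinkToWDATP", "LogOnUsers", "MachineDomain",
    "MachineName", "Md5", "RemediationIsSuccess", "Severity", "Sha1", "Sha256",
    "ThreatName", "Url", "UserDomain", "UserName", "WasExecutingWhileDetected",
})


def check_detection_schema(record: dict) -> dict:
    """Compare one detection record's keys with the documented field set.

    Returns the keys the API sent that the documentation does not describe
    (drift a strict parser may silently drop or reject) and the documented
    keys the record lacks (fields a downstream rule may wrongly assume exist).
    """
    keys = set(record)
    return {
        "undocumented": sorted(keys - DOCUMENTED_FIELDS),
        "missing": sorted(DOCUMENTED_FIELDS - keys),
    }


# Constructed sample record; values are placeholders, not real indicators.
SAMPLE_RECORD = {
    "AlertId": "PLACEHOLDER-ALERT-ID",
    "AlertTitle": "Suspicious script execution",
    "Severity": "Medium",
    "Category": "Execution",
    "MachineName": "WORKSTATION01",
    "Sha1": "0000000000000000000000000000000000000000",
    "CommandLine": "powershell.exe -NoProfile -File C:\\temp\\run.ps1",  # in API, not in docs
    "Description": "constructed description text",  # in API, not in docs
}

if __name__ == "__main__":
    result = check_detection_schema(SAMPLE_RECORD)
    print("undocumented:", result["undocumented"])  # ['CommandLine', 'Description']
    print("missing:", result["missing"])
```

Logging the "undocumented" list on every ingestion run shows when the API starts returning fields the documentation (and therefore the connector's field mapping) does not yet cover.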


All 4 comments

As soon as the required information becomes available (somewhere else?), it should be an easy task to add it to this documentation page.

For now, I can only mention that the following cells on the same row as the missing fields need accompanying information:

| Portal label | SIEM field name | ArcSight field | Example value | Description |
| :------------: | ------------------------- | :------------: | ------------- | :---------- |
| (if available) | (from the API list above) | (required) | (recommended) | (required) |

Also, fields like status and classification should be available in order to retrieve those that are active alerts,
e.g. unresolved + true alerts.

Else the REST API collects even the resolved alerts.

Is it possible?

@e0i, I had forgotten about this ticket; do you think we should ask the document author if the table needs updating with more information?

I have reached out to the dev team and some updates to the document are in the pipeline.
