Alert resource type
Applies to:
Note
For the full available Alerts API experience across all Microsoft Defenders' products, visit: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn.
Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.
Note
If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.
Tip
For better performance, you can use server closer to your geo location:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
Methods
Method | Return Type | Description |
---|---|---|
Get alert | Alert | Get a single alert object |
List alerts | Alert collection | List alert collection |
Update alert | Alert | Update specific alert |
Batch update alerts | Update a batch of alerts | |
Create alert | Alert | Create an alert based on event data obtained from Advanced Hunting |
List related domains | Domain collection | List URLs associated with the alert |
List related files | File collection | List the file entities that are associated with the alert |
List related IPs | IP collection | List IPs that are associated with the alert |
Get related machines | Machine | The machine that is associated with the alert |
Get related users | User | The user that is associated with the alert |
Properties
Property | Type | Description |
---|---|---|
ID | String | Alert ID. |
title | String | Alert title. |
description | String | Alert description. |
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created. |
lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device. |
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device. |
lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated. |
resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to Resolved. |
incidentId | Nullable Long | The Incident ID of the Alert. |
investigationId | Nullable Long | The Investigation ID related to the Alert. |
investigationState | Nullable Enum | The current state of the Investigation. Possible values are: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert. |
assignedTo | String | Owner of the alert. |
rbacGroupName | String | Role-based access control device group name. |
mitreTechniques | String | Mitre Enterprise technique ID. |
relatedUser | String | Details of user related to a specific alert. |
severity | Enum | Severity of the alert. Possible values are: UnSpecified, Informational, Low, Medium, and High. |
status | Enum | Specifies the current status of the alert. Possible values are: Unknown, New, InProgress and Resolved. |
classification | Nullable Enum | Specification of the alert. Possible values are: TruePositive , Informational, expected activity , and FalsePositive . |
determination | Nullable Enum | Specifies the determination of the alert. Possible determination values for each classification are: Multistage attack (MultiStagedAttack), Malicious user activity (MaliciousUserActivity), Compromised account (CompromisedUser) – consider changing the enum name in public API accordingly, Malware (Malware), Phishing (Phishing), Unwanted software (UnwantedSoftware), and Other (Other). Security test (SecurityTesting), Line-of-business application (LineOfBusinessApplication), Confirmed activity (ConfirmedUserActivity) - consider changing the enum name in public API accordingly, and Other (Other). Not malicious (Clean) - consider changing the enum name in public API accordingly, Not enough data to validate (InsufficientData), and Other (Other). |
category | String | Category of the alert. |
detectionSource | String | Detection source. |
threatFamilyName | String | Threat family. |
threatName | String | Threat name. |
machineId | String | ID of a machine entity that is associated with the alert. |
computerDnsName | String | machine fully qualified name. |
aadTenantId | String | The Microsoft Entra ID. |
detectorId | String | The ID of the detector that triggered the alert. |
comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string, and createTime date time. |
Evidence | List of Alert evidence | Evidence related to the alert. See the following example. |
Note
Around August 29, 2022, previously supported alert determination values (Apt and SecurityPersonnel) will be deprecated and no longer available via the API.
Response example for getting single alert:
GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
{
"id": "da637472900382838869_1364969609",
"incidentId": 1126093,
"investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
"investigationState": "Queued",
"detectionSource": "WindowsDefenderAtp",
"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
"category": "Execution",
"threatFamilyName": null,
"title": "Low-reputation arbitrary code executed by signed executable",
"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
"firstEventTime": "2021-01-26T20:31:32.9562661Z",
"lastEventTime": "2021-01-26T20:31:33.0577322Z",
"lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "A",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": {
"userName": "temp123",
"domainName": "DOMAIN"
},
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2021-01-26T01:00:37.8404534Z"
}
],
"evidence": [
{
"entityType": "User",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
"filePath": null,
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": "name",
"domainName": "DOMAIN",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"userPrincipalName": "temp123@microsoft.com",
"detectionStatus": null
},
{
"entityType": "Process",
"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
"fileName": "rundll32.exe",
"filePath": "C:\\Windows\\SysWOW64",
"processId": 3276,
"processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
"processCreationTime": "2021-01-26T20:31:32.9581596Z",
"parentProcessId": 8420,
"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
"parentProcessFileName": "rundll32.exe",
"parentProcessFilePath": "C:\\Windows\\System32",
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
},
{
"entityType": "File",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
"fileName": "suspicious.dll",
"filePath": "c:\\temp",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
}
]
}
Related articles
Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Σχόλια
https://aka.ms/ContentUserFeedback.
Σύντομα διαθέσιμα: Καθ' όλη τη διάρκεια του 2024 θα καταργήσουμε σταδιακά τα ζητήματα GitHub ως μηχανισμό ανάδρασης για το περιεχόμενο και θα το αντικαταστήσουμε με ένα νέο σύστημα ανάδρασης. Για περισσότερες πληροφορίες, ανατρέξτε στο θέμα:Υποβολή και προβολή σχολίων για