Alert resource type

Applies to:

Represents an alert entity in Microsoft Defender ATP.

Methods

Method Return Type Description
Get alert Alert Get a single alert object.
List alerts Alert collection List alert collection.
Create alert Alert Create an alert based on event data obtained from Advanced Hunting.
List related domains Domain collection List URLs associated with the alert.
List related files File collection List the file entities that are associated with the alert.
List related IPs IP collection List IPs that are associated with the alert.
Get related machines Machine The machine that is associated with the alert.
Get related users User The user that is associated with the alert.

Properties

Property Type Description
id String Alert ID.
incidentId String The Incident ID of the Alert.
assignedTo String Owner of the alert.
severity Enum Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status Enum Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
investigationState Nullable Enum The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification Nullable Enum Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination Nullable Enum Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category String Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
detectionSource string Detection source.
threatFamilyName string Threat family.
title string Alert title.
description String Description of the threat, identified by the alert.
alertCreationTime DateTimeOffset The date and time (in UTC) the alert was created.
lastEventTime DateTimeOffset The last occurance of the event that triggered the alert on the same machine.
firstEventTime DateTimeOffset The first occurance of the event that triggered the alert on that machine.
resolvedTime DateTimeOffset The date and time in which the status of the alert was changed to 'Resolved'.
machineId String ID of a machine entity that is associated with the alert.

JSON representation

{
    "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
    "id": "121688558380765161_2136280442",
    "incidentId": 7696,
    "assignedTo": "secop@contoso.com",
    "severity": "High",
    "status": "New",
    "classification": "TruePositive",
    "determination": "Malware",
    "investigationState": "Running",
    "category": "MalwareDownload",
    "detectionSource": "WindowsDefenderAv",
    "threatFamilyName": "Mikatz",
    "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
    "description": "Some description"
    "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
    "firstEventTime": "2018-11-26T16:17:50.0948658Z",
    "lastEventTime": "2018-11-26T16:18:01.809871Z",
    "resolvedTime": null,
    "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}