Alert resource type

Applies to:

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

  • api-us.securitycenter.microsoft.com
  • api-eu.securitycenter.microsoft.com
  • api-uk.securitycenter.microsoft.com

Methods

Method | Return Type | Description
Get alert | Alert | Get a single alert object.
List alerts | Alert collection | List alert collection.
Update alert | Alert | Update specific alert.
Batch update alerts | | Update a batch of alerts.
Create alert | Alert | Create an alert based on event data obtained from Advanced Hunting.
List related domains | Domain collection | List URLs associated with the alert.
List related files | File collection | List the file entities that are associated with the alert.
List related IPs | IP collection | List IPs that are associated with the alert.
Get related machines | Machine | The machine that is associated with the alert.
Get related users | User | The user that is associated with the alert.

Properties

Property | Type | Description
id | String | Alert ID.
title | String | Alert title.
description | String | Alert description.
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device.
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
incidentId | Nullable Long | The Incident ID of the Alert.
investigationId | Nullable Long | The Investigation ID related to the Alert.
investigationState | Nullable Enum | The current state of the Investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category | String | Category of the alert.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
threatName | String | Threat name.
machineId | String | ID of a machine entity that is associated with the alert.
computerDnsName | String | Machine fully qualified name.
aadTenantId | String | The Azure Active Directory ID.
detectorId | String | The ID of the detector that triggered the alert.
comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
evidence | List of Alert evidence | Evidence related to the alert. See example below.

Response example for getting a single alert:

GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
{
    "id": "da637472900382838869_1364969609",
    "incidentId": 1126093,
    "investigationId": null,
    "assignedTo": null,
    "severity": "Low",
    "status": "New",
    "classification": null,
    "determination": null,
    "investigationState": "Queued",
    "detectionSource": "WindowsDefenderAtp",
    "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
    "category": "Execution",
    "threatFamilyName": null,
    "title": "Low-reputation arbitrary code executed by signed executable",
    "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
    "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
    "firstEventTime": "2021-01-26T20:31:32.9562661Z",
    "lastEventTime": "2021-01-26T20:31:33.0577322Z",
    "lastUpdateTime": "2021-01-26T20:33:59.2Z",
    "resolvedTime": null,
    "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
    "computerDnsName": "temp123.middleeast.corp.microsoft.com",
    "rbacGroupName": "A",
    "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
    "threatName": null,
    "mitreTechniques": [
        "T1064",
        "T1085",
        "T1220"
    ],
    "relatedUser": {
        "userName": "temp123",
        "domainName": "MIDDLEEAST"
    },
    "comments": [
        {
            "comment": "test comment for docs",
            "createdBy": "secop123@contoso.com",
            "createdTime": "2021-01-26T01:00:37.8404534Z"
        }
    ],
    "evidence": [
        {
            "entityType": "User",
            "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
            "sha1": null,
            "sha256": null,
            "fileName": null,
            "filePath": null,
            "processId": null,
            "processCommandLine": null,
            "processCreationTime": null,
            "parentProcessId": null,
            "parentProcessCreationTime": null,
            "parentProcessFileName": null,
            "parentProcessFilePath": null,
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": "eranb",
            "domainName": "MIDDLEEAST",
            "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
            "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
            "userPrincipalName": "temp123@microsoft.com",
            "detectionStatus": null
        },
        {
            "entityType": "Process",
            "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
            "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
            "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
            "fileName": "rundll32.exe",
            "filePath": "C:\\Windows\\SysWOW64",
            "processId": 3276,
            "processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
            "processCreationTime": "2021-01-26T20:31:32.9581596Z",
            "parentProcessId": 8420,
            "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
            "parentProcessFileName": "rundll32.exe",
            "parentProcessFilePath": "C:\\Windows\\System32",
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": null,
            "domainName": null,
            "userSid": null,
            "aadUserId": null,
            "userPrincipalName": null,
            "detectionStatus": "Detected"
        },
        {
            "entityType": "File",
            "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
            "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
            "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
            "fileName": "suspicious.dll",
            "filePath": "c:\\temp",
            "processId": null,
            "processCommandLine": null,
            "processCreationTime": null,
            "parentProcessId": null,
            "parentProcessCreationTime": null,
            "parentProcessFileName": null,
            "parentProcessFilePath": null,
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": null,
            "domainName": null,
            "userSid": null,
            "aadUserId": null,
            "userPrincipalName": null,
            "detectionStatus": "Detected"
        }
    ]
}
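As an added example (not code from this page or from the Defender for Endpoint API itself), the Python helpers below consume an alert object shaped like the response above: `detected_evidence` pulls out the evidence entities the sensor marked as Detected, preferring sha256 over sha1 because most evidence fields are null, and `validate_update` checks an update-alert body against the enum values listed in the Properties table before it is sent. The sample alert is a constructed, trimmed copy of the response example; the function names are hypothetical.

```python
import json

# Enum values as documented in the Properties table for the Alert resource.
ALERT_ENUMS = {
    "severity": {"UnSpecified", "Informational", "Low", "Medium", "High"},
    "status": {"Unknown", "New", "InProgress", "Resolved"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}

# Constructed sample: a trimmed copy of the response example on this page.
SAMPLE_ALERT = json.loads(r'''{
  "id": "da637472900382838869_1364969609", "severity": "Low", "status": "New",
  "classification": null, "determination": null, "category": "Execution",
  "evidence": [
    {"entityType": "User", "accountName": "eranb", "domainName": "MIDDLEEAST",
     "sha1": null, "sha256": null, "fileName": null, "detectionStatus": null},
    {"entityType": "Process", "fileName": "rundll32.exe", "accountName": null,
     "processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
     "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", "sha256": null,
     "detectionStatus": "Detected"},
    {"entityType": "File", "fileName": "suspicious.dll", "accountName": null,
     "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
     "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
     "detectionStatus": "Detected"}
  ]
}''')


def detected_evidence(alert):
    """Return (entityType, fileName, digest) for evidence marked Detected."""
    # Evidence rows are sparse: every key is present but most are null, so
    # prefer sha256, fall back to sha1, and never assume a field is populated.
    hits = []
    for ev in alert.get("evidence", []):
        if ev.get("detectionStatus") != "Detected":
            continue
        digest = ev.get("sha256") or ev.get("sha1")
        hits.append((ev["entityType"], ev.get("fileName"), digest))
    return hits


def validate_update(fields):
    """Return problems with an update-alert body; an empty list means valid."""
    # Only the enum-typed properties are checked; free-text ones pass through.
    problems = []
    for key, value in fields.items():
        allowed = ALERT_ENUMS.get(key)
        if allowed is not None and value not in allowed:
            problems.append(f"{key}: {value!r} is not one of {sorted(allowed)}")
    return problems
```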