Alert resource type

Applies to:

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geographic location:

  • api-us.securitycenter.microsoft.com
  • api-eu.securitycenter.microsoft.com
  • api-uk.securitycenter.microsoft.com

Methods

Method | Return Type | Description
Get alert | Alert | Get a single alert object.
List alerts | Alert collection | List alert collection.
Update alert | Alert | Update a specific alert.
Batch update alerts | | Update a batch of alerts.
Create alert | Alert | Create an alert based on event data obtained from Advanced Hunting.
List related domains | Domain collection | List URLs associated with the alert.
List related files | File collection | List the file entities that are associated with the alert.
List related IPs | IP collection | List IPs that are associated with the alert.
Get related machines | Machine | The machine that is associated with the alert.
Get related users | User | The user that is associated with the alert.

Properties

Property | Type | Description
id | String | Alert ID.
title | String | Alert title.
description | String | Alert description.
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device.
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
resolvedTime | Nullable DateTimeOffset | The date and time at which the status of the alert was changed to 'Resolved'.
incidentId | Nullable Long | The Incident ID of the Alert.
investigationId | Nullable Long | The Investigation ID related to the Alert.
investigationState | Nullable Enum | The current state of the Investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category | String | Category of the alert.
detectionSource | String | Detection source.
threatFamilyName | String | Threat family.
threatName | String | Threat name.
machineId | String | ID of a machine entity that is associated with the alert.
computerDnsName | String | Machine fully qualified name.
aadTenantId | String | The Azure Active Directory ID.
detectorId | String | The ID of the detector that triggered the alert.
comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
evidence | List of Alert evidence | Evidence related to the alert. See the example below.

Response example for getting a single alert:

GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
{
    "id": "da637472900382838869_1364969609",
    "incidentId": 1126093,
    "investigationId": null,
    "assignedTo": null,
    "severity": "Low",
    "status": "New",
    "classification": null,
    "determination": null,
    "investigationState": "Queued",
    "detectionSource": "WindowsDefenderAtp",
    "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
    "category": "Execution",
    "threatFamilyName": null,
    "title": "Low-reputation arbitrary code executed by signed executable",
    "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
    "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
    "firstEventTime": "2021-01-26T20:31:32.9562661Z",
    "lastEventTime": "2021-01-26T20:31:33.0577322Z",
    "lastUpdateTime": "2021-01-26T20:33:59.2Z",
    "resolvedTime": null,
    "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
    "computerDnsName": "temp123.middleeast.corp.microsoft.com",
    "rbacGroupName": "A",
    "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
    "threatName": null,
    "mitreTechniques": [
        "T1064",
        "T1085",
        "T1220"
    ],
    "relatedUser": {
        "userName": "temp123",
        "domainName": "MIDDLEEAST"
    },
    "comments": [
        {
            "comment": "test comment for docs",
            "createdBy": "secop123@contoso.com",
            "createdTime": "2021-01-26T01:00:37.8404534Z"
        }
    ],
    "evidence": [
        {
            "entityType": "User",
            "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
            "sha1": null,
            "sha256": null,
            "fileName": null,
            "filePath": null,
            "processId": null,
            "processCommandLine": null,
            "processCreationTime": null,
            "parentProcessId": null,
            "parentProcessCreationTime": null,
            "parentProcessFileName": null,
            "parentProcessFilePath": null,
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": "eranb",
            "domainName": "MIDDLEEAST",
            "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
            "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
            "userPrincipalName": "temp123@microsoft.com",
            "detectionStatus": null
        },
        {
            "entityType": "Process",
            "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
            "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
            "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
            "fileName": "rundll32.exe",
            "filePath": "C:\\Windows\\SysWOW64",
            "processId": 3276,
            "processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
            "processCreationTime": "2021-01-26T20:31:32.9581596Z",
            "parentProcessId": 8420,
            "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
            "parentProcessFileName": "rundll32.exe",
            "parentProcessFilePath": "C:\\Windows\\System32",
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": null,
            "domainName": null,
            "userSid": null,
            "aadUserId": null,
            "userPrincipalName": null,
            "detectionStatus": "Detected"
        },
        {
            "entityType": "File",
            "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
            "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
            "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
            "fileName": "suspicious.dll",
            "filePath": "c:\\temp",
            "processId": null,
            "processCommandLine": null,
            "processCreationTime": null,
            "parentProcessId": null,
            "parentProcessCreationTime": null,
            "parentProcessFileName": null,
            "parentProcessFilePath": null,
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": null,
            "domainName": null,
            "userSid": null,
            "aadUserId": null,
            "userPrincipalName": null,
            "detectionStatus": "Detected"
        }
    ]
}
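As an added example (not part of the Microsoft documentation), the following Python checks an Alert object against the enumerations listed in the Properties table, treating 'Nullable Enum' fields as optional and 'severity'/'status' as required, and then pulls out the evidence entities the sensor flagged as Detected. The embedded SAMPLE is a constructed, trimmed copy of the response above; ENUMS, validate_alert and detected_artifacts are names chosen here.

```python
import json

# Enumerations exactly as listed in the Properties table; (allowed values, nullable).
ENUMS = {
    "severity": ({"UnSpecified", "Informational", "Low", "Medium", "High"}, False),
    "status": ({"Unknown", "New", "InProgress", "Resolved"}, False),
    "classification": ({"Unknown", "FalsePositive", "TruePositive"}, True),
    "determination": ({"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                       "SecurityTesting", "UnwantedSoftware", "Other"}, True),
    "investigationState": ({"Unknown", "Terminated", "SuccessfullyRemediated",
        "Benign", "Failed", "PartiallyRemediated", "Running", "PendingApproval",
        "PendingResource", "PartiallyInvestigated", "TerminatedByUser",
        "TerminatedBySystem", "Queued", "InnerFailure", "PreexistingAlert",
        "UnsupportedOs", "UnsupportedAlertType", "SuppressedAlert"}, True),
}

# Constructed sample: a trimmed copy of the documented response example.
SAMPLE = r'''{"id": "da637472900382838869_1364969609", "severity": "Low",
 "status": "New", "classification": null, "determination": null,
 "investigationState": "Queued", "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
 "title": "Low-reputation arbitrary code executed by signed executable",
 "evidence": [
  {"entityType": "User", "userPrincipalName": "temp123@microsoft.com", "detectionStatus": null},
  {"entityType": "Process", "fileName": "rundll32.exe", "detectionStatus": "Detected",
   "processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
   "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6"},
  {"entityType": "File", "fileName": "suspicious.dll", "detectionStatus": "Detected",
   "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608"}]}'''
ALERT = json.loads(SAMPLE)

def validate_alert(alert):
    """Return schema problems found in an Alert object (empty list = well-formed).
    Nullable enums accept null; severity and status must always carry a value."""
    problems = []
    for key in ("id", "title", "machineId"):
        if not isinstance(alert.get(key), str):
            problems.append(f"{key}: expected a string")
    for key, (allowed, nullable) in ENUMS.items():
        value = alert.get(key)
        if value is None and nullable:
            continue
        if value not in allowed:
            problems.append(f"{key}: unexpected value {value!r}")
    return problems

def detected_artifacts(alert):
    """Collect (entityType, fileName, sha256) for evidence entries marked Detected,
    the entities an analyst usually pivots on first."""
    return [(e["entityType"], e.get("fileName"), e.get("sha256"))
            for e in alert.get("evidence", [])
            if e.get("detectionStatus") == "Detected"]
```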