Update alert
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Update an editable alert property within any integrated solution to keep alert status and assignments in sync across solutions. This method updates any solution that has a record of the referenced alert ID.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

| Permission type | Permissions (from least to most privileged) |
|:---|:---|
| Delegated (work or school account) | SecurityEvents.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. |
| Application | SecurityEvents.ReadWrite.All |
HTTP request
Note: You must include the alert ID as a path parameter and a vendorInformation object containing provider and vendor in the body when using this method.
PATCH /security/alerts/{alert_id}
Request headers

| Name | Description |
|:---|:---|
| Authorization | Bearer {token}. Required. |
| Prefer | return=representation. Optional. |
Request body
In the request body, supply a JSON representation of the values for the relevant fields that should be updated. The body must contain the vendorInformation property with valid provider and vendor fields. The following table lists the fields that can be updated for an alert. The values of existing properties that are not included in the request body do not change. For best performance, do not include existing values that have not changed.

| Property | Type | Description |
|:---|:---|:---|
| assignedTo | String | Name of the analyst the alert is assigned to for triage, investigation, or remediation. |
| closedDateTime | DateTimeOffset | Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| comments | String collection | Analyst comments on the alert (for customer alert management). This method can update the comments field only with the following values: Closed in IPC, Closed in MCAS. |
| feedback | alertFeedback enum | Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive. |
| status | alertStatus enum | Alert lifecycle status (stage). Possible values are: unknown, newAlert, inProgress, resolved. |
| tags | String collection | User-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW"). |
| vendorInformation | securityVendorInformation | Complex type that contains details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker). The provider and vendor fields are required. |
Response
If successful, this method returns a 204 No Content response code.
If the optional Prefer request header is used, the method returns a 200 OK response code and the updated alert object in the response body.
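As an added example (not Microsoft's SDK code or an excerpt from this page), the following standard-library Python helper builds a PATCH body that obeys the constraints documented above, sends it to the endpoint, and interprets the 204 / 200 outcome. The vendor and provider strings, the alert ID and the token are placeholders; the `send` callback is an assumption introduced so the flow can be exercised without network access.

```python
"""Client-side helper for PATCH /beta/security/alerts/{alert_id}.

Standard library only. Mirrors the documented rules: vendorInformation.provider
and .vendor are mandatory on every update, status/feedback must be one of the
documented enum values, comments may only be set to the two values this method
accepts, and closedDateTime is serialised as ISO 8601 in UTC ("...Z").
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple

GRAPH_BETA = "https://graph.microsoft.com/beta"
ALERT_STATUS = {"unknown", "newAlert", "inProgress", "resolved"}
ALERT_FEEDBACK = {"unknown", "truePositive", "falsePositive", "benignPositive"}
ALLOWED_COMMENTS = {"Closed in IPC", "Closed in MCAS"}


def build_patch_body(provider: str, vendor: str, *, status=None, feedback=None,
                     assigned_to=None, comments=None, tags=None,
                     closed_at: Optional[datetime] = None) -> dict:
    """Return a body holding only the fields being changed (plus vendorInformation).

    Anything the service would reject raises ValueError before a request is sent.
    """
    if not provider or not vendor:
        raise ValueError("vendorInformation.provider and .vendor are required")
    body = {"vendorInformation": {"provider": provider, "vendor": vendor}}
    if status is not None:
        if status not in ALERT_STATUS:
            raise ValueError(f"invalid status {status!r}")
        body["status"] = status
    if feedback is not None:
        if feedback not in ALERT_FEEDBACK:
            raise ValueError(f"invalid feedback {feedback!r}")
        body["feedback"] = feedback
    if assigned_to is not None:
        body["assignedTo"] = assigned_to
    if comments is not None:
        rejected = [c for c in comments if c not in ALLOWED_COMMENTS]
        if rejected:
            raise ValueError(f"comments not accepted by this method: {rejected}")
        body["comments"] = list(comments)
    if tags is not None:
        body["tags"] = list(tags)
    if closed_at is not None:
        if closed_at.tzinfo is None:
            raise ValueError("closedDateTime must be timezone-aware")
        # Normalise to UTC and emit the documented "2014-01-01T00:00:00Z" shape.
        body["closedDateTime"] = closed_at.astimezone(timezone.utc).strftime(
            "%Y-%m-%dT%H:%M:%SZ")
    return body


def build_request(alert_id: str, token: str, body: dict,
                  prefer_representation: bool = False) -> urllib.request.Request:
    """Assemble the PATCH exactly as the HTTP examples on this page show."""
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    if prefer_representation:
        headers["Prefer"] = "return=representation"
    url = f"{GRAPH_BETA}/security/alerts/{urllib.parse.quote(alert_id, safe='')}"
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="PATCH")


def interpret_response(status_code: int, raw: bytes, prefer_sent: bool):
    """204 without Prefer -> None; 200 with Prefer -> the updated alert as a dict."""
    if status_code == 204 and not prefer_sent:
        return None
    if status_code == 200 and prefer_sent:
        return json.loads(raw)
    raise RuntimeError(f"unexpected response {status_code}: {raw[:200]!r}")


def update_alert(alert_id: str, token: str, body: dict, *,
                 prefer_representation: bool = False,
                 send: Optional[Callable[[urllib.request.Request],
                                         Tuple[int, bytes]]] = None):
    """Send the update. `send` is an injectable transport (assumption) for offline use."""
    req = build_request(alert_id, token, body, prefer_representation)
    if send is None:
        def send(r):  # real call; the token must carry SecurityEvents.ReadWrite.All
            with urllib.request.urlopen(r) as resp:
                return resp.status, resp.read()
    code, raw = send(req)
    return interpret_response(code, raw, prefer_representation)


def example_body() -> dict:
    """Body that resolves an alert; vendor values and close time are constructed."""
    return build_patch_body(
        "Windows Defender ATP", "Microsoft", status="resolved",
        feedback="truePositive", comments=["Closed in MCAS"],
        closed_at=datetime(2014, 1, 1, tzinfo=timezone.utc))
```

Call `update_alert(alert_id, token, example_body(), prefer_representation=True)` with a real alert ID and an access token that carries SecurityEvents.ReadWrite.All; it returns the updated alert as a dict, or None when the Prefer header is omitted and the service answers 204. Validating the body locally keeps malformed updates (a free-text comment, a naive datetime, a missing vendor) from ever reaching the tenant.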
Examples
Request
The following is an example of the request without the Prefer header.
PATCH https://graph.microsoft.com/beta/security/alerts/{alert_id}
Content-type: application/json
{
"assignedTo": "String",
"closedDateTime": "String (timestamp)",
"comments": ["String"],
"feedback": "@odata.type: microsoft.graph.alertFeedback",
"status": "@odata.type: microsoft.graph.alertStatus",
"tags": ["String"],
"vendorInformation":
{
"provider": "String",
"vendor": "String"
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var alert = new Alert
{
AssignedTo = "String",
ClosedDateTime = DateTimeOffset.Parse("String (timestamp)"),
Comments = new List<String>()
{
"String"
},
Feedback = AlertFeedback.Unknown,
Status = AlertStatus.Unknown,
Tags = new List<String>()
{
"String"
},
VendorInformation = new SecurityVendorInformation
{
Provider = "String",
Vendor = "String"
}
};
await graphClient.Security.Alerts["{alert-id}"]
.Request()
.UpdateAsync(alert);
const options = {
authProvider,
};
const client = Client.init(options);
const alert = {
assignedTo: 'String',
closedDateTime: 'String (timestamp)',
comments: ['String'],
feedback: '@odata.type: microsoft.graph.alertFeedback',
status: '@odata.type: microsoft.graph.alertStatus',
tags: ['String'],
vendorInformation:
{
provider: 'String',
vendor: 'String'
}
};
await client.api('/security/alerts/{alert_id}')
.version('beta')
.update(alert);
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/security/alerts/{alert_id}"]]];
[urlRequest setHTTPMethod:@"PATCH"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphAlert *alert = [[MSGraphAlert alloc] init];
[alert setAssignedTo:@"String"];
[alert setClosedDateTime:@"String (timestamp)"];
NSMutableArray *commentsList = [[NSMutableArray alloc] init];
[commentsList addObject: @"String"];
[alert setComments:commentsList];
[alert setFeedback: [MSGraphAlertFeedback unknown]];
[alert setStatus: [MSGraphAlertStatus unknown]];
NSMutableArray *tagsList = [[NSMutableArray alloc] init];
[tagsList addObject: @"String"];
[alert setTags:tagsList];
MSGraphSecurityVendorInformation *vendorInformation = [[MSGraphSecurityVendorInformation alloc] init];
[vendorInformation setProvider:@"String"];
[vendorInformation setVendor:@"String"];
[alert setVendorInformation:vendorInformation];
NSError *error;
NSData *alertData = [alert getSerializedDataWithError:&error];
[urlRequest setHTTPBody:alertData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
Alert alert = new Alert();
alert.assignedTo = "String";
alert.closedDateTime = OffsetDateTimeSerializer.deserialize("String (timestamp)");
LinkedList<String> commentsList = new LinkedList<String>();
commentsList.add("String");
alert.comments = commentsList;
alert.feedback = AlertFeedback.UNKNOWN;
alert.status = AlertStatus.UNKNOWN;
LinkedList<String> tagsList = new LinkedList<String>();
tagsList.add("String");
alert.tags = tagsList;
SecurityVendorInformation vendorInformation = new SecurityVendorInformation();
vendorInformation.provider = "String";
vendorInformation.vendor = "String";
alert.vendorInformation = vendorInformation;
graphClient.security().alerts("{alert_id}")
.buildRequest()
.patch(alert);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewAlert()
assignedTo := "String"
requestBody.SetAssignedTo(&assignedTo)
closedDateTime, _ := time.Parse(time.RFC3339, "String (timestamp)")
requestBody.SetClosedDateTime(&closedDateTime)
requestBody.SetComments([]string{
    "String",
})
feedback := "@odata.type: microsoft.graph.alertFeedback"
requestBody.SetFeedback(&feedback)
status := "@odata.type: microsoft.graph.alertStatus"
requestBody.SetStatus(&status)
requestBody.SetTags([]string{
    "String",
})
vendorInformation := msgraphsdk.NewSecurityVendorInformation()
requestBody.SetVendorInformation(vendorInformation)
provider := "String"
vendorInformation.SetProvider(&provider)
vendor := "String"
vendorInformation.SetVendor(&vendor)
alertId := "alert-id"
graphClient.Security().AlertsById(&alertId).Patch(requestBody)
Import-Module Microsoft.Graph.Security
$params = @{
AssignedTo = "String"
ClosedDateTime = [System.DateTime]::Parse("String (timestamp)")
Comments = @(
"String"
)
Feedback = "@odata.type: microsoft.graph.alertFeedback"
Status = "@odata.type: microsoft.graph.alertStatus"
Tags = @(
"String"
)
VendorInformation = @{
Provider = "String"
Vendor = "String"
}
}
Update-MgSecurityAlert -AlertId $alertId -BodyParameter $params
Response
The following is an example of a successful response.
HTTP/1.1 204 No Content
Request
The following example shows a request that includes the Prefer request header.
PATCH https://graph.microsoft.com/beta/security/alerts/{alert_id}
Content-type: application/json
Prefer: return=representation
{
"assignedTo": "String",
"closedDateTime": "String (timestamp)",
"comments": ["String"],
"feedback": "@odata.type: microsoft.graph.alertFeedback",
"status": "@odata.type: microsoft.graph.alertStatus",
"tags": ["String"],
"vendorInformation":
{
"provider": "String",
"vendor": "String"
}
}
GraphServiceClient graphClient = new GraphServiceClient( authProvider );
var alert = new Alert
{
AssignedTo = "String",
ClosedDateTime = DateTimeOffset.Parse("String (timestamp)"),
Comments = new List<String>()
{
"String"
},
Feedback = AlertFeedback.Unknown,
Status = AlertStatus.Unknown,
Tags = new List<String>()
{
"String"
},
VendorInformation = new SecurityVendorInformation
{
Provider = "String",
Vendor = "String"
}
};
await graphClient.Security.Alerts["{alert-id}"]
.Request()
.Header("Prefer","return=representation")
.UpdateAsync(alert);
const options = {
authProvider,
};
const client = Client.init(options);
const alert = {
assignedTo: 'String',
closedDateTime: 'String (timestamp)',
comments: ['String'],
feedback: '@odata.type: microsoft.graph.alertFeedback',
status: '@odata.type: microsoft.graph.alertStatus',
tags: ['String'],
vendorInformation:
{
provider: 'String',
vendor: 'String'
}
};
await client.api('/security/alerts/{alert_id}')
.version('beta')
.update(alert);
MSHTTPClient *httpClient = [MSClientFactory createHTTPClientWithAuthenticationProvider:authenticationProvider];
NSString *MSGraphBaseURL = @"https://graph.microsoft.com/beta/";
NSMutableURLRequest *urlRequest = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:[MSGraphBaseURL stringByAppendingString:@"/security/alerts/{alert_id}"]]];
[urlRequest setHTTPMethod:@"PATCH"];
[urlRequest setValue:@"return=representation" forHTTPHeaderField:@"Prefer"];
[urlRequest setValue:@"application/json" forHTTPHeaderField:@"Content-Type"];
MSGraphAlert *alert = [[MSGraphAlert alloc] init];
[alert setAssignedTo:@"String"];
[alert setClosedDateTime:@"String (timestamp)"];
NSMutableArray *commentsList = [[NSMutableArray alloc] init];
[commentsList addObject: @"String"];
[alert setComments:commentsList];
[alert setFeedback: [MSGraphAlertFeedback unknown]];
[alert setStatus: [MSGraphAlertStatus unknown]];
NSMutableArray *tagsList = [[NSMutableArray alloc] init];
[tagsList addObject: @"String"];
[alert setTags:tagsList];
MSGraphSecurityVendorInformation *vendorInformation = [[MSGraphSecurityVendorInformation alloc] init];
[vendorInformation setProvider:@"String"];
[vendorInformation setVendor:@"String"];
[alert setVendorInformation:vendorInformation];
NSError *error;
NSData *alertData = [alert getSerializedDataWithError:&error];
[urlRequest setHTTPBody:alertData];
MSURLSessionDataTask *meDataTask = [httpClient dataTaskWithRequest:urlRequest
completionHandler: ^(NSData *data, NSURLResponse *response, NSError *nserror) {
//Request Completed
}];
[meDataTask execute];
GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();
LinkedList<Option> requestOptions = new LinkedList<Option>();
requestOptions.add(new HeaderOption("Prefer", "return=representation"));
Alert alert = new Alert();
alert.assignedTo = "String";
alert.closedDateTime = OffsetDateTimeSerializer.deserialize("String (timestamp)");
LinkedList<String> commentsList = new LinkedList<String>();
commentsList.add("String");
alert.comments = commentsList;
alert.feedback = AlertFeedback.UNKNOWN;
alert.status = AlertStatus.UNKNOWN;
LinkedList<String> tagsList = new LinkedList<String>();
tagsList.add("String");
alert.tags = tagsList;
SecurityVendorInformation vendorInformation = new SecurityVendorInformation();
vendorInformation.provider = "String";
vendorInformation.vendor = "String";
alert.vendorInformation = vendorInformation;
graphClient.security().alerts("{alert_id}")
.buildRequest( requestOptions )
.patch(alert);
//THE GO SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
graphClient := msgraphsdk.NewGraphServiceClient(requestAdapter)
requestBody := msgraphsdk.NewAlert()
assignedTo := "String"
requestBody.SetAssignedTo(&assignedTo)
closedDateTime, _ := time.Parse(time.RFC3339, "String (timestamp)")
requestBody.SetClosedDateTime(&closedDateTime)
requestBody.SetComments([]string{
    "String",
})
feedback := "@odata.type: microsoft.graph.alertFeedback"
requestBody.SetFeedback(&feedback)
status := "@odata.type: microsoft.graph.alertStatus"
requestBody.SetStatus(&status)
requestBody.SetTags([]string{
    "String",
})
vendorInformation := msgraphsdk.NewSecurityVendorInformation()
requestBody.SetVendorInformation(vendorInformation)
provider := "String"
vendorInformation.SetProvider(&provider)
vendor := "String"
vendorInformation.SetVendor(&vendor)
headers := map[string]string{
    "Prefer": "return=representation",
}
options := &msgraphsdk.AlertRequestBuilderPatchRequestConfiguration{
Headers: headers,
}
alertId := "alert-id"
graphClient.Security().AlertsById(&alertId).PatchWithRequestConfigurationAndResponseHandler(requestBody, options, nil)
Import-Module Microsoft.Graph.Security
$params = @{
AssignedTo = "String"
ClosedDateTime = [System.DateTime]::Parse("String (timestamp)")
Comments = @(
"String"
)
Feedback = "@odata.type: microsoft.graph.alertFeedback"
Status = "@odata.type: microsoft.graph.alertStatus"
Tags = @(
"String"
)
VendorInformation = @{
Provider = "String"
Vendor = "String"
}
}
Update-MgSecurityAlert -AlertId $alertId -BodyParameter $params
Response
The following is an example of the response when the optional Prefer: return=representation request header is used.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"activityGroupName": "activityGroupName-value",
"assignedTo": "assignedTo-value",
"azureSubscriptionId": "azureSubscriptionId-value",
"azureTenantId": "azureTenantId-value",
"category": "category-value",
"closedDateTime": "datetime-value"
}