Alert resource type

Applies to:

Note

If you are a US Government customer, use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

  • api-us.securitycenter.microsoft.com
  • api-eu.securitycenter.microsoft.com
  • api-uk.securitycenter.microsoft.com

Methods

| Method | Return Type | Description |
|---|---|---|
| Get alert | Alert | Get a single alert object. |
| List alerts | Alert collection | List the alert collection. |
| Update alert | Alert | Update a specific alert. |
| Batch update alerts | | Update a batch of alerts. |
| Create alert | Alert | Create an alert based on event data obtained from Advanced Hunting. |
| List related domains | Domain collection | List URLs associated with the alert. |
| List related files | File collection | List the file entities that are associated with the alert. |
| List related IPs | IP collection | List IPs that are associated with the alert. |
| Get related machines | Machine | The machine that is associated with the alert. |
| Get related users | User | The user that is associated with the alert. |

Properties

| Property | Type | Description |
|---|---|---|
| id | String | Alert ID. |
| title | String | Alert title. |
| description | String | Alert description. |
| alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created. |
| lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device. |
| firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device. |
| lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated. |
| resolvedTime | Nullable DateTimeOffset | The date and time at which the status of the alert was changed to 'Resolved'. |
| incidentId | Nullable Long | The Incident ID of the alert. |
| investigationId | Nullable Long | The Investigation ID related to the alert. |
| investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. |
| assignedTo | String | Owner of the alert. |
| severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. |
| status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. |
| classification | Nullable Enum | Classification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. |
| determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. |
| category | String | Category of the alert. |
| detectionSource | String | Detection source. |
| threatFamilyName | String | Threat family. |
| threatName | String | Threat name. |
| machineId | String | ID of the machine entity that is associated with the alert. |
| computerDnsName | String | Fully qualified name of the machine. |
| aadTenantId | String | The Azure Active Directory tenant ID. |
| detectorId | String | The ID of the detector that triggered the alert. |
| rbacGroupName | String | Name of the RBAC group the machine belongs to (present in the example below). |
| mitreTechniques | List of strings | MITRE ATT&CK technique IDs associated with the alert (present in the example below). |
| relatedUser | User | The user (userName, domainName) associated with the alert (present in the example below). |
| comments | List of Alert comments | Each Alert Comment object contains: comment (String), createdBy (String) and createdTime (DateTime), as in the example below. |
| evidence | List of Alert evidence | Evidence related to the alert. See the example below. |
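The Get alert, List alerts and Update alert methods above, exercised from a small client. This is an added example, not Microsoft's SDK or sample code: it assumes you already hold an OAuth2 bearer token for the WindowsDefenderATP API (obtained elsewhere), and the `transport` hook is this example's own device so the client can be driven offline in tests. The allowed values for status, classification and determination are copied from the Properties table, so a typo is rejected locally instead of coming back as an HTTP 400.

```python
"""Minimal client for the alert resource's Get / List / Update methods.

Added example, not Microsoft code. Assumes a bearer token obtained elsewhere;
the `transport` parameter is a hypothetical hook used for offline testing.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Default host; the regional hosts from the tip above are drop-in replacements.
BASE_URL = "https://api.securitycenter.microsoft.com"

# Allowed values, copied from the Properties table on this page.
STATUS = {"Unknown", "New", "InProgress", "Resolved"}
CLASSIFICATION = {"Unknown", "FalsePositive", "TruePositive"}
DETERMINATION = {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                 "SecurityTesting", "UnwantedSoftware", "Other"}
# Fields the Update alert method accepts.
UPDATABLE = {"status", "assignedTo", "classification", "determination", "comment"}


def http_transport(method, url, headers, body):
    """Real transport: send the request with urllib and return (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


class MdeAlertsClient:
    def __init__(self, token, base_url=BASE_URL, transport=http_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.headers = {"Authorization": f"Bearer {token}",
                        "Accept": "application/json"}

    def _call(self, method, path, query=None, payload=None):
        url = f"{self.base_url}/api/{path}"
        if query:
            url += "?" + urllib.parse.urlencode(query)
        headers = dict(self.headers)
        body = None
        if payload is not None:
            body = json.dumps(payload).encode()
            headers["Content-Type"] = "application/json"
        status, data = self.transport(method, url, headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {url} failed: HTTP {status}: {data}")
        return data

    def get_alert(self, alert_id):
        """Get alert: one alert object by id."""
        return self._call("GET", "alerts/" + urllib.parse.quote(alert_id, safe=""))

    def list_alerts(self, odata_filter=None, top=None):
        """List alerts: returns the alert collection (the OData 'value' array)."""
        query = {}
        if odata_filter:
            query["$filter"] = odata_filter
        if top:
            query["$top"] = int(top)
        return self._call("GET", "alerts", query)["value"]

    def update_alert(self, alert_id, **fields):
        """Update alert: PATCH only updatable fields, with enum values validated first."""
        unknown = set(fields) - UPDATABLE
        if unknown:
            raise ValueError(f"not updatable via this method: {sorted(unknown)}")
        for name, allowed in (("status", STATUS), ("classification", CLASSIFICATION),
                              ("determination", DETERMINATION)):
            if name in fields and fields[name] not in allowed:
                raise ValueError(f"{name}={fields[name]!r} not in {sorted(allowed)}")
        return self._call("PATCH", "alerts/" + urllib.parse.quote(alert_id, safe=""),
                          payload=fields)


def new_high_alerts_filter(since_iso):
    """OData filter a triage job would pass to list_alerts (property names from the table)."""
    return f"alertCreationTime ge {since_iso} and status eq 'New' and severity eq 'High'"
```

Closing an alert is a PATCH with `status="Resolved"` plus a classification and determination; the client refuses values outside the enums in the table so the audit trail stays consistent across tooling.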

Response example for getting a single alert:

GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609
{
    "id": "da637472900382838869_1364969609",
    "incidentId": 1126093,
    "investigationId": null,
    "assignedTo": null,
    "severity": "Low",
    "status": "New",
    "classification": null,
    "determination": null,
    "investigationState": "Queued",
    "detectionSource": "WindowsDefenderAtp",
    "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
    "category": "Execution",
    "threatFamilyName": null,
    "title": "Low-reputation arbitrary code executed by signed executable",
    "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
    "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
    "firstEventTime": "2021-01-26T20:31:32.9562661Z",
    "lastEventTime": "2021-01-26T20:31:33.0577322Z",
    "lastUpdateTime": "2021-01-26T20:33:59.2Z",
    "resolvedTime": null,
    "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
    "computerDnsName": "temp123.middleeast.corp.microsoft.com",
    "rbacGroupName": "A",
    "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
    "threatName": null,
    "mitreTechniques": [
        "T1064",
        "T1085",
        "T1220"
    ],
    "relatedUser": {
        "userName": "temp123",
        "domainName": "MIDDLEEAST"
    },
    "comments": [
        {
            "comment": "test comment for docs",
            "createdBy": "secop123@contoso.com",
            "createdTime": "2021-01-26T01:00:37.8404534Z"
        }
    ],
    "evidence": [
        {
            "entityType": "User",
            "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
            "sha1": null,
            "sha256": null,
            "fileName": null,
            "filePath": null,
            "processId": null,
            "processCommandLine": null,
            "processCreationTime": null,
            "parentProcessId": null,
            "parentProcessCreationTime": null,
            "parentProcessFileName": null,
            "parentProcessFilePath": null,
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": "eranb",
            "domainName": "MIDDLEEAST",
            "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
            "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
            "userPrincipalName": "temp123@microsoft.com",
            "detectionStatus": null
        },
        {
            "entityType": "Process",
            "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
            "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
            "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
            "fileName": "rundll32.exe",
            "filePath": "C:\\Windows\\SysWOW64",
            "processId": 3276,
            "processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
            "processCreationTime": "2021-01-26T20:31:32.9581596Z",
            "parentProcessId": 8420,
            "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
            "parentProcessFileName": "rundll32.exe",
            "parentProcessFilePath": "C:\\Windows\\System32",
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": null,
            "domainName": null,
            "userSid": null,
            "aadUserId": null,
            "userPrincipalName": null,
            "detectionStatus": "Detected"
        },
        {
            "entityType": "File",
            "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
            "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
            "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
            "fileName": "suspicious.dll",
            "filePath": "c:\\temp",
            "processId": null,
            "processCommandLine": null,
            "processCreationTime": null,
            "parentProcessId": null,
            "parentProcessCreationTime": null,
            "parentProcessFileName": null,
            "parentProcessFilePath": null,
            "ipAddress": null,
            "url": null,
            "registryKey": null,
            "registryHive": null,
            "registryValueType": null,
            "registryValue": null,
            "accountName": null,
            "domainName": null,
            "userSid": null,
            "aadUserId": null,
            "userPrincipalName": null,
            "detectionStatus": "Detected"
        }
    ]
}
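Triage helpers run over the response above: parsing the API's seven-digit DateTimeOffset strings (which Python's strptime cannot take directly), checking the firstEventTime/lastEventTime/alertCreationTime ordering, grouping evidence by entityType, pulling the detected hashes and the parent-to-child process chain, and a simple "does a human need to look" rule. This is an added example, not Microsoft code; SAMPLE_ALERT is a trimmed copy of the page's example with null evidence fields dropped, and all function names and the AUTO_HANDLED rule are this example's own.

```python
"""Triage helpers for the alert resource (added example, not Microsoft code).

SAMPLE_ALERT is a trimmed copy of the response example on this page; the
helper names and the AUTO_HANDLED triage rule are assumptions of this example.
"""
from datetime import datetime, timezone

SAMPLE_ALERT = {  # constructed from the page's example response, nulls dropped
    "id": "da637472900382838869_1364969609",
    "incidentId": 1126093,
    "severity": "Low",
    "status": "New",
    "investigationState": "Queued",
    "category": "Execution",
    "title": "Low-reputation arbitrary code executed by signed executable",
    "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
    "firstEventTime": "2021-01-26T20:31:32.9562661Z",
    "lastEventTime": "2021-01-26T20:31:33.0577322Z",
    "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
    "computerDnsName": "temp123.middleeast.corp.microsoft.com",
    "mitreTechniques": ["T1064", "T1085", "T1220"],
    "evidence": [
        {"entityType": "User", "accountName": "eranb", "domainName": "MIDDLEEAST",
         "userSid": "S-1-5-21-11111607-1111760036-109187956-75141"},
        {"entityType": "Process", "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
         "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
         "fileName": "rundll32.exe", "filePath": "C:\\Windows\\SysWOW64",
         "processId": 3276,
         "processCommandLine": "rundll32.exe  c:\\temp\\suspicious.dll,RepeatAfterMe",
         "parentProcessId": 8420, "parentProcessFileName": "rundll32.exe",
         "parentProcessFilePath": "C:\\Windows\\System32", "detectionStatus": "Detected"},
        {"entityType": "File", "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
         "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
         "fileName": "suspicious.dll", "filePath": "c:\\temp", "detectionStatus": "Detected"},
    ],
}

# Investigation states in which automation closed the alert out on its own
# (this example's rule; every other open alert goes to an analyst).
AUTO_HANDLED = {"SuccessfullyRemediated", "Benign"}


def parse_time(value):
    """Parse the API's DateTimeOffset strings: UTC 'Z' suffix, up to 7 fractional digits."""
    if value is None:
        return None
    head, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]  # .NET ticks give 7 digits; %f accepts at most 6
    return datetime.strptime(f"{head}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(
        tzinfo=timezone.utc)


def timeline_is_consistent(alert):
    """firstEventTime <= lastEventTime <= alertCreationTime, all present."""
    first, last, created = (parse_time(alert.get(k)) for k in
                            ("firstEventTime", "lastEventTime", "alertCreationTime"))
    return None not in (first, last, created) and first <= last <= created


def evidence_by_type(alert):
    """Group the evidence list by entityType (User, Process, File, ...)."""
    grouped = {}
    for ev in alert.get("evidence", []):
        grouped.setdefault(ev.get("entityType"), []).append(ev)
    return grouped


def detected_hashes(alert, algo="sha256"):
    """Hashes of Process/File evidence the sensor marked Detected: what to block or hunt."""
    return sorted({ev[algo] for ev in alert.get("evidence", [])
                   if ev.get("entityType") in ("Process", "File")
                   and ev.get("detectionStatus") == "Detected" and ev.get(algo)})


def process_chain(alert):
    """(parent, child, command line) triples from Process evidence."""
    chain = []
    for ev in evidence_by_type(alert).get("Process", []):
        parent = (f"{ev.get('parentProcessFilePath')}\\{ev.get('parentProcessFileName')}"
                  f" (pid {ev.get('parentProcessId')})")
        child = f"{ev.get('filePath')}\\{ev.get('fileName')} (pid {ev.get('processId')})"
        chain.append((parent, child, ev.get("processCommandLine")))
    return chain


def needs_analyst(alert):
    """Open alert that automated investigation has not fully handled."""
    return (alert.get("status") in {"New", "InProgress"}
            and alert.get("investigationState") not in AUTO_HANDLED)


def triage_summary(alert):
    """Compact record for a queue or ticket."""
    return {"id": alert["id"], "incident": alert.get("incidentId"),
            "host": alert.get("computerDnsName"), "severity": alert.get("severity"),
            "techniques": list(alert.get("mitreTechniques", [])),
            "timeline_ok": timeline_is_consistent(alert),
            "hashes": detected_hashes(alert), "chain": process_chain(alert),
            "needs_analyst": needs_analyst(alert)}
```

Note that the Process evidence here is signed `rundll32.exe` loading `c:\temp\suspicious.dll`, so the hashes worth acting on are the DLL's, while the rundll32 hash is a legitimate binary: filter by `detectionStatus` and `entityType`, not by hash alone.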