Update alert

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

  • api-us.securitycenter.microsoft.com
  • api-eu.securitycenter.microsoft.com
  • api-uk.securitycenter.microsoft.com

API description

Updates properties of an existing Alert.
A comment can be submitted with or without updating any properties.
Updatable properties are: status, determination, classification and assignedTo.

Limitations

  1. You can only update alerts that are available through the API. See List Alerts for more information.
  2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type                     Permission             Permission display name
Application                         Alerts.ReadWrite.All   'Read and write all alerts'
Delegated (work or school account)  Alert.ReadWrite        'Read and write alerts'

Note

When obtaining a token using user credentials:

  • The user needs to have at least the following role permission: 'Alerts investigation' (see Create and manage roles for more information).
  • The user needs to have access to the device associated with the alert, based on device group settings (see Create and manage device groups for more information).

HTTP request

PATCH /api/alerts/{id}

Request headers

Name           Type    Description
Authorization  String  Bearer {token}. Required.
Content-Type   String  application/json. Required.

Request body

In the request body, supply values only for the fields that should be updated.
Existing properties that are not included in the request body keep their previous values, or are recalculated based on changes to other property values.
For best performance, do not include existing values that have not changed.

Property        Type    Description
status          String  Specifies the current status of the alert. Allowed values: 'New', 'InProgress', 'Resolved'.
assignedTo      String  Owner of the alert.
classification  String  Specifies the classification of the alert. Allowed values: 'Unknown', 'FalsePositive', 'TruePositive'.
determination   String  Specifies the determination of the alert. Allowed values: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
comment         String  Comment to be added to the alert.

Response

If successful, this method returns 200 OK and the alert entity with the updated properties in the response body. If no alert with the specified id exists, it returns 404 Not Found.

Example

Request

Here is an example of the request.

PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442
{
    "status": "Resolved",
    "assignedTo": "secop2@contoso.com",
    "classification": "FalsePositive",
    "determination": "Malware",
    "comment": "Resolve my alert and assign to secop2"
}
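The request above, as a runnable Python example that is added here and is not part of the original page or of any Microsoft SDK. It applies the rules from the "Request body" section: the three enumerated properties are checked against the allowed values before anything is sent, properties that already match the alert as previously read from the API are dropped so only changed values travel, a comment can be sent on its own, and a 404 is surfaced as a distinct error. `fake_opener`, `SAMPLE_ALERT` and the `<token>` placeholder are constructed stand-ins so the flow runs offline; against a real tenant, pass a bearer token obtained for the permissions listed above and leave `opener` at its default of `urllib.request.urlopen`.

```python
"""Build and send a minimal PATCH /api/alerts/{id} request (added example)."""
import json
import urllib.error
import urllib.request

# Default endpoint; api-us/api-eu/api-uk from the page can be substituted.
BASE_URL = "https://api.securitycenter.microsoft.com"

# Allowed values for the enumerated updatable properties (from the page).
UPDATABLE = ("status", "assignedTo", "classification", "determination")
ENUMS = {
    "status": {"New", "InProgress", "Resolved"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}

# Constructed sample alert; the id is the one in the page's example request.
SAMPLE_ALERT_ID = "121688558380765161_2136280442"
SAMPLE_ALERT = {"id": SAMPLE_ALERT_ID, "status": "New", "assignedTo": None,
                "classification": "Unknown", "determination": "NotAvailable"}


def build_update_body(current, comment=None, **changes):
    """Return the PATCH body: only properties that differ from `current`
    (the alert entity as last read from the API) plus an optional comment.
    Unknown property names or out-of-range enum values raise ValueError."""
    body = {}
    for prop, value in changes.items():
        if prop not in UPDATABLE:
            raise ValueError(f"{prop!r} is not an updatable alert property")
        allowed = ENUMS.get(prop)
        if allowed is not None and value not in allowed:
            raise ValueError(f"{prop}={value!r}; expected one of {sorted(allowed)}")
        if current.get(prop) != value:          # skip unchanged values
            body[prop] = value
    if comment is not None:
        body["comment"] = comment
    if not body:
        raise ValueError("nothing to update: no changed property and no comment")
    return body


def build_request(alert_id, body, token, base_url=BASE_URL):
    """Construct the PATCH request with the two required headers."""
    return urllib.request.Request(
        f"{base_url}/api/alerts/{alert_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def update_alert(alert_id, body, token, opener=urllib.request.urlopen):
    """Send the PATCH and return the updated alert entity as a dict.
    `opener` is injectable so the flow can be exercised offline."""
    req = build_request(alert_id, body, token)
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 404:                      # documented: unknown alert id
            raise LookupError(f"alert {alert_id} not found") from err
        raise


class _FakeResponse:
    """Constructed stand-in for an HTTP response object (offline use only)."""
    def __init__(self, payload):
        self._payload = payload
    def read(self):
        return json.dumps(self._payload).encode("utf-8")
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def fake_opener(req):
    """Constructed stand-in for the service: merges the PATCH body into the
    sample alert, or raises 404 for any other id, mirroring the page."""
    alert_id = req.full_url.rsplit("/", 1)[1]
    if alert_id != SAMPLE_ALERT_ID:
        raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)
    patch = json.loads(req.data.decode("utf-8"))
    entity = dict(SAMPLE_ALERT)
    entity.update({k: v for k, v in patch.items() if k != "comment"})
    return _FakeResponse(entity)


if __name__ == "__main__":
    body = build_update_body(SAMPLE_ALERT, status="Resolved",
                             assignedTo="secop2@contoso.com",
                             classification="FalsePositive",
                             determination="Malware",
                             comment="Resolve my alert and assign to secop2")
    print(json.dumps(body, indent=2))
    print(update_alert(SAMPLE_ALERT_ID, body, "<token>", opener=fake_opener))
```

Reading the alert first and diffing against it is what lets the client honour the "don't resend unchanged values" guidance without the operator having to remember the alert's current state; the validation step catches a typo such as `Closed` locally rather than spending one of the 100 calls per minute on a request the service will reject.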