Microsoft 365 Defender incidents API and the incident resource type

Important

The improved Microsoft 365 security center is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email, and cross-product investigations, configuration, and remediation without the need to navigate to separate product portals. Learn more about what's changed.

Applies to:

  • Microsoft 365 Defender

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

An incident is a collection of related alerts that help describe an attack. Events from different entities in your organization are automatically aggregated by Microsoft 365 Defender. You can use the incidents API to programmatically access your organization's incidents and related alerts.

Quotas and resource allocation

You can request up to 50 calls per minute or 1500 calls per hour. Each method also has its own quotas. For more information on method-specific quotas, see the respective article for the method you want to use.

A 429 HTTP response code indicates that you've reached a quota, either by number of requests sent or by allotted running time. The response body will include the time until the quota you reached is reset.

Permissions

The incidents API requires different kinds of permissions for each of its methods. For more information about required permissions, see the respective method's article.

Methods

| Method | Return Type | Description |
|---|---|---|
| List incidents | Incident list | Get a list of incidents. |
| Update incident | Incident | Update a specific incident. |

Request body, response, and examples

Refer to the respective method articles for more details on how to construct a request or parse a response, and for practical examples.

Common properties

| Property | Type | Description |
|---|---|---|
| incidentId | long | Incident unique ID. |
| redirectIncidentId | nullable long | The incident ID the current incident was merged to. |
| incidentName | string | The name of the incident. |
| createdTime | DateTimeOffset | The date and time (in UTC) the incident was created. |
| lastUpdateTime | DateTimeOffset | The date and time (in UTC) the incident was last updated. |
| assignedTo | string | Owner of the incident. |
| severity | Enum | Severity of the incident. Possible values are: UnSpecified, Informational, Low, Medium, and High. |
| status | Enum | Specifies the current status of the incident. Possible values are: Active, Resolved, and Redirected. |
| classification | Enum | Classification of the incident. Possible values are: Unknown, FalsePositive, TruePositive. |
| determination | Enum | Specifies the determination of the incident. Possible values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. |
| tags | string List | List of incident tags. |
| alerts | Alert List | List of related alerts. See examples at List incidents API documentation. |
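As an added example (not part of this article or of Microsoft's SDKs), the following Python validates incident objects against the enum values and nullable field listed above and builds a triage queue of Active, unmerged incidents at Medium severity or higher. The sample payload is constructed to mirror the shape of a List incidents response; the rule that a Redirected incident must carry a redirectIncidentId is an assumption, not something the table states.

```python
import json

# Enum values exactly as listed in the common properties table; severity is ranked for sorting.
SEVERITY = {"UnSpecified": 0, "Informational": 1, "Low": 2, "Medium": 3, "High": 4}
ENUMS = {
    "severity": set(SEVERITY),
    "status": {"Active", "Resolved", "Redirected"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}

def parse_incident(obj: dict) -> dict:
    """Validate one incident object; raise ValueError on an undocumented enum value."""
    for field, allowed in ENUMS.items():
        if obj.get(field) not in allowed:
            raise ValueError(f"{field}={obj.get(field)!r} is not a documented value")
    redirect = obj.get("redirectIncidentId")  # nullable long: None when not merged
    # Assumed consistency rule (not stated on the page): a Redirected incident
    # must carry the ID of the incident it was merged into.
    if obj["status"] == "Redirected" and redirect is None:
        raise ValueError(f"incident {obj['incidentId']} is Redirected without redirectIncidentId")
    return {"incidentId": int(obj["incidentId"]), "redirectIncidentId": redirect,
            "incidentName": obj["incidentName"], "severity": obj["severity"],
            "status": obj["status"], "tags": list(obj.get("tags") or []),
            "alertCount": len(obj.get("alerts") or [])}

def triage(incidents: list) -> list:
    """IDs of Active, unmerged incidents at Medium severity or above, most severe first."""
    open_ = [i for i in incidents
             if i["status"] == "Active" and i["redirectIncidentId"] is None
             and SEVERITY[i["severity"]] >= SEVERITY["Medium"]]
    return [i["incidentId"] for i in sorted(open_, key=lambda i: -SEVERITY[i["severity"]])]

# Constructed sample in the shape of a List incidents response (not real tenant data).
SAMPLE = json.loads("""{"value": [
 {"incidentId": 101, "redirectIncidentId": null, "incidentName": "Multi-stage incident",
  "severity": "High", "status": "Active", "classification": "Unknown",
  "determination": "NotAvailable", "tags": ["vip"], "alerts": [{"alertId": "a1"}, {"alertId": "a2"}]},
 {"incidentId": 102, "redirectIncidentId": 101, "incidentName": "Suspicious sign-in",
  "severity": "Medium", "status": "Redirected", "classification": "Unknown",
  "determination": "NotAvailable", "tags": [], "alerts": [{"alertId": "a3"}]},
 {"incidentId": 103, "redirectIncidentId": null, "incidentName": "Phishing email delivered",
  "severity": "Medium", "status": "Active", "classification": "TruePositive",
  "determination": "Malware", "tags": [], "alerts": []}]}""")

def triage_sample() -> list:
    """Parse the constructed sample and return the triage queue: [101, 103]."""
    return triage([parse_incident(o) for o in SAMPLE["value"]])
```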