Update alert

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

If you are a US Government customer, use the URIs listed in Microsoft Defender for Endpoint for US Government customers.

Tip

For better performance, you can use a server closer to your geo location:

  • api-us.securitycenter.microsoft.com
  • api-eu.securitycenter.microsoft.com
  • api-uk.securitycenter.microsoft.com

API description

Updates properties of an existing Alert.
A comment can be submitted with or without updating properties.
Updatable properties are: status, determination, classification and assignedTo.

Limitations

  1. You can only update alerts that are available in the API. See List Alerts for more information.
  2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs.

Permission type                       Permission             Permission display name
Application                           Alerts.ReadWrite.All   'Read and write all alerts'
Delegated (work or school account)    Alert.ReadWrite        'Read and write alerts'

Note

When obtaining a token using user credentials:

  • The user needs to have at least the following role permission: 'Alerts investigation' (see Create and manage roles for more information).
  • The user needs to have access to the device associated with the alert, based on device group settings (see Create and manage device groups for more information).

HTTP request

PATCH /api/alerts/{id}

Request headers

Name            Type     Description
Authorization   String   Bearer {token}. Required.
Content-Type    String   application/json. Required.

Request body

In the request body, supply the values for the relevant fields that should be updated.
Existing properties that are not included in the request body keep their previous values, or are recalculated based on changes to other property values.
For best performance, do not include existing values that have not changed.

Property         Type     Description
status           String   Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
assignedTo       String   Owner of the alert.
classification   String   Specifies the classification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination    String   Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
comment          String   Comment to be added to the alert.

Response

If successful, this method returns 200 OK and the alert entity with the updated properties in the response body. If an alert with the specified id was not found, it returns 404 Not Found.

Example

Request

Here is an example of the request.

PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442
{
    "status": "Resolved",
    "assignedTo": "secop2@contoso.com",
    "classification": "FalsePositive",
    "determination": "Malware",
    "comment": "Resolve my alert and assign to secop2"
}
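The following Python is an added example and is not code from the original page or from Microsoft. It shows how a client would build the PATCH request above, validate the body against the documented property names and enum values before sending (so a typo such as 'Resolve' fails locally rather than as an API error), map the two documented response codes, and stay under the page's rate limits of 100 calls per minute and 1500 calls per hour. The function and class names (build_update_alert_request, validate_fields, handle_update_response, RateLimiter) are my own; the host, path, header names, property names, enum values and the alert id come from this page. Nothing is sent over the network.

```python
"""Build, validate and rate-limit Update-alert PATCH requests for the
Microsoft Defender for Endpoint API. Added example, not Microsoft's code."""
import json
from collections import deque
from time import monotonic

# Allowed values, copied from the request-body table on this page.
ALLOWED = {
    "status": {"New", "InProgress", "Resolved"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}
UPDATABLE = set(ALLOWED) | {"assignedTo", "comment"}
DEFAULT_HOST = "api.securitycenter.microsoft.com"  # or the api-us/-eu/-uk host


def validate_fields(fields):
    """Return a list of problems with the request body (empty list = valid)."""
    problems = []
    if not fields:
        problems.append("nothing to update: supply a property or a comment")
    for name in sorted(set(fields) - UPDATABLE):
        problems.append(f"{name!r} is not an updatable property")
    for name, allowed in ALLOWED.items():
        if name in fields and fields[name] not in allowed:
            problems.append(f"{name}={fields[name]!r} not in {sorted(allowed)}")
    return problems


def build_update_alert_request(alert_id, token, host=DEFAULT_HOST, **fields):
    """Return (method, url, headers, body) for PATCH /api/alerts/{id}.

    Only the fields passed in are serialised: the page says unchanged
    properties should be omitted and keep their previous values.
    """
    if not alert_id or any(ch in alert_id for ch in "/?#"):
        raise ValueError("alert_id must be a single path segment")
    problems = validate_fields(fields)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    url = f"https://{host}/api/alerts/{alert_id}"
    return "PATCH", url, headers, json.dumps(fields)


def handle_update_response(status_code, body_text):
    """Map the documented response codes: 200 -> entity, 404 -> not found."""
    if status_code == 200:
        return json.loads(body_text)
    if status_code == 404:
        raise LookupError("alert with the specified id was not found")
    raise RuntimeError(f"unexpected HTTP {status_code}: {body_text[:200]}")


class RateLimiter:
    """Client-side guard for the page's limits (100/min, 1500/hour).

    Keeps call timestamps; seconds_until_allowed() says how long to wait so
    the next call stays inside both sliding windows. `clock` is injectable
    so the behaviour can be checked without sleeping.
    """
    def __init__(self, per_minute=100, per_hour=1500, clock=monotonic):
        self.limits = ((60.0, per_minute), (3600.0, per_hour))
        self.clock = clock
        self.calls = deque()

    def seconds_until_allowed(self):
        now = self.clock()
        while self.calls and now - self.calls[0] >= 3600.0:
            self.calls.popleft()                # older than the largest window
        wait = 0.0
        for window, limit in self.limits:
            recent = [t for t in self.calls if now - t < window]
            if len(recent) >= limit:
                # the call that must age out before another fits in the window
                wait = max(wait, window - (now - recent[-limit]))
        return wait

    def record_call(self):
        self.calls.append(self.clock())


if __name__ == "__main__":
    # Constructed call mirroring the example request on this page.
    req = build_update_alert_request(
        "121688558380765161_2136280442", "TOKEN", status="Resolved",
        assignedTo="secop2@contoso.com", classification="FalsePositive",
        determination="Malware", comment="Resolve my alert and assign to secop2")
    print(*req[:2])
    print(validate_fields({"status": "Resolve"}))  # typo caught locally
```

In a real client, call seconds_until_allowed() before each PATCH, sleep that long if it is non-zero, then record_call() after the request is issued; the same limiter should be shared across all threads or workers that use one app registration, since the limit is enforced per caller, not per process.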