Microsoft 365 Defender incidents API and the incidents resource type

Important

The improved Microsoft 365 security center is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to:

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

An incident is a collection of related alerts that help describe an attack. Events from different entities in your organization are automatically aggregated by Microsoft 365 Defender. You can use the incidents API to programmatically access your organization's incidents and related alerts.

Quotas and resource allocation

You can request up to 50 calls per minute or 1500 calls per hour. Each method also has its own quotas. For more information on method-specific quotas, see the respective article for the method you want to use.

A 429 HTTP response code indicates that you've reached a quota, either by number of requests sent or by allotted running time. The response body will include the time until the quota you reached is reset.
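The two quotas above are easiest to respect on the client side, before a request is sent, rather than by waiting for 429s. The following is an added example, not Microsoft's code and not a call to any incidents API endpoint: a sliding-window tracker that enforces both the per-minute and per-hour limits at once, plus a helper that turns a 429 into a back-off. The page says the 429 body carries the time until the quota resets but does not name the field, so the `retryAfterSeconds` key below is an assumption made for this example.

```python
"""Client-side enforcement of the incidents API quotas.

Added example, not Microsoft's code. It tracks sent calls in a sliding
window so a client stays under the two limits stated on this page (50 calls
per minute and 1500 calls per hour) instead of discovering them through
429s, and shows how a 429 is turned into a back-off. The "retryAfterSeconds"
body key is an ASSUMPTION for this example; the page does not name the field.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

PER_MINUTE = 50     # quota stated on this page
PER_HOUR = 1500     # quota stated on this page


@dataclass
class QuotaTracker:
    """Sliding-window counter covering both quotas at once."""
    minute_limit: int = PER_MINUTE
    hour_limit: int = PER_HOUR
    # Send timestamps (seconds) in chronological order, pruned to the last hour.
    _sent: deque = field(default_factory=deque)

    def _prune(self, now: float) -> None:
        # Calls older than an hour cannot count against either window.
        while self._sent and now - self._sent[0] >= 3600:
            self._sent.popleft()

    def wait_time(self, now: float) -> float:
        """Seconds to wait before one more call fits both windows (0.0 = send now)."""
        self._prune(now)
        waits = [0.0]
        last_minute = [t for t in self._sent if now - t < 60]
        if len(last_minute) >= self.minute_limit:
            # The oldest call in the window must age out before the next one fits.
            waits.append(60 - (now - last_minute[0]))
        if len(self._sent) >= self.hour_limit:
            waits.append(3600 - (now - self._sent[0]))
        return max(waits)

    def record(self, now: float) -> None:
        """Call this after each request actually goes out."""
        self._prune(now)
        self._sent.append(now)


def backoff_from_response(status: int, body: dict) -> Optional[float]:
    """Seconds to pause after a response, or None when no quota was hit.

    The key name "retryAfterSeconds" is assumed, not documented. When it is
    absent we fall back to a full minute, the shorter of the two windows.
    """
    if status != 429:
        return None
    value = body.get("retryAfterSeconds")
    return float(value) if value is not None else 60.0
```

Call `wait_time(now)` before each request and `record(now)` after it; when both windows are full, the longer of the two waits wins, which is what keeps the hourly quota from being burned in the first half hour.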

Permissions

The incidents API requires different kinds of permissions for each of its methods. For more information about required permissions, see the respective method's article.

Methods

| Method | Return Type | Description |
|---|---|---|
| List incidents | Incident list | Get a list of incidents. |
| Update incident | Incident | Update a specific incident. |
| Get incident | Incident | Get a single incident. |

Request body, response, and examples

Refer to the respective method articles for more details on how to construct a request or parse a response, and for practical examples.

Common properties

| Property | Type | Description |
|---|---|---|
| incidentId | long | Incident unique ID. |
| redirectIncidentId | nullable long | The Incident ID the current Incident was merged to. |
| incidentName | string | The name of the Incident. |
| createdTime | DateTimeOffset | The date and time (in UTC) the Incident was created. |
| lastUpdateTime | DateTimeOffset | The date and time (in UTC) the Incident was last updated. |
| assignedTo | string | Owner of the Incident. |
| severity | Enum | Severity of the Incident. Possible values are: UnSpecified, Informational, Low, Medium, and High. |
| status | Enum | Specifies the current status of the incident. Possible values are: Active, Resolved, and Redirected. |
| classification | Enum | Specification of the incident. Possible values are: Unknown, FalsePositive, TruePositive. |
| determination | Enum | Specifies the determination of the incident. Possible values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. |
| tags | string List | List of Incident tags. |
| comments | List of incident comments | Incident Comment object contains: comment string, createdBy string, and createTime date time. |
| alerts | Alert List | List of related alerts. See examples at List incidents API documentation. |
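The property table is what client tooling has to validate: enum fields take only the listed values, `redirectIncidentId` is null except after a merge, and a `Redirected` incident should send an analyst to the incident it was folded into. The following is an added example, not Microsoft's code: it maps the common properties onto dataclasses, rejects undocumented enum values, and follows redirect chains. The `SAMPLE_INCIDENTS` data is constructed for this example and mirrors the table, not a captured API response; the alert objects are kept raw because their shape is documented in the List incidents article, not here.

```python
"""Typed view of Microsoft 365 Defender incident objects.

Added example, not Microsoft's code. It maps the common properties on this
page onto dataclasses, rejects enum values outside the documented sets, and
follows redirectIncidentId to the incident a merged one was folded into.
SAMPLE_INCIDENTS is constructed for this example, not a captured response.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional

# Member names are the exact strings the API returns, so Enum[name] validates them.
Severity = Enum("Severity", "UnSpecified Informational Low Medium High")
Status = Enum("Status", "Active Resolved Redirected")
Classification = Enum("Classification", "Unknown FalsePositive TruePositive")
Determination = Enum("Determination", "NotAvailable Apt Malware SecurityPersonnel "
                     "SecurityTesting UnwantedSoftware Other")


@dataclass
class Comment:
    comment: str
    created_by: str
    create_time: datetime


@dataclass
class Incident:
    incident_id: int
    redirect_incident_id: Optional[int]  # nullable long: set only after a merge
    incident_name: str
    created_time: datetime
    last_update_time: datetime
    assigned_to: Optional[str]
    severity: Severity
    status: Status
    classification: Classification
    determination: Determination
    tags: list[str]
    comments: list[Comment]
    alerts: list[dict]  # alert shape is documented in the List incidents article; kept raw


def _ts(value: str) -> datetime:
    """DateTimeOffset arrives as ISO 8601; normalise a trailing Z for fromisoformat."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_incident(raw: dict) -> Incident:
    """Build a typed Incident; KeyError for an enum value outside the documented set."""
    redirect = raw.get("redirectIncidentId")
    return Incident(
        incident_id=int(raw["incidentId"]),
        redirect_incident_id=None if redirect is None else int(redirect),
        incident_name=raw["incidentName"],
        created_time=_ts(raw["createdTime"]),
        last_update_time=_ts(raw["lastUpdateTime"]),
        assigned_to=raw.get("assignedTo"),
        severity=Severity[raw["severity"]],
        status=Status[raw["status"]],
        classification=Classification[raw["classification"]],
        determination=Determination[raw["determination"]],
        tags=list(raw.get("tags") or []),
        comments=[Comment(c["comment"], c["createdBy"], _ts(c["createTime"]))
                  for c in raw.get("comments") or []],
        alerts=list(raw.get("alerts") or []),
    )


def resolve_redirect(incidents: dict[int, Incident], incident_id: int) -> int:
    """Follow redirectIncidentId links to the incident that absorbed this one."""
    seen = set()
    current = incident_id
    while incidents[current].status is Status.Redirected:
        target = incidents[current].redirect_incident_id
        if target is None or current in seen:
            raise ValueError(f"broken or looping redirect chain from incident {incident_id}")
        seen.add(current)
        current = target
    return current


def open_high_severity(incidents: dict[int, Incident]) -> list[int]:
    """IDs of incidents still Active at High severity, oldest first."""
    hits = [i for i in incidents.values() if i.status is Status.Active and i.severity is Severity.High]
    return [i.incident_id for i in sorted(hits, key=lambda i: i.created_time)]


# Constructed sample data for this example, not from a real tenant.
SAMPLE_INCIDENTS = [
    {"incidentId": 1001, "redirectIncidentId": None, "incidentName": "Suspicious script activity on two hosts",
     "createdTime": "2021-06-01T10:00:00Z", "lastUpdateTime": "2021-06-01T12:30:00Z",
     "assignedTo": "analyst@example.com", "severity": "High", "status": "Active",
     "classification": "Unknown", "determination": "NotAvailable", "tags": ["triage"],
     "comments": [{"comment": "Escalated", "createdBy": "analyst@example.com",
                   "createTime": "2021-06-01T12:30:00Z"}], "alerts": []},
    {"incidentId": 1002, "redirectIncidentId": 1001, "incidentName": "Credential access alert",
     "createdTime": "2021-06-01T11:00:00Z", "lastUpdateTime": "2021-06-01T11:05:00Z",
     "assignedTo": None, "severity": "Medium", "status": "Redirected",
     "classification": "Unknown", "determination": "NotAvailable", "tags": [], "comments": [], "alerts": []},
    {"incidentId": 1003, "redirectIncidentId": None, "incidentName": "Authorised security test",
     "createdTime": "2021-05-30T09:00:00Z", "lastUpdateTime": "2021-05-31T09:00:00Z",
     "assignedTo": "lead@example.com", "severity": "High", "status": "Resolved",
     "classification": "TruePositive", "determination": "SecurityTesting",
     "tags": ["red-team"], "comments": [], "alerts": []},
]


def load_sample() -> dict[int, Incident]:
    """Index the constructed sample by incidentId."""
    return {inc.incident_id: inc for inc in map(parse_incident, SAMPLE_INCIDENTS)}
```

Looking enum values up by name means an undocumented value (or a renamed one after an API change) fails loudly at parse time instead of silently passing through a dashboard as a string; `resolve_redirect` bounds the walk with a seen-set so a malformed chain cannot loop forever.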