ערוך

שתף באמצעות


Alert management API reference for OT monitoring sensors

This article lists the alert management REST APIs supported for Microsoft Defender for IoT OT monitoring sensors.

alerts (Retrieve alert information)

Use this API to request a list of all the alerts that the Defender for IoT sensor has detected.

URI: /api/v1/alerts

GET

Query parameters

Name Description Example Required / Optional
state Get only handled or unhandled alerts. Supported values:
- handled
- unhandled
/api/v1/alerts?state=handled Optional
fromTime Get alerts created starting at a given time, in milliseconds from Epoch time and in UTC timezone. /api/v1/alerts?fromTime=<epoch> Optional
toTime Get alerts created only before at a given time, in milliseconds from Epoch time and in UTC timezone. /api/v1/alerts?toTime=<epoch> Optional
type Get alerts of a specific type only. Supported values:
- unexpected new devices
- disconnections
All other values are ignored.
/api/v1/alerts?type=disconnections Optional

events (Retrieve timeline events)

Use this API to request a list of events reported to the event timeline.

Note

Running the identical API within the same hour, with the exact same parameter values, returns a cached value. If you are running this API twice in an hour, we recommend that you modify the query parameters to get an updated response.

URI: /api/v1/events

GET

Query parameters

Name Description Example Required / Optional
minutesTimeFrame Filter results by a given time frame during which events were reported. Defined backwards from the current time.
Maximum = 4320 (3 days). Any larger value is treated as 4320, with no error
/api/v1/events?minutesTimeFrame=20 Optional
type Filter results for a specific type only. Any value other than supported types is ignored. For more information, see Event type and title reference. /api/v1/events?type=DEVICE_CONNECTION_CREATED

/api/v1/events?type=REMOTE_ACCESS&minutesTimeFrame
Optional

Event type and title reference

This section lists the values supported as event type and title values for the events API.

Event type Event title
DEVICE_CREATE Device Detected
DEVICE_UPDATE Device Updated
ALERT_REPORTED Alert Detected
ALERT_UPDATED Alert Updated
SCAN Scan Device Detected
PROGRAM_DEVICE PLC Programming
MMS_PROGRAM_DEVICE PLC Program Update
SCL_UPLOADED SCL Uploaded
EXCLUSION_RULE_CREATED Exclusion Rule Created
EXCLUSION_RULE_REMOVED Exclusion Rule Removed
EXCLUSION_RULE_UPDATED Exclusion Rule Updated
DEVICE_CONNECTION_CREATED Device Connection Detected
USER_LOGIN User Login Attempt
FILE_TRANSFER File Transfer Detected
CUSTOM_EVENT User Defined Event
REMOTE_ACCESS Remote Access Connection Established
BACK_TO_NORMAL Back to Normal
MMS_MEMORY_BLOCK_OPERATION MMS Memory Block Operation
MMS_PROGRAM_OPERATION MMS Program Operation
HTTP_BASIC_AUTHENTICATION HTTP Basic Authentication
SIEMENS_S_7_MEMORY_BLOCK_OPERATION Siemens S7 Memory Block Operation
SIEMENS_S_7_AUTHENTICATION Siemens S7 Authentication
REPORT_CREATED Report Created
SNMP_TRAP SNMP Trap detected
DATABASE_ACTION Database Structure Manipulation
PLC_MODULE_CHANGE PLC Module Change
FIRMWARE_UPDATE Firmware Update
PLC_START PLC Start
SRTP_PLC_RESET PLC Reset
SRTP_PLC_COPY_FIRMWARE Firmware Update
SRTP_LOGIN_PROGRAMMING PLC Programming Mode Set
SRTP_PLC_CHANGE_PASSWORD PLC Password Change
OPC_DATA_ACCESS_GROUP_MANAGEMENT_OPERATION OPC Data Access Group Management Operation
OPC_DATA_ACCESS_ITEM_MANAGEMENT_OPERATION OPC Data Access Item Management Operation
OPC_DATA_ACCESS_IO_SUBSCRIPTION_MANAGEMENT_OPERATION OPC Data Access IO Subscription Management Operation
OPC_AE_EVENT_SUBSCRIPTION OPC AE Event Subscription
OPC_AE_EVENT_CONDITION_MANAGEMENT_OPERATION OPC AE Event Condition Management Operation
OPC_AE_EVENT OPC AE Event
SRTP_CHANGE_PRIVILEGE PLC Change access level
SRTP_CHANGE_LEVEL_FAILED PLC Change access level failed
SUITELINK_INIT_CONNECTION Wonderware session initialized
USER_OPERATION User Operation
DIP_UPLOADED Data Intelligence Package Uploaded
FTP_AUTHENTICATION_FAILURE FTP Authentication Failure
PROFINET_DPC_VALUE_SET Profinet SET operation
S7PLUS_PLC_MODE_CHANGE PLC Mode Change
S7_PLC_MODE_CHANGE PLC Mode Change
DELETE_DEVICE Device Deleted
S7PLUS_PROGRAMMING PLC Programming
FIRMWARE_CHANGED PLC Firmware Changed
DELTAV_PROGRAMMING DeltaV Install Script
USER_DEFINED_RULE_CREATED User Defined Rule Created
USER_DEFINED_RULE_EDITED User Defined Rule Edited
USER_DEFINED_RULE_DELETED User Defined Rule Deleted
USER_DEFINED_RULE_OPERATION User Defined Rule Operation
REMOTE_PROCESS_EXECUTION Remote Process Execution
DEVICE_UNIFICATION Device Updated
NOTIFICATION Notification was resolved manually
ENIP_CONTROLLER_PROGRAM_DELETE Controller Program Delete
ENIP_CONTROLLER_PROGRAM_RESET Controller Program Reset
ENIP_CONTROLLER_GENERIC_RESET Controller Reset
ENIP_CONTROLLER_GENERIC_STOP Controller Stop
ENIP_CONTROLLER_GENERIC_START Controller Start
TELNET_AUTHENTICATION_FAILURE Telnet Authentication Failure
CONFIGURATION_OF_CLEARTEXT_PASSWORD Configuration Of Cleartext Password
CLEARTEXT_AUTHENTICATION Cleartext Authentication
PROGRAM_UPLOAD_DEVICE PLC Program Upload
CONFIGURATION_CHANGE PLC Configuration Write
CONFIGURATION_READ PLC Configuration Read
SYSLOG_MSG Syslog Message
INTERNET_ACCESS Internet Access
CAMP_MEMORY_WRITE_OPERATION Common ASCII Message Protocol Memory Write Operation
MUTED_ALERT Event Detected and Muted
DHCP_UPDATE Address Update
DIP_FAILURE Data Intelligence Package Installation Failure
DELETE_DEVICE_SCHEDULE Inactive Devices Scheduled for deletion
PLC_OPERATING_MODE_CHANGED PLC Operating Mode Change Detected
HARDWARE_UPDATE_BY_IDENTIFIER Address Update

Next steps

For more information, see the Defender for IoT API reference overview.