Namespace: microsoft.graph.security

Update the properties of an incident object.

This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
| --- | --- | --- | --- |
| ✅ | ✅ | ✅ | ❌ |
Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Least privileged permissions | Higher privileged permissions |
| --- | --- | --- |
| Delegated (work or school account) | SecurityIncident.ReadWrite.All | Not available. |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | SecurityIncident.ReadWrite.All | Not available. |
HTTP request

```http
PATCH /security/incidents/{incidentId}
```
Request headers

| Name | Description |
| --- | --- |
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body

In the request body, supply only the values for the properties to update. Existing properties that aren't included in the request body keep their previous values or are recalculated based on changes to other property values.

The following table specifies the properties that can be updated.
| Property | Type | Description |
| --- | --- | --- |
| assignedTo | String | Owner of the incident, or null if no owner is assigned. Free editable text. |
| classification | microsoft.graph.security.alertClassification | The specification for the incident. Possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue. |
| customTags | String collection | Array of custom tags associated with the incident. |
| description | String | Description of the incident. |
| determination | microsoft.graph.security.alertDetermination | Specifies the determination of the incident. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
| displayName | String | The incident name. |
| severity | microsoft.graph.security.alertSeverity | Indicates the possible impact on assets. The higher the severity, the greater the impact. Typically, higher-severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue. |
| resolvingComment | String | User input that explains the resolution of the incident and the classification choice. It contains free editable text. |
| status | microsoft.graph.security.incidentStatus | The status of the incident. Possible values are: active, resolved, redirected, unknownFutureValue. |
| summary | String | The overview of an attack. When applicable, the summary contains details of what occurred, the impacted assets, and the type of attack. |
Response

If successful, this method returns a 200 OK response code and an updated microsoft.graph.security.incident object in the response body.
Example

Request

The following example shows a request.

```http
PATCH https://graph.microsoft.com/v1.0/security/incidents/2972395
Content-Type: application/json

{
  "classification": "TruePositive",
  "determination": "MultiStagedAttack",
  "customTags": [
    "Demo"
  ]
}
```
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using System.Collections.Generic;
using Microsoft.Graph.Models.Security;

// Only the properties being changed are set; everything else keeps its value.
var requestBody = new Incident
{
    Classification = AlertClassification.TruePositive,
    Determination = AlertDetermination.MultiStagedAttack,
    CustomTags = new List<string>
    {
        "Demo",
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Incidents["{incident-id}"].PatchAsync(requestBody);
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```bash
mgc security incidents patch --incident-id {incident-id} --body '{\
  "classification": "TruePositive",\
  "determination": "MultiStagedAttack",\
  "customTags": [\
    "Demo"\
  ]\
}\
'
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```go
// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
    "context"
    msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
    graphmodelssecurity "github.com/microsoftgraph/msgraph-sdk-go/models/security"
    //other-imports
)

requestBody := graphmodelssecurity.NewIncident()
// AlertClassification and AlertDetermination live in the models/security package
// imported above as graphmodelssecurity.
classification := graphmodelssecurity.TRUEPOSITIVE_ALERTCLASSIFICATION
requestBody.SetClassification(&classification)
determination := graphmodelssecurity.MULTISTAGEDATTACK_ALERTDETERMINATION
requestBody.SetDetermination(&determination)
customTags := []string{
    "Demo",
}
requestBody.SetCustomTags(customTags)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
incidents, err := graphClient.Security().Incidents().ByIncidentId("incident-id").Patch(context.Background(), requestBody, nil)
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```java
// Code snippets are only available for the latest version. Current version is 6.x

import java.util.LinkedList;
import com.microsoft.graph.serviceclient.GraphServiceClient;

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.security.Incident incident = new com.microsoft.graph.models.security.Incident();
incident.setClassification(com.microsoft.graph.models.security.AlertClassification.TruePositive);
incident.setDetermination(com.microsoft.graph.models.security.AlertDetermination.MultiStagedAttack);
LinkedList<String> customTags = new LinkedList<String>();
customTags.add("Demo");
incident.setCustomTags(customTags);

com.microsoft.graph.models.security.Incident result = graphClient.security().incidents().byIncidentId("{incident-id}").patch(incident);
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```javascript
import { Client } from '@microsoft/microsoft-graph-client';

const options = {
    authProvider,
};

const client = Client.init(options);

// Only the properties being changed are sent in the PATCH body.
const incident = {
    classification: 'TruePositive',
    determination: 'MultiStagedAttack',
    customTags: [
        'Demo'
    ]
};

await client.api('/security/incidents/2972395')
    .update(incident);
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```php
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Security\Incident;
use Microsoft\Graph\Generated\Models\Security\AlertClassification;
use Microsoft\Graph\Generated\Models\Security\AlertDetermination;

$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Incident();
$requestBody->setClassification(new AlertClassification('truePositive'));
$requestBody->setDetermination(new AlertDetermination('multiStagedAttack'));
$requestBody->setCustomTags(['Demo', ]);

$result = $graphServiceClient->security()->incidents()->byIncidentId('incident-id')->patch($requestBody)->wait();
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```powershell
Import-Module Microsoft.Graph.Security

$params = @{
    classification = "TruePositive"
    determination = "MultiStagedAttack"
    customTags = @(
        "Demo"
    )
}

Update-MgSecurityIncident -IncidentId $incidentId -BodyParameter $params
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
```python
# Code snippets are only available for the latest version. Current version is 1.x

from msgraph import GraphServiceClient
from msgraph.generated.models.security.incident import Incident
# The alert classification/determination enums used by incidents are in the
# security namespace, matching the microsoft.graph.security.* types in the table.
from msgraph.generated.models.security.alert_classification import AlertClassification
from msgraph.generated.models.security.alert_determination import AlertDetermination

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Incident(
    classification = AlertClassification.TruePositive,
    determination = AlertDetermination.MultiStagedAttack,
    custom_tags = [
        "Demo",
    ],
)

result = await graph_client.security.incidents.by_incident_id('incident-id').patch(request_body)
```

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.
Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.incident",
  "id": "2972395",
  "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
  "redirectIncidentId": null,
  "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
  "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
  "createdDateTime": "2021-08-13T08:43:35.5533333Z",
  "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
  "assignedTo": "KaiC@contoso.com",
  "classification": "TruePositive",
  "determination": "MultiStagedAttack",
  "status": "Active",
  "severity": "Medium",
  "customTags": [
    "Demo"
  ],
  "comments": [
    {
      "comment": "Demo incident",
      "createdBy": "DavidS@contoso.com",
      "createdTime": "2021-09-30T12:07:37.2756993Z"
    }
  ],
  "systemTags": [
    "Defender Experts"
  ],
  "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
  "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}
```
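The updatable-properties table and the 200 OK response above are enough to write a pre-flight check for automation that closes or re-tags incidents: reject a PATCH body that names a non-updatable property or an enum value outside the listed set before it is sent, then confirm the echoed incident actually reflects the change. This is an added example and not part of the Microsoft Graph documentation or SDKs; the function names are the example's own, and the allowed-value sets are transcribed from the table on this page.

```python
# Added example (not Graph SDK code): pre-flight checks for an incident PATCH
# body and for the updated incident object returned with 200 OK.

# Allowed values per the table above. Graph matches enum values case-insensitively,
# so the request's "TruePositive" and the table's "truePositive" are the same value.
# unknownFutureValue is the evolvable-enum sentinel and is not a value to write.
ENUM_PROPS = {
    "classification": {"unknown", "falsepositive", "truepositive",
                       "informationalexpectedactivity"},
    "determination": {"unknown", "apt", "malware", "securitypersonnel",
                      "securitytesting", "unwantedsoftware", "other",
                      "multistagedattack", "compromisedaccount", "phishing",
                      "malicioususeractivity", "notmalicious",
                      "notenoughdatatovalidate", "confirmeduseractivity",
                      "lineofbusinessapplication"},
    "severity": {"unknown", "informational", "low", "medium", "high"},
    "status": {"active", "resolved", "redirected"},
}
TEXT_PROPS = {"assignedTo", "description", "displayName", "resolvingComment", "summary"}
LIST_PROPS = {"customTags"}


def validate_incident_patch(body: dict) -> list:
    """Return a list of problems with the PATCH body; an empty list means it is acceptable."""
    problems = []
    for key, value in body.items():
        if key in ENUM_PROPS:
            if not isinstance(value, str) or value.lower() not in ENUM_PROPS[key]:
                problems.append(f"{key}: {value!r} is not an allowed value")
        elif key in TEXT_PROPS:  # assignedTo may be null (no owner); others are free text
            if value is not None and not isinstance(value, str):
                problems.append(f"{key}: expected a string or null")
        elif key in LIST_PROPS:
            if not isinstance(value, list) or not all(isinstance(t, str) for t in value):
                problems.append(f"{key}: expected a list of strings")
        else:  # id, tenantId, comments, systemTags, ... are not updatable via this API
            problems.append(f"{key}: not an updatable incident property")
    return problems


def unapplied_fields(body: dict, response: dict) -> list:
    """Compare the incident echoed in the 200 OK body with what was sent; list fields that differ."""
    missed = []
    for key, sent in body.items():
        got = response.get(key)
        if isinstance(sent, str) and isinstance(got, str):
            same = sent.lower() == got.lower()  # enum values are case-insensitive
        else:
            same = sent == got
        if not same:
            missed.append(key)
    return missed
```

Run `validate_incident_patch` on the body before calling PATCH and `unapplied_fields` on the parsed response afterwards; sample bodies and responses used with it should be constructed for your own tenant.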