列出alerts_v2
命名空间:microsoft.graph.security
重要
Microsoft Graph /beta 版本下的 API 可能会发生更改。 不支持在生产应用程序中使用这些 API。 若要确定 API 是否在 v1.0 中可用,请使用 版本 选择器。
获取为跟踪组织中的可疑活动而创建的 警报 资源列表。
此操作允许对警报进行筛选和排序,以创建明智的网络安全响应。 它会在环境保留策略中指定的时间范围内公开在网络中标记的警报集合。 最新的警报显示在列表顶部。
此 API 可用于以下国家级云部署。
| 全局服务 | 美国政府 L4 | 美国政府 L5 (DOD) | 由世纪互联运营的中国 |
|---|---|---|---|
| ✅ | ✅ | ✅ | ❌ |
权限
为此 API 选择标记为最低特权的权限。 只有在应用需要它时,才使用更高的特权权限。 有关委派权限和应用程序权限的详细信息,请参阅权限类型。 要了解有关这些权限的详细信息,请参阅 权限参考。
| 权限类型 | 最低特权权限 | 更高特权权限 |
|---|---|---|
| 委派(工作或学校帐户) | SecurityAlert.Read.All | SecurityAlert.ReadWrite.All |
| 委派(个人 Microsoft 帐户) | 不支持。 | 不支持。 |
| 应用程序 | SecurityAlert.Read.All | SecurityAlert.ReadWrite.All |
HTTP 请求
GET /security/alerts_v2
可选的查询参数
此方法支持以下 OData 查询参数来帮助自定义响应:$count、$filter、、$skip$top。
以下属性支持 $filter : assignedTo、 classification、 determination、 createdDateTime、 lastUpdateDateTime、 severity、 serviceSource 和 status。
用于 @odata.nextLink 分页。
下面是它们的用法示例:
GET /security/alerts_v2?$filter={property}+eq+'{property-value}'
GET /security/alerts_V2?$top=100&$skip=200
若要了解一般信息,请参阅 OData 查询参数。
请求标头
| 名称 | 说明 |
|---|---|
| Authorization | 持有者 {token}。 必填。 详细了解 身份验证和授权。 |
请求正文
请勿提供此方法的请求正文。
响应
如果成功,此方法在 200 OK 响应正文中返回响应代码和 警报 对象集合。
示例
请求
以下示例显示了一个请求。
GET https://graph.microsoft.com/beta/security/alerts_v2
响应
以下示例显示了响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"value": [
{
"@odata.type": "#microsoft.graph.security.alert",
"id": "da637551227677560813_-961444813",
"providerAlertId": "da637551227677560813_-961444813",
"incidentId": "28282",
"status": "new",
"severity": "low",
"classification": "unknown",
"determination": "unknown",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "antivirus",
"detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"title": "Suspicious execution of hidden file",
"description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
"recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",
"category": "DefenseEvasion",
"assignedTo": null,
"alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"actorDisplayName": null,
"threatDisplayName": null,
"threatFamilyName": null,
"mitreTechniques": [
"T1564.001"
],
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
"resolvedDateTime": null,
"firstActivityDateTime": "2021-04-26T07:45:50.116Z",
"lastActivityDateTime": "2021-05-02T07:56:58.222Z",
"comments": [],
"evidence": [
{
"@odata.type": "#microsoft.graph.security.deviceEvidence",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",
"mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
"azureAdDeviceId": null,
"deviceDnsName": "yonif-lap3.middleeast.corp.microsoft.com",
"hostName": "yonif-lap3",
"ntDomain": null,
"dnsDomain": "middleeast.corp.microsoft.com",
"osPlatform": "Windows10",
"osBuild": 22424,
"version": "Other",
"healthStatus": "active",
"riskScore": "medium",
"rbacGroupId": 75,
"rbacGroupName": "UnassignedGroup",
"onboardingStatus": "onboarded",
"defenderAvStatus": "unknown",
"ipInterfaces": [
"1.1.1.1"
],
"loggedOnUsers": [],
"roles": [
"compromised"
],
"detailedRoles": [
"Main device"
],
"tags": [
"Test Machine"
],
"vmMetadata": {
"vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",
"cloudProvider": "azure",
"resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",
"subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"
}
},
{
"@odata.type": "#microsoft.graph.security.fileEvidence",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"detectionStatus": "detected",
"mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
"roles": [],
"detailedRoles": [
"Referred in command line"
],
"tags": [],
"fileDetails": {
"sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
"sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
"fileName": "MsSense.exe",
"filePath": "C:\\Program Files\\temp",
"fileSize": 6136392,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
}
},
{
"@odata.type": "#microsoft.graph.security.processEvidence",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"processId": 4780,
"parentProcessId": 668,
"processCommandLine": "\"MsSense.exe\"",
"processCreationDateTime": "2021-08-12T12:43:19.0772577Z",
"parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",
"detectionStatus": "detected",
"mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
"roles": [],
"detailedRoles": [],
"tags": [],
"imageFile": {
"sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
"sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
"fileName": "MsSense.exe",
"filePath": "C:\\Program Files\\temp",
"fileSize": 6136392,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
},
"parentProcessImageFile": {
"sha1": null,
"sha256": null,
"fileName": "services.exe",
"filePath": "C:\\Windows\\System32",
"fileSize": 731744,
"filePublisher": "Microsoft Corporation",
"signer": null,
"issuer": null
},
"userAccount": {
"accountName": "SYSTEM",
"domainName": "NT AUTHORITY",
"userSid": "S-1-5-18",
"azureAdUserId": null,
"userPrincipalName": null,
"displayName": "System"
}
},
{
"@odata.type": "#microsoft.graph.security.registryKeyEvidence",
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",
"registryHive": "HKEY_LOCAL_MACHINE",
"roles": [],
"detailedRoles": [],
"tags": []
}
],
"systemTags" : [
"Defender Experts"
]
}
]
}