列出警示 API
適用於:
想要體驗適用於端點的 Microsoft Defender 嗎? 注册免費試用版。
注意事項
如果您是美國政府客戶,請使用 適用於美國政府客戶的 Microsoft Defender 中所列的 URI。
提示
為了獲得更好的效能,您可以使用更接近您地理位置的伺服器:
- us.api.security.microsoft.com
- eu.api.security.microsoft.com
- uk.api.security.microsoft.com
- au.api.security.microsoft.com
- swa.api.security.microsoft.com
- ina.api.security.microsoft.com
API 描述
擷取警示的集合。
支援 OData V4 查詢。
OData 支援的運算子:
-
$filteron:alertCreationTime、lastUpdateTime、、incidentId、InvestigationId、asssignedToid、detectionSource、lastEventTime、statusseverity和category屬性。 -
$top最大值為 10,000 $skip-
$expand之evidence - 請參閱 適用於端點的 Microsoft Defender 的 OData 查詢範例。
限制
您可以根據設定的保留期間,取得上次更新的警示。
頁面大小上限為 10,000。
此 API 的速率限制為每分鐘 100 次呼叫,每小時 1,500 次呼叫。
權限
呼叫此 API 需要下列其中一個許可權。 若要深入瞭解,包括如何選擇許可權,請 參閱使用適用於端點Microsoft Defender API。
| 許可權類型 | 權限 | 許可權顯示名稱 |
|---|---|---|
| 應用程式 | Alert.Read.All | Read all alerts |
| 應用程式 | Alert.ReadWrite.All | Read and write all alerts |
| 委派 (公司或學校帳戶) | Alert.Read | Read alerts |
| 委派 (公司或學校帳戶) | Alert.ReadWrite | Read and write alerts |
注意事項
使用使用者認證取得權杖時:
- 用戶必須至少有下列角色許可權:
View Data(如需詳細資訊,請參閱 建立和管理角色) - 回應僅包含與使用者可以存取之裝置相關聯的警示,根據裝置群組設定 (如需詳細資訊,請參閱 建立和管理裝置群組)
適用於端點的Defender方案1和方案2支援裝置群組建立。
HTTP 要求
GET /api/alerts
要求標頭
| 名稱 | 類型 | 描述 |
|---|---|---|
| 授權 | 字串 | 持有人 {token}。 必要。 |
要求內文
Empty
回應
如果成功,此方法會傳回 200 OK,以及回應本文中的 警示 物件清單。
範例 1 - 預設值
請求
以下是要求的範例。
GET https://api.securitycenter.microsoft.com/api/alerts
回應
以下是回應的範例。
注意事項
為了簡潔起見,此處顯示的回應清單可能會被截斷。 所有警示都會從實際呼叫傳回。
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
"id": "da637308392288907382_-880718168",
"incidentId": 7587,
"investigationId": 723156,
"assignedTo": "secop123@contoso.com",
"severity": "Low",
"status": "New",
"classification": "TruePositive",
"determination": null,
"investigationState": "Queued",
"detectionSource": "WindowsDefenderAv",
"category": "SuspiciousActivity",
"threatFamilyName": "Meterpreter",
"title": "Suspicious 'Meterpreter' behavior was detected",
"description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
"alertCreationTime": "2020-07-20T10:53:48.7657932Z",
"firstEventTime": "2020-07-20T10:52:17.6654369Z",
"lastEventTime": "2020-07-20T10:52:18.1362905Z",
"lastUpdateTime": "2020-07-20T10:53:50.19Z",
"resolvedTime": null,
"machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "MiddleEast",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": {
"userName": "temp123",
"domainName": "DOMAIN"
},
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2020-07-21T01:00:37.8404534Z"
}
],
"evidence": []
}
...
]
}
範例 2 - 取得 10 個具有相關辨識項的最新警示
請求
以下是要求的範例。
GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
回應
以下是回應的範例。
注意事項
為了簡潔起見,此處顯示的回應清單可能會被截斷。 所有警示都會從實際呼叫傳回。
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
"value": [
{
"id": "da637472900382838869_1364969609",
"incidentId": 1126093,
"investigationId": null,
"assignedTo": null,
"severity": "Low",
"status": "New",
"classification": null,
"determination": null,
"investigationState": "Queued",
"detectionSource": "WindowsDefenderAtp",
"detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
"category": "Execution",
"threatFamilyName": null,
"title": "Low-reputation arbitrary code executed by signed executable",
"description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
"alertCreationTime": "2021-01-26T20:33:57.7220239Z",
"firstEventTime": "2021-01-26T20:31:32.9562661Z",
"lastEventTime": "2021-01-26T20:31:33.0577322Z",
"lastUpdateTime": "2021-01-26T20:33:59.2Z",
"resolvedTime": null,
"machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
"computerDnsName": "temp123.middleeast.corp.microsoft.com",
"rbacGroupName": "A",
"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
"threatName": null,
"mitreTechniques": [
"T1064",
"T1085",
"T1220"
],
"relatedUser": {
"userName": "temp123",
"domainName": "DOMAIN"
},
"comments": [
{
"comment": "test comment for docs",
"createdBy": "secop123@contoso.com",
"createdTime": "2021-01-26T01:00:37.8404534Z"
}
],
"evidence": [
{
"entityType": "User",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": null,
"sha256": null,
"fileName": null,
"filePath": null,
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": "name",
"domainName": "DOMAIN",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
"aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
"userPrincipalName": "temp123@microsoft.com",
"detectionStatus": null
},
{
"entityType": "Process",
"evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
"sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
"sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
"fileName": "rundll32.exe",
"filePath": "C:\\Windows\\SysWOW64",
"processId": 3276,
"processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
"processCreationTime": "2021-01-26T20:31:32.9581596Z",
"parentProcessId": 8420,
"parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
"parentProcessFileName": "rundll32.exe",
"parentProcessFilePath": "C:\\Windows\\System32",
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
},
{
"entityType": "File",
"evidenceCreationTime": "2021-01-26T20:33:58.42Z",
"sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
"sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
"fileName": "suspicious.dll",
"filePath": "c:\\temp",
"processId": null,
"processCommandLine": null,
"processCreationTime": null,
"parentProcessId": null,
"parentProcessCreationTime": null,
"parentProcessFileName": null,
"parentProcessFilePath": null,
"ipAddress": null,
"url": null,
"registryKey": null,
"registryHive": null,
"registryValueType": null,
"registryValue": null,
"accountName": null,
"domainName": null,
"userSid": null,
"aadUserId": null,
"userPrincipalName": null,
"detectionStatus": "Detected"
}
]
},
...
]
}
另請參閱
使用適用於端點的 Microsoft Defender 進行 OData 查詢
提示
想要深入了解? 在我們的技術社群中與Microsoft安全性社群互動:Microsoft適用於端點的Defender技術社群。