deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

4

Browse Source
This commit is contained in:
Ben Alfasi 2020-01-05 23:20:44 +02:00
parent 4e7fa706c4
commit 4f405db396
3 changed files with 21 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
View File

@ -23,7 +23,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Creates new MDATP [Alert](alerts.md).
Creates new [Alert](alerts.md).
<br>MDATP Event is a required parameter for the alert creation.
<br>You can use an event found in Advanced Hunting API or Portal.
<br>If there is an open alert on the same Machine with the same Title, the alerts will be merged to one.

4
windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
View File

@ -25,14 +25,14 @@ ms.topic: article
## API description
Retrieves a collection of Alerts.
<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
<br>The OData's ```$filter``` query is supported on: "alertCreationTime", "incidentId", "InvestigationId", "status", "severity" and "category".
<br>The OData's ```$filter``` query is supported on: ```alertCreationTime```, ```incidentId```, ```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
<br>See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
## Limitations
1. You can get alerts last updated in the past 30 days.
2. Maximum page size is 10,000.
3. Rate limitations of this API are 100 calls per minute and 1500 calls per hour.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions

48
windows/security/threat-protection/microsoft-defender-atp/update-alert.md
View File

@ -22,7 +22,15 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Update the properties of an alert entity.
## API description
Updates properties of existing [Alert](alerts.md).
<br>Submission of **comment** is available with or without updating properties.
<br>Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```.
## Limitations
1. You can update alerts that available in the API. See [List Alerts](get-alerts.md) for more information.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -51,7 +59,9 @@ Content-Type | String | application/json. **Required**.
## Request body
In the request body, supply the values for the relevant fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change.
In the request body, supply the values for the relevant fields that should be updated.
<br>Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
<br>For best performance you shouldn't include existing values that haven't change.
Property | Type | Description
:---|:---|:---
@ -59,6 +69,7 @@ status | String | Specifies the current status of the alert. The property values
assignedTo | String | Owner of the alert
classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
comment | String | Comment to be added to the alert.
[!include[Improve request performance](../../includes/improve-request-performance.md)]
@ -75,35 +86,12 @@ Here is an example of the request.
```
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "secop2@contoso.com"
}
```
**Response**
Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description",
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
"classification": "FalsePositive",
"determination": "Malware",
"comment": "Resolve my alert and assign to secop2"
}
```