mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
---
title: Get alerts API
description: Retrieves top recent alerts.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
Alert resource type
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
Represents an alert entity in Microsoft Defender ATP. The methods below return or relate alert objects; the properties and JSON representation describe the shape of a single alert.
Methods
Method | Return Type | Description |
---|---|---|
Get alert | Alert | Get a single alert object. |
List alerts | Alert collection | List alert collection. |
Create alert | Alert | Create an alert based on event data obtained from Advanced Hunting. |
List related domains | Domain collection | List the domains associated with the alert. |
List related files | File collection | List the file entities associated with the alert. |
List related IPs | IP collection | List the IP addresses associated with the alert. |
Get related machines | Machine | Get the machine entity associated with the alert. |
Get related users | User | Get the user entity associated with the alert. |
Properties
Property | Type | Description |
---|---|---|
id | String | Alert ID. |
incidentId | String | The Incident ID of the Alert. |
assignedTo | String | Owner of the alert. |
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. |
status | Enum | Current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. |
investigationState | Nullable Enum | Current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType' and 'SuppressedAlert'. |
classification | Nullable Enum | Classification of the alert. Possible values are: 'Unknown', 'FalsePositive' and 'TruePositive'. |
determination | Nullable Enum | Determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware' and 'Other'. |
category | String | Category of the alert. Possible values are: 'Collection', 'Command and control', 'Credential access', 'Defense evasion', 'Discovery', 'Execution', 'Exfiltration', 'Exploit', 'Initial access', 'Lateral movement', 'Malware', 'Persistence', 'Privilege escalation', 'Ransomware', 'Suspicious activity' and 'Unwanted software'. |
detectionSource | String | Detection source. |
threatFamilyName | String | Threat family. |
title | String | Alert title. |
description | String | Description of the threat identified by the alert. |
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created. |
lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine. |
firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on the same machine. |
resolvedTime | DateTimeOffset | The date and time (in UTC) at which the status of the alert was changed to 'Resolved'; null while the alert is unresolved. |
machineId | String | ID of the machine entity associated with the alert. |
JSON representation
```json
{
  "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
  "id": "121688558380765161_2136280442",
  "incidentId": 7696,
  "assignedTo": "secop@contoso.com",
  "severity": "High",
  "status": "New",
  "classification": "TruePositive",
  "determination": "Malware",
  "investigationState": "Running",
  "category": "MalwareDownload",
  "detectionSource": "WindowsDefenderAv",
  "threatFamilyName": "Mikatz",
  "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
  "description": "Some description",
  "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
  "firstEventTime": "2018-11-26T16:17:50.0948658Z",
  "lastEventTime": "2018-11-26T16:18:01.809871Z",
  "resolvedTime": null,
  "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```
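The following Python is an added example, not code from this page or from Microsoft. It takes the alert object documented in the Properties table and the JSON representation above and shows what a SOC script does with one once it has been fetched: check every enum field against the documented value sets, parse the seven-digit-fraction UTC timestamps, compute how long the alert took to fire after its first triggering event, and decide whether an analyst needs to look at it. The sample alert is constructed from this page's JSON (with its missing comma fixed); the `$filter` builder at the end assumes the OData comparison syntax (`field eq 'value'`, joined with `and`) for the List alerts method, which this page does not itself describe. No network calls are made.

```python
import json
from datetime import datetime, timezone

# Value sets copied from the Properties table above.
SEVERITIES = {"UnSpecified", "Informational", "Low", "Medium", "High"}
STATUSES = {"Unknown", "New", "InProgress", "Resolved"}
INVESTIGATION_STATES = {
    "Unknown", "Terminated", "SuccessfullyRemediated", "Benign", "Failed",
    "PartiallyRemediated", "Running", "PendingApproval", "PendingResource",
    "PartiallyInvestigated", "TerminatedByUser", "TerminatedBySystem", "Queued",
    "InnerFailure", "PreexistingAlert", "UnsupportedOs", "UnsupportedAlertType",
    "SuppressedAlert"}
CLASSIFICATIONS = {"Unknown", "FalsePositive", "TruePositive"}
DETERMINATIONS = {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                  "SecurityTesting", "UnwantedSoftware", "Other"}
CATEGORIES = {
    "Collection", "Command and control", "Credential access", "Defense evasion",
    "Discovery", "Execution", "Exfiltration", "Exploit", "Initial access",
    "Lateral movement", "Malware", "Persistence", "Privilege escalation",
    "Ransomware", "Suspicious activity", "Unwanted software"}
# (allowed values, nullable) per the table; only "Nullable Enum" fields may be null.
ENUM_FIELDS = {
    "severity": (SEVERITIES, False), "status": (STATUSES, False),
    "investigationState": (INVESTIGATION_STATES, True),
    "classification": (CLASSIFICATIONS, True),
    "determination": (DETERMINATIONS, True), "category": (CATEGORIES, False)}

# Constructed sample: this page's JSON representation, made syntactically valid.
SAMPLE_ALERT = json.loads("""{
  "id": "121688558380765161_2136280442",
  "incidentId": 7696,
  "assignedTo": "secop@contoso.com",
  "severity": "High",
  "status": "New",
  "classification": "TruePositive",
  "determination": "Malware",
  "investigationState": "Running",
  "category": "MalwareDownload",
  "detectionSource": "WindowsDefenderAv",
  "threatFamilyName": "Mikatz",
  "title": "Windows Defender AV detected 'Mikatz', high-severity malware",
  "description": "Some description",
  "alertCreationTime": "2018-11-26T16:19:21.8409809Z",
  "firstEventTime": "2018-11-26T16:17:50.0948658Z",
  "lastEventTime": "2018-11-26T16:18:01.809871Z",
  "resolvedTime": null,
  "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}""")


def parse_utc(ts):
    """Parse the API's DateTimeOffset strings. They carry up to seven fractional
    digits and a trailing Z, which datetime.fromisoformat rejects on Python < 3.11,
    so truncate to microseconds and parse by hand."""
    if not ts.endswith("Z"):
        raise ValueError("expected a UTC timestamp ending in Z: %r" % ts)
    base, _, frac = ts[:-1].partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def validate_alert(alert):
    """List problems: enum values outside the documented sets, a null in a field the
    table does not mark nullable, or a resolvedTime that disagrees with status."""
    problems = []
    for field, (allowed, nullable) in ENUM_FIELDS.items():
        value = alert.get(field)
        if value is None:
            if not nullable:
                problems.append("%s is null but not nullable" % field)
        elif value not in allowed:
            problems.append("%s=%r is not a documented value" % (field, value))
    if (alert.get("resolvedTime") is not None) != (alert.get("status") == "Resolved"):
        problems.append("resolvedTime and status disagree")
    return problems


def detection_latency(alert):
    """Time from the first triggering event to alert creation."""
    return parse_utc(alert["alertCreationTime"]) - parse_utc(alert["firstEventTime"])


def needs_analyst(alert):
    """True for unresolved Medium/High alerts that the investigation has not already
    closed out as remediated or benign."""
    auto_closed = alert.get("investigationState") in {"SuccessfullyRemediated", "Benign"}
    return (alert["status"] != "Resolved"
            and alert["severity"] in {"Medium", "High"} and not auto_closed)


def list_alerts_filter(severity=None, status=None):
    """Build a $filter value for List alerts. The OData form (field eq 'value', joined
    with and) is an assumption about the API, not taken from this page. Values outside
    the documented sets are rejected before they reach the API."""
    clauses = []
    for field, value, allowed in (("severity", severity, SEVERITIES),
                                  ("status", status, STATUSES)):
        if value is None:
            continue
        if value not in allowed:
            raise ValueError("%s=%r is not a documented value" % (field, value))
        clauses.append("%s eq '%s'" % (field, value))
    return " and ".join(clauses)
```

Running `validate_alert(SAMPLE_ALERT)` flags one thing worth knowing before you write code against this API: the sample's `category` is `MalwareDownload`, which is not among the values the Properties table documents, and the sample's `incidentId` is a JSON number although the table types it as String. Treat the documented sets as a guide for filters and dashboards, not as a hard schema, and log rather than drop alerts whose fields fall outside them. `detection_latency` on the sample gives about 91.7 seconds between the first triggering event and alert creation.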