title | description | keywords | search.product | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Create alert from event API | Creates an alert using event details | apis, graph api, supported apis, get, alert, information, id | eADQiWindows 10XVcnh | w10 | deploy | library | security | macapara | mjcaparas | medium | dansimp | ITPro | M365-security-compliance | article |
Create alert API
Applies to: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)
- Want to experience Microsoft Defender ATP? Sign up for a free trial.
API description
Creates a new alert on top of an existing event.
A Microsoft Defender ATP event is required for the alert creation: the alert references an event the service has already recorded, so you cannot create an alert from arbitrary data.
You need to supply three values taken from the event in the request: the event time, the machine ID and the report ID. See the example below.
You can use an event found through the advanced hunting API or in the portal.
If an open alert with the same title already exists on the same device, the newly created alert is merged into it.
An automated investigation starts automatically on alerts created through this API.
Limitations
- The rate limit for this API is 15 calls per minute.
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs.
Permission type | Permission | Permission display name |
---|---|---|
Application | Alerts.ReadWrite.All | 'Read and write all alerts' |
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' |
Note
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'Alerts investigation' (See Create and manage roles for more information)
- The user needs to have access to the device associated with the alert, based on device group settings (See Create and manage device groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Request headers
Name | Type | Description |
---|---|---|
Authorization | String | Bearer {token}. Required. |
Content-Type | String | application/json. Required. |
Request body
In the request body, supply the following values (all are required):
Property | Type | Description |
---|---|---|
eventTime | DateTime(UTC) | The precise time of the event as a string, exactly as obtained from advanced hunting, e.g. 2018-08-03T16:45:21.7115183Z. Required. |
reportId | String | The reportId of the event, as obtained from advanced hunting, passed as a string. Required. |
machineId | String | ID of the device on which the event was identified. Required. |
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. Required. |
title | String | Title for the alert. Required. |
description | String | Description of the alert. Required. |
recommendedAction | String | The action the security officer is recommended to take when analyzing the alert. Required. |
category | String | Category of the alert. The property values are: 'General', 'CommandAndControl', 'Collection', 'CredentialAccess', 'DefenseEvasion', 'Discovery', 'Exfiltration', 'Exploit', 'Execution', 'InitialAccess', 'LateralMovement', 'Malware', 'Persistence', 'PrivilegeEscalation', 'Ransomware', 'SuspiciousActivity'. Required. |
Response
If successful, this method returns 200 OK and the new alert object in the response body. If no event with the specified reportId, eventTime and machineId is found, it returns 404 Not Found.
Example
Request
Here is an example of the request.
```http
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference

{
  "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
  "severity": "Low",
  "title": "example",
  "description": "example alert",
  "recommendedAction": "nothing",
  "eventTime": "2018-08-03T16:45:21.7115183Z",
  "reportId": "20776",
  "category": "Exploit"
}
```
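The following Python script is an added example, not code from this page or from Microsoft, showing the full flow the sections above describe: take the three identifying fields from an advanced hunting row, validate the enumerated severity and category locally before spending a call against the 15-per-minute budget, POST with a bearer token, and distinguish the documented 200 and 404 outcomes. The hunting row is a constructed sample, and its column names (Timestamp, ReportId, DeviceId) and the fake transports used to run it offline are assumptions that are not part of this page; with a real token you would call `create_alert` with the default transport instead.

```python
"""Create a Microsoft Defender ATP alert by reference (added example, not Microsoft's code).

Assumptions not taken from the page: the advanced hunting row uses the column
names Timestamp / ReportId / DeviceId, and the caller already holds a valid
bearer token for the api.securitycenter.windows.com resource.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Tuple

API_URL = "https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference"
RATE_LIMIT_PER_MINUTE = 15  # documented limit for this API

SEVERITIES = {"Low", "Medium", "High"}
CATEGORIES = {
    "General", "CommandAndControl", "Collection", "CredentialAccess",
    "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution",
    "InitialAccess", "LateralMovement", "Malware", "Persistence",
    "PrivilegeEscalation", "Ransomware", "SuspiciousActivity",
}

# Constructed sample row, shaped like one result of an advanced hunting query.
SAMPLE_ROW: Dict[str, Any] = {
    "Timestamp": "2018-08-03T16:45:21.7115183Z",
    "ReportId": 20776,  # numeric in hunting results, a string in the alert API
    "DeviceId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
    "DeviceName": "workstation-01",  # extra columns are simply ignored
}

Sender = Callable[[urllib.request.Request], Tuple[int, bytes]]


def build_alert_body(row: Dict[str, Any], severity: str, title: str, description: str,
                     recommended_action: str, category: str) -> Dict[str, str]:
    """Map a hunting row plus analyst-supplied fields to the request body.

    The two enumerated fields are validated locally so a typo fails before a
    call is spent against the rate limit.
    """
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {sorted(SEVERITIES)}, got {severity!r}")
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    for key in ("Timestamp", "ReportId", "DeviceId"):
        if key not in row:
            raise KeyError(f"hunting row is missing {key}")
    return {
        # Keep the timestamp string untouched: it identifies the event and a
        # reformatted (e.g. truncated) value yields 404 Not Found.
        "eventTime": row["Timestamp"],
        "reportId": str(row["ReportId"]),
        "machineId": row["DeviceId"],
        "severity": severity,
        "title": title,
        "description": description,
        "recommendedAction": recommended_action,
        "category": category,
    }


def http_send(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real transport: return (status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def create_alert(body: Dict[str, str], token: str, send: Sender = http_send) -> Dict[str, Any]:
    """POST the body; return the new alert object or raise with the documented reason."""
    req = urllib.request.Request(
        API_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    status, payload = send(req)
    if status == 200:
        return json.loads(payload)
    if status == 404:
        raise LookupError("no event matches eventTime/reportId/machineId; re-check the hunting row")
    if status == 429:
        raise RuntimeError(f"rate limited ({RATE_LIMIT_PER_MINUTE} calls/minute); back off and retry")
    raise RuntimeError(f"CreateAlertByReference failed: HTTP {status}: {payload[:200]!r}")


# Constructed offline transports so the flow can be exercised without a tenant.
def fake_send_ok(req: urllib.request.Request) -> Tuple[int, bytes]:
    sent = json.loads(req.data)
    assert req.get_header("Authorization", "").startswith("Bearer ")
    # Constructed alert object echoing the fields the request supplied.
    alert = {"id": "constructed-alert-id", "title": sent["title"], "severity": sent["severity"],
             "category": sent["category"], "machineId": sent["machineId"], "status": "New"}
    return 200, json.dumps(alert).encode("utf-8")


def fake_send_not_found(req: urllib.request.Request) -> Tuple[int, bytes]:
    return 404, b'{"error":{"code":"NotFound","message":"event not found"}}'


if __name__ == "__main__":
    body = build_alert_body(SAMPLE_ROW, "Low", "example", "example alert", "nothing", "Exploit")
    print(json.dumps(body, indent=2))
    print(create_alert(body, "<bearer token>", send=fake_send_ok)["id"])
```

Because the event is looked up by exact match on all three fields, the script deliberately passes the hunting timestamp through unchanged and converts only the numeric reportId to the string the API expects; parsing and re-serialising the timestamp is the most common way to end up with a 404.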