命名空间:microsoft.graph
根据指定的 警报ID 属性更新组织中警报对象的属性。
此 API 可用于以下国家级云部署。
| 全局服务 |
美国政府 L4 |
美国政府 L5 (DOD) |
由世纪互联运营的中国 |
| ✅ |
✅ |
✅ |
❌ |
权限
为此 API 选择标记为最低特权的权限。
只有在应用需要它时,才使用更高的特权权限。 有关委派权限和应用程序权限的详细信息,请参阅权限类型。 要了解有关这些权限的详细信息,请参阅 权限参考。
| 权限类型 |
最低特权权限 |
更高特权权限 |
| 委派(工作或学校帐户) |
SecurityAlert.ReadWrite.All |
不可用。 |
| 委派(个人 Microsoft 帐户) |
不支持。 |
不支持。 |
| 应用程序 |
SecurityAlert.ReadWrite.All |
不可用。 |
HTTP 请求
PATCH /security/alerts_v2/{alertId}
| 名称 |
说明 |
| Authorization |
持有者 {token}。 必填。 详细了解 身份验证和授权。 |
| Content-Type |
application/json. 必需。 |
请求正文
在请求正文中, 仅 提供要更新的属性的值。 请求正文中未包含的现有属性会保留其以前的值,或者根据对其他属性值的更改重新计算。
下表指定可更新的属性。
| 属性 |
类型 |
说明 |
| status |
microsoft.graph.security.alertStatus |
警报的状态。 可能的值是:new、inProgress、resolved、unknownFutureValue。 |
| classification |
microsoft.graph.security.alertClassification |
指定警报的分类。 可取值为:unknown、falsePositive、truePositive、informationalExpectedActivity、unknownFutureValue。 |
| customDetails |
microsoft.graph.security.dictionary |
用户定义的具有字符串值的自定义字段。 |
| 测定 |
microsoft.graph.security.alertDetermination |
指定警报的确定。 可取值为:unknown、apt、malware、securityPersonnel、securityTesting、unwantedSoftware、other、multiStagedAttack、compromisedUser、phishing、maliciousUserActivity、clean、insufficientData、confirmedUserActivity、lineOfBusinessApplication、unknownFutureValue。 |
| assignedTo |
String |
事件的所有者,如果没有 null 分配所有者,则为 。 |
响应
如果成功,此方法在响应正文中返回响应 200 OK 代码和更新的 警报 对象。
示例
请求
以下示例显示了一个请求。
PATCH https://graph.microsoft.com/v1.0/security/alerts_v2/da637551227677560813_-961444813
Content-Type: application/json
Content-length: 2450
{
"assignedTo": "secAdmin@contoso.com",
"classification": "truePositive",
"determination": "malware",
"status": "inProgress"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models.Security;
var requestBody = new Alert
{
AssignedTo = "secAdmin@contoso.com",
Classification = AlertClassification.TruePositive,
Determination = AlertDetermination.Malware,
Status = AlertStatus.InProgress,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Alerts_v2["{alert-id}"].PatchAsync(requestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
mgc security alerts-v2 patch --alert-id {alert-id} --body '{\
"assignedTo": "secAdmin@contoso.com",\
"classification": "truePositive",\
"determination": "malware",\
"status": "inProgress"\
}\
'
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodelssecurity "github.com/microsoftgraph/msgraph-sdk-go/models/security"
//other-imports
)
requestBody := graphmodelssecurity.NewAlert()
assignedTo := "secAdmin@contoso.com"
requestBody.SetAssignedTo(&assignedTo)
classification := graphmodels.TRUEPOSITIVE_ALERTCLASSIFICATION
requestBody.SetClassification(&classification)
determination := graphmodels.MALWARE_ALERTDETERMINATION
requestBody.SetDetermination(&determination)
status := graphmodels.INPROGRESS_ALERTSTATUS
requestBody.SetStatus(&status)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
alerts_v2, err := graphClient.Security().Alerts_v2().ByAlertId("alert-id").Patch(context.Background(), requestBody, nil)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.models.security.Alert alert = new com.microsoft.graph.models.security.Alert();
alert.setAssignedTo("secAdmin@contoso.com");
alert.setClassification(com.microsoft.graph.models.security.AlertClassification.TruePositive);
alert.setDetermination(com.microsoft.graph.models.security.AlertDetermination.Malware);
alert.setStatus(com.microsoft.graph.models.security.AlertStatus.InProgress);
com.microsoft.graph.models.security.Alert result = graphClient.security().alertsV2().byAlertId("{alert-id}").patch(alert);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
const options = {
authProvider,
};
const client = Client.init(options);
const alert = {
assignedTo: 'secAdmin@contoso.com',
classification: 'truePositive',
determination: 'malware',
status: 'inProgress'
};
await client.api('/security/alerts_v2/da637551227677560813_-961444813')
.update(alert);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Security\Alert;
use Microsoft\Graph\Generated\Models\Security\AlertClassification;
use Microsoft\Graph\Generated\Models\Security\AlertDetermination;
use Microsoft\Graph\Generated\Models\Security\AlertStatus;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Alert();
$requestBody->setAssignedTo('secAdmin@contoso.com');
$requestBody->setClassification(new AlertClassification('truePositive'));
$requestBody->setDetermination(new AlertDetermination('malware'));
$requestBody->setStatus(new AlertStatus('inProgress'));
$result = $graphServiceClient->security()->alerts_v2()->byAlertId('alert-id')->patch($requestBody)->wait();
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
Import-Module Microsoft.Graph.Security
$params = @{
assignedTo = "secAdmin@contoso.com"
classification = "truePositive"
determination = "malware"
status = "inProgress"
}
Update-MgSecurityAlertV2 -AlertId $alertId -BodyParameter $params
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.security.alert import Alert
from msgraph.generated.models.alert_classification import AlertClassification
from msgraph.generated.models.alert_determination import AlertDetermination
from msgraph.generated.models.alert_status import AlertStatus
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Alert(
assigned_to = "secAdmin@contoso.com",
classification = AlertClassification.TruePositive,
determination = AlertDetermination.Malware,
status = AlertStatus.InProgress,
)
result = await graph_client.security.alerts_v2.by_alert_id('alert-id').patch(request_body)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.type": "#microsoft.graph.security.alert",
"id": "da637551227677560813_-961444813",
"providerAlertId": "da637551227677560813_-961444813",
"incidentId": "28282",
"status": "inProgress",
"severity": "low",
"classification": "truePositive",
"determination": "malware",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "antivirus",
"detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"title": "Suspicious execution of hidden file",
"description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
"recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",
"category": "DefenseEvasion",
"assignedTo": "secAdmin@contoso.com",
"alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"actorDisplayName": null,
"threatDisplayName": null,
"threatFamilyName": null,
"mitreTechniques": [
"T1564.001"
],
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
"resolvedDateTime": null,
"firstActivityDateTime": "2021-04-26T07:45:50.116Z",
"lastActivityDateTime": "2021-05-02T07:56:58.222Z",
"comments": [],
"evidence": [],
"systemTags" : []
}