命名空间:microsoft.graph
重要
Microsoft Graph /beta 版本下的 API 可能会发生更改。 不支持在生产应用程序中使用这些 API。 若要确定 API 是否在 v1.0 中可用,请使用 版本 选择器。
更新 警报 对象的属性。
此 API 可用于以下国家级云部署。
| 全局服务 |
美国政府 L4 |
美国政府 L5 (DOD) |
由世纪互联运营的中国 |
| ✅ |
✅ |
✅ |
❌ |
权限
为此 API 选择标记为最低特权的权限。
只有在应用需要它时,才使用更高的特权权限。 有关委派权限和应用程序权限的详细信息,请参阅权限类型。 要了解有关这些权限的详细信息,请参阅 权限参考。
| 权限类型 |
最低特权权限 |
更高特权权限 |
| 委派(工作或学校帐户) |
SecurityAlert.ReadWrite.All |
不可用。 |
| 委派(个人 Microsoft 帐户) |
不支持。 |
不支持。 |
| 应用程序 |
SecurityAlert.ReadWrite.All |
不可用。 |
HTTP 请求
PATCH /security/alerts_v2/{alertId}
| 名称 |
说明 |
| Authorization |
持有者 {token}。 必填。 详细了解 身份验证和授权。 |
| Content-Type |
application/json. 必需。 |
请求正文
在请求正文中, 仅 提供要更新的属性的值。 请求正文中未包含的现有属性会保留其以前的值,或者根据对其他属性值的更改重新计算。
下表指定可更新的属性。
| 属性 |
类型 |
说明 |
| status |
microsoft.graph.security.alertStatus |
警报的状态。 可能的值是:new、inProgress、resolved、unknownFutureValue。 |
| classification |
microsoft.graph.security.alertClassification |
指定警报的分类。 可取值为:unknown、falsePositive、truePositive、informationalExpectedActivity、unknownFutureValue。 |
| customDetails |
microsoft.graph.security.dictionary |
用户定义的具有字符串值的自定义字段。 |
| 测定 |
microsoft.graph.security.alertDetermination |
指定警报的确定。 可取值为:unknown、apt、malware、securityPersonnel、securityTesting、unwantedSoftware、other、multiStagedAttack、compromisedUser、phishing、maliciousUserActivity、clean、insufficientData、confirmedUserActivity、lineOfBusinessApplication、unknownFutureValue。 |
| assignedTo |
String |
事件的所有者,如果未分配所有者,则为 null。 |
响应
如果成功,此方法在响应正文中返回响应 200 OK 代码和更新的 警报 对象。
示例
请求
以下示例显示了一个请求。
PATCH https://graph.microsoft.com/beta/security/alerts_v2/da637551227677560813_-961444813
Content-Type: application/json
Content-length: 2450
{
"assignedTo": "secAdmin@contoso.com",
"classification": "truePositive",
"determination": "malware",
"status": "inProgress",
"CustomDetails": {"newKey":"newValue"}
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models.Security;
var requestBody = new Alert
{
AssignedTo = "secAdmin@contoso.com",
Classification = AlertClassification.TruePositive,
Determination = AlertDetermination.Malware,
Status = AlertStatus.InProgress,
CustomDetails = new Dictionary
{
AdditionalData = new Dictionary<string, object>
{
{
"newKey" , "newValue"
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Alerts_v2["{alert-id}"].PatchAsync(requestBody);
mgc-beta security alerts-v2 patch --alert-id {alert-id} --body '{\
"assignedTo": "secAdmin@contoso.com",\
"classification": "truePositive",\
"determination": "malware",\
"status": "inProgress",\
"CustomDetails": {"newKey":"newValue"}\
}\
'
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodelssecurity "github.com/microsoftgraph/msgraph-beta-sdk-go/models/security"
//other-imports
)
requestBody := graphmodelssecurity.NewAlert()
assignedTo := "secAdmin@contoso.com"
requestBody.SetAssignedTo(&assignedTo)
classification := graphmodels.TRUEPOSITIVE_ALERTCLASSIFICATION
requestBody.SetClassification(&classification)
determination := graphmodels.MALWARE_ALERTDETERMINATION
requestBody.SetDetermination(&determination)
status := graphmodels.INPROGRESS_ALERTSTATUS
requestBody.SetStatus(&status)
customDetails := graphmodelssecurity.NewDictionary()
additionalData := map[string]interface{}{
"newKey" : "newValue",
}
customDetails.SetAdditionalData(additionalData)
requestBody.SetCustomDetails(customDetails)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
alerts_v2, err := graphClient.Security().Alerts_v2().ByAlertId("alert-id").Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
com.microsoft.graph.beta.models.security.Alert alert = new com.microsoft.graph.beta.models.security.Alert();
alert.setAssignedTo("secAdmin@contoso.com");
alert.setClassification(com.microsoft.graph.beta.models.security.AlertClassification.TruePositive);
alert.setDetermination(com.microsoft.graph.beta.models.security.AlertDetermination.Malware);
alert.setStatus(com.microsoft.graph.beta.models.security.AlertStatus.InProgress);
com.microsoft.graph.beta.models.security.Dictionary customDetails = new com.microsoft.graph.beta.models.security.Dictionary();
HashMap<String, Object> additionalData = new HashMap<String, Object>();
additionalData.put("newKey", "newValue");
customDetails.setAdditionalData(additionalData);
alert.setCustomDetails(customDetails);
com.microsoft.graph.models.security.Alert result = graphClient.security().alertsV2().byAlertId("{alert-id}").patch(alert);
const options = {
authProvider,
};
const client = Client.init(options);
const alert = {
assignedTo: 'secAdmin@contoso.com',
classification: 'truePositive',
determination: 'malware',
status: 'inProgress',
CustomDetails: {newKey: 'newValue'}
};
await client.api('/security/alerts_v2/da637551227677560813_-961444813')
.version('beta')
.update(alert);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\Security\Alert;
use Microsoft\Graph\Beta\Generated\Models\Security\AlertClassification;
use Microsoft\Graph\Beta\Generated\Models\Security\AlertDetermination;
use Microsoft\Graph\Beta\Generated\Models\Security\AlertStatus;
use Microsoft\Graph\Beta\Generated\Models\Security\Dictionary;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new Alert();
$requestBody->setAssignedTo('secAdmin@contoso.com');
$requestBody->setClassification(new AlertClassification('truePositive'));
$requestBody->setDetermination(new AlertDetermination('malware'));
$requestBody->setStatus(new AlertStatus('inProgress'));
$customDetails = new Dictionary();
$additionalData = [
'newKey' => 'newValue',
];
$customDetails->setAdditionalData($additionalData);
$requestBody->setCustomDetails($customDetails);
$result = $graphServiceClient->security()->alerts_v2()->byAlertId('alert-id')->patch($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Security
$params = @{
assignedTo = "secAdmin@contoso.com"
classification = "truePositive"
determination = "malware"
status = "inProgress"
CustomDetails = @{
newKey = "newValue"
}
}
Update-MgBetaSecurityAlertV2 -AlertId $alertId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.security.alert import Alert
from msgraph_beta.generated.models.alert_classification import AlertClassification
from msgraph_beta.generated.models.alert_determination import AlertDetermination
from msgraph_beta.generated.models.alert_status import AlertStatus
from msgraph_beta.generated.models.security.dictionary import Dictionary
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Alert(
assigned_to = "secAdmin@contoso.com",
classification = AlertClassification.TruePositive,
determination = AlertDetermination.Malware,
status = AlertStatus.InProgress,
custom_details = Dictionary(
additional_data = {
"new_key" : "newValue",
}
),
)
result = await graph_client.security.alerts_v2.by_alert_id('alert-id').patch(request_body)
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.type": "#microsoft.graph.security.alert",
"id": "da637551227677560813_-961444813",
"providerAlertId": "da637551227677560813_-961444813",
"incidentId": "28282",
"status": "inProgress",
"severity": "low",
"classification": "truePositive",
"determination": "malware",
"serviceSource": "microsoftDefenderForEndpoint",
"detectionSource": "antivirus",
"detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"title": "Suspicious execution of hidden file",
"description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
"recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",
"category": "DefenseEvasion",
"assignedTo": "secAdmin@contoso.com",
"alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
"actorDisplayName": null,
"threatDisplayName": null,
"threatFamilyName": null,
"mitreTechniques": [
"T1564.001"
],
"createdDateTime": "2021-04-27T12:19:27.7211305Z",
"lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
"resolvedDateTime": null,
"firstActivityDateTime": "2021-04-26T07:45:50.116Z",
"lastActivityDateTime": "2021-05-02T07:56:58.222Z",
"comments": [],
"evidence": [],
"systemTags" : [],
"customDetails": {"newKey":"newValue"}
}