Obter incidente

Espaço de nomes: microsoft.graph.security

Obtenha as propriedades e relações de um objeto de incidente .

Normalmente, os ataques são infligidos a diferentes tipos de entidades, como dispositivos, utilizadores e caixas de correio, o que resulta em vários objetos de alerta . O Microsoft 365 Defender correlaciona os alertas com as mesmas técnicas de ataque ou com o mesmo atacante num incidente.

Esta API está disponível nas seguintes implementações de cloud nacionais.

Permissões

Escolha a permissão ou permissões marcadas como menos privilegiadas para esta API. Utilize uma permissão ou permissões com privilégios mais elevados apenas se a sua aplicação o exigir. Para obter detalhes sobre as permissões delegadas e de aplicação, veja Tipos de permissão. Para saber mais sobre estas permissões, veja a referência de permissões.

Solicitação HTTP

GET /security/incidents/{incidentId}

Cabeçalhos de solicitação

Corpo da solicitação

Não forneça um corpo de solicitação para esse método.

Resposta

Se for bem-sucedido, este método devolve um 200 OK código de resposta e um objeto de incidente no corpo da resposta.

Exemplos

Solicitação

O exemplo a seguir mostra uma solicitação.

GET https://graph.microsoft.com/beta/security/incidents/2972395

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Incidents["{incident-id}"].GetAsync();

// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
incidents, err := graphClient.Security().Incidents().ByIncidentId("incident-id").Get(context.Background(), nil)

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.security.Incident result = graphClient.security().incidents().byIncidentId("{incident-id}").get();

const options = {
	authProvider,
};

const client = Client.init(options);

let incident = await client.api('/security/incidents/2972395')
	.version('beta')
	.get();

<?php
use Microsoft\Graph\Beta\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$result = $graphServiceClient->security()->incidents()->byIncidentId('incident-id')->get()->wait();

Import-Module Microsoft.Graph.Beta.Security

Get-MgBetaSecurityIncident -IncidentId $incidentId

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.security.incidents.by_incident_id('incident-id').get()

Resposta

O exemplo a seguir mostra a resposta.

Observação: o objeto de resposta mostrado aqui pode ser encurtado para legibilidade.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.type": "#microsoft.graph.incident",
    "id": "2972395",
    "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
    "redirectIncidentId": null,
    "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
    "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
    "createdDateTime": "2021-08-13T08:43:35.5533333Z",
    "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
    "assignedTo": "KaiC@contoso.com",
    "classification": "TruePositive",
    "determination": "MultiStagedAttack",
    "status": "Active",
    "severity": "Medium",
    "customTags": [
        "Demo"
    ],
    "comments": [
        {
            "comment": "Demo incident",
            "createdBy": "DavidS@contoso.com",
            "createdTime": "2021-09-30T12:07:37.2756993Z"
        }
    ],
    "systemTags": [
        "Defender Experts"
    ],
    "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
    "recommendedActions": "Immediate Recommendations:  1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . ...",
    "recommendedHuntingQueries": [
        {
            "kqlText": "AlertInfo   | where Timestamp >= datetime(2022-10-20 06:00:52.9644915)   | where Title == 'Potential Raspberry Robin worm command'  | join AlertEvidence on AlertId   | distinct DeviceId"
        }
    ],
    "lastModifiedBy": "DavidS@contoso.onmicrosoft.com",
    "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}