Obtener incidente

Espacio de nombres: microsoft.graph.security

Recupere las propiedades y relaciones de un objeto de incidente .

Los ataques suelen infligidos a diferentes tipos de entidades, como dispositivos, usuarios y buzones, lo que da lugar a varios objetos de alerta . Microsoft 365 Defender correlaciona las alertas con las mismas técnicas de ataque o con el mismo atacante en un incidente.

Esta API está disponible en las siguientes implementaciones nacionales de nube.

Permissions

Elija el permiso o los permisos marcados como con privilegios mínimos para esta API. Use un permiso o permisos con privilegios superiores solo si la aplicación lo requiere. Para obtener más información sobre los permisos delegados y de aplicación, consulte Tipos de permisos. Para obtener más información sobre estos permisos, consulte la referencia de permisos.

Solicitud HTTP

GET /security/incidents/{incidentId}

Encabezados de solicitud

Cuerpo de la solicitud

No proporcione un cuerpo de solicitud para este método.

Respuesta

Si se ejecuta correctamente, este método devuelve un 200 OK código de respuesta y un objeto de incidente en el cuerpo de la respuesta.

Ejemplos

Solicitud

En el ejemplo siguiente se muestra la solicitud.

GET https://graph.microsoft.com/beta/security/incidents/2972395

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Incidents["{incident-id}"].GetAsync();

mgc-beta security incidents get --incident-id {incident-id}

// Code snippets are only available for the latest major version. Current major version is $v0.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
incidents, err := graphClient.Security().Incidents().ByIncidentId("incident-id").Get(context.Background(), nil)

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.security.Incident result = graphClient.security().incidents().byIncidentId("{incident-id}").get();

const options = {
	authProvider,
};

const client = Client.init(options);

let incident = await client.api('/security/incidents/2972395')
	.version('beta')
	.get();

<?php
use Microsoft\Graph\Beta\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$result = $graphServiceClient->security()->incidents()->byIncidentId('incident-id')->get()->wait();

Import-Module Microsoft.Graph.Beta.Security

Get-MgBetaSecurityIncident -IncidentId $incidentId

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.security.incidents.by_incident_id('incident-id').get()

Respuesta

En el ejemplo siguiente se muestra la respuesta.

Nota: Se puede acortar el objeto de respuesta que se muestra aquí para mejorar la legibilidad.

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.type": "#microsoft.graph.incident",
    "id": "2972395",
    "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
    "redirectIncidentId": null,
    "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
    "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
    "createdDateTime": "2021-08-13T08:43:35.5533333Z",
    "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
    "assignedTo": "KaiC@contoso.com",
    "classification": "TruePositive",
    "determination": "MultiStagedAttack",
    "status": "Active",
    "severity": "Medium",
    "customTags": [
        "Demo"
    ],
    "comments": [
        {
            "comment": "Demo incident",
            "createdBy": "DavidS@contoso.com",
            "createdTime": "2021-09-30T12:07:37.2756993Z"
        }
    ],
    "systemTags": [
        "Defender Experts"
    ],
    "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...",
    "recommendedActions": "Immediate Recommendations:  1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . ...",
    "recommendedHuntingQueries": [
        {
            "kqlText": "AlertInfo   | where Timestamp >= datetime(2022-10-20 06:00:52.9644915)   | where Title == 'Potential Raspberry Robin worm command'  | join AlertEvidence on AlertId   | distinct DeviceId"
        }
    ],
    "lastModifiedBy": "DavidS@contoso.onmicrosoft.com",
    "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal."
}