Create Alert
**Description**

Creates a new alert in Microsoft Defender with details such as machine ID, severity, and event time to identify potential threats.

**Endpoint URL:** `/api/alerts/CreateAlertByReference`

**Method:** `POST`

**Inputs**

- `json_body` (object) – required
  - `machineId` (string) – required: ID of the device on which the event was identified
  - `severity` (string) – required: Severity of the alert
  - `title` (string) – required: Title for the alert
  - `description` (string) – required: Description of the alert
  - `recommendedAction` (string) – required: The action a security officer needs to take when analyzing the alert
  - `eventTime` (string) – required: The precise time of the event as a string, as obtained from advanced hunting
  - `reportId` (string) – required: The reportId of the event, as obtained from advanced hunting
  - `category` (string) – required: Category of the alert

**Output example**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000",
      "Date": "Tue, 30 Apr 2024 10:36:47 GMT"
    },
    "reason": "OK",
    "json_body": {
      "id": "da637472900382838869_1364969609",
      "incidentId": 1126093,
      "investigationId": null,
      "assignedTo": null,
      "severity": "Low",
      "status": "New",
      "classification": null,
      "determination": null,
      "investigationState": "Queued",
      "detectionSource": "WindowsDefenderAtp",
      "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952",
      "category": "Execution",
      "threatFamilyName": null,
      "title": "Low-reputation arbitrary code executed by signed executable",
      "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.",
      "alertCreationTime": "2021-01-26T20:33:57.7220239Z",
      "firstEventTime": "2021-01-26T20:31:32.9562661Z",
      "lastEventTime": "2021-01-26T20:31:33.0577322Z",
      "lastUpdateTime": "2021-01-26T20:33:59.2Z",
      "resolvedTime": null,
      "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625",
      "computerDnsName": "temp123.middleeast.corp.microsoft.com",
      "rbacGroupName": "A",
      "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
      "threatName": null,
      "mitreTechniques": [
        "T1064",
        "T1085",
        "T1220"
      ],
      "relatedUser": {
        "userName": "temp123",
        "domainName": "DOMAIN"
      },
      "comments": [
        {
          "comment": "test comment for docs",
          "createdBy": "secop123@contoso.com",
          "createdTime": "2021-01-26T01:00:37.8404534Z"
        }
      ],
      "evidence": [
        {
          "entityType": "User",
          "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
          "sha1": null,
          "sha256": null,
          "fileName": null,
          "filePath": null,
          "processId": null,
          "processCommandLine": null,
          "processCreationTime": null,
          "parentProcessId": null,
          "parentProcessCreationTime": null,
          "parentProcessFileName": null,
          "parentProcessFilePath": null,
          "ipAddress": null,
          "url": null,
          "registryKey": null,
          "registryHive": null,
          "registryValueType": null,
          "registryValue": null,
          "accountName": "name",
          "domainName": "DOMAIN",
          "userSid": "S-1-5-21-11111607-1111760036-109187956-75141",
          "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627",
          "userPrincipalName": "temp123@microsoft.com",
          "detectionStatus": null
        },
        {
          "entityType": "Process",
          "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z",
          "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed",
          "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6",
          "fileName": "rundll32.exe",
          "filePath": "C:\\Windows\\SysWOW64",
          "processId": 3276,
          "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe",
          "processCreationTime": "2021-01-26T20:31:32.9581596Z",
          "parentProcessId": 8420,
          "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z",
          "parentProcessFileName": "rundll32.exe",
          "parentProcessFilePath": "C:\\Windows\\System32",
          "ipAddress": null,
          "url": null,
          "registryKey": null,
          "registryHive": null,
          "registryValueType": null,
          "registryValue": null,
          "accountName": null,
          "domainName": null,
          "userSid": null,
          "aadUserId": null,
          "userPrincipalName": null,
          "detectionStatus": "Detected"
        },
        {
          "entityType": "File",
          "evidenceCreationTime": "2021-01-26T20:33:58.42Z",
          "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c",
          "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608",
          "fileName": "suspicious.dll",
          "filePath": "C:\\temp",
          "processId": null,
          "processCommandLine": null,
          "processCreationTime": null,
          "parentProcessId": null,
          "parentProcessCreationTime": null,
          "parentProcessFileName": null,
          "parentProcessFilePath": null,
          "ipAddress": null,
          "url": null,
          "registryKey": null,
          "registryHive": null,
          "registryValueType": null,
          "registryValue": null,
          "accountName": null,
          "domainName": null,
          "userSid": null,
          "aadUserId": null,
          "userPrincipalName": null,
          "detectionStatus": "Detected"
        }
      ]
    }
  }
]
```

**Output parameters**

- `status_code` (number)
- `reason` (string)
- `json_body` (object)
  - `id` (string)
  - `incidentId` (number)
  - `investigationId` (object)
  - `assignedTo` (object)
  - `severity` (string)
  - `status` (string)
  - `classification` (object)
  - `determination` (object)
  - `investigationState` (string)
  - `detectionSource` (string)
  - `detectorId` (string)
  - `category` (string)
  - `threatFamilyName` (object)
  - `title` (string)
  - `description` (string)
  - `alertCreationTime` (string)
  - `firstEventTime` (string)
  - `lastEventTime` (string)
  - `lastUpdateTime` (string)
  - `resolvedTime` (object)
  - `machineId` (string)
  - `computerDnsName` (string)
  - `rbacGroupName` (string)
  - `aadTenantId` (string)
  - `threatName` (object)
  - `mitreTechniques` (array)
  - `relatedUser` (object)
    - `userName` (string)
    - `domainName` (string)
  - `comments` (array)
    - `comment` (string)
    - `createdBy` (string)
    - `createdTime` (string)
  - `evidence` (array)
    - `entityType` (string)
    - `evidenceCreationTime` (string)
    - `sha1` (string)
    - `sha256` (string)
    - `fileName` (string)
    - `filePath` (string)
    - `processId` (object)
    - `processCommandLine` (object)
    - `processCreationTime` (object)
    - `parentProcessId` (object)
    - `parentProcessCreationTime` (object)
    - `parentProcessFileName` (object)
    - `parentProcessFilePath` (object)
    - `ipAddress` (object)
    - `url` (object)
    - `registryKey` (object)
    - `registryHive` (object)
    - `registryValueType` (object)
    - `registryValue` (object)
    - `accountName` (object)
    - `domainName` (object)
    - `userSid` (object)
    - `aadUserId` (object)
    - `userPrincipalName` (object)
    - `detectionStatus` (string)

**Response headers**

| Header | Type |
| --- | --- |
| Transfer-Encoding | string |
| Content-Type | string |
| Content-Encoding | string |
| Vary | string |
| Strict-Transport-Security | string |
| Date | string |