Get Alert
**Description**

Retrieves detailed information for a specified alert in Microsoft Defender using the unique alert ID.

**Endpoint URL:** `/api/alerts/{{id}}`

**Method:** `GET`

**Inputs**

- Path parameters (object) – required
  - id (string) – required

**Output Example**

The example below is a single successful (200) response. A non-200 result is reported through `status_code` and `reason`, so check `status_code` before reading fields out of `json_body`.

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Date": "Thu, 04 May 2023 13:05:30 GMT",
      "Content-Type": "application/json; odata.metadata=minimal; odata.streaming=true; charset=utf-8",
      "Transfer-Encoding": "chunked",
      "Connection": "keep-alive",
      "Content-Encoding": "deflate",
      "Vary": "Accept-Encoding",
      "OData-Version": "4.0",
      "Strict-Transport-Security": "max-age=15724800; includeSubDomains"
    },
    "reason": "OK",
    "json_body": {
      "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts/$entity",
      "id": "ar638180599315648136_73827727",
      "incidentId": 400,
      "investigationId": 6,
      "assignedTo": "api action",
      "severity": "Informational",
      "status": "Resolved",
      "classification": null,
      "determination": null,
      "investigationState": "Benign",
      "detectionSource": "AutomatedInvestigation",
      "detectorId": "5c6b7d86-c91f-4f8c-8aec-9d2086f46527",
      "category": "SuspiciousActivity",
      "threatFamilyName": null,
      "title": "Automated investigation started manually",
      "description": "se pov user(pov@swimlaneintegrations.onmicrosoft.com) initiated an automated investigation on se pov desktop.\nThe investigation automatically identifies and reviews threat artifacts for possible remediation.",
      "alertCreationTime": "2023-04-25T22:52:11.5648315Z",
      "firstEventTime": "2023-04-25T22:52:11Z",
      "lastEventTime": "2023-04-25T22:52:11Z",
      "lastUpdateTime": "2023-04-25T22:58:00.55Z",
      "resolvedTime": "2023-04-25T22:58:00.4108067Z",
      "machineId": "556b3952acb0bff29816d267822305781cc183ec",
      "computerDnsName": "se pov desktop",
      "rbacGroupName": null,
      "aadTenantId": "f5d73c4c-bb3d-421b-8bee-424916a4acca",
      "threatName": null,
      "mitreTechniques": [],
      "relatedUser": null,
      "loggedOnUsers": [
        {
          "accountName": "chris phillips",
          "domainName": "se pov desktop"
        }
      ],
      "comments": [],
      "evidence": [
        {
          "entityType": "Ip",
          "evidenceCreationTime": "2023-04-25T22:52:11.7733333Z",
          "sha1": null,
          "sha256": null,
          "fileName": null,
          "filePath": null,
          "processId": null,
          "processCommandLine": null,
          "processCreationTime": null,
          "parentProcessId": null,
          "parentProcessCreationTime": null,
          "parentProcessFileName": null,
          "parentProcessFilePath": null,
          "ipAddress": null,
          "url": null,
          "registryKey": null,
          "registryHive": null,
          "registryValueType": null,
          "registryValue": null,
          "registryValueName": null,
          "accountName": null,
          "domainName": null,
          "userSid": null,
          "aadUserId": null,
          "userPrincipalName": null,
          "detectionStatus": null
        }
      ],
      "domains": []
    }
  }
]
```

**Output Parameters**

Several fields below are listed as `(object)` because they are `null` in the sample response; the listed type appears to reflect the sample rather than the API schema, so a populated alert may return strings or numbers in those positions.

- status_code (number)
- reason (string)
- json_body (object)
  - @odata.context (string)
  - id (string)
  - incidentId (number)
  - investigationId (number)
  - assignedTo (string)
  - severity (string)
  - status (string)
  - classification (object)
  - determination (object)
  - investigationState (string)
  - detectionSource (string)
  - detectorId (string)
  - category (string)
  - threatFamilyName (object)
  - title (string)
  - description (string)
  - alertCreationTime (string)
  - firstEventTime (string)
  - lastEventTime (string)
  - lastUpdateTime (string)
  - resolvedTime (string)
  - machineId (string)
  - computerDnsName (string)
  - rbacGroupName (object)
  - aadTenantId (string)
  - threatName (object)
  - mitreTechniques (array)
    - file name (string) – required
    - file (string) – required
  - relatedUser (object)
  - loggedOnUsers (array)
    - accountName (string)
    - domainName (string)
  - comments (array)
    - file name (string) – required
    - file (string) – required
  - evidence (array)
    - entityType (string)
    - evidenceCreationTime (string)
    - sha1 (object)
    - sha256 (object)
    - fileName (object)
    - filePath (object)
    - processId (object)
    - processCommandLine (object)
    - processCreationTime (object)
    - parentProcessId (object)
    - parentProcessCreationTime (object)
    - parentProcessFileName (object)
    - parentProcessFilePath (object)
    - ipAddress (object)
    - url (object)
    - registryKey (object)
    - registryHive (object)
    - registryValueType (object)
    - registryValue (object)
    - registryValueName (object)
    - accountName (object)
    - domainName (object)
    - userSid (object)
    - aadUserId (object)
    - userPrincipalName (object)
    - detectionStatus (object)
  - domains (array)
    - file name (string) – required
    - file (string) – required
- response_headers

| Header | Type |
| --- | --- |
| Date | string |
| Content-Type | string |
| Transfer-Encoding | string |
| Connection | string |
| Content-Encoding | string |
| Vary | string |
| OData-Version | string |
| Strict-Transport-Security | string |