Get Alerts
description retrieve a comprehensive list of alerts from microsoft defender to identify potential security threats endpoint url /api/alerts method get inputs parameters (object) $filter (string) $select (string) $orderby (string) $top (number) $skip (number) $count (boolean) $expand (string) output example \[ { "status code" 200, "response headers" { "date" "thu, 04 may 2023 12 52 40 gmt", "content type" "application/json; odata metadata=minimal; odata streaming=true; charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive", "content encoding" "deflate", "vary" "accept encoding", "odata version" "4 0", "strict transport security" "max age=15724800; includesubdomains" }, "reason" "ok", "json body" { "@odata context" "https //api securitycenter microsoft com/api/$metadata#alerts", "value" \[ { "id" "ar638180599315648136 73827727", "incidentid" 400, "investigationid" 6, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "automatedinvestigation", "detectorid" "5c6b7d86 c91f 4f8c 8aec 9d2086f46527", "category" "suspiciousactivity", "threatfamilyname" null, "title" "automated investigation started manually", "description" "se pov user(pov\@swimlaneintegrations onmicrosoft com) initiated an automated investigation on se pov desktop \n the investigation automatically identifies and reviews threat artifacts for possible remediation ", "alertcreationtime" "2023 04 25t22 52 11 5648315z", "firsteventtime" "2023 04 25t22 52 11z", "lasteventtime" "2023 04 25t22 52 11z", "lastupdatetime" "2023 04 25t22 58 00 55z", "resolvedtime" "2023 04 25t22 58 00 4108067z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", 
"domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da0c7e089d 5ff6 4e04 8000 17f4e35fa783 1", "incidentid" 392, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "category" "malware", "threatfamilyname" "eicar test file", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "alertcreationtime" "2023 04 19t13 42 13 1851332z", "firsteventtime" "2023 04 19t13 30 57 9123134z", "lasteventtime" "2023 04 19t13 30 57 9123134z", "lastupdatetime" "2023 04 19t13 42 14 3133333z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da14ac5136 324c 4dd7 8e22 a880f7266da7 1", "incidentid" 392, "investigationid" 4, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" 
"successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "eicar test file", "title" "'eicar test file' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t13 43 49 3882906z", "firsteventtime" "2023 04 19t13 30 57 913646z", "lasteventtime" "2023 04 19t13 30 57 913646z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da163c9003 bc7d 4649 89e3 dfdf927da744 1", "incidentid" 407, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "windowsdefenderav", "detectorid" "12cfe475 4973 4a03 ad53 60dca8bf9d3d", "category" "malware", "threatfamilyname" "eicar test file", "title" "malware was detected in a zip archive file", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected devices\u200b some of these 
undesirable applications can replicate and spread from one device to another other devices receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection indicates that malware was found in an archive file the malware has not been launched if real time protection is turned on and the threat is not excluded, any attempt to detonate the malware from this archive will be blocked ", "alertcreationtime" "2023 04 26t15 25 00 2604342z", "firsteventtime" "2023 04 26t15 05 59 1225425z", "lasteventtime" "2023 04 26t15 09 18 9067858z", "lastupdatetime" "2023 04 26t15 27 59 8566667z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da17fbbe7a a8fc 497d 8f87 7de15a27c2df 1", "incidentid" 396, "investigationid" 5, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2015 0318", "title" "'cve 2015 0318' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t22 03 07 7939898z", "firsteventtime" 
"2023 04 19t22 01 16 2819441z", "lasteventtime" "2023 04 19t22 01 16 2819441z", "lastupdatetime" "2023 04 19t22 17 02 9966667z", "resolvedtime" "2023 04 19t22 17 02 7376611z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2015 0318!mtb", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da1c42fa48 be2d 4820 9fb0 d39bde338a59 1", "incidentid" 393, "investigationid" 4, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "skeeyah", "title" "'skeeyah' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t17 48 49 1062764z", "firsteventtime" "2023 04 19t17 46 46 4770357z", "lasteventtime" "2023 04 19t17 46 46 4770357z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "trojan\ win32/skeeyah a!bit", "mitretechniques" 
\[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da36aabc3a 0496 4590 b652 a3b8dda1c7ef 1", "incidentid" 393, "investigationid" 4, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2014 0515", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t17 48 49 0574812z", "firsteventtime" "2023 04 19t17 46 46 4770008z", "lasteventtime" "2023 04 19t17 46 46 4770008z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2014 0515", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da3e76d950 79f2 4050 b425 82fb969bc92a 1", "incidentid" 407, "investigationid" 12, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" 
"successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "eicar test file", "title" "'eicar test file' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t15 20 10 6946z", "firsteventtime" "2023 04 26t15 05 59 1225823z", "lasteventtime" "2023 04 26t15 09 18 9337128z", "lastupdatetime" "2023 04 26t15 35 48 86z", "resolvedtime" "2023 04 26t15 35 48 6958753z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virus\ dos/eicar test file", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da45985c2a 5b72 44af acf2 28f061e72059 1", "incidentid" 393, "investigationid" 4, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "d60f5b90 ecd8 4d77 8186 a801597ec762", "category" "malware", "threatfamilyname" "genmaldwn", "title" "'genmaldwn' malware was detected", "description" "malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines some of these undesirable applications can replicate and spread from one machine to another others 
are able to receive commands from remote attackers and perform activities associated with cyber attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t17 48 49 1682795z", "firsteventtime" "2023 04 19t17 46 46 4770691z", "lasteventtime" "2023 04 19t17 46 46 4770691z", "lastupdatetime" "2023 04 19t18 28 28 84z", "resolvedtime" "2023 04 19t18 28 28 5479406z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "trojandownloader\ bat/genmaldwn k!bit", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da59278d48 685b 44bf 912c 7040e009cd03 1", "incidentid" 404, "investigationid" 10, "assignedto" "api action", "severity" "medium", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "51d03c45 b142 4de4 95df 01b0c259d8f6", "category" "ransomware", "threatfamilyname" "cve", "title" "'cve' ransomware was detected", "description" "ransomware use common methods to encrypt files using keys that are known only to attackers as a result, victims are unable to access the contents of the encrypted files most ransomware display or drop a ransom note\u2014an image or an html file that contains information about how to obtain the attacker supplied decryption tool for a fee \u00a0\u00a0 \n\nto target documents or other files that contain user data, some ransomware look for files in certain locations and files with certain extension names it is also common for ransomware to rename encrypted files so that they all use the same extension name \u00a0 \n\nthis detection might indicate that 
the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t00 47 55 268943z", "firsteventtime" "2023 04 26t00 44 40 7717353z", "lasteventtime" "2023 04 26t00 44 40 7717353z", "lastupdatetime" "2023 04 26t01 17 24 7233333z", "resolvedtime" "2023 04 26t01 17 24 3340349z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "ransom\ win32/cve", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da5a9d6588 c19d 4830 890b dc56ee38c0c7 1", "incidentid" 409, "investigationid" null, "assignedto" null, "severity" "medium", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "windowsdefenderav", "detectorid" "f37b8bc2 cfd2 4a8e ac62 24a7df1e698c", "category" "suspiciousactivity", "threatfamilyname" "meterpreter", "title" "meterpreter post exploitation tool", "description" "meterpreter, a post exploitation tool was detected on this device meterpreter is deployed using dll injection meterpreter was used in a wide range of documented attacks, including attacks involving state sponsored groups and groups associated with ransomware campaigns an attacker might be attempting to establish persistence, discover and steal credentials, or install and launch a payload in the device that might lead to further system compromise detections of meterpreter tools and activity should be thoroughly investigated ", "alertcreationtime" "2023 04 26t19 07 43 6797826z", "firsteventtime" "2023 04 26t18 56 29 42738z", "lasteventtime" "2023 04 26t19 01 01 5335947z", "lastupdatetime" "2023 04 26t19 09 51 96z", "resolvedtime" null, "machineid" 
"556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "virtool\ java/meterpreter a", "mitretechniques" \[ "t1055 001" ], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da638181185158896141 667602127", "incidentid" 406, "investigationid" 12, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "category" "suspiciousactivity", "threatfamilyname" null, "title" "test2", "description" "test2", "alertcreationtime" "2023 04 26t15 08 35 8896313z", "firsteventtime" "2023 04 26t15 05 50 4145357z", "lasteventtime" "2023 04 26t15 08 15 3151687z", "lastupdatetime" "2023 04 26t15 35 48 86z", "resolvedtime" "2023 04 26t15 35 48 6958753z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" null, "loggedonusers" \[], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da638181185158896391 633475706", "incidentid" 406, "investigationid" 12, "assignedto" "api action", "severity" "informational", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "customerti", "detectorid" "360fdb3b 18a9 471b 9ad0 ad80a4cbcb00", "category" "suspiciousactivity", "threatfamilyname" null, "title" "test", "description" "test", "alertcreationtime" "2023 04 26t15 08 35 8761679z", "firsteventtime" "2023 04 26t15 05 47 8062393z", "lasteventtime" "2023 04 26t15 09 18 9337128z", "lastupdatetime" "2023 04 26t15 35 48 4666667z", 
"resolvedtime" "2023 04 26t15 33 39 8027026z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" null, "loggedonusers" \[], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da7a7c9c2f 7d77 41d9 9d39 1b63b177b9dd 1", "incidentid" 402, "investigationid" 7, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "aicat", "title" "'aicat' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 25t23 28 56 6170228z", "firsteventtime" "2023 04 25t23 15 22 1010382z", "lasteventtime" "2023 04 25t23 15 22 1010382z", "lastupdatetime" "2023 04 25t23 36 18 13z", "resolvedtime" "2023 04 25t23 36 18 1157462z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ win32/aicat a!ml", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da86171505 000f 409f 8e29 86bbc2bf423e 1", "incidentid" 402, "investigationid" 8, 
"assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2014 0515", "title" "'cve 2014 0515' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 25t23 28 56 741128z", "firsteventtime" "2023 04 25t23 15 22 1010382z", "lasteventtime" "2023 04 25t23 15 22 1010382z", "lastupdatetime" "2023 04 25t23 36 08 7933333z", "resolvedtime" "2023 04 25t23 36 08 6865211z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2014 0515", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "da8b8b92a2 15ba 4e8f aa9d cd511e631542 1", "incidentid" 403, "investigationid" 9, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2015 5122", "title" "'cve 2015 5122' exploit malware was detected", "description" "exploits take advantage of unsecure code in 
operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 25t23 50 54 7027655z", "firsteventtime" "2023 04 25t23 47 13 7141705z", "lasteventtime" "2023 04 25t23 47 13 7141705z", "lastupdatetime" "2023 04 25t23 58 53 4233333z", "resolvedtime" "2023 04 25t23 58 53 254072z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2015 5122", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "daaee6e92d 64aa 478b aa9b 851c8890ef01 1", "incidentid" 411, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "customerti", "detectorid" "08dfd06f d2e2 4049 899f 67b406311d84", "category" "commandandcontrol", "threatfamilyname" null, "title" "connection to a custom network indicator", "description" "an endpoint has connected to a url or domain in your list of custom indicators ", "alertcreationtime" "2023 04 28t15 26 21 1558311z", "firsteventtime" "2023 04 28t15 22 12 6050889z", "lasteventtime" "2023 05 01t13 17 16 729907z", "lastupdatetime" "2023 05 01t13 23 23 1066667z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 
424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "dac34692e9 5835 421c 8358 0393b3723ee8 1", "incidentid" 409, "investigationid" 13, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "shellcode", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t19 07 43 6314655z", "firsteventtime" "2023 04 26t18 56 29 4275403z", "lasteventtime" "2023 04 26t19 01 01 5342168z", "lastupdatetime" "2023 04 26t19 19 19 87z", "resolvedtime" "2023 04 26t19 19 19 6865725z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ html/shellcode g!msr", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "dae2edae68 dac2 41da a066 46a2bfbd2187 1", "incidentid" 396, "investigationid" 5, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, 
"investigationstate" "successfullyremediated", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "cve 2015 5122", "title" "'cve 2015 5122' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 19t22 03 07 8698409z", "firsteventtime" "2023 04 19t22 01 16 2819781z", "lasteventtime" "2023 04 19t22 01 16 2819781z", "lastupdatetime" "2023 04 19t22 17 02 9966667z", "resolvedtime" "2023 04 19t22 17 02 7376611z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ swf/cve 2015 5122", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "dae7ea088f df7c 4fd3 bc22 ace8b97ca26f 1", "incidentid" 404, "investigationid" 10, "assignedto" "api action", "severity" "low", "status" "resolved", "classification" null, "determination" null, "investigationstate" "benign", "detectionsource" "windowsdefenderav", "detectorid" "3d73c9cf d227 4f4f bc32 a9f0a0e842dd", "category" "exploit", "threatfamilyname" "shellcode", "title" "'shellcode' exploit malware was detected", "description" "exploits take advantage of unsecure code in operating system components and applications exploits allow attackers to run arbitrary code, elevate privileges, and 
perform other actions that increase their ability to compromise a targeted machine exploits are found in both commodity malware and malware used in targeted attacks \n\nthis detection might indicate that the malware was stopped from delivering its payload however, it is prudent to check the machine for signs of infection ", "alertcreationtime" "2023 04 26t00 47 55 3387677z", "firsteventtime" "2023 04 26t00 44 40 7715629z", "lasteventtime" "2023 04 26t00 44 40 7717086z", "lastupdatetime" "2023 04 26t01 17 24 7233333z", "resolvedtime" "2023 04 26t01 17 24 3340349z", "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" "exploit\ html/shellcode g!msr", "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] }, { "id" "dafc3894c7 9ed6 4d21 b990 7b858617fd8a 1", "incidentid" 412, "investigationid" null, "assignedto" null, "severity" "informational", "status" "new", "classification" null, "determination" null, "investigationstate" "unsupportedalerttype", "detectionsource" "customerti", "detectorid" "08dfd06f d2e2 4049 899f 67b406311d84", "category" "commandandcontrol", "threatfamilyname" null, "title" "connection to a custom network indicator", "description" "an endpoint has connected to a url or domain in your list of custom indicators ", "alertcreationtime" "2023 05 01t19 18 27 6846556z", "firsteventtime" "2023 05 01t19 15 14 1182628z", "lasteventtime" "2023 05 01t19 15 14 1182628z", "lastupdatetime" "2023 05 01t19 18 30 2733333z", "resolvedtime" null, "machineid" "556b3952acb0bff29816d267822305781cc183ec", "computerdnsname" "se pov desktop", "rbacgroupname" null, "aadtenantid" "f5d73c4c bb3d 421b 8bee 424916a4acca", "threatname" null, "mitretechniques" \[], "relateduser" null, "loggedonusers" \[ { "accountname" "chris 
phillips", "domainname" "se pov desktop" } ], "comments" \[], "evidence" \[], "domains" \[] } ] } } ]

Output parameters:
- status code (number)
- reason (string)
- json body (object)
  - @odata context (string)
  - value (array), whose items carry: id (string), incidentid (number), investigationid (object), assignedto (object), severity (string), status (string), classification (object), determination (object), investigationstate (string), detectionsource (string), detectorid (string), category (string), threatfamilyname (object), title (string), description (string), alertcreationtime (string), firsteventtime (string), lasteventtime (string), lastupdatetime (string), resolvedtime (object), machineid (string), computerdnsname (string), rbacgroupname (object), aadtenantid (string), threatname (object), mitretechniques (array: file name (string) – required, file (string) – required), relateduser (object), loggedonusers (array: accountname (string), domainname (string)), comments (array: file name (string) – required, file (string) – required), evidence (array: file name (string) – required, file (string) – required), domains (array: file name (string) – required, file (string) – required)
- response headers (header: type): date (string), content type (string), transfer encoding (string), connection (string), content encoding (string), vary (string), odata version (string), strict transport security (string)