List incidents API in Microsoft Defender XDR

Applies to:

Note

Try our new APIs using the MS Graph security API. Find out more at: Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn

Important

Some information relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

API description

The list incidents API allows you to sort through incidents to create an informed cybersecurity response. It exposes a collection of incidents that were flagged in your network, within the time range you specified in your environment retention policy. The most recent incidents are displayed at the top of the list. Each incident contains an array of related alerts, and their related entities.

The API supports the following OData operators:

  • $filter on the lastUpdateTime, createdTime, status, and assignedTo properties
  • $top, with a maximum value of 100
  • $skip

Limitations

  1. Maximum page size is 100 incidents.
  2. Maximum rate of requests is 50 calls per minute and 1500 calls per hour.
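As an added example (this is not Microsoft's code or SDK), the Python module below composes a filtered, paged GET /api/incidents request using only the OData operators listed above, and throttles calls with a sliding window over both documented ceilings (50 per minute, 1500 per hour). It assumes the base URL https://api.security.microsoft.com and the Authorization: Bearer {token} header shown in the request example later on this page; obtaining the token is left to the caller. The HTTP transport is injectable, and the fake transport at the bottom is constructed so the module runs offline.

```python
"""Added example for this page (not Microsoft's SDK): filtered, paged
GET /api/incidents with a sliding-window throttle for the documented
rate limits. The HTTP transport is injectable so it runs offline."""
from collections import deque
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Iterator, Optional

BASE_URL = "https://api.security.microsoft.com"   # from the page's request example
PAGE_SIZE = 100                                    # documented $top maximum
CALLS_PER_MINUTE, CALLS_PER_HOUR = 50, 1500        # documented rate limits


def _odata_str(value: str) -> str:
    """Quote a string literal for $filter; OData escapes ' by doubling it."""
    return "'" + value.replace("'", "''") + "'"


def build_incidents_url(since_utc: str, status: Optional[str] = None,
                        assigned_to: Optional[str] = None,
                        top: int = PAGE_SIZE, skip: int = 0) -> str:
    """Compose /api/incidents?$filter=...&$top=...&$skip=... using only the
    properties the page says $filter supports. since_utc is an ISO 8601
    timestamp such as 2020-09-01T00:00:00Z (a constructed example value)."""
    if not 1 <= top <= PAGE_SIZE:
        raise ValueError("$top must be between 1 and 100")
    clauses = [f"lastUpdateTime ge {since_utc}"]
    if status:
        clauses.append(f"status eq {_odata_str(status)}")
    if assigned_to:
        clauses.append(f"assignedTo eq {_odata_str(assigned_to)}")
    query = urllib.parse.urlencode(
        {"$filter": " and ".join(clauses), "$top": str(top), "$skip": str(skip)})
    return f"{BASE_URL}/api/incidents?{query}"


class RateLimiter:
    """Sliding-window limiter over both documented ceilings; the clock is
    injectable so the behaviour can be checked without sleeping."""
    def __init__(self, per_minute: int = CALLS_PER_MINUTE, per_hour: int = CALLS_PER_HOUR,
                 clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.windows = [(60.0, per_minute, deque()), (3600.0, per_hour, deque())]

    def delay_needed(self) -> float:
        """Seconds to wait until the next call fits inside every window."""
        now, wait = self.clock(), 0.0
        for span, limit, calls in self.windows:
            while calls and now - calls[0] >= span:   # expire timestamps outside the window
                calls.popleft()
            if len(calls) >= limit:
                wait = max(wait, span - (now - calls[0]))
        return wait

    def record(self) -> None:
        now = self.clock()
        for _, _, calls in self.windows:
            calls.append(now)


def http_get(url: str, token: str) -> dict:
    """Default transport: HTTPS GET with the Bearer header documented on the page."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_incidents(token: str, since_utc: str, status: Optional[str] = None,
                   transport: Callable[[str, str], dict] = http_get,
                   limiter: Optional[RateLimiter] = None,
                   sleep: Callable[[float], None] = time.sleep) -> Iterator[dict]:
    """Yield incidents page by page: advance $skip by the page size and stop
    at the first short page. Every call is throttled before it is sent."""
    limiter = limiter or RateLimiter()
    skip = 0
    while True:
        delay = limiter.delay_needed()
        if delay > 0:
            sleep(delay)
        limiter.record()
        page = transport(build_incidents_url(since_utc, status, top=PAGE_SIZE, skip=skip), token)
        items = page.get("value", [])
        yield from items
        if len(items) < PAGE_SIZE:
            return
        skip += PAGE_SIZE


def make_fake_transport(total: int):
    """Constructed stand-in for http_get: serves `total` synthetic incidents shaped
    like the page's sample and honours $top/$skip. Returns (transport, call log)."""
    calls = []

    def transport(url: str, token: str) -> dict:
        calls.append(url)
        q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        top, skip = int(q["$top"][0]), int(q["$skip"][0])
        value = [{"incidentId": 924000 + i, "status": "Active", "alerts": []}
                 for i in range(skip, min(skip + top, total))]
        return {"@odata.context": f"{BASE_URL}/api/$metadata#Incidents", "value": value}
    return transport, calls


def demo(total: int = 130) -> tuple:
    """Page through `total` fake incidents; returns (incidents seen, HTTP calls made)."""
    transport, calls = make_fake_transport(total)
    seen = list(iter_incidents("<token placeholder>", "2020-09-01T00:00:00Z", status="Active",
                               transport=transport, limiter=RateLimiter(clock=lambda: 0.0),
                               sleep=lambda _s: None))
    return len(seen), len(calls)
```

Stopping at the first page shorter than $top costs one extra request only when the total is an exact multiple of 100; the throttle runs before each request, so a long backfill over many retention days simply slows down instead of being rejected. Swap `make_fake_transport` for the default `http_get` and a real token to run it against the service.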

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Access the Microsoft Defender XDR APIs.

Permission type | Permission | Permission display name
Application | Incident.Read.All | Read all incidents
Application | Incident.ReadWrite.All | Read and write all incidents
Delegated (work or school account) | Incident.Read | Read incidents
Delegated (work or school account) | Incident.ReadWrite | Read and write incidents

Note

When obtaining a token using user credentials:

  • The user needs to have view permission for incidents in the portal.
  • The response will include only incidents that the user is exposed to.

HTTP request

GET /api/incidents

Request headers

Name | Type | Description
Authorization | String | Bearer {token}. Required.

Request body

None.

Response

If successful, this method returns 200 OK, and a list of incidents in the response body.

Schema mapping

Incident metadata

Field name | Description | Example value
incidentId | Unique identifier to represent the incident. | 924565
redirectIncidentId | Only populated in case an incident is grouped together with another incident, as part of the incident processing logic. | 924569
incidentName | The string value available for each incident. | Ransomware activity
createdTime | Time when the incident was first created. | 2020-09-06T14:46:57.0733333Z
lastUpdateTime | Time when the incident was last updated at the backend. This field can be used when you set the request parameter for the range of time that incidents are retrieved. | 2020-09-06T14:46:57.29Z
assignedTo | Owner of the incident, or null if no owner is assigned. | secop2@contoso.com
classification | The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive. | Unknown
determination | Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other. | NotAvailable
detectionSource | Specifies the detection source. | Defender for Cloud Apps
status | Categorizes the incident (as Active or Resolved). It can help you organize and manage your response to incidents. | Active
severity | Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically, higher-severity items require the most immediate attention. One of the following values: Informational, Low, Medium, and High. | 
tags | Array of custom tags associated with an incident, for example to flag a group of incidents with a common characteristic. | []
comments | Array of comments created by secops when managing the incident, for example additional information about the classification selection. | []
alerts | Array containing all of the alerts related to the incident, plus other information, such as severity, entities that were involved in the alert, and the source of the alerts. | [] (see details on alert fields below)

Alert metadata

Field name | Description | Example value
alertId | Unique identifier to represent the alert. | caD70CFEE2-1F54-32DB-9988-3A868A1EBFAC
incidentId | Unique identifier to represent the incident this alert is associated with. | 924565
serviceSource | Service that the alert originates from, such as Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, or Microsoft Defender for Office 365. | MicrosoftCloudAppSecurity
creationTime | Time when the alert was first created. | 2020-09-06T14:46:55.7182276Z
lastUpdatedTime | Time when the alert was last updated at the backend. | 2020-09-06T14:46:57.2433333Z
resolvedTime | Time when the alert was resolved. | 2020-09-10T05:22:59Z
firstActivity | Time when the alert first reported that activity was updated at the backend. | 2020-09-04T05:22:59Z
title | Brief identifying string value available for each alert. | Ransomware activity
description | String value describing each alert. | The user Test User2 (testUser2@contoso.com) manipulated 99 files with multiple extensions ending with the uncommon extension herunterladen. This is an unusual number of file manipulations and is indicative of a potential ransomware attack.
category | Visual and numeric view of how far the attack has progressed along the kill chain. Aligned to the MITRE ATT&CK™ framework. | Impact
status | Categorizes the alert (as New, Active, or Resolved). It can help you organize and manage your response to alerts. | New
severity | Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically, higher-severity items require the most immediate attention. One of the following values: Informational, Low, Medium, High. | 
investigationId | The automated investigation ID triggered by this alert. | 1234
investigationState | Information on the investigation's current status. One of the following values: Unknown, Terminated, SuccessfullyRemediated, Benign, Failed, PartiallyRemediated, Running, PendingApproval, PendingResource, PartiallyInvestigated, TerminatedByUser, TerminatedBySystem, Queued, InnerFailure, PreexistingAlert, UnsupportedOs, UnsupportedAlertType, SuppressedAlert. | UnsupportedAlertType
classification | The specification for the incident. The property values are: Unknown, FalsePositive, TruePositive, or null. | Unknown
determination | Specifies the determination of the incident. The property values are: NotAvailable, Apt, Malware, SecurityPersonnel, SecurityTesting, UnwantedSoftware, Other, or null. | Apt
assignedTo | Owner of the incident, or null if no owner is assigned. | secop2@contoso.com
actorName | The activity group, if any, associated with this alert. | 
threatFamilyName | Threat family associated with this alert. | 
mitreTechniques | The attack techniques, as aligned with the MITRE ATT&CK™ framework. | []
devices | All devices where alerts related to the incident were sent. | [] (see details on the device fields below)

Device format

Field name | Description | Example value
DeviceId | The device ID as designated in Microsoft Defender for Endpoint. | 24c222b0b60fe148eeece49ac83910cc6a7ef491
aadDeviceId | The device ID as designated in Microsoft Entra ID. Available only for domain-joined devices. | 
deviceDnsName | The fully qualified domain name for the device. | user5cx.middleeast.corp.contoso.com
osPlatform | The OS platform the device is running. | WindowsServer2016
osBuild | The build version for the OS the device is running. | 14393
rbacGroupName | The role-based access control (RBAC) group associated with the device. | WDATP-Ring0
firstSeen | Time when the device was first seen. | 2020-02-06T14:16:01.9330135Z
healthStatus | The health state of the device. | Active
riskScore | The risk score for the device. | 
entities | All entities that have been identified to be part of, or related to, a given alert. | [] (see details on entity fields below)

Entity format

Field name | Description | Example value
entityType | Entities that have been identified to be part of, or related to, a given alert. The property values are: User, Ip, Url, File, Process, MailBox, MailMessage, MailCluster, Registry. | User
sha1 | Available if entityType is File. The file hash for alerts associated with a file or process. | 5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd
sha256 | Available if entityType is File. The file hash for alerts associated with a file or process. | 28cb017dfc99073aa1b47c1b30f413e3ce774c4991eb4158de50f9dbb36d8043
fileName | Available if entityType is File. The file name for alerts associated with a file or process. | Detector.UnitTests.dll
filePath | Available if entityType is File. The file path for alerts associated with a file or process. | C:\\agent_work_temp\Deploy\SYSTEM\2020-09-06 12_14_54\out
processId | Available if entityType is Process. | 24348
processCommandLine | Available if entityType is Process. | "Your File Is Ready To Download_1911150169.exe"
processCreationTime | Available if entityType is Process. | 2020-07-18T03:25:38.5269993Z
parentProcessId | Available if entityType is Process. | 16840
parentProcessCreationTime | Available if entityType is Process. | 2020-07-18T02:12:32.8616797Z
ipAddress | Available if entityType is Ip. IP address for alerts associated with network events, such as communication to a malicious network destination. | 62.216.203.204
url | Available if entityType is Url. URL for alerts associated with network events, such as communication to a malicious network destination. | down.esales360.cn
accountName | Available if entityType is User. | testUser2
domainName | Available if entityType is User. | europe.corp.contoso
userSid | Available if entityType is User. | S-1-5-21-1721254763-462695806-1538882281-4156657
aadUserId | Available if entityType is User. | fc8f7484-f813-4db2-afab-bc1507913fb6
userPrincipalName | Available if entityType is User/MailBox/MailMessage. | testUser2@contoso.com
mailboxDisplayName | Available if entityType is MailBox. | test User2
mailboxAddress | Available if entityType is User/MailBox/MailMessage. | testUser2@contoso.com
clusterBy | Available if entityType is MailCluster. | Subject;P2SenderDomain;ContentType
sender | Available if entityType is User/MailBox/MailMessage. | user.abc@mail.contoso.co.in
recipient | Available if entityType is MailMessage. | testUser2@contoso.com
subject | Available if entityType is MailMessage. | [EXTERNAL] Attention
deliveryAction | Available if entityType is MailMessage. | Delivered
securityGroupId | Available if entityType is SecurityGroup. | 301c47c8-e15f-4059-ab09-e2ba9ffd372b
securityGroupName | Available if entityType is SecurityGroup. | Network Configuration Operators
registryHive | Available if entityType is Registry. | HKEY_LOCAL_MACHINE
registryKey | Available if entityType is Registry. | SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
registryValueType | Available if entityType is Registry. | String
registryValue | Available if entityType is Registry. | 31-00-00-00
deviceId | The ID, if any, of the device related to the entity. | 986e5df8b73dacd43c8917d17e523e76b13c75cd
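The incident, alert, device and entity tables above describe one nested structure (incident, then alerts, then the devices and entities of each alert), and the quickest way to see how the pieces fit is a reducer that flattens it into a triage list. The block below is an added example written for this page, not Microsoft's code. SAMPLE_RESPONSE is constructed from values shown on this page, plus one constructed incident whose redirectIncidentId is set, to show how a merged incident is handled. It also tolerates one naming difference visible on the page: the device table calls the field DeviceId while the response example further down uses mdatpDeviceId.

```python
"""Added example for this page (not Microsoft's code): reduce the nested
incident -> alerts -> devices/entities payload of GET /api/incidents to a
flat, ordered triage list."""

# Severity values documented on the page, ranked for sorting.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Fields worth lifting per entityType, taken from the entity format table.
ENTITY_FIELDS = {
    "File": ("sha1", "sha256", "fileName"),
    "Process": ("processId", "processCommandLine"),
    "Ip": ("ipAddress",),
    "Url": ("url",),
    "User": ("userPrincipalName", "userSid"),
    "MailBox": ("mailboxAddress",),
    "MailMessage": ("sender", "recipient", "subject"),
    "MailCluster": ("clusterBy",),
    "Registry": ("registryHive", "registryKey", "registryValue"),
    "SecurityGroup": ("securityGroupName",),
}

# Constructed from values on this page; null entity fields are omitted for brevity.
# Incident 924569 is constructed to show a redirected (merged) incident.
SAMPLE_RESPONSE = {
    "@odata.context": "https://api.security.microsoft.com/api/$metadata#Incidents",
    "value": [
        {"incidentId": 924565, "redirectIncidentId": None, "incidentName": "Ransomware activity",
         "lastUpdateTime": "2020-09-06T14:46:57.29Z", "status": "Active", "severity": "Medium",
         "assignedTo": None,
         "alerts": [{"alertId": "caD70CFEE2-1F54-32DB-9988-3A868A1EBFAC",
                     "serviceSource": "MicrosoftCloudAppSecurity", "category": "Impact",
                     "devices": [],
                     "entities": [{"entityType": "User", "userPrincipalName": "testUser2@contoso.com"},
                                  {"entityType": "Ip", "ipAddress": "62.216.203.204"}]}]},
        {"incidentId": 924521, "redirectIncidentId": None,
         "incidentName": "'Mimikatz' hacktool was detected on one endpoint",
         "lastUpdateTime": "2020-09-06T12:18:03.81Z", "status": "Active", "severity": "Low",
         "assignedTo": None,
         "alerts": [{"alertId": "da637349914833441527_393341063",
                     "serviceSource": "MicrosoftDefenderATP", "category": "Malware",
                     "devices": [{"mdatpDeviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491",
                                  "deviceDnsName": "user5cx.middleeast.corp.contoso.com",
                                  "riskScore": "High"}],
                     "entities": [{"entityType": "File", "sha1": "5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd",
                                   "sha256": None, "fileName": "Detector.UnitTests.dll"}]}]},
        {"incidentId": 924569, "redirectIncidentId": 924565, "incidentName": "constructed merged incident",
         "lastUpdateTime": "2020-09-06T14:00:00Z", "status": "Active", "severity": "High",
         "assignedTo": None, "alerts": []},
    ],
}


def extract_indicators(alert: dict) -> dict:
    """Collect the per-entityType fields above plus device IDs for one alert.
    Accepts both DeviceId (device table) and mdatpDeviceId (sample response)."""
    found = {}
    for ent in alert.get("entities") or []:
        for field in ENTITY_FIELDS.get(ent.get("entityType"), ()):
            if ent.get(field) is not None:
                found.setdefault(field, []).append(ent[field])
    for dev in alert.get("devices") or []:
        dev_id = dev.get("mdatpDeviceId") or dev.get("DeviceId")
        if dev_id:
            found.setdefault("deviceId", []).append(dev_id)
    return found


def summarize_incident(inc: dict) -> dict:
    """One flat row per incident: ownership, sources, categories and indicators."""
    alerts = inc.get("alerts") or []
    indicators = {}
    for alert in alerts:
        for field, values in extract_indicators(alert).items():
            bucket = indicators.setdefault(field, [])
            bucket.extend(v for v in values if v not in bucket)   # dedupe across alerts
    return {
        "incidentId": inc["incidentId"],
        "name": inc.get("incidentName"),
        "severity": inc.get("severity"),
        "status": inc.get("status"),
        "lastUpdateTime": inc.get("lastUpdateTime", ""),
        "alertCount": len(alerts),
        "sources": sorted({a["serviceSource"] for a in alerts if a.get("serviceSource")}),
        "categories": sorted({a["category"] for a in alerts if a.get("category")}),
        "needsOwner": inc.get("status") == "Active" and inc.get("assignedTo") is None,
        "indicators": indicators,
    }


def triage(payload: dict) -> list:
    """Drop incidents merged elsewhere (redirectIncidentId set), then order by
    severity (highest first) and lastUpdateTime (newest first)."""
    rows = [summarize_incident(inc) for inc in payload.get("value") or []
            if inc.get("redirectIncidentId") is None]
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], -1), r["lastUpdateTime"]),
              reverse=True)
    return rows
```

Feed `triage` the parsed body of a real response and the rows can go straight into a ticketing queue or a watchlist; the dedupe step matters because the same file hash or IP typically appears in several alerts of one incident.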

Example

Request example

GET https://api.security.microsoft.com/api/incidents

Response example

{
    "@odata.context": "https://api.security.microsoft.com/api/$metadata#Incidents",
    "value": [
        {
            "incidentId": 924565,
            "redirectIncidentId": null,
            "incidentName": "Ransomware activity",
            "createdTime": "2020-09-06T14:46:57.0733333Z",
            "lastUpdateTime": "2020-09-06T14:46:57.29Z",
            "assignedTo": null,
            "classification": "Unknown",
            "determination": "NotAvailable",
            "status": "Active",
            "severity": "Medium",
            "tags": [],
            "comments": [
                {
                    "comment": "test comment for docs",
                    "createdBy": "secop123@contoso.com",
                    "createdTime": "2021-01-26T01:00:37.8404534Z"
                }
            ],
            "alerts": [
                {
                    "alertId": "caD70CFEE2-1F54-32DB-9988-3A868A1EBFAC",
                    "incidentId": 924565,
                    "serviceSource": "MicrosoftCloudAppSecurity",
                    "creationTime": "2020-09-06T14:46:55.7182276Z",
                    "lastUpdatedTime": "2020-09-06T14:46:57.2433333Z",
                    "resolvedTime": null,
                    "firstActivity": "2020-09-04T05:22:59Z",
                    "lastActivity": "2020-09-04T05:22:59Z",
                    "title": "Ransomware activity",
                    "description": "The user Test User2 (testUser2@contoso.com) manipulated 99 files with multiple extensions ending with the uncommon extension herunterladen. This is an unusual number of file manipulations and is indicative of a potential ransomware attack.",
                    "category": "Impact",
                    "status": "New",
                    "severity": "Medium",
                    "investigationId": null,
                    "investigationState": "UnsupportedAlertType",
                    "classification": null,
                    "determination": null,
                    "detectionSource": "MCAS",
                    "assignedTo": null,
                    "actorName": null,
                    "threatFamilyName": null,
                    "mitreTechniques": [],
                    "devices": [],
                    "entities": [
                        {
                            "entityType": "User",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": "testUser2",
                            "domainName": "europe.corp.contoso",
                            "userSid": "S-1-5-21-1721254763-462695806-1538882281-4156657",
                            "aadUserId": "fc8f7484-f813-4db2-afab-bc1507913fb6",
                            "userPrincipalName": "testUser2@contoso.com",
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": null,
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "Ip",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": "62.216.203.204",
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": null,
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": null,
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        }
                    ]
                }
            ]
        },
        {
            "incidentId": 924521,
            "redirectIncidentId": null,
            "incidentName": "'Mimikatz' hacktool was detected on one endpoint",
            "createdTime": "2020-09-06T12:18:03.6266667Z",
            "lastUpdateTime": "2020-09-06T12:18:03.81Z",
            "assignedTo": null,
            "classification": "Unknown",
            "determination": "NotAvailable",
            "status": "Active",
            "severity": "Low",
            "tags": [],
            "comments": [],
            "alerts": [
                {
                    "alertId": "da637349914833441527_393341063",
                    "incidentId": 924521,
                    "serviceSource": "MicrosoftDefenderATP",
                    "creationTime": "2020-09-06T12:18:03.3285366Z",
                    "lastUpdatedTime": "2020-09-06T12:18:04.2566667Z",
                    "resolvedTime": null,
                    "firstActivity": "2020-09-06T12:15:07.7272048Z",
                    "lastActivity": "2020-09-06T12:15:07.7272048Z",
                    "title": "'Mimikatz' hacktool was detected",
                    "description": "Readily available tools, such as hacking programs, can be used by unauthorized individuals to spy on users. When used by attackers, these tools are often installed without authorization and used to compromise targeted machines.\n\nThese tools are often used to collect personal information from browser records, record key presses, access email and instant messages, record voice and video conversations, and take screenshots.\n\nThis detection might indicate that Microsoft Defender Antivirus has stopped the tool from being installed and used effectively. However, it is prudent to check the machine for the files and processes associated with the detected tool.",
                    "category": "Malware",
                    "status": "New",
                    "severity": "Low",
                    "investigationId": null,
                    "investigationState": "UnsupportedOs",
                    "classification": null,
                    "determination": null,
                    "detectionSource": "WindowsDefenderAv",
                    "assignedTo": null,
                    "actorName": null,
                    "threatFamilyName": "Mimikatz",
                    "mitreTechniques": [],
                    "devices": [
                        {
                            "mdatpDeviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491",
                            "aadDeviceId": null,
                            "deviceDnsName": "user5cx.middleeast.corp.contoso.com",
                            "osPlatform": "WindowsServer2016",
                            "version": "1607",
                            "osProcessor": "x64",
                            "osBuild": 14393,
                            "healthStatus": "Active",
                            "riskScore": "High",
                            "rbacGroupName": "WDATP-Ring0",
                            "rbacGroupId": 9,
                            "firstSeen": "2020-02-06T14:16:01.9330135Z"
                        }
                    ],
                    "entities": [
                        {
                            "entityType": "File",
                            "sha1": "5de839186691aa96ee2ca6d74f0a38fb8d1bd6dd",
                            "sha256": null,
                            "fileName": "Detector.UnitTests.dll",
                            "filePath": "C:\\Agent\\_work\\_temp\\Deploy_SYSTEM 2020-09-06 12_14_54\\Out",
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": null,
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": null,
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": "24c222b0b60fe148eeece49ac83910cc6a7ef491"
                        }
                    ]
                }
            ]
        },
        {
            "incidentId": 924518,
            "redirectIncidentId": null,
            "incidentName": "Email reported by user as malware or phish",
            "createdTime": "2020-09-06T12:07:55.1366667Z",
            "lastUpdateTime": "2020-09-06T12:07:55.32Z",
            "assignedTo": null,
            "classification": "Unknown",
            "determination": "NotAvailable",
            "status": "Active",
            "severity": "Informational",
            "tags": [],
            "comments": [],
            "alerts": [
                {
                    "alertId": "faf8edc936-85f8-a603-b800-08d8525cf099",
                    "incidentId": 924518,
                    "serviceSource": "OfficeATP",
                    "creationTime": "2020-09-06T12:07:54.3716642Z",
                    "lastUpdatedTime": "2020-09-06T12:37:40.88Z",
                    "resolvedTime": null,
                    "firstActivity": "2020-09-06T12:04:00Z",
                    "lastActivity": "2020-09-06T12:04:00Z",
                    "title": "Email reported by user as malware or phish",
                    "description": "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.2",
                    "category": "InitialAccess",
                    "status": "InProgress",
                    "severity": "Informational",
                    "investigationId": null,
                    "investigationState": "Queued",
                    "classification": null,
                    "determination": null,
                    "detectionSource": "OfficeATP",
                    "assignedTo": "Automation",
                    "actorName": null,
                    "threatFamilyName": null,
                    "mitreTechniques": [],
                    "devices": [],
                    "entities": [
                        {
                            "entityType": "MailBox",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": "testUser3@contoso.com",
                            "mailboxDisplayName": "test User3",
                            "mailboxAddress": "testUser3@contoso.com",
                            "clusterBy": null,
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "MailBox",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": "testUser4@contoso.com",
                            "mailboxDisplayName": "test User4",
                            "mailboxAddress": "test.User4@contoso.com",
                            "clusterBy": null,
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "MailMessage",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": "test.User4@contoso.com",
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": null,
                            "sender": "user.abc@mail.contoso.co.in",
                            "recipient": "test.User4@contoso.com",
                            "subject": "[EXTERNAL] Attention",
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "MailCluster",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": null,
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": "Subject;P2SenderDomain;ContentType",
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "MailCluster",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": null,
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": "Subject;SenderIp;ContentType",
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "MailCluster",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": null,
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": "BodyFingerprintBin1;P2SenderDomain;ContentType",
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "MailCluster",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": null,
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": null,
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": "BodyFingerprintBin1;SenderIp;ContentType",
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        },
                        {
                            "entityType": "Ip",
                            "sha1": null,
                            "sha256": null,
                            "fileName": null,
                            "filePath": null,
                            "processId": null,
                            "processCommandLine": null,
                            "processCreationTime": null,
                            "parentProcessId": null,
                            "parentProcessCreationTime": null,
                            "ipAddress": "49.50.81.121",
                            "url": null,
                            "accountName": null,
                            "domainName": null,
                            "userSid": null,
                            "aadUserId": null,
                            "userPrincipalName": null,
                            "mailboxDisplayName": null,
                            "mailboxAddress": null,
                            "clusterBy": null,
                            "sender": null,
                            "recipient": null,
                            "subject": null,
                            "deliveryAction": null,
                            "securityGroupId": null,
                            "securityGroupName": null,
                            "registryHive": null,
                            "registryKey": null,
                            "registryValueType": null,
                            "registryValue": null,
                            "deviceId": null
                        }
                    ]
                }
            ]
        },
        ...
    ]
}

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.