我目前正在开发 Azure Logic App,想知道文件/附件在 Graph API“获取事件”调用的 JSON 输出中是如何显示的。到目前为止,我所有测试输出中的电子邮件都不包含任何附件,因此我需要知道附件在 JSON 中的实际显示方式,以便正确处理它们。下面是我得到的输出之一(信息已删除):
{
"body": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/incidents(alerts())/$entity",
"id": "REDACTED_INCIDENT_ID",
"tenantId": "REDACTED_TENANT_ID",
"status": "active",
"incidentWebUrl": "https://security.microsoft.com/incidents/REDACTED_INCIDENT_ID?tid=REDACTED_TENANT_ID",
"redirectIncidentId": null,
"displayName": "Email reported by user as malware or phish involving one user",
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"lastUpdateDateTime": "2023-07-XXTXX:XX:XX.Z",
"assignedTo": "REDACTED_TEAM",
"classification": "unknown",
"determination": "unknown",
"severity": "low",
"customTags": [],
"comments": [],
"alerts": [
{
"id": "REDACTED_ALERT_ID",
"providerAlertId": "REDACTED_PROVIDER_ALERT_ID",
"incidentId": "REDACTED_INCIDENT_ID",
"status": "resolved",
"severity": "low",
"classification": "falsePositive",
"determination": null,
"serviceSource": "microsoftDefenderForOffice365",
"detectionSource": "microsoftDefenderForOffice365",
"detectorId": "REDACTED_DETECTOR_ID",
"tenantId": "REDACTED_TENANT_ID",
"title": "Email reported by user as malware or phish",
"description": "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3",
"recommendedActions": "",
"category": "InitialAccess",
"assignedTo": "C3 Automated Triage Engine",
"alertWebUrl": "https://security.microsoft.com/alerts/REDACTED_ALERT_ID?tid=REDACTED_TENANT_ID",
"incidentWebUrl": "https://security.microsoft.com/incidents/REDACTED_INCIDENT_ID?tid=REDACTED_TENANT_ID",
"actorDisplayName": null,
"threatDisplayName": null,
"threatFamilyName": null,
"mitreTechniques": [
"TECHNIQUE"
],
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"lastUpdateDateTime": "2023-07-XXTXX:XX:XX.Z",
"resolvedDateTime": "2023-07-XXTXX:XX:XX.Z",
"firstActivityDateTime": "2023-07-XXTXX:XX:XX.Z",
"lastActivityDateTime": "2023-07-XXTXX:XX:XX.Z",
"comments": [],
"evidence": [
{
"@odata.type": "#microsoft.graph.security.mailboxEvidence",
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"primaryAddress": "[email protected]",
"displayName": "REDACTED_NAME",
"userAccount": {
"accountName": "REDACTED_USERNAME",
"domainName": null,
"userSid": "REDACTED_USER_SID",
"azureAdUserId": "REDACTED_AZURE_AD_USER_ID",
"userPrincipalName": "[email protected]",
"displayName": null
}
},
{
"@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"networkMessageId": "REDACTED_NETWORK_MESSAGE_ID",
"internetMessageId": "REDACTED_INTERNET_MESSAGE_ID",
"subject": "REDACTED_EMAIL_SUBJECT",
"language": "en",
"senderIp": null,
"recipientEmailAddress": "[email protected]",
"antiSpamDirection": null,
"deliveryAction": "delivered",
"deliveryLocation": "inbox",
"urn": "urn:MailEntity:REDACTED_URN",
"threats": [
"Phish",
"HighConfPhish"
],
"threatDetectionMethods": [
"MLModel"
],
"urls": [
"REDACTED_URL_1",
"REDACTED_URL_2",
"REDACTED_URL_3",
"REDACTED_URL_4",
"REDACTED_URL_5"
],
"urlCount": 5,
"attachmentsCount": 0,
"receivedDateTime": "2023-06-XXTXX:XX:XX.Z",
"p1Sender": {
"emailAddress": "[email protected]",
"displayName": null,
"domainName": "REDACTED_DOMAIN"
},
"p2Sender": {
"emailAddress": "[email protected]",
"displayName": "REDACTED_SENDER_NAME",
"domainName": "REDACTED_DOMAIN"
}
}
]
}
]
}
}
如您所见,这个事件没有附件(attachmentsCount 为 0),但正如我所说,我需要知道附件实际出现时的格式。我最初的假设是它们会像 urls 字段那样以数组形式出现,但我必须确认这一点(尤其是因为我不知道它们是以哈希值还是其他形式出现的)。
我尝试在网上查找带附件的事件在该 HTTP 调用输出中的示例,但一无所获。Microsoft 文档中没有提到这一点,而且我也没有可用于测试的带附件的电子邮件/事件。
任何帮助将不胜感激!