Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and can be accessed through its portal at: https://security.microsoft.com. Microsoft 365 Defender correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities. It improves your operational efficiency with better prioritization and shorter response times which protect your organization more effectively. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
The Alerts API provides you with information about immediate risks identified by Defender for Cloud Apps that require attention. Alerts can result from suspicious usage patterns or from files containing content that violates company policy.
The following lists the supported requests:
- List alerts
- Close benign
- Close false positive
- Close true positive
- Fetch alert
- Mark alert as read
- Mark alert as unread
The following table lists the requests deprecated as obsolete, and the requests that replace them.
| Obsolete request | Replacement request |
|---|---|
| Bulk dismiss | Close false positive |
| Bulk resolve | Close true positive |
| Dismiss alert | Close false positive |
The deprecated requests have been mapped to their alternatives to avoid disruption. However, if you are using obsolete requests in your environment, we recommend updating them to their alternatives.
The response object defines the following properties.
| Property | Type | Description |
|---|---|---|
| _id | int | Alert type identifier |
| timestamp | long | Timestamp of when the alert was raised |
| entities | list | A list of entities related to the alert |
| title | string | The title of the alert |
| description | string | The alert's description |
| isMarkdown | bool | Flag to indicate if the alert's description is already in HTML |
| statusValue | int | The alert's state. Possible values include: |
| severityValue | int | The alert's severity. Possible values include: |
| resolutionStatusValue | int | Alert's status. Possible values include: |
| stories | list | Risk category. Possible values include: |
| evidence | list | List of short descriptions of main parts of the alert |
| intent | list | A field that specifies the kill chain related intent behind the alert. Multiple values can be reported in this field. The intent enumeration values follow the MITRE ATT&CK enterprise matrix model. Further guidance on the different techniques that make up each intent can be found in MITRE's documentation. Possible values include: |
| isPreview | bool | Alerts that have been recently released as GA |
| audits (optional) | list | List of event ids that are related to the alert |
| threatScore | int | User investigation priority |
For information about how filters work, see Filters.
The following table describes the supported filters:
| Filter | Type | Operators | Description |
|---|---|---|---|
| entity.entity | entity pk | eq, neq | Filter alerts related to specified entities. Example: |
| entity.ip | string | eq, neq | Filter alerts related to specified IP addresses |
| entity.service | integer | eq, neq | Filter alerts related to the specified service appId, e.g. 11770 |
| entity.instance | integer | eq, neq | Filter alerts related to the specified instances, e.g. 11770, 1059065 |
| entity.policy | string | eq, neq | Filter alerts related to the specified policies |
| entity.file | string | eq, neq | Filter alerts related to the specified file |
| alertOpen | boolean | eq | If set to "true", returns only open alerts; if set to "false", returns only closed alerts |
| severity | integer | eq, neq | Filter by severity. Possible values include: |
| resolutionStatus | integer | eq, neq | Filter by alert resolution status. Possible values include: 1: Dismissed (legacy status); 2: Resolved (legacy status); 3: Closed as false positive; 4: Closed as benign; 5: Closed as true positive |
| read | boolean | eq | If set to "true", returns only read alerts; if set to "false", returns only unread alerts |
| date | timestamp | lte, gte, range, lte_ndays, gte_ndays | Filter by the time when an alert was triggered |
| resolutionDate | timestamp | lte, gte, range | Filter by the time when an alert was resolved |
| risk | integer | eq, neq | Filter by risk |
| alertType | integer | eq, neq | Filter by alert type |
| ID | string | eq, neq | Filter by alert IDs |
| source | string | eq | The alert's origin, either built-in or policy |
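The following is an added example (not Microsoft's code) showing how a triage script can validate filter/operator pairs against the table above before building a list-alerts request body, and how it can bucket the alerts in a response by the resolutionStatus values listed above. The body layout `{"filters": {name: {operator: value}}, "skip": n, "limit": n}`, the response carrying its alerts under `data`, and the sample response itself are assumptions for illustration.

```python
import json

# Operators each filter accepts, transcribed from the filters table on this page.
SUPPORTED_OPERATORS = {
    "entity.entity": {"eq", "neq"}, "entity.ip": {"eq", "neq"},
    "entity.service": {"eq", "neq"}, "entity.instance": {"eq", "neq"},
    "entity.policy": {"eq", "neq"}, "entity.file": {"eq", "neq"},
    "alertOpen": {"eq"}, "severity": {"eq", "neq"},
    "resolutionStatus": {"eq", "neq"}, "read": {"eq"},
    "date": {"lte", "gte", "range", "lte_ndays", "gte_ndays"},
    "resolutionDate": {"lte", "gte", "range"}, "risk": {"eq", "neq"},
    "alertType": {"eq", "neq"}, "ID": {"eq", "neq"}, "source": {"eq"},
}

# resolutionStatus values as listed on this page (closed states only).
RESOLUTION_STATUS = {1: "Dismissed (legacy)", 2: "Resolved (legacy)",
                     3: "Closed as false positive", 4: "Closed as benign",
                     5: "Closed as true positive"}


def build_list_alerts_body(filters, skip=0, limit=100):
    """Build a list-alerts request body from {filter_name: (operator, value)}.

    Rejects filters and operators the table does not list, so a typo such as
    read/neq fails locally instead of producing an unexpected query.
    Body layout is an assumption about the API, not stated on this page.
    """
    body = {"filters": {}, "skip": skip, "limit": limit}
    for name, (op, value) in filters.items():
        allowed = SUPPORTED_OPERATORS.get(name)
        if allowed is None:
            raise ValueError(f"unknown filter {name!r}")
        if op not in allowed:
            raise ValueError(f"filter {name!r} does not support operator {op!r}")
        body["filters"][name] = {op: value}
    return body


def summarize_alerts(response_json):
    """Count alerts in a list-alerts response by resolution status.

    Assumes alerts sit under "data"; any resolutionStatusValue outside the
    closed values 1-5 is counted as "Open" (also an assumption).
    """
    counts = {}
    for alert in json.loads(response_json).get("data", []):
        label = RESOLUTION_STATUS.get(alert.get("resolutionStatusValue"), "Open")
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample response for offline use, not real API output.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"title": "Impossible travel", "resolutionStatusValue": 0, "isMarkdown": False},
    {"title": "Mass download", "resolutionStatusValue": 3},
    {"title": "Risky sign-in", "resolutionStatusValue": 4},
]})
```

Running `build_list_alerts_body({"alertOpen": ("eq", True), "date": ("gte_ndays", 7)})` yields a body for open alerts from the last seven days, and `summarize_alerts(SAMPLE_RESPONSE)` returns one open alert, one closed as false positive and one closed as benign.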