Namespace: microsoft.graph.security
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents a custom detection rule written in Advanced hunting to automatically recognize security events when they occur, and to trigger alerts and response actions.
Custom detection rules let you proactively monitor various events and system states by using advanced hunting queries, including suspected breach activity and misconfigured endpoints. A custom detection rule automatically recognizes security events when they occur, and triggers alerts and response actions. You can set the rules to run at regular intervals, generating alerts and taking response actions whenever matches occur.
Inherits from entity.
Methods
| Method | Return type | Description |
|---|---|---|
| List | microsoft.graph.security.detectionRule collection | Get a list of the detectionRule objects and their properties. |
| Create | microsoft.graph.security.detectionRule | Create a new detectionRule object. |
| Get | microsoft.graph.security.detectionRule | Read the properties and relationships of a detectionRule object. |
| Update | microsoft.graph.security.detectionRule | Update the properties of a detectionRule object. |
| Delete | None | Delete a detectionRule object. |
Properties
| Property | Type | Description |
|---|---|---|
| createdBy | String | Name of the user or application that created the rule. Read-only. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains). |
| createdDateTime | DateTimeOffset | Timestamp of rule creation. Read-only. Supports $filter (eq, ne, not, le, ge, lt, gt) and $orderby. |
| description | String | A user-supplied description of the detection rule. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains). |
| displayName | String | The display name of the rule. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains) and $orderby. |
| id | String | Unique identifier of the rule. Inherited from entity. Supports $filter (eq, ne, not, in) and $orderby. |
| lastModifiedBy | String | Name of the user or application that last updated the rule. Read-only. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains). |
| lastModifiedDateTime | DateTimeOffset | Timestamp of when the rule was last updated. Read-only. Supports $filter (eq, ne, not, le, ge, lt, gt) and $orderby. |
| queryCondition | microsoft.graph.security.queryCondition | The advanced hunting query that defines the detection logic of this rule. Supports $filter on queryCondition/queryText (String) with eq, ne, not, in, startsWith, endsWith, contains. |
| schedule | microsoft.graph.security.ruleSchedule | The triggering schedule of this rule. Supports $filter on schedule/frequency (Duration) with eq, ne, not, le, ge, lt, gt. Supports $orderby on schedule/frequency and schedule/nextRunDateTime. |
| status | microsoft.graph.security.detectionRuleStatus | The current run status of the rule. The possible values are: enabled, disabled, autoDisabled, unknownFutureValue. Supports $filter (eq, ne, not, in) and $orderby. |
| detectorId (deprecated) | String | Internal detector identifier. Deprecated. This property will be removed from this resource on 2026-10-01. |
| isEnabled (deprecated) | Boolean | Indicates whether the rule is turned on for the tenant. Supports $filter (eq, ne, not). Deprecated. Use status instead. This property will be removed from this resource on 2026-10-01. |
| detectionAction | microsoft.graph.security.detectionAction | The actions taken when a detection is made by this rule, including the alert that is created and any automated response actions. Supports $filter on the following nested alertTemplate properties: eq, ne, not, in, startsWith, endsWith, contains; eq, ne, not, in. |
| lastRunDetails (deprecated) | microsoft.graph.security.runDetails | Runtime execution details for the most recent rule run. Supports $filter on the following nested properties: eq, ne, not, in, startsWith, endsWith, contains; eq, ne, not, le, ge, lt, gt; eq, ne, not, in. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
```json
{
  "@odata.type": "#microsoft.graph.security.detectionRule",
  "id": "String (identifier)",
  "displayName": "String",
  "description": "String",
  "status": "String",
  "createdBy": "String",
  "createdDateTime": "String (timestamp)",
  "lastModifiedBy": "String",
  "lastModifiedDateTime": "String (timestamp)",
  "queryCondition": {
    "@odata.type": "microsoft.graph.security.queryCondition"
  },
  "schedule": {
    "@odata.type": "microsoft.graph.security.ruleSchedule"
  },
  "detectionAction": {
    "@odata.type": "microsoft.graph.security.detectionAction"
  },
  "detectorId": "String",
  "isEnabled": "Boolean",
  "lastRunDetails": {
    "@odata.type": "microsoft.graph.security.runDetails"
  }
}
```
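The properties table above documents `$filter` and `$orderby` support on `status` and `lastModifiedDateTime`, and the `status` enum includes `autoDisabled`, which marks a rule the service stopped running on its own. A defender's first use of this resource is therefore a coverage health check: list every rule, bucket it by status, and flag rules that have not been maintained. The script below is an added example and is not code from this page or from Microsoft. It assumes the collection is listed with `GET https://graph.microsoft.com/beta/security/rules/detectionRules` and that the caller supplies an OAuth 2.0 bearer token; neither is stated on this page. The `SAMPLE_PAGES` responses, rule ids and names are constructed to mirror the JSON representation so the check runs offline; `graph_fetcher` is the live replacement for `sample_fetch`.

```python
"""Coverage health check over Microsoft Graph security detectionRule objects.

Added example (not from the resource page). Assumptions not stated on the page:
  * the collection is listed with GET {GRAPH_BETA}{LIST_PATH}
  * the caller supplies a bearer token with the required Graph permissions
Sample pages below are constructed, not real tenant data.
"""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Iterator, List, Optional
from urllib.parse import quote, urlencode

GRAPH_BETA = "https://graph.microsoft.com/beta"   # assumed base URL
LIST_PATH = "/security/rules/detectionRules"      # assumed collection path
_SAFE = "$,()'"                                   # left unescaped in the query string
REFERENCE_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "now" for the sample run


def build_list_url(statuses: Optional[Iterable[str]] = None, top: int = 100) -> str:
    """Build the list URL using the documented $filter on status and $orderby on lastModifiedDateTime."""
    params = {"$top": str(top), "$orderby": "lastModifiedDateTime desc"}
    if statuses:
        params["$filter"] = "status in (" + ",".join(f"'{s}'" for s in statuses) + ")"
    # quote_via=quote encodes spaces as %20 instead of '+'
    return f"{GRAPH_BETA}{LIST_PATH}?{urlencode(params, quote_via=quote, safe=_SAFE)}"


def graph_fetcher(token: str) -> Callable[[str], dict]:
    """Return fetch(url) -> dict that calls Graph with a bearer token (live use only)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def iter_rules(url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every rule in the collection, following @odata.nextLink across pages."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def triage_rules(rules: Iterable[dict], now: datetime,
                 stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Bucket rules by the documented status values and flag ones not modified recently.

    Only the supported `status` property is read; the deprecated `isEnabled` is ignored.
    An autoDisabled rule is a silent detection gap and deserves the same attention as a
    stale one, so both appear in the report.
    """
    report: Dict[str, List[str]] = {
        "enabled": [], "disabled": [], "autoDisabled": [], "unknownFutureValue": [], "stale": []}
    for rule in rules:
        name = rule.get("displayName") or rule.get("id", "<no name>")
        report.setdefault(rule.get("status", "unknownFutureValue"), []).append(name)
        modified = datetime.fromisoformat(rule["lastModifiedDateTime"].replace("Z", "+00:00"))
        if now - modified > stale_after:
            report["stale"].append(name)
    return report


# Constructed sample pages mirroring the resource's JSON representation (not real data).
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"id": "rule-0001", "displayName": "Suspicious LSASS access",
             "status": "enabled", "lastModifiedDateTime": "2024-05-01T10:00:00Z"},
            {"id": "rule-0002", "displayName": "Legacy auth sign-ins",
             "status": "autoDisabled", "lastModifiedDateTime": "2023-11-20T08:30:00Z"},
        ],
        "@odata.nextLink": GRAPH_BETA + LIST_PATH + "?$skiptoken=page2",  # constructed
    },
    "page2": {
        "value": [
            {"id": "rule-0003", "displayName": "Unsigned driver load",
             "status": "disabled", "lastModifiedDateTime": "2024-06-15T12:00:00Z"},
        ]
    },
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for graph_fetcher(): serves the constructed pages."""
    return SAMPLE_PAGES["page2" if url.endswith("page2") else "page1"]


def run_health_check(fetch: Callable[[str], dict], now: datetime) -> Dict[str, List[str]]:
    """List all rules through `fetch` and return the triage report."""
    return triage_rules(iter_rules(build_list_url(), fetch), now)


if __name__ == "__main__":
    print(json.dumps(run_health_check(sample_fetch, REFERENCE_TIME), indent=2))
```

Swapping `sample_fetch` for `graph_fetcher(token)` runs the same logic against a tenant; the report's `autoDisabled` and `stale` buckets are the ones worth alerting on, since both mean a custom detection is not providing the coverage its owner expects.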