detectionRule resource type

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents a custom detection rule, written as an advanced hunting query, that automatically recognizes security events when they occur and triggers alerts and response actions.

Custom detection rules are a type of protection rule that you design and tune by using advanced hunting queries. They let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set a rule to run at regular intervals; whenever the query returns matches, the rule generates alerts and takes the configured response actions.

Inherits from microsoft.graph.security.protectionRule.

Methods

| Method | Return type | Description |
|---|---|---|
| List | microsoft.graph.security.detectionRule collection | Get a list of the microsoft.graph.security.detectionRule objects and their properties. |
| Get | microsoft.graph.security.detectionRule | Read the properties and relationships of a microsoft.graph.security.detectionRule object. |
| Create | microsoft.graph.security.detectionRule | Create a microsoft.graph.security.detectionRule. |
| Update | microsoft.graph.security.detectionRule | Update the properties of a microsoft.graph.security.detectionRule object. |
| Delete | None | Delete a microsoft.graph.security.detectionRule object. |

Properties

| Property | Type | Description |
|---|---|---|
| createdBy | String | Name of the user or application that created the rule. Inherited from microsoft.graph.security.protectionRule. |
| createdDateTime | DateTimeOffset | Timestamp of rule creation. Inherited from microsoft.graph.security.protectionRule. |
| detectionAction | microsoft.graph.security.detectionAction | Complex type representing the actions taken when a detection is made by this rule. |
| displayName | String | Name of the rule. Inherited from microsoft.graph.security.protectionRule. |
| id | String | Unique identifier of the rule. Inherited from microsoft.graph.entity. |
| isEnabled | Boolean | Indicates whether the rule is turned on for the tenant. Inherited from microsoft.graph.security.protectionRule. |
| lastModifiedBy | String | Name of the user or application that last updated the rule. Inherited from microsoft.graph.security.protectionRule. |
| lastModifiedDateTime | DateTimeOffset | Timestamp of when the rule was last updated. Inherited from microsoft.graph.security.protectionRule. |
| detectorId | String | The ID of the detector that triggered the alert. Also see the 'detectorId' field in microsoft.graph.security.alert. |
| lastRunDetails | microsoft.graph.security.runDetails | Complex type holding details about the last run of this rule. |
| queryCondition | microsoft.graph.security.queryCondition | Complex type holding data about the advanced hunting query of this rule. |
| schedule | microsoft.graph.security.ruleSchedule | Complex type holding data about the triggering schedule of this rule. |

Relationships

None.

JSON representation

The following JSON representation shows the resource type.

{
  "@odata.type": "#microsoft.graph.security.detectionRule",
  "id": "String (identifier)",
  "displayName": "String",
  "isEnabled": "Boolean",
  "detectorId": "String",
  "createdBy": "String",
  "createdDateTime": "String (timestamp)",
  "lastModifiedDateTime": "String (timestamp)",
  "lastModifiedBy": "String",
  "queryCondition": {
    "@odata.type": "microsoft.graph.security.queryCondition"
  },
  "schedule": {
    "@odata.type": "microsoft.graph.security.ruleSchedule"
  },
  "lastRunDetails": {
    "@odata.type": "microsoft.graph.security.runDetails"
  },
  "detectionAction": {
    "@odata.type": "microsoft.graph.security.detectionAction"
  }
}
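As an added example, not code from this reference page or from Microsoft, the following Python script consumes the List method's response and runs a tamper-hygiene audit over the top-level properties documented above: rules that are disabled, rules last modified by a principal other than their creator, and rules edited within the last few days. The beta request path in DETECTION_RULES_URL and the three sample rule objects are assumptions constructed for the example; the inner fields of queryCondition, schedule, lastRunDetails and detectionAction are not documented on this page and are treated as opaque.

```python
"""Audit microsoft.graph.security.detectionRule objects for tampering signals."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# ASSUMPTION: beta path for the List method; check the current Graph reference.
DETECTION_RULES_URL = "https://graph.microsoft.com/beta/security/rules/detectionRules"


def fetch_all_rules(access_token):
    """Call the List method and follow @odata.nextLink until every page is read."""
    rules, url = [], DETECTION_RULES_URL
    while url:
        req = urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        rules.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return rules


def parse_list_response(body):
    """Extract the detectionRule objects from one List response body."""
    return json.loads(body).get("value", [])


def _ts(value):
    # DateTimeOffset values arrive as ISO 8601 with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_rules(rules, now, recent_days=7):
    """Return the findings a detection engineer would want to review.

    A disabled rule or a rule changed by someone other than its creator is a
    classic defence-evasion signal; recent edits are surfaced so they can be
    matched against an approved change.
    """
    findings = []
    for rule in rules:
        rid, name = rule.get("id"), rule.get("displayName")
        if not rule.get("isEnabled", False):
            findings.append({"id": rid, "displayName": name, "finding": "disabled"})
        if rule.get("lastModifiedBy") and rule.get("lastModifiedBy") != rule.get("createdBy"):
            findings.append({"id": rid, "displayName": name,
                             "finding": "modified-by-other-principal",
                             "detail": rule["lastModifiedBy"]})
        modified = rule.get("lastModifiedDateTime")
        if modified and now - _ts(modified) <= timedelta(days=recent_days):
            findings.append({"id": rid, "displayName": name,
                             "finding": "recently-modified", "detail": modified})
    return findings


def _rule(rid, name, enabled, created_by, created, modified_by, modified):
    """Build one constructed detectionRule object using the page's top-level properties."""
    return {"@odata.type": "#microsoft.graph.security.detectionRule", "id": rid,
            "displayName": name, "isEnabled": enabled, "detectorId": "detector-" + rid,
            "createdBy": created_by, "createdDateTime": created,
            "lastModifiedBy": modified_by, "lastModifiedDateTime": modified}


# Constructed sample List response: three fictitious rules for a contoso.example tenant.
SAMPLE_LIST_RESPONSE = json.dumps({"value": [
    _rule("rule-001", "PowerShell download cradle", True, "soc-admin@contoso.example",
          "2024-01-10T09:00:00Z", "soc-admin@contoso.example", "2024-01-10T09:00:00Z"),
    _rule("rule-002", "Mass file rename", False, "soc-admin@contoso.example",
          "2023-11-02T14:30:00Z", "helpdesk-automation-app", "2024-03-01T12:00:00Z"),
    _rule("rule-003", "New local admin created", True, "detection-engineering-app",
          "2023-12-01T08:00:00Z", "detection-engineering-app", "2023-12-01T08:00:00Z"),
]})

# Fixed "now" so the sample audit is reproducible offline.
SAMPLE_NOW = datetime(2024, 3, 3, tzinfo=timezone.utc)


def run_sample_audit():
    """Audit the constructed sample; use fetch_all_rules(token) against a live tenant."""
    return audit_rules(parse_list_response(SAMPLE_LIST_RESPONSE), SAMPLE_NOW)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f['id']:10} {f['finding']:28} {f.get('detail', '')}")
```

Against the sample, only rule-002 produces findings: it is disabled, was last modified by helpdelp-automation-app rather than its creator, and was edited two days before SAMPLE_NOW. Running the same audit on a schedule and diffing the output against the previous run turns the documented createdBy, lastModifiedBy, lastModifiedDateTime and isEnabled properties into a cheap change-detection control for the detection rules themselves.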