Namespace: microsoft.graph.security
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents a manually created security alert in Microsoft 365 Defender. It lets security analysts raise custom alerts from their own investigations and findings. When a manual alert is created, the backend automatically opens a new incident to contain it, or, if linkToIncident is supplied, attaches the alert to that existing incident instead.
Inherits from microsoft.graph.security.alert.
Methods
| Method | Return type | Description |
|---|---|---|
| Create | microsoft.graph.security.alert | Create a manual security alert with specified entities and metadata. |
Properties
| Property | Type | Description |
|---|---|---|
| actorDisplayName | String | The adversary or activity group associated with this alert. Inherited from microsoft.graph.security.alert. |
| additionalData | microsoft.graph.security.dictionary | A collection of other alert properties, including user-defined properties. Inherited from microsoft.graph.security.alert. |
| alertPolicyId | String | The ID of the policy that generated the alert. Inherited from microsoft.graph.security.alert. |
| alertWebUrl | String | URL for the alert page in the Microsoft 365 Defender portal. Inherited from microsoft.graph.security.alert. |
| assignedTo | String | Owner of the alert, or null if no owner is assigned. Inherited from microsoft.graph.security.alert. |
| categories | String collection | The attack kill-chain categories that the alert belongs to. Inherited from microsoft.graph.security.alert. |
| category | String | The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. Inherited from microsoft.graph.security.alert. |
| classification | microsoft.graph.security.alertClassification | Specifies whether the alert represents a true threat. Inherited from microsoft.graph.security.alert. |
| comments | microsoft.graph.security.alertComment collection | Array of comments created by the Security Operations (SecOps) team during the alert management process. Inherited from microsoft.graph.security.alert. |
| createdDateTime | DateTimeOffset | Time when Microsoft 365 Defender created the alert. Inherited from microsoft.graph.security.alert. |
| customDetails | microsoft.graph.security.dictionary | A dictionary of custom key-value pairs associated with the alert. Inherited from microsoft.graph.security.alert. |
| description | String | String value describing each alert. Inherited from microsoft.graph.security.alert. |
| detectionSource | microsoft.graph.security.detectionSource | Detection technology or sensor that identified the notable component or activity. Inherited from microsoft.graph.security.alert. |
| detectorId | String | The ID of the detector that triggered the alert. Inherited from microsoft.graph.security.alert. |
| determination | microsoft.graph.security.alertDetermination | Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Inherited from microsoft.graph.security.alert. |
| evidence | microsoft.graph.security.alertEvidence collection | Collection of evidence related to the alert. Inherited from microsoft.graph.security.alert. |
| firstActivityDateTime | DateTimeOffset | The earliest activity associated with the alert. Inherited from microsoft.graph.security.alert. |
| id | String | Unique identifier for the alert. Inherited from microsoft.graph.entity. |
| incidentId | String | Unique identifier to represent the incident this alert resource is associated with. Inherited from microsoft.graph.security.alert. |
| incidentWebUrl | String | URL for the incident page in the Microsoft 365 Defender portal. Inherited from microsoft.graph.security.alert. |
| investigationState | microsoft.graph.security.investigationState | The state of the investigation. Inherited from microsoft.graph.security.alert. |
| isExcludedFromCorrelation | Boolean | When true, excludes the alert from automatic correlation. Default is false. |
| lastActivityDateTime | DateTimeOffset | The most recent activity associated with the alert. Inherited from microsoft.graph.security.alert. |
| lastUpdateDateTime | DateTimeOffset | Time when the alert was last updated at Microsoft 365 Defender. Inherited from microsoft.graph.security.alert. |
| linkToIncident | Int64 | ID of an existing incident to link to. If not provided, a new incident is created automatically. |
| mitreTechniques | String collection | The attack techniques, as aligned with the MITRE ATT&CK framework. Inherited from microsoft.graph.security.alert. |
| productName | String | The name of the product that published this alert. Inherited from microsoft.graph.security.alert. |
| providerAlertId | String | The ID of the alert as it appears in the security provider product that generated the alert. Inherited from microsoft.graph.security.alert. |
| recommendedActions | String | Recommended response and remediation actions to take in the event this alert was generated. Inherited from microsoft.graph.security.alert. |
| resolvedDateTime | DateTimeOffset | Time when the alert was resolved. Inherited from microsoft.graph.security.alert. |
| sentinelWorkspace | String | Sentinel workspace identifier for workspace routing. |
| serviceSource | microsoft.graph.security.serviceSource | The service or product that created this alert. Inherited from microsoft.graph.security.alert. |
| severity | microsoft.graph.security.alertSeverity | Indicates the possible impact on assets. Inherited from microsoft.graph.security.alert. |
| status | microsoft.graph.security.alertStatus | The status of the alert. Inherited from microsoft.graph.security.alert. |
| systemTags | String collection | The system tags associated with the alert. Inherited from microsoft.graph.security.alert. |
| tenantId | String | The Microsoft Entra tenant the alert was created in. Inherited from microsoft.graph.security.alert. |
| threatDisplayName | String | The threat associated with this alert. Inherited from microsoft.graph.security.alert. |
| threatFamilyName | String | Threat family associated with this alert. Inherited from microsoft.graph.security.alert. |
| title | String | Brief identifying string value describing the alert. Inherited from microsoft.graph.security.alert. |
Relationships
| Relationship | Type | Description |
|---|---|---|
| entityDefinitions | microsoft.graph.security.entityDefinitionInput collection | The entities associated with the alert. Each item specifies a security entity (such as a user, device, or IP address), its identifier, and its role in the alert context. |
JSON representation
The following JSON representation shows the resource type.
```json
{
  "@odata.type": "#microsoft.graph.security.manualAlert",
  "id": "String (identifier)",
  "providerAlertId": "String",
  "incidentId": "String",
  "status": "String",
  "severity": "String",
  "classification": "String",
  "determination": "String",
  "serviceSource": "String",
  "detectionSource": "String",
  "productName": "String",
  "detectorId": "String",
  "tenantId": "String",
  "title": "String",
  "description": "String",
  "recommendedActions": "String",
  "category": "String",
  "categories": [
    "String"
  ],
  "assignedTo": "String",
  "alertWebUrl": "String",
  "incidentWebUrl": "String",
  "actorDisplayName": "String",
  "threatDisplayName": "String",
  "threatFamilyName": "String",
  "mitreTechniques": [
    "String"
  ],
  "createdDateTime": "String (timestamp)",
  "lastUpdateDateTime": "String (timestamp)",
  "resolvedDateTime": "String (timestamp)",
  "firstActivityDateTime": "String (timestamp)",
  "lastActivityDateTime": "String (timestamp)",
  "comments": [
    {
      "@odata.type": "microsoft.graph.security.alertComment"
    }
  ],
  "evidence": [
    {
      "@odata.type": "microsoft.graph.security.alertEvidence"
    }
  ],
  "systemTags": [
    "String"
  ],
  "alertPolicyId": "String",
  "additionalData": {
    "@odata.type": "microsoft.graph.security.dictionary"
  },
  "customDetails": {
    "@odata.type": "microsoft.graph.security.dictionary"
  },
  "investigationState": "String",
  "linkToIncident": "Integer",
  "isExcludedFromCorrelation": "Boolean",
  "sentinelWorkspace": "String"
}
```
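The following Python script is an added example, not code from the Microsoft Graph documentation or the Graph SDK. It assembles a Create request body for a manualAlert from the properties listed on this page and validates the fields that decide where the alert ends up: `severity` against the sendable alertSeverity members, `mitreTechniques` against the ATT&CK technique-ID format, and `linkToIncident` as a positive Int64, since omitting it opens a new incident while supplying it files the alert under an existing one. Three things are assumptions, not taken from this page: the JSON keys inside each entityDefinitionInput item (`type`, `id`, `role` are placeholders), that the `entityDefinitions` collection is sent inline in the create body, and the Create request URL, which is left as a required argument to be taken from the Create method's own page.

```python
"""Build, validate and submit a microsoft.graph.security.manualAlert body.

Added example; not code from the Microsoft Graph documentation. Property
names on the alert itself come from the manualAlert resource page. The keys
inside each entityDefinitionInput item and the Create request URL are NOT on
that page and are treated here as caller-supplied assumptions.
"""
import json
import re
import urllib.request

# Members of microsoft.graph.security.alertSeverity that a client may send.
# The evolvable-enum sentinel unknownFutureValue is deliberately excluded.
VALID_SEVERITIES = frozenset({"unknown", "informational", "low", "medium", "high"})

# ATT&CK technique IDs look like T1078 or, for sub-techniques, T1078.004.
MITRE_TECHNIQUE_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def entity_definition(entity_type: str, identifier: str, role: str) -> dict:
    """One entityDefinitionInput item (entity type, identifier, role).

    ASSUMPTION: the resource page describes the three facts an item carries
    but not their JSON keys; "type", "id" and "role" are placeholders.
    """
    for name, value in (("entity_type", entity_type), ("identifier", identifier), ("role", role)):
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"{name} must be a non-empty string")
    return {"type": entity_type, "id": identifier, "role": role}


def build_manual_alert(title, description, severity, entities, *,
                       link_to_incident=None, mitre_techniques=(),
                       exclude_from_correlation=False, custom_details=None) -> dict:
    """Return a request body for Create manualAlert.

    Omitting linkToIncident makes the backend open a new incident; supplying
    it attaches the alert to that existing incident, so the value is checked
    strictly: a SOAR pipeline that forwards an unvalidated id would otherwise
    file the alert under the wrong case.
    """
    if severity not in VALID_SEVERITIES:
        raise ValueError(f"severity {severity!r} is not a sendable alertSeverity member")
    if not entities:
        raise ValueError("at least one entityDefinition is required")
    bad = [t for t in mitre_techniques if not MITRE_TECHNIQUE_RE.match(t)]
    if bad:
        raise ValueError(f"not ATT&CK technique IDs: {bad}")

    body = {
        "@odata.type": "#microsoft.graph.security.manualAlert",
        "title": title,
        "description": description,
        "severity": severity,
        # ASSUMPTION: the entityDefinitions relationship is sent inline.
        "entityDefinitions": list(entities),
        "isExcludedFromCorrelation": bool(exclude_from_correlation),  # page default: false
    }
    if mitre_techniques:
        body["mitreTechniques"] = list(mitre_techniques)
    if custom_details:
        body["customDetails"] = dict(custom_details)
    if link_to_incident is not None:
        # linkToIncident is Int64 (unlike incidentId, which is a String on
        # the read side); reject bools, strings and non-positive values.
        if (isinstance(link_to_incident, bool) or not isinstance(link_to_incident, int)
                or link_to_incident <= 0):
            raise ValueError("link_to_incident must be a positive integer incident ID")
        body["linkToIncident"] = link_to_incident
    return body


def post_manual_alert(url: str, bearer_token: str, body: dict) -> dict:
    """POST the body to the Create endpoint and return the parsed response.

    `url` is the request URL from the Create method's own page; it is not
    given on the resource page, so it is a required argument, not a default.
    """
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: an analyst escalates a suspicious sign-in chain.
    alert = build_manual_alert(
        "Analyst-flagged credential misuse",
        "Impossible-travel sign-ins followed by mailbox rule creation",
        "high",
        [entity_definition("user", "alice@contoso.example", "compromised"),
         entity_definition("ip", "203.0.113.7", "source")],
        mitre_techniques=["T1078.004", "T1114.003"],
        link_to_incident=None,  # None: the backend opens a new incident
    )
    print(json.dumps(alert, indent=2))
```

Run the script as-is to print the body it would send; call `post_manual_alert` only once you have the Create URL and a token with the permissions the Create page lists. Keeping the validation in `build_manual_alert` rather than at the call site means every caller, including automation that maps upstream case numbers to `linkToIncident`, goes through the same checks before anything reaches the tenant.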