alert resource type
Namespace: microsoft.graph.security
This resource corresponds to the most recent batch of alerts generated by the Microsoft Graph security API. This resource represents potential security issues within a customer's tenant that Microsoft 365 Defender, or a security provider integrated with Microsoft 365 Defender, identified.
When a security provider detects a threat, it creates an alert in the system. Microsoft 365 Defender pulls this alert data from the security provider and consumes the alert data to return valuable clues in an alert resource about any related attack, impacted assets, and associated evidence. It automatically correlates other alerts with the same attack techniques or the same attacker into an incident to provide a broader context of an attack. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
Note
This resource is one of the two types of alerts that the v1.0 version of the Microsoft Graph security API offers. For more information, see alerts.
Methods
Method | Return type | Description |
---|---|---|
List | microsoft.graph.security.alert collection | Get a list of alert resources created to track suspicious activities in an organization. |
Get | microsoft.graph.security.alert | Get the properties of an alert object in an organization based on the specified alert id property. |
Update | microsoft.graph.security.alert | Update the properties of an alert object in an organization based on the specified alert id property. |
Create comment | alertComment | Create a comment for an existing alert based on the specified alert id property. |
Properties
Property | Type | Description |
---|---|---|
actorDisplayName | String | The adversary or activity group that is associated with this alert. |
additionalData | microsoft.graph.security.dictionary | A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here. |
alertPolicyId | String | The ID of the policy that generated the alert. Populated only when a specific policy, either configured by the customer or built-in, generated the alert. |
alertWebUrl | String | URL for the Microsoft 365 Defender portal alert page. |
assignedTo | String | Owner of the alert, or null if no owner is assigned. |
category | String | The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. |
classification | microsoft.graph.security.alertClassification | Specifies whether the alert represents a true threat. Possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue. |
comments | microsoft.graph.security.alertComment collection | Array of comments created by the Security Operations (SecOps) team during the alert management process. |
createdDateTime | DateTimeOffset | Time when Microsoft 365 Defender created the alert. |
description | String | String value describing each alert. |
detectionSource | microsoft.graph.security.detectionSource | Detection technology or sensor that identified the notable component or activity. Possible values are: unknown, microsoftDefenderForEndpoint, antivirus, smartScreen, customTi, microsoftDefenderForOffice365, automatedInvestigation, microsoftThreatExperts, customDetection, microsoftDefenderForIdentity, cloudAppSecurity, microsoft365Defender, azureAdIdentityProtection, manual, microsoftDataLossPrevention, appGovernancePolicy, appGovernanceDetection, unknownFutureValue, microsoftDefenderForCloud, microsoftDefenderForIoT, microsoftDefenderForServers, microsoftDefenderForStorage, microsoftDefenderForDNS, microsoftDefenderForDatabases, microsoftDefenderForContainers, microsoftDefenderForNetwork, microsoftDefenderForAppService, microsoftDefenderForKeyVault, microsoftDefenderForResourceManager, microsoftDefenderForApiManagement, microsoftSentinel, nrtAlerts, scheduledAlerts, microsoftDefenderThreatIntelligenceAnalytics, builtInMl. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: microsoftDefenderForCloud, microsoftDefenderForIoT, microsoftDefenderForServers, microsoftDefenderForStorage, microsoftDefenderForDNS, microsoftDefenderForDatabases, microsoftDefenderForContainers, microsoftDefenderForNetwork, microsoftDefenderForAppService, microsoftDefenderForKeyVault, microsoftDefenderForResourceManager, microsoftDefenderForApiManagement, microsoftSentinel, nrtAlerts, scheduledAlerts, microsoftDefenderThreatIntelligenceAnalytics, builtInMl. |
detectorId | String | The ID of the detector that triggered the alert. |
determination | microsoft.graph.security.alertDetermination | Specifies the result of the investigation: whether the alert represents a true attack and, if so, the nature of the attack. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
evidence | microsoft.graph.security.alertEvidence collection | Collection of evidence related to the alert. |
firstActivityDateTime | DateTimeOffset | The earliest activity associated with the alert. |
id | String | Unique identifier to represent the alert resource. |
incidentId | String | Unique identifier to represent the incident this alert resource is associated with. |
incidentWebUrl | String | URL for the incident page in the Microsoft 365 Defender portal. |
lastActivityDateTime | DateTimeOffset | The oldest activity associated with the alert. |
lastUpdateDateTime | DateTimeOffset | Time when the alert was last updated at Microsoft 365 Defender. |
mitreTechniques | Collection(Edm.String) | The attack techniques, as aligned with the MITRE ATT&CK framework. |
productName | String | The name of the product which published this alert. |
providerAlertId | String | The ID of the alert as it appears in the security provider product that generated the alert. |
recommendedActions | String | Recommended response and remediation actions to take in the event this alert was generated. |
resolvedDateTime | DateTimeOffset | Time when the alert was resolved. |
serviceSource | microsoft.graph.security.serviceSource | The service or product that created this alert. Possible values are: unknown, microsoftDefenderForEndpoint, microsoftDefenderForIdentity, microsoftDefenderForCloudApps, microsoftDefenderForOffice365, microsoft365Defender, azureAdIdentityProtection, microsoftAppGovernance, dataLossPrevention, unknownFutureValue, microsoftDefenderForCloud, microsoftSentinel. You must use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: microsoftDefenderForCloud, microsoftSentinel. |
severity | microsoft.graph.security.alertSeverity | Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically, higher-severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue. |
status | microsoft.graph.security.alertStatus | The status of the alert. Possible values are: new, inProgress, resolved, unknownFutureValue. |
tenantId | String | The Microsoft Entra tenant the alert was created in. |
threatDisplayName | String | The threat associated with this alert. |
threatFamilyName | String | Threat family associated with this alert. |
title | String | Brief identifying string value describing the alert. |
systemTags | String collection | The system tags associated with the alert. |
alertClassification values
Member | Description |
---|---|
unknown | The alert isn't classified yet. |
falsePositive | The alert is a false positive and didn't detect malicious activity. |
truePositive | The alert is true positive and detected malicious activity. |
informationalExpectedActivity | The alert is benign positive and detected potentially malicious activity by a trusted/internal user, for example, security testing. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
alertDetermination values
Member | Description |
---|---|
unknown | No determination value was set yet. |
apt | A true positive alert that detected an advanced persistent threat. |
malware | A true positive alert that detected malicious software. |
securityPersonnel | A true positive alert that detected valid suspicious activity that someone on the customer's security team performed. |
securityTesting | The alert detected valid suspicious activity that was performed as part of a known security testing. |
unwantedSoftware | The alert detected unwanted software. |
other | Other determination. |
multiStagedAttack | A true positive alert that detected multiple kill-chain attack stages. |
compromisedAccount | A true positive alert that detected that the intended user's credentials were compromised or stolen. |
phishing | A true positive alert that detected a phishing email. |
maliciousUserActivity | A true positive alert that detected that the logged-on user performs malicious activities. |
notMalicious | A false alert, no suspicious activity. |
notEnoughDataToValidate | A false alert, without enough information to prove otherwise. |
confirmedUserActivity | The alert caught a true suspicious activity that is considered OK because it's a known user activity. |
lineOfBusinessApplication | The alert caught a true suspicious activity that is considered OK because it's a known and confirmed internal application. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
alertSeverity values
Member | Description |
---|---|
unknown | Unknown severity. |
informational | Alerts that might not be actionable or considered harmful to the network but can drive organizational security awareness on potential security issues. |
low | Alerts on threats associated with prevalent malware, for example hack tools and non-malware hack tools, such as running exploration commands and clearing logs, that often don't indicate an advanced threat targeting the organization. An alert of this severity can also come from an isolated security tool that a user in your organization is testing. |
medium | Alerts generated from detection and response of post-breach behaviors that might be part of an advanced persistent threat (APT). This severity level includes observed behaviors typical of attack stages, anomalous registry changes, execution of suspicious files, and so forth. Although some might be due to internal security testing, they're valid detections and require investigation because they might be part of an advanced attack. |
high | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on assets. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
alertStatus values
Member | Description |
---|---|
unknown | Unknown status. |
new | New alert. |
inProgress | Mitigation of the alert is in progress. |
resolved | The alert is in resolved state. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
serviceSource values
Value | Description |
---|---|
unknown | Unknown service source. |
microsoftDefenderForEndpoint | Microsoft Defender for Endpoint. |
microsoftDefenderForIdentity | Microsoft Defender for Identity. |
microsoftDefenderForCloudApps | Microsoft Defender for Cloud Apps. |
microsoftDefenderForOffice365 | Microsoft Defender for Office 365. |
microsoft365Defender | Microsoft 365 Defender. |
azureAdIdentityProtection | Microsoft Entra ID Protection. |
microsoftAppGovernance | Microsoft app governance. |
dataLossPrevention | Microsoft Purview Data Loss Prevention. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
microsoftDefenderForCloud | Microsoft Defender for Cloud. |
microsoftSentinel | Microsoft Sentinel. |
detectionSource values
Value | Description |
---|---|
unknown | Unknown detection source. |
microsoftDefenderForEndpoint | Microsoft Defender for Endpoint. |
antivirus | Antivirus software. |
smartScreen | Microsoft Defender SmartScreen. |
customTi | Custom threat intelligence. |
microsoftDefenderForOffice365 | Microsoft Defender for Office 365. |
automatedInvestigation | Automated investigation. |
microsoftThreatExperts | Microsoft Threat Experts. |
customDetection | Custom detection. |
microsoftDefenderForIdentity | Microsoft Defender for Identity. |
cloudAppSecurity | Cloud app security. |
microsoft365Defender | Microsoft 365 Defender. |
azureAdIdentityProtection | Microsoft Entra ID Protection. |
manual | Manual detection. |
microsoftDataLossPrevention | Microsoft Purview Data Loss Prevention. |
appGovernancePolicy | App governance policy. |
appGovernanceDetection | App governance detection. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
microsoftDefenderForCloud | Microsoft Defender for Cloud. |
microsoftDefenderForIoT | Microsoft Defender for IoT. |
microsoftDefenderForServers | Microsoft Defender for Servers. |
microsoftDefenderForStorage | Microsoft Defender for Storage. |
microsoftDefenderForDNS | Microsoft Defender for DNS. |
microsoftDefenderForDatabases | Microsoft Defender for Databases. |
microsoftDefenderForContainers | Microsoft Defender for Containers. |
microsoftDefenderForNetwork | Microsoft Defender for Network. |
microsoftDefenderForAppService | Microsoft Defender for App Service. |
microsoftDefenderForKeyVault | Microsoft Defender for Key Vault. |
microsoftDefenderForResourceManager | Microsoft Defender for Resource Manager. |
microsoftDefenderForApiManagement | Microsoft Defender for API Management. |
microsoftSentinel | Microsoft Sentinel. |
nrtAlerts | Sentinel NRT Alerts. |
scheduledAlerts | Sentinel Scheduled Alerts. |
microsoftDefenderThreatIntelligenceAnalytics | Sentinel Threat Intelligence Alerts. |
builtInMl | Sentinel Built-in ML. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
```json
{
  "@odata.type": "#microsoft.graph.security.alert",
  "id": "String (identifier)",
  "providerAlertId": "String",
  "incidentId": "String",
  "status": "String",
  "severity": "String",
  "classification": "String",
  "determination": "String",
  "serviceSource": "String",
  "detectionSource": "String",
  "productName": "String",
  "detectorId": "String",
  "tenantId": "String",
  "title": "String",
  "description": "String",
  "recommendedActions": "String",
  "category": "String",
  "assignedTo": "String",
  "alertWebUrl": "String",
  "incidentWebUrl": "String",
  "actorDisplayName": "String",
  "threatDisplayName": "String",
  "threatFamilyName": "String",
  "mitreTechniques": [
    "String"
  ],
  "createdDateTime": "String (timestamp)",
  "lastUpdateDateTime": "String (timestamp)",
  "resolvedDateTime": "String (timestamp)",
  "firstActivityDateTime": "String (timestamp)",
  "lastActivityDateTime": "String (timestamp)",
  "comments": [
    {
      "@odata.type": "microsoft.graph.security.alertComment"
    }
  ],
  "evidence": [
    {
      "@odata.type": "microsoft.graph.security.alertEvidence"
    }
  ],
  "systemTags": [
    "String",
    "String"
  ],
  "additionalData": {
    "@odata.type": "microsoft.graph.security.dictionary"
  }
}
```
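The following client-side example is added here and is not Microsoft's code. It builds a List request that sends the Prefer: include-unknown-enum-members header described in the properties table, then ranks alerts shaped like the JSON representation above by severity, flags alerts with no owner, and surfaces the unknownFutureValue sentinel instead of treating it as a known detection source. The v1.0 endpoint path, the bearer-token placeholder and the sample alerts are assumptions.

```python
# Added example (not Microsoft's code). Endpoint path and token are assumptions.
import json

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"  # assumed v1.0 path
SEVERITY_RANK = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}

def list_alerts_request(status="new"):
    """Build URL and headers for the List method. The Prefer header opts in to newer
    evolvable-enum members (e.g. microsoftSentinel as detectionSource); without it,
    such alerts arrive with the sentinel value unknownFutureValue instead."""
    return {
        "url": f"{GRAPH_ALERTS_URL}?$filter=status eq '{status}'",
        "headers": {
            "Authorization": "Bearer <ACCESS_TOKEN>",  # placeholder, obtained via OAuth 2.0
            "Prefer": "include-unknown-enum-members",
        },
    }

def triage(alert):
    """Reduce one alert to the fields an analyst ranks on. An unrecognized enum value is
    surfaced (sourceUnresolved) rather than silently bucketed with a known member."""
    return {
        "id": alert["id"],
        "incidentId": alert.get("incidentId"),
        "rank": SEVERITY_RANK.get(alert.get("severity"), 0),
        "unassigned": alert.get("assignedTo") is None,
        "techniques": list(alert.get("mitreTechniques") or []),
        "sourceUnresolved": alert.get("detectionSource") == "unknownFutureValue",
        "firstActivity": alert.get("firstActivityDateTime") or "",
    }

def prioritize(alerts):
    """Highest severity first; ties broken by earliest first activity (UTC ISO 8601
    timestamps compare correctly as strings)."""
    return sorted((triage(a) for a in alerts), key=lambda r: (-r["rank"], r["firstActivity"]))

# Constructed sample response body, shaped like the page's JSON representation.
SAMPLE_RESPONSE = json.loads("""{"value": [
 {"id": "a1", "incidentId": "i1", "status": "new", "severity": "medium", "assignedTo": null,
  "detectionSource": "microsoftDefenderForEndpoint", "mitreTechniques": ["T1059"],
  "firstActivityDateTime": "2024-05-02T10:00:00Z"},
 {"id": "a2", "incidentId": "i1", "status": "new", "severity": "high", "assignedTo": "soc@example.com",
  "detectionSource": "unknownFutureValue", "mitreTechniques": [], "firstActivityDateTime": "2024-05-02T09:30:00Z"},
 {"id": "a3", "incidentId": "i2", "status": "new", "severity": "high", "assignedTo": null,
  "detectionSource": "antivirus", "mitreTechniques": ["T1486"], "firstActivityDateTime": "2024-05-02T09:00:00Z"}]}""")

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RESPONSE["value"]):
        print(row["id"], row["rank"], "unassigned" if row["unassigned"] else "", "source?" if row["sourceUnresolved"] else "")
```

A sourceUnresolved row is the cue to re-query with the Prefer header rather than to file the alert under a known source.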