securityAction resource type
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Take immediate action to defend against threats using the Microsoft Graph Security securityAction entity. When a security analyst discovers a new indicator, such as a malicious file, URL, domain, or IP address, protection can be instantly enabled in your Microsoft security solutions. Invoke an action for a specific provider, see all actions taken, and cancel an action if needed. Try security actions with Windows Defender for Endpoint to block malicious activity on your Windows endpoints using properties seen in alerts or identified during investigations.
Note: Currently security actions only support application permissions.
Methods
Method | Return Type | Description |
---|---|---|
Get security action | securityAction | Read properties and relationships of securityAction object. |
Create security action | securityAction | Create a new securityAction by posting to the securityActions collection. |
List security actions | securityAction collection | Get a securityAction object collection. |
Cancel security action | None | Cancel a security operation. |
Properties
Property | Type | Description |
---|---|---|
actionReason | String | Reason for invoking this action. |
appId | String | The Application ID of the calling application that submitted (POST) the action. The appId should be extracted from the auth token and not entered manually by the calling application. |
azureTenantId | String | Azure tenant ID of the entity to determine which tenant the entity belongs to (multi-tenancy support). The azureTenantId should be extracted from the auth token and not entered manually by the calling application. |
clientContext | String | Unique client context string. Can have a maximum of 256 characters. |
completedDateTime | DateTimeOffset | Timestamp when the action was completed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
createdDateTime | DateTimeOffset | Timestamp when the action is created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
errorInfo | resultInfo | Error info when the action fails. |
id | String | Created by the system when the action is ingested. Generated GUID/unique identifier. Read-only. |
lastActionDateTime | DateTimeOffset | Timestamp when this action was last updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
name | String | Action name. |
parameters | keyValuePair collection | Collection of parameters (key-value pairs) necessary to invoke the action, for example, URL or fileHash to block. Required. |
states | securityActionState collection | Collection of securityActionState to keep the history of an action. |
status | string | Status of the action. Possible values are: NotStarted, Running, Completed, Failed. |
user | String | The user principal name of the signed-in user that submitted (POST) the action. The user should be extracted from the auth token and not entered manually by the calling application. |
vendorInformation | securityVendorInformation | Complex Type containing details about the Security product/service vendor, provider, and sub-provider (for example, vendor=Microsoft; provider=Windows Defender ATP; sub-provider=AppLocker). |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
{
  "actionReason": "String",
  "appId": "String",
  "azureTenantId": "String",
  "clientContext": "String",
  "completedDateTime": "String (timestamp)",
  "createdDateTime": "String (timestamp)",
  "errorInfo": {"@odata.type": "microsoft.graph.resultInfo"},
  "id": "String (identifier)",
  "lastActionDateTime": "String (timestamp)",
  "name": "String",
  "parameters": [{"@odata.type": "microsoft.graph.keyValuePair"}],
  "states": [{"@odata.type": "microsoft.graph.securityActionState"}],
  "status": "string",
  "user": "String",
  "vendorInformation": {"@odata.type": "microsoft.graph.securityVendorInformation"}
}
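The following added example (not part of the original reference and not Microsoft's code) shows one way a client could enforce the property rules above before posting a securityAction, and summarize a returned action while polling. The function names, the action name `ExampleBlockFile`, the sample values, the choice to treat every property outside the five caller fields as service-set, and the treatment of Completed and Failed as final states are assumptions.

```python
from datetime import datetime

# Per the table, appId, azureTenantId and user come from the auth token and id
# is system-generated. Assumption: all other non-listed properties are service-set.
CALLER_FIELDS = ("name", "actionReason", "clientContext", "parameters",
                 "vendorInformation")
TERMINAL = {"Completed", "Failed"}  # assumption: these two end an action

def build_create_body(request):
    """Return (POST body, sorted names of fields dropped from request)."""
    dropped = sorted(k for k in request if k not in CALLER_FIELDS)
    body = {k: request[k] for k in CALLER_FIELDS if k in request}
    params = body.get("parameters")
    if not params:
        raise ValueError("parameters is required")
    for p in params:  # a keyValuePair carries a name and a value
        if not (isinstance(p, dict) and p.get("name") and p.get("value")):
            raise ValueError(f"malformed keyValuePair: {p!r}")
    if len(body.get("clientContext", "")) > 256:
        raise ValueError("clientContext exceeds 256 characters")
    return body, dropped

def _ts(value):
    # Timestamps are ISO 8601 in UTC, e.g. 2014-01-01T00:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def action_outcome(action):
    """Summarize a returned securityAction for a polling loop."""
    done = action["status"] in TERMINAL
    elapsed = None
    if done and action.get("completedDateTime"):
        elapsed = (_ts(action["completedDateTime"])
                   - _ts(action["createdDateTime"])).total_seconds()
    return {"terminal": done, "failed": action["status"] == "Failed",
            "elapsed_seconds": elapsed}

# Constructed sample input (not real data); action name and hash are placeholders.
SAMPLE_REQUEST = {
    "name": "ExampleBlockFile", "actionReason": "Hash seen in alert",
    "clientContext": "case-0001",
    "parameters": [{"name": "fileHash", "value": "<sha256-placeholder>"}],
    "vendorInformation": {"vendor": "Microsoft", "provider": "Windows Defender ATP"},
    "appId": "spoofed-by-caller", "user": "someone@contoso.example",
}
SAMPLE_RESPONSE = {"status": "Completed",
                   "createdDateTime": "2014-01-01T00:00:00Z",
                   "completedDateTime": "2014-01-01T00:00:42Z"}
```

Logging the dropped field names is a cheap way to spot integrations that try to set identity properties the service takes from the token.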