Model ref.: device/msgraphsecurity/Alert
Full URLs are formed by prefixing the paths below with the host-proxy name: https://[host-proxy].
Variables are enclosed in square brackets.
{
"$schema": "http://json-schema.org/draft-03/schema",
"type": "object",
"properties": {
"id": {
"type": "string",
"title": "Alert ID",
"description": "Unique identifier to represent the alert resource",
"readonly": true
},
"providerAlertId": {
"type": "string",
"title": "Provider Alert ID",
"description": "The ID of the alert as it appears in the security provider product that generated the alert",
"readonly": true
},
"incidentId": {
"type": "string",
"title": "Incident ID",
"description": "Unique identifier to represent the incident this alert resource is associated with",
"readonly": true
},
"title": {
"type": "string",
"title": "Title",
"description": "Brief identifying string value describing the alert",
"readonly": true
},
"description": {
"type": "string",
"title": "Description",
"description": "String value describing each alert",
"readonly": true
},
"category": {
"type": "string",
"title": "Category",
"description": "The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework",
"readonly": true
},
"status": {
"type": "string",
"title": "Status",
"description": "The status of the alert",
"readonly": false,
"choices": [
{
"value": "unknown",
"title": "Unknown"
},
{
"value": "new",
"title": "New"
},
{
"value": "inProgress",
"title": "In Progress"
},
{
"value": "resolved",
"title": "Resolved"
},
{
"value": "unknownFutureValue",
"title": "Unknown Future Value"
}
]
},
"severity": {
"type": "string",
"title": "Severity",
"description": "Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention",
"readonly": true,
"choices": [
{
"value": "unknown",
"title": "Unknown"
},
{
"value": "informational",
"title": "Informational"
},
{
"value": "low",
"title": "Low"
},
{
"value": "medium",
"title": "Medium"
},
{
"value": "high",
"title": "High"
},
{
"value": "unknownFutureValue",
"title": "Unknown Future Value"
}
]
},
"classification": {
"type": "string",
"title": "Classification",
"description": "Specifies whether the alert represents a true threat",
"readonly": false,
"choices": [
{
"value": "unknown",
"title": "Unknown"
},
{
"value": "falsePositive",
"title": "False Positive"
},
{
"value": "truePositive",
"title": "True Positive"
},
{
"value": "informationalExpectedActivity",
"title": "Informational Expected Activity"
},
{
"value": "unknownFutureValue",
"title": "Unknown Future Value"
}
]
},
"determination": {
"type": "string",
"title": "Determination",
"description": "Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack",
"readonly": false,
"choices": [
{
"value": "unknown",
"title": "Unknown"
},
{
"value": "apt",
"title": "APT"
},
{
"value": "malware",
"title": "Malware"
},
{
"value": "securityPersonnel",
"title": "Security Personnel"
},
{
"value": "securityTesting",
"title": "Security Testing"
},
{
"value": "unwantedSoftware",
"title": "Unwanted Software"
},
{
"value": "other",
"title": "Other"
},
{
"value": "multiStagedAttack",
"title": "Multi-Staged Attack"
},
{
"value": "compromisedAccount",
"title": "Compromised Account"
},
{
"value": "phishing",
"title": "Phishing"
},
{
"value": "maliciousUserActivity",
"title": "Malicious User Activity"
},
{
"value": "notMalicious",
"title": "Not Malicious"
},
{
"value": "notEnoughDataToValidate",
"title": "Not Enough Data To Validate"
},
{
"value": "confirmedActivity",
"title": "Confirmed Activity"
},
{
"value": "lineOfBusinessApplication",
"title": "Line of Business Application"
},
{
"value": "unknownFutureValue",
"title": "Unknown Future Value"
}
]
},
"assignedTo": {
"type": "string",
"title": "Assigned To",
"description": "Owner of the alert, or null if no owner is assigned",
"readonly": false
},
"serviceSource": {
"type": "string",
"title": "Service Source",
"description": "The service or product that created this alert",
"readonly": true,
"choices": [
{
"value": "unknown",
"title": "Unknown"
},
{
"value": "microsoftDefenderForEndpoint",
"title": "Microsoft Defender for Endpoint"
},
{
"value": "microsoftDefenderForIdentity",
"title": "Microsoft Defender for Identity"
},
{
"value": "microsoftDefenderForCloudApps",
"title": "Microsoft Defender for Cloud Apps"
},
{
"value": "microsoftDefenderForOffice365",
"title": "Microsoft Defender for Office 365"
},
{
"value": "microsoft365Defender",
"title": "Microsoft 365 Defender"
},
{
"value": "azureAdIdentityProtection",
"title": "Microsoft Entra ID Protection"
},
{
"value": "microsoftAppGovernance",
"title": "Microsoft App Governance"
},
{
"value": "dataLossPrevention",
"title": "Data Loss Prevention"
},
{
"value": "microsoftDefenderForCloud",
"title": "Microsoft Defender for Cloud"
},
{
"value": "microsoftSentinel",
"title": "Microsoft Sentinel"
},
{
"value": "unknownFutureValue",
"title": "Unknown Future Value"
}
]
},
"detectionSource": {
"type": "string",
"title": "Detection Source",
"description": "Detection technology or sensor that identified the notable component or activity",
"readonly": true,
"choices": [
{
"value": "unknown",
"title": "Unknown"
},
{
"value": "microsoftDefenderForEndpoint",
"title": "Microsoft Defender for Endpoint"
},
{
"value": "antivirus",
"title": "Antivirus"
},
{
"value": "smartScreen",
"title": "SmartScreen"
},
{
"value": "customTi",
"title": "Custom Threat Intelligence"
},
{
"value": "microsoftDefenderForOffice365",
"title": "Microsoft Defender for Office 365"
},
{
"value": "automatedInvestigation",
"title": "Automated Investigation"
},
{
"value": "microsoftThreatExperts",
"title": "Microsoft Threat Experts"
},
{
"value": "customDetection",
"title": "Custom Detection"
},
{
"value": "microsoftDefenderForIdentity",
"title": "Microsoft Defender for Identity"
},
{
"value": "cloudAppSecurity",
"title": "Cloud App Security"
},
{
"value": "microsoft365Defender",
"title": "Microsoft 365 Defender"
},
{
"value": "azureAdIdentityProtection",
"title": "Microsoft Entra ID Protection"
},
{
"value": "manual",
"title": "Manual"
},
{
"value": "microsoftDataLossPrevention",
"title": "Microsoft Data Loss Prevention"
},
{
"value": "appGovernancePolicy",
"title": "App Governance Policy"
},
{
"value": "appGovernanceDetection",
"title": "App Governance Detection"
},
{
"value": "microsoftDefenderForCloud",
"title": "Microsoft Defender for Cloud"
},
{
"value": "microsoftDefenderForIoT",
"title": "Microsoft Defender for IoT"
},
{
"value": "microsoftDefenderForServers",
"title": "Microsoft Defender for Servers"
},
{
"value": "microsoftDefenderForStorage",
"title": "Microsoft Defender for Storage"
},
{
"value": "microsoftDefenderForDNS",
"title": "Microsoft Defender for DNS"
},
{
"value": "microsoftDefenderForDatabases",
"title": "Microsoft Defender for Databases"
},
{
"value": "microsoftDefenderForContainers",
"title": "Microsoft Defender for Containers"
},
{
"value": "microsoftDefenderForNetwork",
"title": "Microsoft Defender for Network"
},
{
"value": "microsoftDefenderForAppService",
"title": "Microsoft Defender for App Service"
},
{
"value": "microsoftDefenderForKeyVault",
"title": "Microsoft Defender for Key Vault"
},
{
"value": "microsoftDefenderForResourceManager",
"title": "Microsoft Defender for Resource Manager"
},
{
"value": "microsoftDefenderForApiManagement",
"title": "Microsoft Defender for API Management"
},
{
"value": "microsoftSentinel",
"title": "Microsoft Sentinel"
},
{
"value": "nrtAlerts",
"title": "NRT Alerts"
},
{
"value": "scheduledAlerts",
"title": "Scheduled Alerts"
},
{
"value": "microsoftDefenderThreatIntelligenceAnalytics",
"title": "Microsoft Defender Threat Intelligence Analytics"
},
{
"value": "builtInMl",
"title": "Built-in ML"
},
{
"value": "unknownFutureValue",
"title": "Unknown Future Value"
}
]
},
"detectorId": {
"type": "string",
"title": "Detector ID",
"description": "The ID of the detector that triggered the alert",
"readonly": true
},
"tenantId": {
"type": "string",
"title": "Tenant ID",
"description": "The Microsoft Entra tenant the alert was created in",
"readonly": true
},
"recommendedActions": {
"type": "string",
"title": "Recommended Actions",
"description": "Recommended response and remediation actions to take in the event this alert was generated",
"readonly": true
},
"alertWebUrl": {
"type": "string",
"title": "Alert Web URL",
"description": "URL for the Microsoft 365 Defender portal alert page",
"readonly": true
},
"incidentWebUrl": {
"type": "string",
"title": "Incident Web URL",
"description": "URL for the incident page in the Microsoft 365 Defender portal",
"readonly": true
},
"actorDisplayName": {
"type": "string",
"title": "Actor Display Name",
"description": "The adversary or activity group that is associated with this alert",
"readonly": true
},
"threatDisplayName": {
"type": "string",
"title": "Threat Display Name",
"description": "The threat associated with this alert",
"readonly": true
},
"threatFamilyName": {
"type": "string",
"title": "Threat Family Name",
"description": "Threat family associated with this alert",
"readonly": true
},
"mitreTechniques": {
"type": "array",
"title": "MITRE Techniques",
"description": "The attack techniques, as aligned with the MITRE ATT&CK framework",
"items": {
"type": "string"
},
"readonly": true
},
"createdDateTime": {
"type": "string",
"title": "Created DateTime",
"description": "Time when Microsoft 365 Defender created the alert",
"readonly": true
},
"lastUpdateDateTime": {
"type": "string",
"title": "Last Update DateTime",
"description": "Time when the alert was last updated at Microsoft 365 Defender",
"readonly": true
},
"resolvedDateTime": {
"type": "string",
"title": "Resolved DateTime",
"description": "Time when the alert was resolved",
"readonly": true
},
"firstActivityDateTime": {
"type": "string",
"title": "First Activity DateTime",
"description": "The earliest activity associated with the alert",
"readonly": true
},
"lastActivityDateTime": {
"type": "string",
"title": "Last Activity DateTime",
"description": "The most recent activity associated with the alert",
"readonly": true
},
"comments": {
"type": "array",
"title": "Comments",
"description": "Array of comments created by the Security Operations (SecOps) team during the alert management process",
"items": {
"type": "object",
"properties": {
"comment": {
"type": "string",
"title": "Comment",
"description": "The content of the comment"
},
"createdByDisplayName": {
"type": "string",
"title": "Created By Display Name",
"description": "The display name of the user who created the comment"
},
"createdDateTime": {
"type": "string",
"title": "Created DateTime",
"description": "The timestamp when the comment was created"
}
}
},
"readonly": true
},
"systemTags": {
"type": "array",
"title": "System Tags",
"description": "The system tags associated with the alert",
"items": {
"type": "string"
},
"readonly": true
},
"deviceEvidence": {
"type": "object",
"title": "Device Evidence",
"description": "Device evidence associated with the alert",
"properties": {
"createdDateTime": {
"type": "string",
"title": "Created DateTime",
"description": "Time when the evidence was created"
},
"verdict": {
"type": "string",
"title": "Verdict",
"description": "The verdict of the evidence"
},
"remediationStatus": {
"type": "string",
"title": "Remediation Status",
"description": "The remediation status of the evidence"
},
"remediationStatusDetails": {
"type": "string",
"title": "Remediation Status Details",
"description": "Details about the remediation status"
},
"roles": {
"type": "array",
"title": "Roles",
"description": "Roles associated with the evidence",
"items": {
"type": "string"
}
},
"detailedRoles": {
"type": "array",
"title": "Detailed Roles",
"description": "Detailed roles associated with the evidence",
"items": {
"type": "string"
}
},
"tags": {
"type": "array",
"title": "Tags",
"description": "Tags associated with the evidence",
"items": {
"type": "string"
}
},
"firstSeenDateTime": {
"type": "string",
"title": "First Seen DateTime",
"description": "Time when the evidence was first seen"
},
"mdeDeviceId": {
"type": "string",
"title": "MDE Device ID",
"description": "The Microsoft Defender for Endpoint device ID"
},
"azureAdDeviceId": {
"type": "string",
"title": "Azure AD Device ID",
"description": "The Azure AD device ID"
},
"deviceDnsName": {
"type": "string",
"title": "Device DNS Name",
"description": "The DNS name of the device"
},
"hostName": {
"type": "string",
"title": "Host Name",
"description": "The host name of the device"
},
"ntDomain": {
"type": "string",
"title": "NT Domain",
"description": "The NT domain of the device"
},
"dnsDomain": {
"type": "string",
"title": "DNS Domain",
"description": "The DNS domain of the device"
},
"osPlatform": {
"type": "string",
"title": "OS Platform",
"description": "The operating system platform"
},
"osBuild": {
"type": "integer",
"title": "OS Build",
"description": "The operating system build number"
},
"version": {
"type": "string",
"title": "Version",
"description": "The version of the operating system"
},
"healthStatus": {
"type": "string",
"title": "Health Status",
"description": "The health status of the device"
},
"riskScore": {
"type": "string",
"title": "Risk Score",
"description": "The risk score of the device"
},
"rbacGroupId": {
"type": "integer",
"title": "RBAC Group ID",
"description": "The RBAC group ID"
},
"rbacGroupName": {
"type": "string",
"title": "RBAC Group Name",
"description": "The RBAC group name"
},
"onboardingStatus": {
"type": "string",
"title": "Onboarding Status",
"description": "The onboarding status of the device"
},
"defenderAvStatus": {
"type": "string",
"title": "Defender AV Status",
"description": "The Microsoft Defender Antivirus status"
},
"lastIpAddress": {
"type": "string",
"title": "Last IP Address",
"description": "The last IP address of the device"
},
"lastExternalIpAddress": {
"type": "string",
"title": "Last External IP Address",
"description": "The last external IP address of the device"
},
"ipInterfaces": {
"type": "array",
"title": "IP Interfaces",
"description": "The IP interfaces of the device",
"items": {
"type": "string"
}
},
"vmMetadata": {
"type": "object",
"title": "VM Metadata",
"description": "Virtual machine metadata",
"properties": {
"vmId": {
"type": "string",
"title": "VM ID",
"description": "The virtual machine ID"
},
"cloudProvider": {
"type": "string",
"title": "Cloud Provider",
"description": "The cloud provider"
},
"resourceId": {
"type": "string",
"title": "Resource ID",
"description": "The resource ID"
},
"subscriptionId": {
"type": "string",
"title": "Subscription ID",
"description": "The subscription ID"
}
}
},
"loggedOnUsers": {
"type": "array",
"title": "Logged On Users",
"description": "Users logged on to the device",
"items": {
"type": "object",
"properties": {
"accountName": {
"type": "string",
"title": "Account Name",
"description": "The account name of the user"
},
"domainName": {
"type": "string",
"title": "Domain Name",
"description": "The domain name of the user"
}
}
}
}
},
"readonly": true
},
"userEvidence": {
"type": "object",
"title": "User Evidence",
"description": "User evidence associated with the alert",
"properties": {
"createdDateTime": {
"type": "string",
"title": "Created DateTime",
"description": "Time when the evidence was created"
},
"verdict": {
"type": "string",
"title": "Verdict",
"description": "The verdict of the evidence"
},
"remediationStatus": {
"type": "string",
"title": "Remediation Status",
"description": "The remediation status of the evidence"
},
"remediationStatusDetails": {
"type": "string",
"title": "Remediation Status Details",
"description": "Details about the remediation status"
},
"roles": {
"type": "array",
"title": "Roles",
"description": "Roles associated with the evidence",
"items": {
"type": "string"
}
},
"detailedRoles": {
"type": "array",
"title": "Detailed Roles",
"description": "Detailed roles associated with the evidence",
"items": {
"type": "string"
}
},
"tags": {
"type": "array",
"title": "Tags",
"description": "Tags associated with the evidence",
"items": {
"type": "string"
}
},
"stream": {
"type": "string",
"title": "Stream",
"description": "The stream associated with the evidence"
},
"userAccount": {
"type": "object",
"title": "User Account",
"description": "The user account associated with the evidence",
"properties": {
"accountName": {
"type": "string",
"title": "Account Name",
"description": "The account name of the user"
},
"domainName": {
"type": "string",
"title": "Domain Name",
"description": "The domain name of the user"
},
"userSid": {
"type": "string",
"title": "User SID",
"description": "The security identifier of the user"
},
"azureAdUserId": {
"type": "string",
"title": "Azure AD User ID",
"description": "The Azure AD user ID"
},
"userPrincipalName": {
"type": "string",
"title": "User Principal Name",
"description": "The user principal name"
},
"displayName": {
"type": "string",
"title": "Display Name",
"description": "The display name of the user"
}
}
}
},
"readonly": true
},
"alertPolicyId": {
"type": "string",
"title": "Alert Policy ID",
"description": "The ID of the policy that generated the alert. Populated only when a specific policy, either customer-configured or built-in, generated the alert",
"readonly": true
},
"productName": {
"type": "string",
"title": "Product Name",
"description": "The name of the product that published this alert",
"readonly": true
},
"deviceDnsName": {
"type": "string",
"title": "Device DNS Name",
"description": "The DNS name of the device",
"readonly": true
},
"deviceTags": {
"type": "array",
"title": "Device Tags",
"description": "Tags associated with the device",
"items": {
"type": "string"
},
"readonly": true
},
"userAccountName": {
"type": "string",
"title": "User Account Name",
"description": "The account name of the user associated with the alert",
"readonly": true
},
"userSid": {
"type": "string",
"title": "User SID",
"description": "The security identifier of the user associated with the alert",
"readonly": true
}
},
"schema_version": "1.0"
}
| Task | Call | URL | Parameters | Response |
|---|---|---|---|---|
| List | GET | /api/device/msgraphsecurity/Alert/ | | The device/msgraphsecurity/Alert schema and all instances as JSON. |
(The list will return 0 to 3 device/msgraphsecurity/Alert instances)
{
"pagination": {
"skip": 0,
"limit": 3,
"maximum_limit": 2000,
"total": 0,
"total_limit": null,
"order_by": "title",
"direction": "asc",
"current": "/api/device/msgraphsecurity/Alert/?skip=0&limit=3&order_by=title&direction=asc&traversal=down"
},
"operations": [
"list"
],
"meta": {
"model_type": "device/msgraphsecurity/Alert",
"summary_attrs": [
{
"name": "title",
"title": "Title"
},
{
"name": "deviceTags",
"title": "Device Tags"
},
{
"name": "severity",
"title": "Severity"
},
{
"name": "status",
"title": "Status"
},
{
"name": "category",
"title": "Category"
},
{
"name": "detectionSource",
"title": "Detection Source"
},
{
"name": "createdDateTime",
"title": "Created DateTime"
},
{
"name": "lastUpdateDateTime",
"title": "Last Update DateTime"
},
{
"name": "classification",
"title": "Classification"
},
{
"name": "determination",
"title": "Determination"
},
{
"name": "assignedTo",
"title": "Assigned To"
},
{
"name": "description",
"title": "Description"
},
{
"name": "hierarchy_friendly_name",
"title": "Located At",
"allow_filtering": true
}
],
"tagged_versions": [],
"tags": [],
"title": "",
"business_key": {},
"api_version": "21.2",
"cached": true,
"references": {
"children": [],
"parent": [
{
"href": "/api/data/HierarchyNode/6t0ggef2c0deab00hb595101",
"pkid": "6t0ggef2c0deab00hb595101"
}
],
"device": [
{
"href": "",
"pkid": ""
}
],
"foreign_key": []
},
"model_specific_actions": [
"list",
"get",
"update"
],
"schema_version": "1.0",
"actions": [
{
"list": {
"method": "GET",
"class": "list",
"href": "/api/device/msgraphsecurity/Alert/?hierarchy=[hierarchy]",
"support_async": false,
"title": "List"
}
},
{
"purge": {
"method": "POST",
"class": "purge",
"href": "/api/device/msgraphsecurity/Alert/purge/?hierarchy=[hierarchy]",
"support_async": false,
"title": "Purge"
}
}
]
},
"resources": []
}
| Task | Call | URL | Parameters | Response |
|---|---|---|---|---|
| Purge | POST | /api/device/msgraphsecurity/Alert/purge/ | | |
| Task | Call | URL | Parameters | Payload |
|---|---|---|---|---|
| Modify | PUT | /api/device/msgraphsecurity/Alert/[pkid] | hierarchy=[hierarchy] | For the payload specification, see the schema above; attributes marked "readonly": true in the schema cannot be modified. |
For Bulk modification, refer to the Bulk Modify section.
| Task | Call | URL | Parameters | Response |
|---|---|---|---|---|
| Get | GET | /api/device/msgraphsecurity/Alert/[pkid] | hierarchy=[hierarchy] | The device/msgraphsecurity/Alert instance with [pkid]. |
| Task | Call | URL | Parameters | Payload |
|---|---|---|---|---|
| Purge | POST | /api/device/msgraphsecurity/Alert/[pkid]/purge | hierarchy=[hierarchy] | If payload required: |