Model: device/msgraphsecurity/Alert

Model Details: device/msgraphsecurity/Alert

Title Description Details
Alert ID Unique identifier to represent the alert resource
  • Field Name: id
  • Type: String
Provider Alert ID The ID of the alert as it appears in the security provider product that generated the alert
  • Field Name: providerAlertId
  • Type: String
Incident ID Unique identifier to represent the incident this alert resource is associated with
  • Field Name: incidentId
  • Type: String
Title Brief identifying string value describing the alert
  • Field Name: title
  • Type: String
Description String value describing each alert
  • Field Name: description
  • Type: String
Category The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework
  • Field Name: category
  • Type: String
Status The status of the alert
  • Field Name: status
  • Type: String
  • Choices: ["Unknown", "New", "In Progress", "Resolved", "Unknown Future Value"]
Severity Indicates the possible impact on assets. The higher the severity, the bigger the impact; higher-severity alerts typically need the most immediate attention
  • Field Name: severity
  • Type: String
  • Choices: ["Unknown", "Informational", "Low", "Medium", "High", "Unknown Future Value"]
Classification Specifies whether the alert represents a true threat
  • Field Name: classification
  • Type: String
  • Choices: ["Unknown", "False Positive", "True Positive", "Informational Expected Activity", "Unknown Future Value"]
Determination Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack
  • Field Name: determination
  • Type: String
  • Choices: ["Unknown", "APT", "Malware", "Security Personnel", "Security Testing", "Unwanted Software", "Other", "Multi-Staged Attack", "Compromised Account", "Phishing", "Malicious User Activity", "Not Malicious", "Not Enough Data To Validate", "Confirmed Activity", "Line of Business Application", "Unknown Future Value"]
Assigned To Owner of the alert, or null if no owner is assigned
  • Field Name: assignedTo
  • Type: String
Service Source The service or product that created this alert
  • Field Name: serviceSource
  • Type: String
  • Choices: ["Unknown", "Microsoft Defender for Endpoint", "Microsoft Defender for Identity", "Microsoft Defender for Cloud Apps", "Microsoft Defender for Office 365", "Microsoft 365 Defender", "Microsoft Entra ID Protection", "Microsoft App Governance", "Data Loss Prevention", "Microsoft Defender for Cloud", "Microsoft Sentinel", "Unknown Future Value"]
Detection Source Detection technology or sensor that identified the notable component or activity
  • Field Name: detectionSource
  • Type: String
  • Choices: ["Unknown", "Microsoft Defender for Endpoint", "Antivirus", "SmartScreen", "Custom Threat Intelligence", "Microsoft Defender for Office 365", "Automated Investigation", "Microsoft Threat Experts", "Custom Detection", "Microsoft Defender for Identity", "Cloud App Security", "Microsoft 365 Defender", "Microsoft Entra ID Protection", "Manual", "Microsoft Data Loss Prevention", "App Governance Policy", "App Governance Detection", "Microsoft Defender for Cloud", "Microsoft Defender for IoT", "Microsoft Defender for Servers", "Microsoft Defender for Storage", "Microsoft Defender for DNS", "Microsoft Defender for Databases", "Microsoft Defender for Containers", "Microsoft Defender for Network", "Microsoft Defender for App Service", "Microsoft Defender for Key Vault", "Microsoft Defender for Resource Manager", "Microsoft Defender for API Management", "Microsoft Sentinel", "NRT Alerts", "Scheduled Alerts", "Microsoft Defender Threat Intelligence Analytics", "Built-in ML", "Unknown Future Value"]
Detector ID The ID of the detector that triggered the alert
  • Field Name: detectorId
  • Type: String
Tenant ID The Microsoft Entra tenant the alert was created in
  • Field Name: tenantId
  • Type: String
Recommended Actions Recommended response and remediation actions to take in the event this alert was generated
  • Field Name: recommendedActions
  • Type: String
Alert Web URL URL for the Microsoft 365 Defender portal alert page
  • Field Name: alertWebUrl
  • Type: String
Incident Web URL URL for the incident page in the Microsoft 365 Defender portal
  • Field Name: incidentWebUrl
  • Type: String
Actor Display Name The adversary or activity group that is associated with this alert
  • Field Name: actorDisplayName
  • Type: String
Threat Display Name The threat associated with this alert
  • Field Name: threatDisplayName
  • Type: String
Threat Family Name Threat family associated with this alert
  • Field Name: threatFamilyName
  • Type: String
MITRE Techniques The attack techniques, as aligned with the MITRE ATT&CK framework
  • Field Name: mitreTechniques.[n]
  • Type: Array
Created DateTime Time when Microsoft 365 Defender created the alert
  • Field Name: createdDateTime
  • Type: String
Last Update DateTime Time when the alert was last updated at Microsoft 365 Defender
  • Field Name: lastUpdateDateTime
  • Type: String
Resolved DateTime Time when the alert was resolved
  • Field Name: resolvedDateTime
  • Type: String
First Activity DateTime The earliest activity associated with the alert
  • Field Name: firstActivityDateTime
  • Type: String
Last Activity DateTime The most recent activity associated with the alert
  • Field Name: lastActivityDateTime
  • Type: String
Comments Array of comments created by the Security Operations (SecOps) team during the alert management process
  • Field Name: comments.[n]
  • Type: Array
Comment The content of the comment
  • Field Name: comments.[n].comment
  • Type: String
Created By Display Name The display name of the user who created the comment
  • Field Name: comments.[n].createdByDisplayName
  • Type: String
Created DateTime The timestamp when the comment was created
  • Field Name: comments.[n].createdDateTime
  • Type: String
System Tags The system tags associated with the alert
  • Field Name: systemTags.[n]
  • Type: Array
Device Evidence Device evidence associated with the alert
  • Field Name: deviceEvidence
  • Type: Object
Created DateTime Time when the evidence was created
  • Field Name: deviceEvidence.createdDateTime
  • Type: String
Verdict The verdict of the evidence
  • Field Name: deviceEvidence.verdict
  • Type: String
Remediation Status The remediation status of the evidence
  • Field Name: deviceEvidence.remediationStatus
  • Type: String
Remediation Status Details Details about the remediation status
  • Field Name: deviceEvidence.remediationStatusDetails
  • Type: String
Roles Roles associated with the evidence
  • Field Name: deviceEvidence.roles.[n]
  • Type: Array
Detailed Roles Detailed roles associated with the evidence
  • Field Name: deviceEvidence.detailedRoles.[n]
  • Type: Array
Tags Tags associated with the evidence
  • Field Name: deviceEvidence.tags.[n]
  • Type: Array
First Seen DateTime Time when the evidence was first seen
  • Field Name: deviceEvidence.firstSeenDateTime
  • Type: String
MDE Device ID The Microsoft Defender for Endpoint device ID
  • Field Name: deviceEvidence.mdeDeviceId
  • Type: String
Azure AD Device ID The Azure AD device ID
  • Field Name: deviceEvidence.azureAdDeviceId
  • Type: String
Device DNS Name The DNS name of the device
  • Field Name: deviceEvidence.deviceDnsName
  • Type: String
Host Name The host name of the device
  • Field Name: deviceEvidence.hostName
  • Type: String
NT Domain The NT domain of the device
  • Field Name: deviceEvidence.ntDomain
  • Type: String
DNS Domain The DNS domain of the device
  • Field Name: deviceEvidence.dnsDomain
  • Type: String
OS Platform The operating system platform
  • Field Name: deviceEvidence.osPlatform
  • Type: String
OS Build The operating system build number
  • Field Name: deviceEvidence.osBuild
  • Type: Integer
Version The version of the operating system
  • Field Name: deviceEvidence.version
  • Type: String
Health Status The health status of the device
  • Field Name: deviceEvidence.healthStatus
  • Type: String
Risk Score The risk score of the device
  • Field Name: deviceEvidence.riskScore
  • Type: String
RBAC Group ID The RBAC group ID
  • Field Name: deviceEvidence.rbacGroupId
  • Type: Integer
RBAC Group Name The RBAC group name
  • Field Name: deviceEvidence.rbacGroupName
  • Type: String
Onboarding Status The onboarding status of the device
  • Field Name: deviceEvidence.onboardingStatus
  • Type: String
Defender AV Status The Microsoft Defender Antivirus status
  • Field Name: deviceEvidence.defenderAvStatus
  • Type: String
Last IP Address The last IP address of the device
  • Field Name: deviceEvidence.lastIpAddress
  • Type: String
Last External IP Address The last external IP address of the device
  • Field Name: deviceEvidence.lastExternalIpAddress
  • Type: String
IP Interfaces The IP interfaces of the device
  • Field Name: deviceEvidence.ipInterfaces.[n]
  • Type: Array
VM Metadata Virtual machine metadata
  • Field Name: deviceEvidence.vmMetadata
  • Type: Object
VM ID The virtual machine ID
  • Field Name: deviceEvidence.vmMetadata.vmId
  • Type: String
Cloud Provider The cloud provider
  • Field Name: deviceEvidence.vmMetadata.cloudProvider
  • Type: String
Resource ID The resource ID
  • Field Name: deviceEvidence.vmMetadata.resourceId
  • Type: String
Subscription ID The subscription ID
  • Field Name: deviceEvidence.vmMetadata.subscriptionId
  • Type: String
Logged On Users Users logged on to the device
  • Field Name: deviceEvidence.loggedOnUsers.[n]
  • Type: Array
Account Name The account name of the user
  • Field Name: deviceEvidence.loggedOnUsers.[n].accountName
  • Type: String
Domain Name The domain name of the user
  • Field Name: deviceEvidence.loggedOnUsers.[n].domainName
  • Type: String
User Evidence User evidence associated with the alert
  • Field Name: userEvidence
  • Type: Object
Created DateTime Time when the evidence was created
  • Field Name: userEvidence.createdDateTime
  • Type: String
Verdict The verdict of the evidence
  • Field Name: userEvidence.verdict
  • Type: String
Remediation Status The remediation status of the evidence
  • Field Name: userEvidence.remediationStatus
  • Type: String
Remediation Status Details Details about the remediation status
  • Field Name: userEvidence.remediationStatusDetails
  • Type: String
Roles Roles associated with the evidence
  • Field Name: userEvidence.roles.[n]
  • Type: Array
Detailed Roles Detailed roles associated with the evidence
  • Field Name: userEvidence.detailedRoles.[n]
  • Type: Array
Tags Tags associated with the evidence
  • Field Name: userEvidence.tags.[n]
  • Type: Array
Stream The stream associated with the evidence
  • Field Name: userEvidence.stream
  • Type: String
User Account The user account associated with the evidence
  • Field Name: userEvidence.userAccount
  • Type: Object
Account Name The account name of the user
  • Field Name: userEvidence.userAccount.accountName
  • Type: String
Domain Name The domain name of the user
  • Field Name: userEvidence.userAccount.domainName
  • Type: String
User SID The security identifier of the user
  • Field Name: userEvidence.userAccount.userSid
  • Type: String
Azure AD User ID The Azure AD user ID
  • Field Name: userEvidence.userAccount.azureAdUserId
  • Type: String
User Principal Name The user principal name
  • Field Name: userEvidence.userAccount.userPrincipalName
  • Type: String
Display Name The display name of the user
  • Field Name: userEvidence.userAccount.displayName
  • Type: String
Alert Policy ID The ID of the policy that generated the alert. Populated only when a specific policy, whether customer-configured or built-in, generated the alert
  • Field Name: alertPolicyId
  • Type: String
Product Name The name of the product which published this alert
  • Field Name: productName
  • Type: String
Device DNS Name The DNS name of the device
  • Field Name: deviceDnsName
  • Type: String
Device Tags Tags associated with the device
  • Field Name: deviceTags.[n]
  • Type: Array
User Account Name The account name of the user associated with the alert
  • Field Name: userAccountName
  • Type: String
User SID The security identifier of the user associated with the alert
  • Field Name: userSid
  • Type: String
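Reading the model end to end: the following added example (not code from this page, from the model's vendor, or from Microsoft) takes a constructed alerts_v2-style Microsoft Graph Security payload and flattens it into the field layout above. It maps the API's camelCase enum values onto the Choices strings (with anything unlisted landing on "Unknown Future Value" rather than "Unknown"), routes evidence items to deviceEvidence and userEvidence by their @odata.type, tolerates the seven-digit fractional seconds Graph can emit, and rejects an alert whose lastActivityDateTime precedes its firstActivityDateTime. The payload shape, the camelCase-to-Title-Case rule, the timestamp format and every sample value are assumptions of this example; the determination list is deliberately not mapped because several of its names ("APT", "Multi-Staged Attack", "Line of Business Application") cannot be reproduced by a mechanical camelCase split and need an explicit table.

```python
"""Normalise a raw Microsoft Graph Security API alert (alerts_v2 shape) onto the
device/msgraphsecurity/Alert model listed above. Added example, not code from this
page or from Microsoft. Assumed: Graph enum values are camelCase ("inProgress") and
the model's Choices are the same words in Title Case; evidence is an `evidence` array
of items tagged by `@odata.type`; timestamps are UTC ISO 8601 ending in "Z" with up to
seven fractional digits. SAMPLE_ALERT is constructed for this example."""
import json
import re
from datetime import datetime, timezone

CHOICES = {  # copied from the model's Choices lists
    "status": ["Unknown", "New", "In Progress", "Resolved", "Unknown Future Value"],
    "severity": ["Unknown", "Informational", "Low", "Medium", "High", "Unknown Future Value"],
    "classification": ["Unknown", "False Positive", "True Positive",
                       "Informational Expected Activity", "Unknown Future Value"],
}
DEVICE = "#microsoft.graph.security.deviceEvidence"
USER = "#microsoft.graph.security.userEvidence"

def enum_to_choice(field, raw):
    """Graph enum value -> model display string. An unlisted value becomes
    "Unknown Future Value", not "Unknown": Graph reserves that sentinel so new
    upstream values neither crash a consumer nor masquerade as missing data."""
    if raw is None:
        return "Unknown"
    words = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", raw).split()
    display = " ".join(w[:1].upper() + w[1:] for w in words)
    return display if display in CHOICES[field] else "Unknown Future Value"

def parse_ts(value):
    """Aware UTC datetime from a Graph timestamp, or None if absent. Graph may emit
    seven fractional digits and strptime's %f accepts six, so the fraction is cut."""
    if not value:
        return None
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if m is None:
        raise ValueError(f"unsupported timestamp: {value!r}")
    frac = (m.group(2) or "")[:6].ljust(6, "0")
    return datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def pick_evidence(alert, odata_type):
    # First evidence item of the requested @odata.type, or {} if the alert has none.
    return next((e for e in alert.get("evidence") or [] if e.get("@odata.type") == odata_type), {})

def normalize_alert(alert):
    """Flatten one Graph alert into the model's field layout."""
    device, user = pick_evidence(alert, DEVICE), pick_evidence(alert, USER)
    account = user.get("userAccount") or {}
    first, last = parse_ts(alert.get("firstActivityDateTime")), parse_ts(alert.get("lastActivityDateTime"))
    if first and last and last < first:
        # lastActivityDateTime is the most recent activity; an inverted window is rejected here.
        raise ValueError("lastActivityDateTime precedes firstActivityDateTime")
    return {
        "id": alert["id"],
        "status": enum_to_choice("status", alert.get("status")),
        "severity": enum_to_choice("severity", alert.get("severity")),
        "classification": enum_to_choice("classification", alert.get("classification")),
        "mitreTechniques": list(alert.get("mitreTechniques") or []),
        "firstActivityDateTime": alert.get("firstActivityDateTime"),
        "lastActivityDateTime": alert.get("lastActivityDateTime"),
        "deviceEvidence": {
            **{k: device.get(k) for k in ("verdict", "remediationStatus", "mdeDeviceId",
                                          "deviceDnsName", "osPlatform", "osBuild", "riskScore")},
            "loggedOnUsers": [{"accountName": u.get("accountName"), "domainName": u.get("domainName")}
                              for u in device.get("loggedOnUsers") or []],
        },
        "userEvidence": {
            "userAccount": {k: account.get(k) for k in ("accountName", "domainName", "userSid",
                                                       "azureAdUserId", "userPrincipalName")},
        },
        # Top-level copies the model carries beside the nested evidence.
        "deviceDnsName": device.get("deviceDnsName"),
        "userAccountName": account.get("accountName"),
        "userSid": account.get("userSid"),
    }

def activity_window_seconds(model):
    """Seconds from first to last activity, or None if either timestamp is absent."""
    first, last = parse_ts(model["firstActivityDateTime"]), parse_ts(model["lastActivityDateTime"])
    return None if first is None or last is None else (last - first).total_seconds()

SAMPLE_ALERT = {  # constructed for this example; not data from any tenant
    "id": "example-alert-0001", "status": "inProgress", "severity": "high",
    "classification": "truePositive", "mitreTechniques": ["T1059.001"],
    "firstActivityDateTime": "2024-03-01T10:15:30.1234567Z",
    "lastActivityDateTime": "2024-03-01T10:47:02Z",
    "evidence": [
        {"@odata.type": DEVICE, "verdict": "suspicious", "remediationStatus": "none",
         "mdeDeviceId": "example-device-0001", "deviceDnsName": "ws01.corp.example",
         "osPlatform": "Windows10", "osBuild": 19045, "riskScore": "high",
         "loggedOnUsers": [{"accountName": "jdoe", "domainName": "CORP"}]},
        {"@odata.type": USER, "verdict": "suspicious",
         "userAccount": {"accountName": "jdoe", "domainName": "CORP",
                         "userSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
                         "userPrincipalName": "jdoe@corp.example"}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(normalize_alert(SAMPLE_ALERT), indent=2))
```

Two design points worth keeping when adapting this: the fallback to "Unknown Future Value" is what makes the Choices lists safe against upstream enum growth, and the first/last activity ordering check belongs at the ingestion boundary, where a bad record can be rejected before a negative dwell time reaches dashboards or correlation rules.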