Model: device/msgraphsecurity/Alert

Model Details: device/msgraphsecurity/Alert

Each entry gives the field's title and description, followed by its field name, type, maximum length and, where the value is constrained, the allowed choices.

Alert ID: Unique identifier to represent the alert resource
  • Field Name: id
  • Type: String
  • MaxLength: 1024
Provider Alert ID: The ID of the alert as it appears in the security provider product that generated the alert
  • Field Name: providerAlertId
  • Type: String
  • MaxLength: 1024
Incident ID: Unique identifier to represent the incident this alert resource is associated with
  • Field Name: incidentId
  • Type: String
  • MaxLength: 1024
Title: Brief identifying string value describing the alert
  • Field Name: title
  • Type: String
  • MaxLength: 1024
Description: String value describing each alert
  • Field Name: description
  • Type: String
  • MaxLength: 1024
Category: The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework
  • Field Name: category
  • Type: String
  • MaxLength: 1024
Status: The status of the alert
  • Field Name: status
  • Type: String
  • MaxLength: 1024
  • Choices: ["Unknown", "New", "In Progress", "Resolved", "Unknown Future Value"]
Severity: Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically, higher-severity items require the most immediate attention
  • Field Name: severity
  • Type: String
  • MaxLength: 1024
  • Choices: ["Unknown", "Informational", "Low", "Medium", "High", "Unknown Future Value"]
Classification: Specifies whether the alert represents a true threat
  • Field Name: classification
  • Type: String
  • MaxLength: 1024
  • Choices: ["Unknown", "False Positive", "True Positive", "Informational Expected Activity", "Unknown Future Value"]
Determination: Specifies the result of the investigation, whether the alert represents a true attack and, if so, the nature of the attack
  • Field Name: determination
  • Type: String
  • MaxLength: 1024
  • Choices: ["Unknown", "APT", "Malware", "Security Personnel", "Security Testing", "Unwanted Software", "Other", "Multi-Staged Attack", "Compromised Account", "Phishing", "Malicious User Activity", "Not Malicious", "Not Enough Data To Validate", "Confirmed Activity", "Line of Business Application", "Unknown Future Value"]
Assigned To: Owner of the alert, or null if no owner is assigned
  • Field Name: assignedTo
  • Type: String
  • MaxLength: 1024
Service Source: The service or product that created this alert
  • Field Name: serviceSource
  • Type: String
  • MaxLength: 1024
  • Choices: ["Unknown", "Microsoft Defender for Endpoint", "Microsoft Defender for Identity", "Microsoft Defender for Cloud Apps", "Microsoft Defender for Office 365", "Microsoft 365 Defender", "Microsoft Entra ID Protection", "Microsoft App Governance", "Data Loss Prevention", "Microsoft Defender for Cloud", "Microsoft Sentinel", "Unknown Future Value"]
Detection Source: Detection technology or sensor that identified the notable component or activity
  • Field Name: detectionSource
  • Type: String
  • MaxLength: 1024
  • Choices: ["Unknown", "Microsoft Defender for Endpoint", "Antivirus", "SmartScreen", "Custom Threat Intelligence", "Microsoft Defender for Office 365", "Automated Investigation", "Microsoft Threat Experts", "Custom Detection", "Microsoft Defender for Identity", "Cloud App Security", "Microsoft 365 Defender", "Microsoft Entra ID Protection", "Manual", "Microsoft Data Loss Prevention", "App Governance Policy", "App Governance Detection", "Microsoft Defender for Cloud", "Microsoft Defender for IoT", "Microsoft Defender for Servers", "Microsoft Defender for Storage", "Microsoft Defender for DNS", "Microsoft Defender for Databases", "Microsoft Defender for Containers", "Microsoft Defender for Network", "Microsoft Defender for App Service", "Microsoft Defender for Key Vault", "Microsoft Defender for Resource Manager", "Microsoft Defender for API Management", "Microsoft Sentinel", "NRT Alerts", "Scheduled Alerts", "Microsoft Defender Threat Intelligence Analytics", "Built-in ML", "Unknown Future Value"]
Detector ID: The ID of the detector that triggered the alert
  • Field Name: detectorId
  • Type: String
  • MaxLength: 1024
Tenant ID: The Microsoft Entra tenant the alert was created in
  • Field Name: tenantId
  • Type: String
  • MaxLength: 1024
Recommended Actions: Recommended response and remediation actions to take in the event this alert was generated
  • Field Name: recommendedActions
  • Type: String
  • MaxLength: 1024
Alert Web URL: URL for the Microsoft 365 Defender portal alert page
  • Field Name: alertWebUrl
  • Type: String
  • MaxLength: 1024
Incident Web URL: URL for the incident page in the Microsoft 365 Defender portal
  • Field Name: incidentWebUrl
  • Type: String
  • MaxLength: 1024
Actor Display Name: The adversary or activity group that is associated with this alert
  • Field Name: actorDisplayName
  • Type: String
  • MaxLength: 1024
Threat Display Name: The threat associated with this alert
  • Field Name: threatDisplayName
  • Type: String
  • MaxLength: 1024
Threat Family Name: Threat family associated with this alert
  • Field Name: threatFamilyName
  • Type: String
  • MaxLength: 1024
MITRE Techniques: The attack techniques, as aligned with the MITRE ATT&CK framework
  • Field Name: mitreTechniques.[n]
  • Type: Array
Created DateTime: Time when Microsoft 365 Defender created the alert
  • Field Name: createdDateTime
  • Type: String
  • MaxLength: 1024
Last Update DateTime: Time when the alert was last updated at Microsoft 365 Defender
  • Field Name: lastUpdateDateTime
  • Type: String
  • MaxLength: 1024
Resolved DateTime: Time when the alert was resolved
  • Field Name: resolvedDateTime
  • Type: String
  • MaxLength: 1024
First Activity DateTime: The earliest activity associated with the alert
  • Field Name: firstActivityDateTime
  • Type: String
  • MaxLength: 1024
Last Activity DateTime: The most recent activity associated with the alert
  • Field Name: lastActivityDateTime
  • Type: String
  • MaxLength: 1024
Comments: Array of comments created by the Security Operations (SecOps) team during the alert management process
  • Field Name: comments.[n]
  • Type: Array
Comment: The content of the comment
  • Field Name: comments.[n].comment
  • Type: String
  • MaxLength: 1024
Created By Display Name: The display name of the user who created the comment
  • Field Name: comments.[n].createdByDisplayName
  • Type: String
  • MaxLength: 1024
Created DateTime: The timestamp when the comment was created
  • Field Name: comments.[n].createdDateTime
  • Type: String
  • MaxLength: 1024
System Tags: The system tags associated with the alert
  • Field Name: systemTags.[n]
  • Type: Array
Device Evidence: Device evidence associated with the alert
  • Field Name: deviceEvidence
  • Type: Object
Created DateTime: Time when the evidence was created
  • Field Name: deviceEvidence.createdDateTime
  • Type: String
  • MaxLength: 1024
Verdict: The verdict of the evidence
  • Field Name: deviceEvidence.verdict
  • Type: String
  • MaxLength: 1024
Remediation Status: The remediation status of the evidence
  • Field Name: deviceEvidence.remediationStatus
  • Type: String
  • MaxLength: 1024
Remediation Status Details: Details about the remediation status
  • Field Name: deviceEvidence.remediationStatusDetails
  • Type: String
  • MaxLength: 1024
Roles: Roles associated with the evidence
  • Field Name: roles.[n]
  • Type: Array
Detailed Roles: Detailed roles associated with the evidence
  • Field Name: detailedRoles.[n]
  • Type: Array
Tags: Tags associated with the evidence
  • Field Name: tags.[n]
  • Type: Array
First Seen DateTime: Time when the evidence was first seen
  • Field Name: deviceEvidence.firstSeenDateTime
  • Type: String
  • MaxLength: 1024
MDE Device ID: The Microsoft Defender for Endpoint device ID
  • Field Name: deviceEvidence.mdeDeviceId
  • Type: String
  • MaxLength: 1024
Azure AD Device ID: The Azure AD device ID
  • Field Name: deviceEvidence.azureAdDeviceId
  • Type: String
  • MaxLength: 1024
Device DNS Name: The DNS name of the device
  • Field Name: deviceEvidence.deviceDnsName
  • Type: String
  • MaxLength: 1024
Host Name: The host name of the device
  • Field Name: deviceEvidence.hostName
  • Type: String
  • MaxLength: 1024
NT Domain: The NT domain of the device
  • Field Name: deviceEvidence.ntDomain
  • Type: String
  • MaxLength: 1024
DNS Domain: The DNS domain of the device
  • Field Name: deviceEvidence.dnsDomain
  • Type: String
  • MaxLength: 1024
OS Platform: The operating system platform
  • Field Name: deviceEvidence.osPlatform
  • Type: String
  • MaxLength: 1024
OS Build: The operating system build number
  • Field Name: deviceEvidence.osBuild
  • Type: Integer
Version: The version of the operating system
  • Field Name: deviceEvidence.version
  • Type: String
  • MaxLength: 1024
Health Status: The health status of the device
  • Field Name: deviceEvidence.healthStatus
  • Type: String
  • MaxLength: 1024
Risk Score: The risk score of the device
  • Field Name: deviceEvidence.riskScore
  • Type: String
  • MaxLength: 1024
RBAC Group ID: The RBAC group ID
  • Field Name: deviceEvidence.rbacGroupId
  • Type: Integer
RBAC Group Name: The RBAC group name
  • Field Name: deviceEvidence.rbacGroupName
  • Type: String
  • MaxLength: 1024
Onboarding Status: The onboarding status of the device
  • Field Name: deviceEvidence.onboardingStatus
  • Type: String
  • MaxLength: 1024
Defender AV Status: The Microsoft Defender Antivirus status
  • Field Name: deviceEvidence.defenderAvStatus
  • Type: String
  • MaxLength: 1024
Last IP Address: The last IP address of the device
  • Field Name: deviceEvidence.lastIpAddress
  • Type: String
  • MaxLength: 1024
Last External IP Address: The last external IP address of the device
  • Field Name: deviceEvidence.lastExternalIpAddress
  • Type: String
  • MaxLength: 1024
IP Interfaces: The IP interfaces of the device
  • Field Name: ipInterfaces.[n]
  • Type: Array
VM Metadata: Virtual machine metadata
  • Field Name: vmMetadata
  • Type: Object
VM ID: The virtual machine ID
  • Field Name: deviceEvidence.vmMetadata.vmId
  • Type: String
  • MaxLength: 1024
Cloud Provider: The cloud provider
  • Field Name: deviceEvidence.vmMetadata.cloudProvider
  • Type: String
  • MaxLength: 1024
Resource ID: The resource ID
  • Field Name: deviceEvidence.vmMetadata.resourceId
  • Type: String
  • MaxLength: 1024
Subscription ID: The subscription ID
  • Field Name: deviceEvidence.vmMetadata.subscriptionId
  • Type: String
  • MaxLength: 1024
Logged On Users: Users logged on to the device
  • Field Name: loggedOnUsers.[n]
  • Type: Array
Account Name: The account name of the user
  • Field Name: deviceEvidence.loggedOnUsers.[n].accountName
  • Type: String
  • MaxLength: 1024
Domain Name: The domain name of the user
  • Field Name: deviceEvidence.loggedOnUsers.[n].domainName
  • Type: String
  • MaxLength: 1024
User Evidence: User evidence associated with the alert
  • Field Name: userEvidence
  • Type: Object
Created DateTime: Time when the evidence was created
  • Field Name: userEvidence.createdDateTime
  • Type: String
  • MaxLength: 1024
Verdict: The verdict of the evidence
  • Field Name: userEvidence.verdict
  • Type: String
  • MaxLength: 1024
Remediation Status: The remediation status of the evidence
  • Field Name: userEvidence.remediationStatus
  • Type: String
  • MaxLength: 1024
Remediation Status Details: Details about the remediation status
  • Field Name: userEvidence.remediationStatusDetails
  • Type: String
  • MaxLength: 1024
Roles: Roles associated with the evidence
  • Field Name: roles.[n]
  • Type: Array
Detailed Roles: Detailed roles associated with the evidence
  • Field Name: detailedRoles.[n]
  • Type: Array
Tags: Tags associated with the evidence
  • Field Name: tags.[n]
  • Type: Array
Stream: The stream associated with the evidence
  • Field Name: userEvidence.stream
  • Type: String
  • MaxLength: 1024
User Account: The user account associated with the evidence
  • Field Name: userAccount
  • Type: Object
Account Name: The account name of the user
  • Field Name: userEvidence.userAccount.accountName
  • Type: String
  • MaxLength: 1024
Domain Name: The domain name of the user
  • Field Name: userEvidence.userAccount.domainName
  • Type: String
  • MaxLength: 1024
User SID: The security identifier of the user
  • Field Name: userEvidence.userAccount.userSid
  • Type: String
  • MaxLength: 1024
Azure AD User ID: The Azure AD user ID
  • Field Name: userEvidence.userAccount.azureAdUserId
  • Type: String
  • MaxLength: 1024
User Principal Name: The user principal name
  • Field Name: userEvidence.userAccount.userPrincipalName
  • Type: String
  • MaxLength: 1024
Display Name: The display name of the user
  • Field Name: userEvidence.userAccount.displayName
  • Type: String
  • MaxLength: 1024
Alert Policy ID: The ID of the policy that generated the alert; populated only when a specific policy, whether customer-configured or built-in, generated the alert
  • Field Name: alertPolicyId
  • Type: String
  • MaxLength: 1024
Product Name: The name of the product which published this alert
  • Field Name: productName
  • Type: String
  • MaxLength: 1024
Device DNS Name: The DNS name of the device
  • Field Name: deviceDnsName
  • Type: String
  • MaxLength: 1024
Device Tags: Tags associated with the device
  • Field Name: deviceTags.[n]
  • Type: Array
User Account Name: The account name of the user associated with the alert
  • Field Name: userAccountName
  • Type: String
  • MaxLength: 1024
User SID: The security identifier of the user associated with the alert
  • Field Name: userSid
  • Type: String
  • MaxLength: 1024