alert resource type

Namespace: microsoft.graph

This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified.

This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers listed in Use the Microsoft Graph security API. It aggregates common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions.

To learn more, see the sample queries in Graph Explorer.

Note

This resource is one of the two types of alerts that the v1.0 version of the Microsoft Graph security API offers. For more information, see alerts.

Methods

Method Return Type Description
Get alert alert Read properties and relationships of an alert object.
Update alert alert Update an alert object.
List alerts alert collection Get an alert object collection.

Properties

Property Type Description
activityGroupName String Name or alias of the activity group (attacker) this alert is attributed to.
assignedTo String Name of the analyst the alert is assigned to for triage, investigation, or remediation (supports update).
azureSubscriptionId String Azure subscription ID, present if this alert is related to an Azure resource.
azureTenantId String Microsoft Entra tenant ID. Required.
category String Category of the alert (for example, credentialTheft, ransomware, etc.).
closedDateTime DateTimeOffset Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z (supports update).
cloudAppStates cloudAppSecurityState collection Security-related stateful information generated by the provider about the cloud application/s related to this alert.
comments String collection Customer-provided comments on alert (for customer alert management) (supports update).
confidence Int32 Confidence of the detection logic (percentage between 1-100).
createdDateTime DateTimeOffset Time at which the alert was created by the alert provider. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.
description String Alert description.
detectionIds String collection Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record).
eventDateTime DateTimeOffset Time at which the event(s) that served as the trigger(s) to generate the alert occurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.
feedback alertFeedback Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive. (supports update)
fileStates fileSecurityState collection Security-related stateful information generated by the provider about the file(s) related to this alert.
hostStates hostSecurityState collection Security-related stateful information generated by the provider about the host(s) related to this alert.
id String Provider-generated GUID/unique identifier. Read-only. Required.
incidentIds String collection IDs of incidents related to current alert.
lastModifiedDateTime DateTimeOffset Time at which the alert entity was last modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
malwareStates malwareState collection Threat Intelligence pertaining to malware related to this alert.
networkConnections networkConnection collection Security-related stateful information generated by the provider about the network connection(s) related to this alert.
processes process collection Security-related stateful information generated by the provider about the process or processes related to this alert.
recommendedActions String collection Vendor/provider recommended action(s) to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host).
registryKeyStates registryKeyState collection Security-related stateful information generated by the provider about the registry keys related to this alert.
securityResources securityResource collection Resources related to current alert. For example, for some alerts this can have the Azure Resource value.
severity alertSeverity Alert severity - set by vendor/provider. Possible values are: unknown, informational, low, medium, high. Required.
sourceMaterials String collection Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search, etc.
status alertStatus Alert lifecycle status (stage). Possible values are: unknown, newAlert, inProgress, resolved. (supports update). Required.
tags String collection User-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.) (supports update).
title String Alert title. Required.
triggers alertTrigger collection Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation.
userStates userSecurityState collection Security-related stateful information generated by the provider about the user accounts related to this alert.
vendorInformation securityVendorInformation Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker). Required.
vulnerabilityStates vulnerabilityState collection Threat intelligence pertaining to one or more vulnerabilities related to this alert.

Relationships

None.

JSON representation

The following is a JSON representation of the resource.

{
  "activityGroupName": "String",
  "assignedTo": "String",
  "azureSubscriptionId": "String",
  "azureTenantId": "String",
  "category": "String",
  "closedDateTime": "String (timestamp)",
  "cloudAppStates": [{"@odata.type": "microsoft.graph.cloudAppSecurityState"}],
  "comments": ["String"],
  "confidence": 1024,
  "createdDateTime": "String (timestamp)",
  "description": "String",
  "detectionIds": ["String"],
  "eventDateTime": "String (timestamp)",
  "feedback": "@odata.type: microsoft.graph.alertFeedback",
  "fileStates": [{"@odata.type": "microsoft.graph.fileSecurityState"}],
  "hostStates": [{"@odata.type": "microsoft.graph.hostSecurityState"}],
  "id": "String (identifier)",
  "incidentIds": ["String"],
  "lastModifiedDateTime": "String (timestamp)",
  "malwareStates": [{"@odata.type": "microsoft.graph.malwareState"}],
  "networkConnections": [{"@odata.type": "microsoft.graph.networkConnection"}],
  "processes": [{"@odata.type": "microsoft.graph.process"}],
  "recommendedActions": ["String"],
  "registryKeyStates": [{"@odata.type": "microsoft.graph.registryKeyState"}],
  "securityResources": [{"@odata.type": "microsoft.graph.securityResource"}],
  "severity": "@odata.type: microsoft.graph.alertSeverity",
  "sourceMaterials": ["String"],
  "status": "@odata.type: microsoft.graph.alertStatus",
  "tags": ["String"],
  "title": "String",
  "triggers": [{"@odata.type": "microsoft.graph.alertTrigger"}],
  "userStates": [{"@odata.type": "microsoft.graph.userSecurityState"}],
  "vendorInformation": {"@odata.type": "microsoft.graph.securityVendorInformation"},
  "vulnerabilityStates": [{"@odata.type": "microsoft.graph.vulnerabilityState"}]
}