{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "#/components/schemas/microsoft.graph.alert", "title": "microsoft.graph.alert", "allOf": [ { "$ref": "#/components/schemas/microsoft.graph.entity" }, { "title": "alert", "required": [ "@odata.type" ], "type": "object", "properties": { "activityGroupName": { "type": "string", "description": "Name or alias of the activity group (attacker) this alert is attributed to.", "nullable": true }, "alertDetections": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.alertDetection" } }, "assignedTo": { "type": "string", "description": "Name of the analyst the alert is assigned to for triage, investigation, or remediation (supports update).", "nullable": true }, "azureSubscriptionId": { "type": "string", "description": "Azure subscription ID, present if this alert is related to an Azure resource.", "nullable": true }, "azureTenantId": { "type": "string", "description": "Microsoft Entra tenant ID. Required." }, "category": { "type": "string", "description": "Category of the alert (for example, credentialTheft, ransomware).", "nullable": true }, "closedDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z (supports update).", "format": "date-time", "nullable": true }, "cloudAppStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.cloudAppSecurityState" }, "description": "Security-related stateful information generated by the provider about the cloud application/s related to this alert." }, "comments": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Customer-provided comments on alert (for customer alert management) (supports update)." }, "confidence": { "maximum": 2147483647, "minimum": -2147483648, "type": "number", "description": "Confidence of the detection logic (percentage between 1-100).", "format": "int32", "nullable": true }, "createdDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time at which the alert was created by the alert provider. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.", "format": "date-time", "nullable": true }, "description": { "type": "string", "description": "Alert description.", "nullable": true }, "detectionIds": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record)." }, "eventDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time at which the event or events that served as the trigger to generate the alert occurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.", "format": "date-time", "nullable": true }, "feedback": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.alertFeedback" }, { "type": "object", "nullable": true } ], "description": "Analyst feedback on the alert. The possible values are: unknown, truePositive, falsePositive, benignPositive. Supports update." }, "fileStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.fileSecurityState" }, "description": "Security-related stateful information generated by the provider about the file(s) related to this alert." }, "historyStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.alertHistoryState" } }, "hostStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.hostSecurityState" }, "description": "Security-related stateful information generated by the provider about the host(s) related to this alert." }, "incidentIds": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "IDs of incidents related to current alert." }, "investigationSecurityStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.investigationSecurityState" } }, "lastEventDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "format": "date-time", "nullable": true }, "lastModifiedDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time at which the alert entity was last modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.", "format": "date-time", "nullable": true }, "malwareStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.malwareState" }, "description": "Threat Intelligence pertaining to malware related to this alert." }, "messageSecurityStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.messageSecurityState" } }, "networkConnections": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.networkConnection" }, "description": "Security-related stateful information generated by the provider about the network connection(s) related to this alert." }, "processes": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.process" }, "description": "Security-related stateful information generated by the provider about the process or processes related to this alert." }, "recommendedActions": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Vendor/provider recommended action(s) to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host)." }, "registryKeyStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.registryKeyState" }, "description": "Security-related stateful information generated by the provider about the registry keys related to this alert." }, "securityResources": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.securityResource" }, "description": "Resources related to current alert. For example, for some alerts this can have the Azure Resource value." }, "severity": { "$ref": "#/components/schemas/microsoft.graph.alertSeverity" }, "sourceMaterials": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search." }, "status": { "$ref": "#/components/schemas/microsoft.graph.alertStatus" }, "tags": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "User-definable labels that can be applied to an alert and can serve as filter conditions (for example 'HVA', 'SAW') (supports update)." }, "title": { "type": "string", "description": "Alert title. Required.", "nullable": true }, "triggers": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.alertTrigger" }, "description": "Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation." }, "uriClickSecurityStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.uriClickSecurityState" } }, "userStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.userSecurityState" }, "description": "Security-related stateful information generated by the provider about the user accounts related to this alert." }, "vendorInformation": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.securityVendorInformation" }, { "type": "object", "nullable": true } ], "description": "Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker). Required." }, "vulnerabilityStates": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.vulnerabilityState" }, "description": "Threat intelligence pertaining to one or more vulnerabilities related to this alert." }, "@odata.type": { "type": "string" } } } ], "x-ms-discriminator-value": "#microsoft.graph.alert" }