{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "#/components/schemas/microsoft.graph.security.alert", "title": "microsoft.graph.security.alert", "allOf": [ { "$ref": "#/components/schemas/microsoft.graph.entity" }, { "title": "alert", "required": [ "@odata.type" ], "type": "object", "properties": { "actorDisplayName": { "type": "string", "description": "The adversary or activity group that is associated with this alert.", "nullable": true }, "additionalData": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.dictionary" }, { "type": "object", "nullable": true } ], "description": "A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here." }, "alertPolicyId": { "type": "string", "description": "The ID of the policy that generated the alert, and populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy.", "nullable": true }, "alertWebUrl": { "type": "string", "description": "URL for the Microsoft 365 Defender portal alert page.", "nullable": true }, "assignedTo": { "type": "string", "description": "Owner of the alert, or null if no owner is assigned.", "nullable": true }, "category": { "type": "string", "description": "The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.", "nullable": true }, "classification": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.alertClassification" }, { "type": "object", "nullable": true } ], "description": "Specifies whether the alert represents a true threat. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue." }, "comments": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.security.alertComment" }, "description": "Array of comments created by the Security Operations (SecOps) team during the alert management process." }, "createdDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time when Microsoft 365 Defender created the alert.", "format": "date-time", "nullable": true }, "customDetails": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.dictionary" }, { "type": "object", "nullable": true } ], "description": "User defined custom fields with string values." }, "description": { "type": "string", "description": "String value describing each alert.", "nullable": true }, "detectionSource": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.detectionSource" }, { "type": "object", "nullable": true } ], "description": "Detection technology or sensor that identified the notable component or activity. The possible values are: unknown, microsoftDefenderForEndpoint, antivirus, smartScreen, customTi, microsoftDefenderForOffice365, automatedInvestigation, microsoftThreatExperts, customDetection, microsoftDefenderForIdentity, cloudAppSecurity, microsoft365Defender, azureAdIdentityProtection, manual, microsoftDataLossPrevention, appGovernancePolicy, appGovernanceDetection, unknownFutureValue, microsoftDefenderForCloud, microsoftDefenderForIoT, microsoftDefenderForServers, microsoftDefenderForStorage, microsoftDefenderForDNS, microsoftDefenderForDatabases, microsoftDefenderForContainers, microsoftDefenderForNetwork, microsoftDefenderForAppService, microsoftDefenderForKeyVault, microsoftDefenderForResourceManager, microsoftDefenderForApiManagement, microsoftSentinel, nrtAlerts, scheduledAlerts, microsoftDefenderThreatIntelligenceAnalytics, builtInMl, microsoftThreatIntelligence, microsoftDefenderForAIServices, securityCopilot. Use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: microsoftDefenderForCloud, microsoftDefenderForIoT, microsoftDefenderForServers, microsoftDefenderForStorage, microsoftDefenderForDNS, microsoftDefenderForDatabases, microsoftDefenderForContainers, microsoftDefenderForNetwork, microsoftDefenderForAppService, microsoftDefenderForKeyVault, microsoftDefenderForResourceManager, microsoftDefenderForApiManagement, microsoftSentinel, nrtAlerts, scheduledAlerts, microsoftDefenderThreatIntelligenceAnalytics, builtInMl, microsoftThreatIntelligence, microsoftDefenderForAIServices, securityCopilot." }, "detectorId": { "type": "string", "description": "The ID of the detector that triggered the alert.", "nullable": true }, "determination": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.alertDetermination" }, { "type": "object", "nullable": true } ], "description": "Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue." }, "evidence": { "type": "array", "items": { "$ref": "#/components/schemas/microsoft.graph.security.alertEvidence" }, "description": "Collection of evidence related to the alert." }, "firstActivityDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "The earliest activity associated with the alert.", "format": "date-time", "nullable": true }, "incidentId": { "type": "string", "description": "Unique identifier to represent the incident this alert resource is associated with.", "nullable": true }, "incidentWebUrl": { "type": "string", "description": "URL for the incident page in the Microsoft 365 Defender portal.", "nullable": true }, "investigationState": { "anyOf": [ { "$ref": "#/components/schemas/microsoft.graph.security.investigationState" }, { "type": "object", "nullable": true } ], "description": "Information on the current status of the investigation. The possible values are: unknown, terminated, successfullyRemediated, benign, failed, partiallyRemediated, running, pendingApproval, pendingResource, queued, innerFailure, preexistingAlert, unsupportedOs, unsupportedAlertType, suppressedAlert, partiallyInvestigated, terminatedByUser, terminatedBySystem, unknownFutureValue." }, "lastActivityDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "The oldest activity associated with the alert.", "format": "date-time", "nullable": true }, "lastUpdateDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time when the alert was last updated at Microsoft 365 Defender.", "format": "date-time", "nullable": true }, "mitreTechniques": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "The attack techniques, as aligned with the MITRE ATT&CK framework." }, "productName": { "type": "string", "description": "The name of the product which published this alert.", "nullable": true }, "providerAlertId": { "type": "string", "description": "The ID of the alert as it appears in the security provider product that generated the alert.", "nullable": true }, "recommendedActions": { "type": "string", "description": "Recommended response and remediation actions to take in the event this alert was generated.", "nullable": true }, "resolvedDateTime": { "pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$", "type": "string", "description": "Time when the alert was resolved.", "format": "date-time", "nullable": true }, "serviceSource": { "$ref": "#/components/schemas/microsoft.graph.security.serviceSource" }, "severity": { "$ref": "#/components/schemas/microsoft.graph.security.alertSeverity" }, "status": { "$ref": "#/components/schemas/microsoft.graph.security.alertStatus" }, "systemTags": { "type": "array", "items": { "type": "string", "nullable": true }, "description": "The system tags associated with the alert." }, "tenantId": { "type": "string", "description": "The Microsoft Entra tenant the alert was created in.", "nullable": true }, "threatDisplayName": { "type": "string", "description": "The threat associated with this alert.", "nullable": true }, "threatFamilyName": { "type": "string", "description": "Threat family associated with this alert.", "nullable": true }, "title": { "type": "string", "description": "Brief identifying string value describing the alert.", "nullable": true }, "@odata.type": { "type": "string" } } } ], "x-ms-discriminator-value": "#microsoft.graph.security.alert" }