+For delegated scenarios, the calling user must have the *Global Administrator* [Azure AD role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).

+This method supports the `$filter` and `$select` [OData query parameters](/graph/query-parameters) to help customize the response.

+> **Note**: While creating a channel, you can only add one member per shared channel; however, you can add up to 200 members per private channel.

+Get a list of all notifications that one or more users can access, from the Microsoft Endpoint Manager admin center.

+Set the status of the specified notification on the Microsoft EndPoint Manager admin center as sent, by modifying the **isPortalNotificationSent** property to `true`.

+This method does not delete the rubric itself and can only be performed by teachers.

+Get the [educationRubric](../resources/educationrubric.md) object attached to an [educationAssignment](../resources/educationassignment.md), if one exists. Only teachers, students, and applications with application permissions can perform this operation.

+Get the properties and relationships of an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the categories associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Get all the [educationAssignmentResource](../resources/educationassignmentresource.md) objects associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the [submissions](../resources/educationsubmission.md) associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Add one or more existing [educationCategory](../resources/educationcategory.md) objects to this [educationAssignment](../resources/educationassignment.md). Only teachers and students can perform this operation.

+Create an [assignment resource](../resources/educationassignmentresource.md). Only teachers can perform this operation.

+You can create the following types of assignment resources:

+Every resource has an **@odata.type** property to indicate which type of resource is being created.

+ "@odata.type": "microsoft.graph.educationTeamsAppResource"

+Attach an existing [educationRubric](../resources/educationrubric.md) object to an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Remove an [educationCategory](../resources/educationcategory.md) from an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload feedback files for a given [educationSubmission](../resources/educationsubmission.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload files for a given [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+The teacher determines the resources to upload in the assignment's folder.

+These are the class-level assignment defaults respected by new [assignments](../resources/educationassignment.md) created in the class. Callers can continue to specify custom values on each **assignment** creation if they don't want the default behaviors. Only teachers can perform this operation.

+Get the properties of an [education assignment resource](../resources/educationassignmentresource.md) associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Read the properties and relationships of an [educationAssignmentSettings](../resources/educationassignmentsettings.md) object. Only teachers can perform this operation.

+Delete an existing category. Only teachers can perform this operation.

+Retrieve an [educationCategory](../resources/educationcategory.md) object. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of assignment objects. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationCategory](../resources/educationcategory.md) objects. Only teachers can perform this operation.

+Create a new assignment.

+Creates a new [educationCategory](../resources/educationcategory.md) on an [educationClass](../resources/educationclass.md). Only teachers can perform this operation.

+Update the properties of an [educationOutcome](../resources/educationoutcome.md) object. Only teachers can perform this operation.

+Delete an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve the properties and relationships of an [educationRubric](../resources/educationrubric.md) object. Only teachers and students can perform this operation.

+Update the properties of an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve a particular [submission](../resources/educationsubmission.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationOutcome](../resources/educationoutcome.md) objects. There are four types of outcomes: **educationPointsOutcome**, **educationFeedbackOutcome**, **educationRubricOutcome**, and **educationFeedbackResourceOutcome**. Only teachers, students, and applications with application permissions can perform this operation.

+List the resources associated with a submission. Only teachers, students, and applications with application permissions can perform this operation.

+List the [educationSubmissionResource](../resources/educationsubmissionresource.md) objects that have officially been submitted for grading. Only teachers, students, and applications with application permissions can perform this operation.

+The student who owns the submission cannot change the submitted list without resubmitting the assignment. This is a wrapper around the real resource and can contain a pointer back to the actual assignment resource if this resource was copied from the assignment.

+Only teachers and students can perform this operation.

+The operation will not succeed if the **allowStudentsToAddResources** flag is not set to `true`.

+Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission. Only teachers and students can perform this operation.

+Indicate that a student is done with the work and is ready to hand in the assignment. Only teachers, students, and applications with application permissions can perform this operation.

+Indicate that a student wants to work on the submitted assignment after it was turned in. Only teachers, students, and applications with application permissions can perform this operation.

+Delete an [educationSubmissionResource](../resources/educationsubmissionresource.md) from the submission. Only teachers and students can perform this operation.

+If the resource was copied from the assignment, a new copy of the resource will be created after the current copy is deleted. This allows you to "reset" the resource to its original state. If the resource was not copied from the assignment but was added from the student, the resource is simply deleted.

+Retrieve the properties of a specific resource associated with a [submission](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a [submitted resource](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Returns a list of assignments assigned to a user for all classes. Only teachers, students, and applications with application permissions can perform this operation.

+ "includeTargets": [],

+ "excludeTargets": []

+ ],

+ "excludeTargets": []

+Get a list of the group's members. A group can different object types as members. For more information about supported member types for different groups, see [Group membership](/graph/groups-overview#group-membership).

+This operation is transitive and returns a flat list of all nested members. An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code.

+ An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code. For example, `/groups/{id}}/transitiveMembers/microsoft.graph.group` when the group is a Microsoft 365 group will return this error, because Microsoft 365 groups cannot have other groups as members.

+ "blockType": "response"

+A group with **isAssignableToRole** property set to `true` cannot be of dynamic membership type, its **securityEnabled** must be set to `true`, and **visibility** can only be `Private`.

+>- The **attendanceRecords** property does not return information about a breakout room.

+ "excludeTargets": [],

+ "isSoftwareOathEnabled": true,

+| Delegated (work or school account) | Tasks.ReadWrite, Group.ReadWrite.All |

+The following table shows the properties that are required when you create a [plannerPlan](../resources/plannerplan.md).

+|Property|Type|Description|

+|:|:|:|

+|container|[plannerPlanContainer](../resources/plannerplancontainer.md)|Identifies the container of the plan. Specify only the **url**, the **containerId** and **type**, or all properties. After it is set, this property canΓÇÖt be updated.|

+|title|String|The title of the plan.|

+If successful, this method returns a `201 Created` response code and a [plannerPlan](../resources/plannerplan.md) object in the response body.

+This method can return any of the [HTTP status codes](/graph/errors). The most common errors that apps should handle for this method are the 400, 403, and 404 responses. For more information about these errors, see [Common Planner error conditions](../resources/planner-overview.md#common-planner-error-conditions).

+The following is an example of the request.

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+ Title: "presence: setStatusMessage"

+description: "Set a presence status message for a user."

+ms.localizationpriority: medium

+# presence: setStatusMessage

+Namespace: microsoft.graph

+Set a presence status message for a user. An optional expiration date and time can be supplied.

+## Permissions

+The following permission is required to call the API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+| Permission type | Permissions (from least to most privileged) |

+| :- | : |

+| Delegated (work or school account) | Presence.ReadWrite |

+| Delegated (personal Microsoft account) | Not Supported. |

+| Application | Not Supported. |

+## HTTP Request

+<!-- { "blockType": "ignored" } -->

+```http

+POST /users/{userId}/presence/setStatusMessage

+```

+## Request headers

+| Name | Description |

+| : | :-- |

+| Authorization | Bearer \{token\}. Required. |

+| Content-Type | application/json. Required. |

+## Request body

+In the request body, provide a JSON object with the following parameters.

+| Parameter | Type | Description |

+| | |- |

+| `statusMessage` | [microsoft.graph.presenceStatusMessage](../resources/presenceStatusMessage.md) |It can be set to display the presence status message of a user. |

+## Response

+If successful, this method returns a `200 OK` response code.

+## Examples

+### Example 1: Set status message with expiry date

+The following request sets the presence status message as "Hey I'm currently in a meeting." for user `fa8bf3dc-eca7-46b7-bad1-db199b62afc3`, with the expiration on 2022-10-18 at 17:05:33.2079781 Pacific Standard Time.

+#### Request

+<!-- {

+ "blockType": "request",

+ "name": "setstatusmessage"

+}-->

+```http

+POST https://graph.microsoft.com/beta/users/fa8bf3dc-eca7-46b7-bad1-db199b62afc3/presence/setStatusMessage

+Content-Type: application/json

+{

+ "statusMessage": {

+ "message": {

+ "content": "Hey I'm currently in a meeting.",

+ "contentType": "text"

+ },

+ "expiryDateTime": {

+ "dateTime": "2022-10-18T17:05:33.2079781",

+ "timeZone": "Pacific Standard Time"

+ }

+ }

+}

+```

+#### Response

+<!-- {

+ "blockType": "response",

+ "name": "setstatusmessage",

+ "truncated": true

+} -->

+```http

+HTTP/1.1 200 OK

+```

+### Example 2: Get status message of another user.

+The following request sets the presence status message as "Hey I'm currently in a meeting." for user `fa8bf3dc-eca7-46b7-bad1-db199b62afc3`. Then presence for user `fa8bf3dc-eca7-46b7-bad1-db199b62afc3`is obtained on behalf of other user via a [getPresence](presence-get.md) request.

+#### Set status message: request

+<!-- {

+ "blockType": "request",

+ "name": "setstatusmessage-another-user"

+}-->

+```http

+POST https://graph.microsoft.com/beta/users/fa8bf3dc-eca7-46b7-bad1-db199b62afc3/presence/setStatusMessage

+Content-Type: application/json

+{

+ "statusMessage": {

+ "message": {

+ "content": "Hey I am available now",

+ "contentType": "text"

+ }

+ }

+}

+```

+#### Set status message: response

+<!-- {

+ "blockType": "response",

+ "name": "setstatusmessage-another-user",

+ "truncated": true

+} -->

+```http

+HTTP/1.1 200 OK

+```

+#### Get another user presence: request

+This request should be executed on behalf of another user.

+<!-- {

+ "blockType": "request",

+ "name": "setstatusmessage-another-user-get-presence"

+}-->

+```http

+GET https://graph.microsoft.com/beta/users/fa8bf3dc-eca7-46b7-bad1-db199b62afc3/presence

+```

+#### Get another user presence: response

+Since this presence request does not qualify as a [self presence](presence-get.md#example-1-get-your-own-presence-information) request, `statusMessage.expiryDateTime` and `statusMessage.publishedDateTime` properties are not included in the response body.

+<!-- {

+ "blockType": "response",

+ "name": "setstatusmessage-another-user-get-presence",

+ "@odata.type": "microsoft.graph.presence",

+ "truncated":"true"

+} -->

+```http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "id": "fa8bf3dc-eca7-46b7-bad1-db199b62afc3",

+ "availability": "Available",

+ "activity": "Available",

+ "outOfOfficeSettings": {

+ "message": null,

+ "isOutOfOffice": false

+ },

+ "statusMessage": {

+ "message": {

+ "content": "Hey I am available now",

+ "contentType": "text"

+ }

+ }

+}

+```

+| Delegated (work or school account) | Mail.Read, Calendars.Read, Files.Read.All, Sites.Read.All, ExternalItem.Read.All, Acronym.Read.All, Bookmark.Read.All, ChannelMessage.Read.All, Chat.Read, QnA.Read.All |

+Delete Microsoft Teams messages contained in a [eDiscovery search](../resources/security-ediscoverysearch.md).

+ "customTags": [

+# Create comment

+|customTags|String collection|Array of custom tags associated with an incident.|

+ "customTags": [

+ "customTags": [

+#### Request

+#### Response

+ "customTags": [

+### Example 2: List all incidents with their alerts

+#### Request

+#### Response

+This is the method for advanced hunting in Microsoft 365 Defender. This method includes a query in Kusto Query Language (KQL). It specifies a data table in the [advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide&preserve-view=true) and a piped sequence of operators to filter or search that data, and format the query output in specific ways.

+Find out more about [hunting for threats across devices, emails, apps, and identities](/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide&preserve-view=true). Learn about [KQL](/azure/data-explorer/kusto/query/).

+For information on using advanced hunting in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide&preserve-view=true), see [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide&preserve-view=true).

+- Looks into the [DeviceProcessEvents](/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide&preserve-view=true) table in the advanced hunting schema.

+Add an owner for the [servicePrincipal](../resources/serviceprincipal.md). Service principal owners can be users, the service principal itself, or other service principals.

+ Title: "sitepage: getWebPartsByPosition"

+description: "Get a collection of webParts by position information"

+# sitepage: getWebPartsByPosition

+ ],

+ "excludeTargets": []

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+The following is an example of the response

+ "truncated": true

+HTTP/1.1 204 No Content

+ Title: "Delete softwareOathAuthenticationMethodConfiguration"

+description: "Delete a softwareOathAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Delete softwareOathAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Revert the [third-party software Oath authentication method policy](../resources/softwareoathauthenticationmethodconfiguration.md) to its default configuration.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_softwareoathauthenticationmethodconfiguration"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Get softwareOathAuthenticationMethodConfiguration"

+description: "Read the properties and relationships of a softwareOathAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Get softwareOathAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Read the properties and relationships of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object, which represents the third-party software OATH authentication method policy for the Azure AD tenant.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Global Reader

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_softwareoathauthenticationmethodconfiguration"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.softwareOathAuthenticationMethodConfiguration"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": {

+ "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "id": "SoftwareOath",

+ "state": "enabled",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false

+ }

+ ],

+ "excludeTargets": []

+ }

+}

+```

+ Title: "Update softwareOathAuthenticationMethodConfiguration"

+description: "Update the properties of a softwareOathAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Update softwareOathAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Update the properties of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object, which represents the third-party software OATH authentication method policy for the Azure AD tenant.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object with the values of fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.

+For the list of properties, see [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md).

+>**Note:** The `@odata.type` property with a value of `#microsoft.graph.softwareOathAuthenticationMethodConfiguration` must be included in the body.

+## Response

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_softwareoathauthenticationmethodconfiguration"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/softwareOath

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "state": "disabled"

+}

+```

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ ],

+ "excludeTargets": []

+ Title: "Delete voiceAuthenticationMethodConfiguration"

+description: "Delete a voiceAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Delete voiceAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Revert the [voice call authentication method policy](../resources/voiceauthenticationmethodconfiguration.md) to its default configuration.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+DELETE /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `204 No Content` response code.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "delete_voiceauthenticationmethodconfiguration"

+}

+-->

+``` http

+DELETE https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ Title: "Get voiceAuthenticationMethodConfiguration"

+description: "Read the properties and relationships of a voiceAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Get voiceAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Read the properties and relationships of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.Read.All, Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Global Reader

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "get_voiceauthenticationmethodconfiguration"

+}

+-->

+``` http

+GET https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.voiceAuthenticationMethodConfiguration"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": {

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "id": "Voice",

+ "state": "enabled",

+ "includeTargets": [

+ {

+ "targetType": "group",

+ "id": "all_users",

+ "isRegistrationRequired": false

+ }

+ ],

+ "excludeTargets": [],

+ "isOfficePhoneAllowed": "true"

+ }

+}

+```

+ Title: "Update voiceAuthenticationMethodConfiguration"

+description: "Update the properties of a voiceAuthenticationMethodConfiguration object."

+ms.localizationpriority: medium

+# Update voiceAuthenticationMethodConfiguration

+Namespace: microsoft.graph

+Update the properties of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object, which represents the voice call authentication method policy for the Azure AD tenant.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|Policy.ReadWrite.AuthenticationMethod|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|Policy.ReadWrite.AuthenticationMethod|

+For delegated scenarios, the administrator needs one of the following [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles):

+* Authentication Policy Administrator

+* Global Administrator

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, supply a JSON representation of the [voiceAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object with the values of fields that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance, don't include existing values that haven't changed.

+For the list of properties, see [voiceAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md).

+>**Note:** The `@odata.type` property with a value of `#microsoft.graph.voiceAuthenticationMethodConfiguration` must be included in the body.

+## Response

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+## Examples

+### Request

+The following is an example of a request.

+<!-- {

+ "blockType": "request",

+ "name": "update_voiceauthenticationmethodconfiguration"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/voice

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "isOfficePhoneAllowed": "false"

+}

+```

+### Response

+The following is an example of the response

+<!-- {

+ "blockType": "response",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 204 No Content

+```

+ ],

+ "excludeTargets": []

+If successful, this method returns a `204 No Content` response code. It does not return anything in the response body.

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from a policy.|

+|policyMigrationState|authenticationMethodsPolicyMigrationState|The state of migration of the authentication methods policy from the legacy multifactor authentication and self-service password reset (SSPR) policies. The possible values are: <br/><li>`premigration` - means the authentication methods policy is used for authentication only, legacy policies are respected. <li>`migrationInProgress` - means the authentication methods policy is used for both authenication and SSPR, legacy policies are respected. <li>`migrationComplete` - means the authentication methods policy is used for authentication and SSPR, legacy policies are ignored. <li>`unknownFutureValue` - Evolvable enumeration sentinel value. Do not use. |

+|reconfirmationInDays|Int32|Days before the user will be asked to reconfirm their method. |

+description: "A collection of groups that are enabled to use an authentication method as part of an authentication method policy."

+A collection of groups that are enabled to use an authentication method as part of an authentication method policy in Azure AD. Inherits from [entity](entity.md).

+|targetType|authenticationMethodTargetType| Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group.|

+|Set up rules to alert issues on the Microsoft Endpoint Manager admin center with provisioning Cloud PCs, uploading Cloud PC images, and checking Azure network connections. |[alertRecord](devicemanagement-alertrecord.md), [alertRule](devicemanagement-alertrule.md) | [Alert monitoring API](devicemanagement-monitoring.md) |

+|aggregationType|[microsoft.graph.deviceManagement.aggregationType](../resources/devicemanagement-ruleThreshold.md#aggregationtype-values)|The aggregation type of the impact. The possible values are: `count`, `percentage`, `affectedCloudPcCount`, `affectedCloudPcPercentage`, `unknownFutureValue`. |

+|value|Int32|The number value of the impact. For the aggregation types of `count` and `affectedCloudPcCount`, the value indicates the number of affected instances. For example, `6 affectedCloudPcCount` means that 6 Cloud PCs are affected. For the aggregation types of `percentage` and `affectedCloudPcPercentage`, the value indicates the percent of affected instances. For example, `12 affectedCloudPcPercentage` means that 12% of Cloud PCs are affected. |

+Represents the record of an alert event in the Microsoft Endpoint Manager admin center triggered by an [alertRule](devicemanagement-alertrule.md).

+When the threshold of an **alertRule** is reached, an **alertRecord** is generated and stored, and administrators receive notifications via defined notification channels.

+For more information, see the [monitoring](devicemanagement-monitoring.md) resource.

+|[getPortalNotifications](../api/devicemanagement-alertrecord-getportalnotifications.md)|[microsoft.graph.deviceManagement.portalNotification](../resources/devicemanagement-portalnotification.md) collection|Get a list of all portal notifications that one or more users can access, from the Microsoft Endpoint Manager admin center.|

+|[setPortalNotificationAsSent](../api/devicemanagement-alertrecord-setportalnotificationassent.md)|None|Set the status of the specified notification on the Microsoft EndPoint Manager admin center as sent.|

+|alertImpact|[microsoft.graph.deviceManagement.alertImpact](../resources/devicemanagement-alertimpact.md)|The impact of the alert event. Consists of a number followed by the aggregation type. For example, `6 affectedCloudPcCount` means that 6 Cloud PCs are affected. `12 affectedCloudPcPercentage` means 12% of Cloud PCs are affected.|

+Represents a rule that an IT administrator with the appropriate roles can configure to monitor issues and trigger alerts on the Microsoft Endpoint Manager admin center.

+When the threshold of an **alertRule** is reached, an [alertRecord](devicemanagement-alertrecord.md) is generated and stored, and administrators receive notifications via defined notification channels.

+For more information, see the [monitoring](devicemanagement-monitoring.md) resource.

+|isSystemRule|Boolean|Indicates whether the rule is a system rule. If `true`, the rule is a system rule; otherwise, the rule is a custom defined rule and can be edited. System rules are built-in and only a few properties can be edited.|

+|threshold|[microsoft.graph.deviceManagement.ruleThreshold](../resources/devicemanagement-rulethreshold.md)|The conditions to send alerts. For example, send alert when provisioning has failed for greater than or equal to 6 Cloud PCs.|

+description: "Represents the entry point entity type to access all resources related to alerts in the Microsoft Endpoint Manager admin center."

+Represents the entry point to access all resources related to alerts in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).

+The alert monitoring API provide a programmatic alert experience in the Microsoft Endpoint Manager admin center. A Microsoft Endpoint Manager admin can create an [alert rule](devicemanagement-alertrule.md) with preferred notification channels, and receive alerts when conditions set as thresholds in alert rules are met. Notification channels may include email and Microsoft Endpoint Manager admin center notifications. Each alert is recorded as an [alert record](devicemanagement-alertrecord.md). Admins can review alert records to learn about alert impact, severity, status, and more.

+Only the role of Windows 365 admin has access to the alert monitoring API. Admins also need a role of global admin, Intune admin, or Cloud PC admin to successfully make API calls.

+> [!Note]

+> Currently this API set supports only [Windows 365](/windows-365/overview) and Cloud PC scenarios. It allows admins to set up rules to alert issues with provisioning Cloud PCs, uploading Cloud PC images, and checking Azure network connections.

+>

+> Have a different scenario that can use additional programmatic alert support on the Microsoft Endpoint Manager admin center? [Suggest the feature or vote for existing feature requests](https://developer.microsoft.com/en-us/graph/support).

+Represents the portal notification associated with the [alert record](devicemanagement-alertrecord.md) of a user.

+|isPortalNotificationSent|Boolean|`true` if the portal notification has already been sent to the user; `false` otherwise.|

+Represents details about the threshold settings of an [alert rule](devicemanagement-alertrule.md).

+description: "An abstract type that represents the base class for all education-related resource objects in a system."

+An abstract type that represents the base class for all education-related resource objects in a system.

+Base type of [educationExcelResource](../resources/educationexcelresource.md), [educationFileResource](../resources/educationfileresource.md), [educationLinkResource](../resources/educationlinkresource.md), [educationPowerPointResource](../resources/educationpowerpointresource.md), [educationWordResource](../resources/educationwordresource.md), [educationMediaResource](../resources/educationmediaresource.md), [educationExternalResource](../resources/educationexternalresource.md), and [educationTeamsAppResource](../resources/educationteamsappresource.md).

+description: "Corresponds to an installed Microsoft Teams app."

+Corresponds to an [installed Microsoft Teams app](teamsappinstallation.md). This allows education service users to create and share assignments with embedded Teams applications, such as YouTube or Flip.

+For information about using Flip for education on Microsoft Teams, see [introduction to Flip](/training/educator-center/product-guides/flip).

+Inherits from [educationResource](educationresource.md).

+| Property | Type | Description |

+|:|:|:--|

+| appIconWebUrl | String | URL that points to the icon of the app. |

+| appId | String | Teams app ID of the application. |

+| createdBy | [identitySet](identityset.md) | Identity of the user who created this resource. Inherited from **educationResource**. |

+| createdDateTime | DateTimeOffset | The date and time when the resource was added. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from **educationResource**. |

+| displayName | String | The display name of the resource. Inherited from **educationResource**. |

+| lastModifiedBy | [identitySet](identityset.md) | Identity of the user who last modified the resource. Inherited from **educationResource**. |

+| lastModifiedDateTime | DateTimeOffset | The date and time when the resource was last modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from **educationResource**. |

+| teamsEmbeddedContentUrl | String | URL for the app resource that will be opened by Teams. |

+| webUrl | String | URL for the app resource that can be opened in the browser. |

+ "appIconWebUrl": "String",

+ "appId": "String",

+ "displayName": "String",

+ "lastModifiedDateTime": "String (timestamp)",

+ "teamsEmbeddedContentUrl": "String",

+ "webUrl": "String"

+ "description": "educationTeamsAppResource resource",

+|[Update emailAuthenticationMethodConfiguration](../api/emailauthenticationmethodconfiguration-update.md)|None|Update the properties of an emailAuthenticationMethodConfiguration object.|

+|[Delete emailAuthenticationMethodConfiguration](../api/emailauthenticationmethodconfiguration-delete.md)|None|Reverts the emailAuthenticationMethodConfiguration object to its default configuration.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+### authenticationMethodTargetType values

+|Member|

+|:--|

+|group|

+|unknownFutureValue|

+### authenticationMethodsPolicyMigrationState values

+|Member|

+|:--|

+|premigration|

+|migrationInProgress|

+|migrationComplete|

+|id|String|The object identifier of an Azure AD group.|

+|targetType|authenticationMethodTargetType|The type of the authentication method target. Possible values are: `group` and `unknownFutureValue`.|

+|[Update](../api/fido2authenticationmethodconfiguration-update.md)|None|Update the properties of a fido2AuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+| isAssignableToRole | Boolean | Indicates whether this group can be assigned to an Azure Active Directory role. Optional. <br><br>This property can only be set while creating the group and is immutable. If set to `true`, the **securityEnabled** property must also be set to `true`, **visibility** must be `Hidden`, and the group cannot be a dynamic group (that is, **groupTypes** cannot contain `DynamicMembership`). <br/><br/>Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the _RoleManagement.ReadWrite.Directory_ permission to set this property or update the membership of such groups. For more, see [Using a group to manage Azure AD role assignments](https://go.microsoft.com/fwlink/?linkid=2103037)<br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`). |

+## Group membership

+Not all object types can be members of both Microsoft 365 and security groups.

+|[Update](../api/microsoftauthenticatorauthenticationmethodconfiguration-update.md)|None|Update the properties of a microsoftAuthenticatorAuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|isSoftwareOathEnabled|Boolean|`true` if users can use the OTP code generated by the Microsoft Authenticator app, `false` otherwise.|

+|includeTargets|[microsoftAuthenticatorAuthenticationMethodTarget](../resources/microsoftauthenticatorauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method. Expanded by default.|

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+ "isSoftwareOathEnabled": "Boolean",

+ "featureSettings": {

+ "@odata.type": "microsoft.graph.microsoftAuthenticatorFeatureSettings"

+ }

+description: "A collection of groups enabled to use Microsoft Authenticator authentication methods policy."

+A collection of groups enabled to use [Microsoft Authenticator authentication methods policy](../resources/microsoftAuthenticatorAuthenticationMethodConfiguration.md) in Azure AD. Inherits from [authenticationMethodTarget](authenticationMethodTarget.md).

+|isRegistrationRequired|Boolean|Determines whether the user is enforced to register the authentication method. Inherited from [authenticationMethodTarget](authenticationmethodtarget.md). **Not supported**. |

+|targetType|authenticationMethodTargetType| Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group. Inherited from [authenticationMethodTarget](authenticationMethodTarget.md).|

+|includeTargets|[passwordlessMicrosoftAuthenticatorAuthenticationMethodTarget](../resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+description: "A collection of groups enabled to use Microsoft Authenticator Passwordless Phone Sign-in authentication methods policy."

+A collection of groups enabled to use Microsoft Authenticator Passwordless Phone Sign-in authentication methods policy](../resources/passwordlessMicrosoftAuthenticatorAuthenticationMethodConfiguration.md) in Azure AD.

+Contains information about the relationship of a [plannerBucket](plannerbucket.md) to a user experience outside of Planner. This allows surfacing or syncing buckets in Planner with other experiences to track work in the context of that experience.

+You can display data in a **plannerExternalBucketSource** in a user interface to sync information for an external service, or to simply point to where a task was created in the external service.

+The combination of the **contextScenarioId** and **externalObjectId** properties is unique within a tenant. If creation is called with existing **contextScenarioId** and **externalObjectId** values, the existing object is returned with no modifications.

+This type is derived from [plannerBucketCreation](plannerBucketCreation.md).

+Contains information about the relationship of a [plannerPlan](plannerplan.md) to a user experience outside of Planner. This allows surfacing or syncing plans in Planner with other experiences to track work in the context of that experience.

+You can display data in a **plannerExternalPlanSource** in a user interface to sync information for an external service, or to simply point to where a plan was created in the external service.

+The combination of the **contextScenarioId** and **externalObjectId** properties is unique within a tenant. If creation is called with existing **contextScenarioId** and **externalObjectId** values, the existing object is returned with no modifications.

+This type is derived from [plannerPlanCreation](plannerPlanCreation.md).

+Contains information about the relationship of a [plannerTask](plannerTask.md) to a user experience outside of Planner. This allows surfacing or syncing tasks in Planner with other experiences to track work in the context of that experience.

+You can display data in a **plannerExternalTaskSource** in a user interface to sync information for an external service, or to simply point to where a task was created in the external service.

+The combination of the **contextScenarioId** and **externalObjectId** properties is unique within a tenant. If creation is called with existing **contextScenarioId** and **externalObjectId** values, the existing object is returned with no modifications.

+This type is derived from [plannerTaskCreation](plannerTaskCreation.md).

+|container|[plannerPlanContainer](../resources/plannerplancontainer.md)|Identifies the container of the plan. Specify only the **url**, the **containerId** and **type**, or all properties. After it is set, this property canΓÇÖt be updated. Required.|

+|containerId|String|The identifier of the resource that contains the plan. Optional.|

+|type|plannerContainerType|The type of the resource that contains the plan. For supported types, see the previous table. Possible values are: `group`, `unknownFutureValue`, `roster`, and `project`. Note that you must use the `Prefer: include-unknown-enum-members` request header to get the following value in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `roster`, `project`. Optional.|

+|url|String|The full canonical URL of the container. Optional.|

+| [Set user status message](../api/presence-setstatusmessage.md) | | Set a presence status message for a user. |

+| outOfOfficeSettings | [outOfOfficeSettings](outOfOfficeSettings.md) | The out of office settings for a user. |

+| statusMessage | [microsoft.graph.presenceStatusMessage](presenceStatusMessage.md) | The presence status message of a user. |

+ "outOfOfficeSettings":{"@odata.type": "#microsoft.graph.outOfOfficeSettings"},

+ "statusMessage":{"@odata.type": "#microsoft.graph.presenceStatusMessage"}

+ Title: "presenceStatusMessage resource type"

+description: "Represents a presence status message related to the presence of a user on Teams."

+ms.localizationpriority: medium

+# presenceStatusMessage resource type

+Namespace: microsoft.graph

+Represents a presence status message related to the [presence](presence.md) of a user on Teams.

+## Properties

+| Property | Type | Description |

+| -- | -- | - |

+| message | [microsoft.graph.itemBody](itemBody.md) | Status message item.<br/><br/> The only supported format currently is `message.contentType = 'text'`. |

+| publishedDateTime | Edm.DateTimeOffset |Time in which the status message was published.<br/>Read-only.<br/><br/>`publishedDateTime` is not available when requesting presence of another user. |

+| expiryDateTime | [microsoft.graph.dateTimeTimeZone](dateTimeTimeZone.md) | Time in which the status message expires.<br/>If not provided, the status message does not expire.<br/><br/>`expiryDateTime.dateTime` should not include time zone.<br/><br/>`expiryDateTime` is not available when requesting presence of another user. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ "publishedDateTime",

+ "expiryDateTime"

+ ],

+ "@odata.type": "microsoft.graph.presenceStatusMessage"

+}-->

+```json

+{

+ "message": {"@odata.type": "#microsoft.graph.itemBody"},

+ "publishedDateTime": "string",

+ "expiryDateTime": {"@odata.type": "#microsoft.graph.dateTimeTimeZone"}

+}

+```

+Note that collapsing results is currently supported on the following entity types: [driveItem](driveitem.md), [listItem](listitem.md), [drive](drive.md), [list](list.md), [site](site.md), [externalItem](externalconnectors-externalitem.md).

+The properties on which the collapse clause are applied need to be queryable and either sortable or refinable. For multi-level collapse, each subsequent property limit size specified in a multi-level request should be less than or equal to the previous; otherwise, the response will return an `HTTP 400 Bad Request` error.

+|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](#evidenceremediationstatus-values)|Status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `unknownFutureValue`.|

+| notFound | The evidence was not found. |

+description: "The Microsoft Graph security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners."

+## Advanced hunting

+Alerts are detailed warnings about suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is alerts from multiple security providers for multiple entities in the tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming.

+- [Alerts and incidents](#alerts-and-incidents) - these are the latest generation of alerts in the Microsoft Graph security API. They are represented by the [alert](security-alert.md) resource and its collection, [incident](security-incident.md) resource, defined in the `microsoft.graph.security` namespace.

+### Alerts and incidents

+## Incidents

+| **Alerts and incidents**|||

+| **Attack simulation and training**|||

+|customTags|String collection|Array of custom tags associated with an incident.|

+ "customTags": [

+|countryLetterCode|String|The two-letter country code according to ISO 3166 format, for example: `US`, `UK`, `CA`, etc..).|

+ "ipAddress": "String",

+ "countryLetterCode": "String"

+|[Update](../api/smsauthenticationmethodconfiguration-update.md)|None|Update the properties of a smsAuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[smsAuthenticationMethodTarget](../resources/smsauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ]

+description: "A collection of groups enabled to use Text Message authentication methods policy."

+A collection of groups enabled to use [Text Message authentication methods policy](../resources/smsAuthenticationMethodConfiguration.md) in Azure AD.

+|isUsableForSignIn|Boolean|Determines if users can use this authentication method to sign in to Azure AD. `true` if users can use this method for primary authentication, otherwise `false`.|

+|targetType|authenticationMethodTargetType|Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group. Inherited from [authenticationMethodTarget](authenticationMethodTarget.md).|

+ Title: "softwareOathAuthenticationMethodConfiguration resource type"

+description: "Represents the authentication policy for a third-party software OATH authentication method."

+ms.localizationpriority: medium

+# softwareOathAuthenticationMethodConfiguration resource type

+Namespace: microsoft.graph

+Represents the authentication policy for a third-party software OATH authentication method. Authentication methods policies define configuration settings and users or groups that are enabled to use the authentication method.

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[Get softwareOathAuthenticationMethodConfiguration](../api/softwareoathauthenticationmethodconfiguration-get.md)|[softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md)|Read the properties and relationships of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object.|

+|[Update softwareOathAuthenticationMethodConfiguration](../api/softwareoathauthenticationmethodconfiguration-update.md)|None|Update the properties of a [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object.|

+|[Delete softwareOathAuthenticationMethodConfiguration](../api/softwareoathauthenticationmethodconfiguration-delete.md)|None|Reverts the [softwareOathAuthenticationMethodConfiguration](../resources/softwareoathauthenticationmethodconfiguration.md) object to its default configuration.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|id|String|The authentication method policy identifier.|

+|state|authenticationMethodState|Represents whether users can register this authentication method. The possible values are: `enabled`, `disabled`.|

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection| A collection of groups that are enabled to use the authentication method. Expanded by default.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "baseType": "microsoft.graph.authenticationMethodConfiguration",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.softwareOathAuthenticationMethodConfiguration",

+ "id": "String (identifier)",

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ]

+}

+```

+| Property | Type | Description |

+||||

+| applicationId | String | Optional. Identifier of the application used to create the subscription. Read-only. |

+| changeType | String | Required. Indicates the type of change in the subscribed resource that will raise a change notification. The supported values are: `created`, `updated`, `deleted`. Multiple values can be combined using a comma-separated list. <br><br>**Note:** <li> Drive root item and list change notifications support only the `updated` changeType. <li>[User](../resources/user.md) and [group](../resources/user.md) change notifications support `updated` and `deleted` changeType. Use `updated` to receive notifications when user or group is created, updated or soft deleted. Use `deleted` to receive notifications when user or group is permanently deleted. |

+| clientState | String | Optional. Specifies the value of the **clientState** property sent by the service in each change notification. The maximum length is 255 characters. The client can check that the change notification came from the service by comparing the value of the **clientState** property sent with the subscription with the value of the **clientState** property received with each change notification. |

+| creatorId | String | Optional. Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the ID of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the ID of the service principal corresponding to the app. Read-only. |

+| encryptionCertificate | String | Optional. A base64-encoded representation of a certificate with a public key used to encrypt resource data in change notifications. Optional but required when **includeResourceData** is `true`. |

+| encryptionCertificateId | String | Optional. A custom app-provided identifier to help identify the certificate needed to decrypt resource data. Required when **includeResourceData** is `true`. |

+| expirationDateTime | DateTimeOffset | Required. Specifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. For the maximum supported subscription length of time, see [the table below](#maximum-length-of-subscription-per-resource-type). |

+| id | String | Optional. Unique identifier for the subscription. Read-only. |

+| includeResourceData | Boolean | Optional. When set to `true`, change notifications [include resource data](/graph/webhooks-with-resource-data) (such as content of a chat message). |

+| latestSupportedTlsVersion | String | Optional. Specifies the latest version of Transport Layer Security (TLS) that the notification endpoint, specified by **notificationUrl**, supports. The possible values are: `v1_0`, `v1_1`, `v1_2`, `v1_3`. </br></br>For subscribers whose notification endpoint supports a version lower than the currently recommended version (TLS 1.2), specifying this property by a set [timeline](https://developer.microsoft.com/graph/blogs/microsoft-graph-subscriptions-deprecating-tls-1-0-and-1-1/) allows them to temporarily use their deprecated version of TLS before completing their upgrade to TLS 1.2. For these subscribers, not setting this property per the timeline would result in subscription operations failing. </br></br>For subscribers whose notification endpoint already supports TLS 1.2, setting this property is optional. In such cases, Microsoft Graph defaults the property to `v1_2`. |

+| lifecycleNotificationUrl | String | Optional. The URL of the endpoint that receives lifecycle notifications, including `subscriptionRemoved`, `reauthorizationRequired`, and `missed` notifications. This URL must make use of the HTTPS protocol. |

+| notificationContentType | String | Optional. Desired **content-type** for Microsoft Graph change notifications for supported resource types. The default content-type is `application/json`. |

+| notificationQueryOptions | String | Optional. OData query options for specifying the value for the targeting resource. Clients receive notifications when the resource reaches the state matching the query options provided here. With this new property in the subscription creation payload along with all existing properties, Webhooks will deliver notifications whenever a resource reaches the desired state mentioned in the **notificationQueryOptions** property. For example, when the print job is completed or when a print job resource `isFetchable` property value becomes `true` etc. <br/><br/> Supported only for Universal Print Service. For more information, see [Subscribe to change notifications from cloud printing APIs using Microsoft Graph](/graph/universal-print-webhook-notifications). |

+| notificationUrl | String | Required. The URL of the endpoint that receives the change notifications. This URL must make use of the HTTPS protocol. |

+| notificationUrlAppId | String | Optional. The app ID that the subscription service can use to generate the validation token. This allows the client to validate the authenticity of the notification received. |

+| resource | String | Required. Specifies the resource that will be monitored for changes. Do not include the base URL (`https://graph.microsoft.com/bet) for each supported resource. |

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+ Title: "voiceAuthenticationMethodConfiguration resource type"

+description: "Represents a voice call authenticaiton methods policy"

+ms.localizationpriority: medium

+# voiceAuthenticationMethodConfiguration resource type

+Namespace: microsoft.graph

+Represents a voice call authentication methods policy. Authentication methods policies define configuration settings and users or groups that are enabled to use the authentication method.

+Inherits from [authenticationMethodConfiguration](../resources/authenticationmethodconfiguration.md).

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[Get voiceAuthenticationMethodConfiguration](../api/voiceauthenticationmethodconfiguration-get.md)|[voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md)|Read the properties and relationships of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object.|

+|[Update voiceAuthenticationMethodConfiguration](../api/voiceauthenticationmethodconfiguration-update.md)|None|Update the properties of a [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object.|

+|[Delete voiceAuthenticationMethodConfiguration](../api/voiceauthenticationmethodconfiguration-delete.md)|None|Revert the [voiceAuthenticationMethodConfiguration](../resources/voiceauthenticationmethodconfiguration.md) object to its default configuration.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|id|String|The authentication method policy identifier.|

+|isOfficePhoneAllowed|Boolean|`true` if users can register office phones, otherwise, `false`. |

+|state|authenticationMethodState|Represents whether users can register this authentication method. The possible values are: `enabled`, `disabled`.|

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|includeTargets|[voiceAuthenticationMethodTarget](../resources/voiceauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method. Expanded by default.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "baseType": "microsoft.graph.authenticationMethodConfiguration",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodConfiguration",

+ "id": "String (identifier)",

+ "state": "String",

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+ "isOfficePhoneAllowed": "Boolean"

+}

+```

+ Title: "voiceAuthenticationMethodTarget resource type"

+description: "A collection of groups enabled to use voice call authentication method via policy."

+ms.localizationpriority: medium

+# voiceAuthenticationMethodTarget resource type

+Namespace: microsoft.graph

+A collection of groups enabled to use voice call authentication via the [voice call authentication methods policy](../resources/voiceAuthenticationMethodConfiguration.md) in Azure AD.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|id|String|Object ID of an Azure AD group.|

+|isRegistrationRequired|Boolean|Determines whether the user is enforced to register the authentication method. **Not supported**.|

+|targetType|authenticationMethodTargetType|Possible values are: `group`, and `unknownFutureValue`. From December 2022, targeting individual users using `user` is no longer recommended. Existing targets will remain but we recommend to move the individual users to a targeted group. Inherited from [authenticationMethodTarget](authenticationMethodTarget.md).|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.voiceAuthenticationMethodTarget",

+ "baseType": "microsoft.graph.authenticationMethodTarget",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.voiceAuthenticationMethodTarget",

+ "id": "String (identifier)",

+ "targetType": "String",

+ "isRegistrationRequired": "Boolean"

+}

+```

+- [subscription resource type](subscription.md)

+- [Training module: Use change notifications and track changes with Microsoft Graph](/training/modules/msgraph-changenotifications-trackchanges)

+- [Lifecycle notifications](/graph/webhooks-lifecycle.md)

+<!-- Links -->

+|[Update x509CertificateAuthenticationMethodConfiguration](../api/x509certificateauthenticationmethodconfiguration-update.md)|None|Update the properties of a x509CertificateAuthenticationMethodConfiguration object.|

+|excludeTargets|[excludeTarget](../resources/excludetarget.md) collection|Groups of users that are excluded from the policy.|

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ "excludeTargets": [

+ {

+ "@odata.type": "microsoft.graph.excludeTarget"

+ }

+ ],

+For delegated scenarios, the calling user must have the *Global Administrator* [Azure AD role](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).

+This method supports the `$filter`and `$select` [OData query parameters](/graph/query-parameters) to help customize the response.

+> **Note**: While creating a channel, you can only add one member per shared channel; however, you can add up to 200 members per private channel.

+This method does not delete the rubric itself and can only be performed by teachers.

+Get the [educationRubric](../resources/educationrubric.md) object attached to an [educationAssignment](../resources/educationassignment.md), if one exists. Only teachers, students, and applications with application permissions can perform this operation.

+Get the properties and relationships of an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the categories associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Get all the [educationAssignmentResource](../resources/educationassignmentresource.md) objects associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+List all the submissions associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Add one or more existing [educationCategory](../resources/educationcategory.md) objects to the specified [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Create an [assignment resource](../resources/educationassignmentresource.md). Only teachers can perform this operation.

+You can create the following types of assignment resources:

+- [educationTeamsAppResource](../resources/educationteamsappresource.md)

+Every resource has an **@odata.type** property to indicate which type of resource is being created.

+- [educationTeamsAppResource](../resources/educationteamsappresource.md)

+### Example 7: Create an educationTeamsAppResource

+#### Request

+The following is an example of the request.

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["2003c52e-807a-4186-9b49-60c573095461", "820371a1-4589-4a4a-8b40-9d5db94b9186"],

+ "name": "create_educationTeamsAppResource_from_educationassignmentsApp"

+}-->

+```http

+POST https://graph.microsoft.com/v1.0/education/classes/2003c52e-807a-4186-9b49-60c573095461/assignments/820371a1-4589-4a4a-8b40-9d5db94b9186/resources

+Content-type: application/json

+{

+ "distributeForStudentWork": false,

+ "resource": {

+ "displayName": "Template - My Story",

+ "appId": "6fbeb90c-3d55-4bd5-82c4-bfe824be4300",

+ "appIconWebUrl": "https://statics.teams.cdn.office.net/evergreen-assets/ThirdPartyApps/6fbeb90c-3d55-4bd5-82c4-bfe824be4300_largeImage.png?v=2.0.2",

+ "teamsEmbeddedContentUrl": "https://app.api.edu.buncee.com/player/C7B0866C9B7E485EAE21AE14DBC3FD08?embed=1&render_slide_panel=1",

+ "webUrl": "https://app.edu.buncee.com/buncee/C7B0866C9B7E485EAE21AE14DBC3FD08",

+ "@odata.type": "#microsoft.graph.educationTeamsAppResource"

+ }

+}

+```

+#### Response

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.educationTeamsAppResource"

+} -->

+```http

+HTTP/1.1 201 Created

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#education/classes('2003c52e-807a-4186-9b49-60c573095461')/assignments('820371a1-4589-4a4a-8b40-9d5db94b9186')/resources/$entity",

+ "distributeForStudentWork": false,

+ "id": "6821bff5-91e4-4b63-8f98-8157305ff004",

+ "resource": {

+ "@odata.type": "#microsoft.graph.educationTeamsAppResource",

+ "displayName": "Template - My Story",

+ "createdDateTime": "2022-12-01T16:35:58.0718192Z",

+ "lastModifiedDateTime": "2022-12-01T16:35:58.0718396Z",

+ "appId": "6fbeb90c-3d55-4bd5-82c4-bfe824be4300",

+ "appIconWebUrl": "https://statics.teams.cdn.office.net/evergreen-assets/ThirdPartyApps/6fbeb90c-3d55-4bd5-82c4-bfe824be4300_largeImage.png?v=2.0.2",

+ "teamsEmbeddedContentUrl": "https://app.api.edu.buncee.com/player/C7B0866C9B7E485EAE21AE14DBC3FD08?embed=1&render_slide_panel=1",

+ "webUrl": "https://app.edu.buncee.com/buncee/C7B0866C9B7E485EAE21AE14DBC3FD08",

+ "createdBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": "fffafb29-e8bc-4de3-8106-be76ed2ad499",

+ "displayName": null

+ }

+ },

+ "lastModifiedBy": {

+ "application": null,

+ "device": null,

+ "user": {

+ "id": "fffafb29-e8bc-4de3-8106-be76ed2ad499",

+ "displayName": null

+ }

+ }

+ }

+}

+```

+Attach an existing [educationRubric](../resources/educationrubric.md) object to an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Remove an [educationCategory](../resources/educationcategory.md) from an [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload feedback files for a given [educationSubmission](../resources/educationsubmission.md). Only teachers can perform this operation.

+Create a SharePoint folder to upload files for a given [educationAssignment](../resources/educationassignment.md). Only teachers can perform this operation.

+These are the class-level assignment defaults respected by new [assignments](../resources/educationassignment.md) created in the class. Callers can continue to specify custom values on each **assignment** creation if they don't want the default behaviors. Only teachers can perform this operation.

+Get the properties of an [education assignment resource](../resources/educationassignmentresource.md) associated with an [assignment](../resources/educationassignment.md). Only teachers, students, and applications with application permissions can perform this operation.

+Read the properties and relationships of an [educationAssignmentSettings](../resources/educationassignmentsettings.md) object. Only teachers can perform this operation.

+Delete an existing [category](../resources/educationcategory.md). Only teachers can perform this operation.

+Retrieve an [educationCategory](../resources/educationcategory.md) object. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of assignment objects. Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationCategory](../resources/educationcategory.md) objects. Only teachers can perform this operation.

+Create a new assignment.

+Creates a new [educationCategory](../resources/educationcategory.md) on an [educationClass](../resources/educationclass.md). Only teachers can perform this operation.

+Update the properties of an [educationOutcome](../resources/educationoutcome.md) object. Only teachers can perform this operation.

+Delete an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve the properties and relationships of an [educationRubric](../resources/educationrubric.md) object. Only teachers and students can perform this operation.

+Update the properties of an [educationRubric](../resources/educationrubric.md) object. Only teachers can perform this operation.

+Retrieve a particular [submission](../resources/educationsubmission.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a list of [educationOutcome](../resources/educationoutcome.md) objects. There are four types of outcomes: **educationPointsOutcome**, **educationFeedbackOutcome**, **educationRubricOutcome**, and **educationFeedbackResourceOutcome**. Only teachers, students, and applications with application permissions can perform this operation.

+List the resources associated with a [submission](../resources/educationsubmission.md). Only teachers, students, and applications with application permissions can perform this operation.

+List the [educationSubmissionResource](../resources/educationsubmissionresource.md) objects that have officially been submitted for grading. Only teachers, students, and applications with application permissions can perform this operation.

+Add an [educationSubmissionResource](../resources/educationsubmissionresource.md) to a submission resource list. Only teachers and students can perform this operation.

+The operation will not succeed if the **allowStudentsToAddResources** flag is not set to `true`.

+Trigger the creation of the SharePoint resource folder where all file-based resources (Word, Excel, and so on) should be uploaded for a given submission. Only teachers and students can perform this operation.

+Indicate that a student is done with the work and is ready to hand in the assignment. Only teachers, students, and applications with application permissions can perform this operation.

+Indicate that a student wants to work on the submission of the assignment after it was turned in. Only teachers, students, and applications with application permissions can perform this operation.

+Delete an [educationSubmissionResource](../resources/educationsubmissionresource.md) from the submission. Only teachers and students can perform this operation.

+If the resource was copied from the assignment, a new copy of the resource will be created after the current copy is deleted. This allows you to "reset" the resource to its original state. If the resource was not copied from the assignment but was added from the student, the resource is simply deleted.

+Retrieve the properties of a specific resource associated with a [submission](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Retrieve a [submitted resource](../resources/educationsubmissionresource.md). Only teachers, students, and applications with application permissions can perform this operation.

+Returns a list of [educationAssignment](../resources/educationassignment.md) assigned to a [educationUser](../resources/educationuser.md) for all [classes](../resources/educationclass.md). Only teachers, students, and applications with application permissions can perform this operation.

+Get a list of the group's members. A group can different object types as members. For more information about supported member types for different groups, see [Group membership](/graph/groups-overview#group-membership).

+This operation is transitive and returns a flat list of all nested members. An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code.

+ An attempt to filter by an OData cast that represents an unsupported member type returns a `400 Bad Request` error with the `Request_UnsupportedQuery` code. For example, `/groups/{id}}/transitiveMembers/microsoft.graph.group` when the group is a Microsoft 365 group will return this error, because Microsoft 365 groups cannot have other groups as members.

+A group with **isAssignableToRole** property set to `true` cannot be of dynamic membership type, its **securityEnabled** must be set to `true`, and **visibility** can only be `Private`.

+> [!CAUTION]

+>

+>- The **attendanceRecords** property does not return information about a breakout room.

+| Delegated (work or school account) | Tasks.ReadWrite, Group.ReadWrite.All |

+The following table shows the properties that are required when you create a [plannerPlan](../resources/plannerplan.md).

+|Property|Type|Description|

+|:|:|:|

+|container|[plannerPlanContainer](../resources/plannerplancontainer.md)|Identifies the container of the plan. Specify only the **url**, the **containerId** and **type**, or all properties. After it is set, this property canΓÇÖt be updated.|

+|title|String|The title of the plan.|

+>**Note:** If the container is a Microsoft 365 group, the user who is creating the plan must be a member of the group that will contain the plan. When you create a new group by using [Create group](../api/group-post-groups.md), you are not added to the group as a member. After the group is created, add yourself as a member by using [group post members](../api/group-post-members.md).

+If successful, this method returns a `201 Created` response code and a [plannerPlan](../resources/plannerplan.md) object in the response body.

+This method can return any of the [HTTP status codes](/graph/errors). The most common errors that apps should handle for this method are the 400, 403, and 404 responses. For more information about these errors, see [Common Planner error conditions](../resources/planner-overview.md#common-planner-error-conditions).

+The following is an example of the request.

+ "container": {

+ "url": "https://graph.microsoft.com/beta/groups/ebf3b108-5234-4e22-b93d-656d7dae5874"

+ },

+The following is an example of the response.

+>**Note:** The response object shown here might be shortened for readability.

+ "id": "b108ebf3-4e22-b93d-5234-dae5874656d7"

+ "container": {

+ "@odata.type": "microsoft.graph.plannerPlanContainer",

+ "url": "https://graph.microsoft.com/beta/groups/ebf3b108-5234-4e22-b93d-656d7dae5874",

+ "containerId": "ebf3b108-5234-4e22-b93d-656d7dae5874",

+ "type": "group"

+ },

+ Title: "Get alert"

+description: "Retrieve the properties and relationships of an security alert object."

+ms.localizationpriority: medium

+# Get alert

+Namespace: microsoft.graph.security

+Get the properties and relationships of an [alert](../resources/security-alert.md) in an organization based on the specified alert **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/alerts_v2/{alertId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [alert](../resources/security-alert.md) object in the response body.

+## Examples

+### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["da637578995287051192_756343937"],

+ "name": "get_security_alert"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/alerts_v2/da637578995287051192_756343937

+```

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.alert"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637578995287051192_756343937",

+ "providerAlertId": "da637578995287051192_756343937",

+ "incidentId": "28282",

+ "status": "new",

+ "severity": "low",

+ "classification": "unknown",

+ "determination": "unknown",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": null,

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637578995287051192_756343937?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": [

+ {

+ "@odata.type": "#microsoft.graph.security.deviceEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "azureAdDeviceId": null,

+ "deviceDnsName": "tempDns",

+ "osPlatform": "Windows10",

+ "osBuild": 22424,

+ "version": "Other",

+ "healthStatus": "active",

+ "riskScore": "medium",

+ "rbacGroupId": 75,

+ "rbacGroupName": "UnassignedGroup",

+ "onboardingStatus": "onboarded",

+ "defenderAvStatus": "unknown",

+ "loggedOnUsers": [],

+ "roles": [

+ "compromised"

+ ],

+ "tags": [

+ "Test Machine"

+ ],

+ "vmMetadata": {

+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",

+ "cloudProvider": "azure",

+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",

+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.fileEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "fileDetails": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.processEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "processId": 4780,

+ "parentProcessId": 668,

+ "processCommandLine": "\"MsSense.exe\"",

+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",

+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "imageFile": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "parentProcessImageFile": {

+ "sha1": null,

+ "sha256": null,

+ "fileName": "services.exe",

+ "filePath": "C:\\Windows\\System32",

+ "fileSize": 731744,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "userAccount": {

+ "accountName": "SYSTEM",

+ "domainName": "NT AUTHORITY",

+ "userSid": "S-1-5-18",

+ "azureAdUserId": null,

+ "userPrincipalName": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",

+ "registryHive": "HKEY_LOCAL_MACHINE",

+ "roles": [],

+ "tags": [],

+ }

+ ]

+}

+```

+ Title: "Create comment for alert"

+description: "Adds a comment to the end of the alert comments list"

+ms.localizationpriority: medium

+# Create comment for alert

+Namespace: microsoft.graph

+Create a comment for an existing [alert](../resources/security-alert.md) based on the specified alert **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/alerts_v2/{alertId}/comments

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, use `@odata.type` to specify the parameter type of [alertComment](../resources/security-alertcomment.md), and provide a JSON object for the parameter, `comment`. See an [example](#examples).

+| Parameter | Type |Description|

+|:|:--|:-|

+|comment|String|The comment to be added.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated list of all [alertComment](../resources/security-alertcomment.md) resources for the specified alert.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["da637865765418431569_-773071023"],

+ "name": "alert_v2_addcomment"

+}

+-->

+``` http

+POST https://graph.microsoft.com/v1.0/security/alerts_v2/da637865765418431569_-773071023/comments

+Content-Type: application/json

+{

+ "@odata.type": "microsoft.graph.security.alertComment",

+ "comment": "Demo for docs"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "collection(microsoft.graph.security.alertComment)",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/alerts_v2('da637865765418431569_-773071023')/comments",

+ "value": [

+ {

+ "comment": "test",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:30.1606766Z"

+ },

+ {

+ "comment": "Demo for docs",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:40.3825324Z"

+ }

+ ]

+}

+```

+ Title: "Update alert"

+description: "Update the properties of an alert object."

+ms.localizationpriority: medium

+# Update alert

+Namespace: microsoft.graph

+Update the properties of an [alert](../resources/security-alert.md) object in an organization based on the specified alert **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/alerts_v2/{alertId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|status|microsoft.graph.security.alertStatus|The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.|

+|classification|microsoft.graph.security.alertClassification|Specifies the classification of the alert. Possible values are: `unknown`, `falsePositive`, `truePositive`, `benignPositive`, `unknownFutureValue`.|

+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the alert. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|

+|assignedTo|String|Owner of the incident, or null if no owner is assigned.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated [alert](../resources/security-alert.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["da637551227677560813_-961444813"],

+ "name": "update_alert_v2"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/v1.0/security/alerts_v2/da637551227677560813_-961444813

+Content-Type: application/json

+Content-length: 2450

+{

+ "assignedTo": "secAdmin@contoso.onmicrosoft.com",

+ "classification": "truePositive",

+ "determination": "malware",

+ "status": "inProgress"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "microsoft.graph.security.alert",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637551227677560813_-961444813",

+ "providerAlertId": "da637551227677560813_-961444813",

+ "incidentId": "28282",

+ "status": "inProgress",

+ "severity": "low",

+ "classification": "truePositive",

+ "determination": "malware",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": "secAdmin@contoso.onmicrosoft.com",

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": []

+}

+```

+Delete Microsoft Teams messages contained in an [eDiscovery search](../resources/security-ediscoverysearch.md).

+ Title: "Get incident"

+description: "Retrieve the properties and relationships of an incident object."

+ms.localizationpriority: medium

+# Get incident

+Namespace: microsoft.graph.security

+Retrieve the properties and relationships of an [incident](../resources/security-incident.md) object.

+Attacks are typically inflicted on different types of entities, such as devices, users, and mailboxes, resulting in multiple [alert](../resources/security-alert.md) objects. Microsoft 365 Defender correlates alerts with the same attack techniques or the same attacker into an **incident**.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/incidents/{incidentId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and an [incident](../resources/security-incident.md) object in the response body.

+## Examples

+### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["2972395"],

+ "name": "get_incident"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/incidents/2972395

+```

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.incident"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.type": "#microsoft.graph.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "status": "Active",

+ "severity": "Medium",

+ "customTags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ]

+}

+```

+ Title: "Create comment for incident"

+description: "Adds a comment to the end of the incident comments list"

+ms.localizationpriority: medium

+# Create comment

+Namespace: microsoft.graph

+Create a comment for an existing [incident](../resources/security-incident.md) based on the specified incident **id** property.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/incidents/{incidentId}/comments

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, use `@odata.type` to specify the parameter type of [alertComment](../resources/security-alertcomment.md), and provide a JSON object for the parameter, `comment`. See an [example](#examples).

+| Parameter | Type |Description|

+|:|:--|:-|

+|comment|String|The comment to be added.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated list of all [alertComment](../resources/security-alertcomment.md) resources of the incident.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["3962396"],

+ "name": "incident_addcomment"

+}

+-->

+``` http

+POST https://graph.microsoft.com/v1.0/security/incidents/3962396/comments

+Content-Type: application/json

+{

+ "@odata.type": "microsoft.graph.security.alertComment",

+ "comment": "Demo for docs"

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "collection(microsoft.graph.security.alertComment)",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts_v2('da637865765418431569_-773071023')/comments",

+ "value": [

+ {

+ "comment": "test",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:45.4626766Z"

+ },

+ {

+ "comment": "Demo for docs",

+ "createdByDisplayName": "secAdmin@contoso.onmicrosoft.com",

+ "createdDateTime": "2022-10-13T07:08:50.5821324Z"

+ }

+ ]

+}

+```

+ Title: "Update incident"

+description: "Update the properties of an incident object."

+ms.localizationpriority: medium

+# Update incident

+Namespace: microsoft.graph.security

+Update the properties of an [incident](../resources/security-incident.md) object.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+PATCH /security/incidents/{incidentId}

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+|Property|Type|Description|

+|:|:|:|

+|assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.|

+|classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|

+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|

+|status|microsoft.graph.security.incidentStatus|The status of the incident. Possible values are: `active`, `resolved`, `redirected`, `unknownFutureValue`.|

+|customTags|String collection|Array of custom tags associated with an incident.|

+## Response

+If successful, this method returns a `200 OK` response code and an updated [incident](../resources/security-incident.md) object in the response body.

+## Examples

+### Request

+The following is an example of a request.

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "sampleKeys": ["2972395"],

+ "name": "update_incident"

+}

+-->

+``` http

+PATCH https://graph.microsoft.com/v1.0/security/incidents/2972395

+Content-Type: application/json

+{

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "customTags": [

+ "Demo"

+ ]

+}

+```

+### Response

+The following is an example of the response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "microsoft.graph.security.incident",

+ "truncated": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "@odata.type": "#microsoft.graph.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "status": "Active",

+ "severity": "Medium",

+ "customTags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ]

+}

+```

+ Title: "List alerts_v2"

+description: "Get a list of the security alert objects and their properties."

+ms.localizationpriority: medium

+# List alerts_v2

+Namespace: microsoft.graph.security

+Get a list of [alert](../resources/security-alert.md) resources that have been created to track suspicious activities in an organization.

+This operation lets you filter and sort through alerts to create an informed cyber security response. It exposes a collection of alerts that were flagged in your network, within the time range you specified in your environment retention policy. The most recent alerts are displayed at the top of the list.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/alerts_v2

+```

+## Optional query parameters

+This method supports the following OData query parameters to help customize the response: `$count`, `$filter`, `$skip`, `$top`.

+The following properties support `$filter` : **assignedTo**, **classification**, **determination**, **createdDateTime**, **lastUpdateDateTime**, **severity**, **serviceSource** and **status**.

+Use `@odata.nextLink` for pagination.

+The following are examples of their use:

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/alerts_v2?$filter={property}+eq+'{property-value}'

+GET /security/alerts_V2?$top=100&$skip=200

+```

+For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [alert](../resources/security-alert.md) objects in the response body.

+## Examples

+### Request

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "security_list_alerts"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/alerts_v2

+```

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.alert",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637551227677560813_-961444813",

+ "providerAlertId": "da637551227677560813_-961444813",

+ "incidentId": "28282",

+ "status": "new",

+ "severity": "low",

+ "classification": "unknown",

+ "determination": "unknown",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": null,

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": [

+ {

+ "@odata.type": "#microsoft.graph.security.deviceEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "azureAdDeviceId": null,

+ "deviceDnsName": "tempDns",

+ "osPlatform": "Windows10",

+ "osBuild": 22424,

+ "version": "Other",

+ "healthStatus": "active",

+ "riskScore": "medium",

+ "rbacGroupId": 75,

+ "rbacGroupName": "UnassignedGroup",

+ "onboardingStatus": "onboarded",

+ "defenderAvStatus": "unknown",

+ "loggedOnUsers": [],

+ "roles": [

+ "compromised"

+ ],

+ "tags": [

+ "Test Machine"

+ ],

+ "vmMetadata": {

+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",

+ "cloudProvider": "azure",

+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",

+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.fileEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "fileDetails": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.processEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "processId": 4780,

+ "parentProcessId": 668,

+ "processCommandLine": "\"MsSense.exe\"",

+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",

+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "imageFile": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "parentProcessImageFile": {

+ "sha1": null,

+ "sha256": null,

+ "fileName": "services.exe",

+ "filePath": "C:\\Windows\\System32",

+ "fileSize": 731744,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "userAccount": {

+ "accountName": "SYSTEM",

+ "domainName": "NT AUTHORITY",

+ "userSid": "S-1-5-18",

+ "azureAdUserId": null,

+ "userPrincipalName": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",

+ "registryHive": "HKEY_LOCAL_MACHINE",

+ "roles": [],

+ "tags": [],

+ }

+ ]

+ }

+ ]

+}

+```

+ Title: "List incidents"

+description: "Get a list of the incident objects and their properties."

+ms.localizationpriority: medium

+# List incidents

+Namespace: microsoft.graph.security

+Get a list of [incident](../resources/security-incident.md) objects that Microsoft 365 Defender has created to track attacks in an organization.

+Attacks are typically inflicted on different types of entities, such as devices, users, and mailboxes, resulting in multiple [alert](../resources/security-alert.md) objects. Microsoft 365 Defender correlates alerts with the same attack techniques or the same attacker into an **incident**.

+This operation allows you to filter and sort through incidents to create an informed cyber security response. It exposes a collection of incidents that were flagged in your network, within the time range you specified in your environment retention policy. The most recent incidents are displayed at the top of the list.

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/incidents

+```

+## Optional query parameters

+This method supports the following OData query parameters to help customize the response: `$count`, `$filter`, `$skip`, `$top`, `$expand`.

+The following properties support `$filter` : **assignedTo**, **classification**, **createdDateTime**, **determination**, **lastUpdateDateTime**, **severity**, and **status**.

+Use `@odata.nextLink` for pagination.

+The following are examples of their use:

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+GET /security/incidents?$count=true

+GET /security/incidents?$filter={property}+eq+'{property-value}'

+GET /security/incidents?$top=10

+```

+For general information, see [OData query parameters](/graph/query-parameters).

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+## Request body

+Do not supply a request body for this method.

+## Response

+If successful, this method returns a `200 OK` response code and a collection of [incident](../resources/security-incident.md) objects in the response body.

+## Examples

+### Example 1: List all incidents

+#### Request

+<!-- {

+ "blockType": "request",

+ "name": "list_incident_for_defender"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/incidents

+```

+#### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.incident",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "TruePositive",

+ "determination": "MultiStagedAttack",

+ "status": "Active",

+ "severity": "Medium",

+ "customTags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ]

+ }

+ ]

+}

+```

+### Example 2: List all incidents with their alerts

+#### Request

+<!-- {

+ "blockType": "request",

+ "name": "list_incident_with_their_alerts"

+}

+-->

+``` http

+GET https://graph.microsoft.com/v1.0/security/incidents?$expand=alerts

+```

+#### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "truncated": true,

+ "@odata.type": "microsoft.graph.security.incident",

+ "isCollection": true

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-Type: application/json

+{

+ "value": [

+ {

+ "@odata.type": "#microsoft.graph.security.incident",

+ "id": "2972395",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",

+ "redirectIncidentId": null,

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",

+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",

+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",

+ "assignedTo": "KaiC@contoso.onmicrosoft.com",

+ "classification": "truePositive",

+ "determination": "multiStagedAttack",

+ "status": "active",

+ "severity": "medium",

+ "tags": [

+ "Demo"

+ ],

+ "comments": [

+ {

+ "comment": "Demo incident",

+ "createdBy": "DavidS@contoso.onmicrosoft.com",

+ "createdTime": "2021-09-30T12:07:37.2756993Z"

+ }

+ ],

+ "alerts": [

+ {

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "da637551227677560813_-961444813",

+ "providerAlertId": "da637551227677560813_-961444813",

+ "incidentId": "28282",

+ "status": "new",

+ "severity": "low",

+ "classification": "unknown",

+ "determination": "unknown",

+ "serviceSource": "microsoftDefenderForEndpoint",

+ "detectionSource": "antivirus",

+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",

+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "title": "Suspicious execution of hidden file",

+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",

+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",

+ "category": "DefenseEvasion",

+ "assignedTo": null,

+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",

+ "actorDisplayName": null,

+ "threatDisplayName": null,

+ "threatFamilyName": null,

+ "mitreTechniques": [

+ "T1564.001"

+ ],

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",

+ "resolvedDateTime": null,

+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",

+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",

+ "comments": [],

+ "evidence": [

+ {

+ "@odata.type": "#microsoft.graph.security.deviceEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "azureAdDeviceId": null,

+ "deviceDnsName": "tempDns",

+ "osPlatform": "Windows10",

+ "osBuild": 22424,

+ "version": "Other",

+ "healthStatus": "active",

+ "riskScore": "medium",

+ "rbacGroupId": 75,

+ "rbacGroupName": "UnassignedGroup",

+ "onboardingStatus": "onboarded",

+ "defenderAvStatus": "unknown",

+ "loggedOnUsers": [],

+ "roles": [

+ "compromised"

+ ],

+ "tags": [

+ "Test Machine"

+ ],

+ "vmMetadata": {

+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",

+ "cloudProvider": "azure",

+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",

+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.fileEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "fileDetails": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.processEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "processId": 4780,

+ "parentProcessId": 668,

+ "processCommandLine": "\"MsSense.exe\"",

+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",

+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",

+ "detectionStatus": "detected",

+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",

+ "roles": [],

+ "tags": [],

+ "imageFile": {

+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",

+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",

+ "fileName": "MsSense.exe",

+ "filePath": "C:\\Program Files\\temp",

+ "fileSize": 6136392,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "parentProcessImageFile": {

+ "sha1": null,

+ "sha256": null,

+ "fileName": "services.exe",

+ "filePath": "C:\\Windows\\System32",

+ "fileSize": 731744,

+ "filePublisher": "Microsoft Corporation",

+ "signer": null,

+ "issuer": null

+ },

+ "userAccount": {

+ "accountName": "SYSTEM",

+ "domainName": "NT AUTHORITY",

+ "userSid": "S-1-5-18",

+ "azureAdUserId": null,

+ "userPrincipalName": null

+ }

+ },

+ {

+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",

+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",

+ "verdict": "unknown",

+ "remediationStatus": "none",

+ "remediationStatusDetails": null,

+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",

+ "registryHive": "HKEY_LOCAL_MACHINE",

+ "roles": [],

+ "tags": [],

+ }

+ ]

+ }

+ ]

+ }

+ ]

+}

+```

+ Title: "security: runHuntingQuery"

+description: "Run Hunting query API"

+ms.localizationpriority: medium

+# security: runHuntingQuery

+Namespace: microsoft.graph.security

+Queries a specified set of event, activity, or entity data supported by Microsoft 365 Defender to proactively look for specific threats in your environment.

+This is the method for advanced hunting in Microsoft 365 Defender. This method includes a query in Kusto Query Language (KQL). It specifies a data table in the [advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide&preserve-view=true) and a piped sequence of operators to filter or search that data, and format the query output in specific ways.

+Find out more about [hunting for threats across devices, emails, apps, and identities](/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide&preserve-view=true). Learn about [KQL](/azure/data-explorer/kusto/query/).

+For information on using advanced hunting in the [Microsoft 365 Defender portal](/microsoft-365/security/defender/microsoft-365-defender-portal?view=o365-worldwide&preserve-view=true), see [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide&preserve-view=true).

+## Permissions

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).

+|Permission type|Permissions (from least to most privileged)|

+|:|:|

+|Delegated (work or school account)|ThreatHunting.Read.All|

+|Delegated (personal Microsoft account)|Not supported.|

+|Application|ThreatHunting.Read.All|

+## HTTP request

+<!-- {

+ "blockType": "ignored"

+}

+-->

+``` http

+POST /security/runHuntingQuery

+```

+## Request headers

+|Name|Description|

+|:|:|

+|Authorization|Bearer {token}. Required.|

+|Content-Type|application/json. Required.|

+## Request body

+In the request body, provide a JSON object for the parameter, `Query`.

+| Parameter | Type |Description|

+|:|:--|:-|

+|Query|String|The hunting query in Kusto Query Language (KQL). For more information on KQL syntax, see [KQL quick reference](/azure/data-explorer/kql-quick-reference).|

+## Response

+If successful, this action returns a `200 OK` response code and a [huntingQueryResults](../resources/security-huntingqueryresults.md) in the response body.

+## Examples

+### Request

+This example specifies a KQL query which does the following:

+- Looks into the [DeviceProcessEvents](/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide&preserve-view=true) table in the advanced hunting schema.

+- Filters on the condition that the event is initiated by the powershell.exe process.

+- Specifies the output of 3 columns from the same table for each row: `Timestamp`, `FileName`, `InitiatingProcessFileName`.

+- Sorts the output by the `Timestamp` value.

+- Limits the output to 2 records (2 rows).

+# [HTTP](#tab/http)

+<!-- {

+ "blockType": "request",

+ "name": "security_runhuntingquery"

+}

+-->

+``` http

+POST https://graph.microsoft.com/v1.0/security/runHuntingQuery

+{

+ "Query": "DeviceProcessEvents | where InitiatingProcessFileName =~ \"powershell.exe\" | project Timestamp, FileName, InitiatingProcessFileName | order by Timestamp desc | limit 2"

+}

+```

+### Response

+>**Note:** The response object shown here might be shortened for readability.

+<!-- {

+ "blockType": "response",

+ "@odata.type": "microsoft.graph.security.huntingQueryResults"

+}

+-->

+``` http

+HTTP/1.1 200 OK

+Content-type: application/json

+{

+ "schema": [

+ {

+ "Name": "Timestamp",

+ "Type": "DateTime"

+ },

+ {

+ "Name": "FileName",

+ "Type": "String"

+ },

+ {

+ "Name": "InitiatingProcessFileName",

+ "Type": "String"

+ }

+ ],

+ "results": [

+ {

+ "Timestamp": "2020-08-30T06:38:35.7664356Z",

+ "FileName": "conhost.exe",

+ "InitiatingProcessFileName": "powershell.exe"

+ },

+ {

+ "Timestamp": "2020-08-30T06:38:30.5163363Z",

+ "FileName": "conhost.exe",

+ "InitiatingProcessFileName": "powershell.exe"

+ }

+ ]

+}

+```

+ "@odata.context":"https://graph.microsoft.com/v1.0/$metadata#servicePrincipals",

+Use this API to add an owner for the [servicePrincipal](../resources/serviceprincipal.md). Service principal owners can be users, the service principal itself, or other service principals.

+ "/deployedge",

+ "/training",

+ "/windows-hardware"

+|id|String| Read-only. Unique ID of the user.|

+|roles| string collection | The roles for that user. |

+|userId| string | The guid of the user. |

+| reviewers |[accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection| This collection of access review scopes is used to define who the reviewers are. Supports `$select`. For examples of options for assigning reviewers, see [Assign reviewers to your access review definition using the Microsoft Graph API](/graph/accessreviews-scope-concept).|

+| notificationTemplateType |String | Indicates the type of access review email to be sent. Supported template type is `CompletedAdditionalRecipients`, which sends review completion notifications to the recipients.|

+| queryType | String | Indicates the type of query. Allowed value is `MicrosoftGraph`. |

+| queryType | String | The type of query. Examples include `MicrosoftGraph` and `ARM`. |

+| backupReviewers (deprecated) |[accessReviewReviewerScope](../resources/accessreviewreviewerscope.md) collection| This collection of reviewer scopes is used to define the list of fallback reviewers. These fallback reviewers will be notified to take action if no users are found from the list of reviewers specified. This could occur when either the group owner is specified as the reviewer but the group owner does not exist, or manager is specified as reviewer but a user's manager does not exist. Supports `$select`. <br>**Note:** This property has been replaced by **fallbackReviewers**. However, specifying either **backupReviewers** or **fallbackReviewers** automatically populates the same values to the other property. |

+|stageSettings|[accessReviewStageSettings](../resources/accessreviewstagesettings.md) collection| Required only for a multi-stage access review to define the stages and their settings. You can break down each review instance into up to three sequential stages, where each stage can have a different set of reviewers, fallback reviewers, and settings. Stages will be created sequentially based on the **dependsOn** property. Optional. <br/><br/>When this property is defined, its settings are used instead of the corresponding settings in the [accessReviewScheduleDefinition](accessreviewscheduledefinition.md) object and its **settings**, **reviewers**, and **fallbackReviewers** properties. |

+|id|String| Unique identifier for this policy. Read-only.|

+description: "Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified."

+This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified.

+This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers listed in [Use the Microsoft Graph security API](security-api-overview.md#legacy-alerts). It aggregates common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions.

+To learn more, see the sample queries in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).

+| type | Int32 | For internal use only

+|acquiredByPrinter|Boolean|True if the job was acquired by a printer; false otherwise. Read-only.|

+|createdDateTime|DateTimeOffset|The dateTimeOffset when the job was created. Read-only.|

+|id|String|The archived print job's GUID. Read-only.|

+|printerId|String|The printer ID that the job was queued for. Read-only.|

+|processingState|printJobProcessingState|The print job's final processing state. Read-only.|

+| labelId | String | The unique identifier of the label. |

+|type|attendeeType| The type of attendee. The possible values are: `required`, `optional`, `resource`. Currently if the attendee is a person, [findMeetingTimes](../api/user-findmeetingtimes.md) always considers the person is of the `Required` type.|

+| dialinUrl | String | A URL to the externally-accessible web page that contains dial-in information. |

+|displayName|String| The display name is the friendly name of the authenticationContextClassReference object. This value should be used to identify the authentication context class reference when building user-facing admin experiences. For example, a selection UX.|

+|id|String| Identifier used to reference the authentication context class. The id is used to trigger step-up authentication for the referenced authentication requirements and is the value that will be issued in the `acrs` claim of an access token. This value in the claim is used to verify that the required authentication context has been satisfied. The allowed values are `c1` through `c25`. <br/> Supports `$filter` (`eq`).|

+|displayName|String| Inherited property. The human-readable name of the policy. Optional. Read-only.|

+|id|String| Inherited property. The identifier of the authentication flows policy. Optional. Read-only.|

+description: "A collection of groups that are enabled to use an authentication method as part of an authentication method policy."

+A collection of groups that are enabled to use an authentication method as part of an authentication method policy in Azure AD.

+description: "An abstract type that represents the base class for all education-related resource objects in a system."

+An abstract type that represents the base class for all education-related resource objects in a system.

+Base type of [educationExcelResource](../resources/educationexcelresource.md), [educationFileResource](../resources/educationfileresource.md), [educationLinkResource](../resources/educationlinkresource.md), [educationPowerPointResource](../resources/educationpowerpointresource.md), [educationWordResource](../resources/educationwordresource.md), [educationMediaResource](../resources/educationmediaresource.md), [educationExternalResource](../resources/educationexternalresource.md), and [educationTeamsAppResource](../resources/educationteamsappresource.md).

+ Title: "educationTeamsAppResource resource type"

+description: "Corresponds to an installed Microsoft Teams app."

+ms.localizationpriority: medium

+# educationTeamsAppResource resource type

+Namespace: microsoft.graph

+Corresponds to an [installed Microsoft Teams app](teamsappinstallation.md). This allows education service users to create and share assignments with embedded Teams applications, such as YouTube or Flip.

+For information about using Flip for education on Microsoft Teams, see [introduction to Flip](/training/educator-center/product-guides/flip).

+Inherits from [educationResource](educationresource.md).

+## Properties

+| Property | Type | Description |

+|:|:|:--|

+| appIconWebUrl | String | URL that points to the icon of the app. |

+| appId | String | Teams app ID of the application. |

+| createdBy | [identitySet](identityset.md) | Identity of the user who created this resource. Inherited from **educationResource**. |

+| createdDateTime | DateTimeOffset | The date and time when the resource was added. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from **educationResource**. |

+| displayName | String | The display name of the resource. Inherited from **educationResource**. |

+| lastModifiedBy | [identitySet](identityset.md) | Identity of the user who last modified the resource. Inherited from **educationResource**. |

+| lastModifiedDateTime | DateTimeOffset | The date and time when the resource was last modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from **educationResource**. |

+| teamsEmbeddedContentUrl | String | URL for the app resource that will be opened by Teams. |

+| webUrl | String | URL for the app resource that can be opened in the browser. |

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "optionalProperties": [

+ ],

+ "@odata.type": "microsoft.graph.educationTeamsAppResource"

+}-->

+```json

+{

+ "appIconWebUrl": "String",

+ "appId": "String",

+ "createdBy": {"@odata.type": "microsoft.graph.identitySet"},

+ "createdDateTime": "String (timestamp)",

+ "displayName": "String",

+ "lastModifiedBy": {"@odata.type": "microsoft.graph.identitySet"},

+ "lastModifiedDateTime": "String (timestamp)",

+ "teamsEmbeddedContentUrl": "String",

+ "webUrl": "String"

+}

+```

+<!-- uuid: 8fcb5dbc-d5aa-4681-8e31-b001d5168d79

+2022-12-01 14:57:30 UTC -->

+<!--

+{

+ "type": "#page.annotation",

+ "description": "educationTeamsAppResource resource",

+ "keywords": "",

+ "section": "documentation",

+ "tocPath": "",

+ "suppressions": []

+}

+-->

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ Title: "Security enum values"

+description: "Microsoft Graph security subnamespace enumeration values"

+ms.localizationpriority: medium

+# Security enum values

+Namespace: microsoft.graph.security

+### detectionStatus values

+| Member

+|:--

+| detected

+| blocked

+| prevented

+| unknownFutureValue

+<!--

+{

+ "type": "#page.annotation",

+ "namespace": "microsoft.graph.security"

+}

+-->

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+| isAssignableToRole | Boolean | Indicates whether this group can be assigned to an Azure Active Directory role or not. Optional. <br><br>This property can only be set while creating the group and is immutable. If set to `true`, the **securityEnabled** property must also be set to `true`, **visibility** must be `Hidden`, and the group cannot be a dynamic group (that is, **groupTypes** cannot contain `DynamicMembership`). <br/><br/>Only callers in Global Administrator and Privileged Role Administrator roles can set this property. The caller must also be assigned the _RoleManagement.ReadWrite.Directory_ permission to set this property or update the membership of such groups. For more, see [Using a group to manage Azure AD role assignments](https://go.microsoft.com/fwlink/?linkid=2103037)<br><br>Returned by default. Supports `$filter` (`eq`, `ne`, `not`). |

+## Group membership

+Not all object types can be members of both Microsoft 365 and security groups.

+|includeTargets|[microsoftAuthenticatorAuthenticationMethodTarget](../resources/microsoftauthenticatorauthenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method. Expanded by default.|

+description: "A collection of groups enabled to use Microsoft Authenticator authentication methods policy."

+A collection of groups enabled to use [Microsoft Authenticator authentication methods policy](../resources/microsoftAuthenticatorAuthenticationMethodConfiguration.md) in Azure AD.

+|container|[plannerPlanContainer](../resources/plannerplancontainer.md)|Identifies the container of the plan. Specify only the **url**, the **containerId** and **type**, or all properties. After it is set, this property canΓÇÖt be updated. Required.|

+|containerId|String|The identifier of the resource that contains the plan. Optional.|

+|type|plannerContainerType| The type of the resource that contains the plan. For supported types, see the previous table. Possible values are: `group`, `unknownFutureValue`, `roster`. Note that you must use the `Prefer: include-unknown-enum-members` request header to get the following value in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `roster`. Optional.|

+|url|String|The full canonical URL of the container. Optional.|

+ Title: "alert resource type"

+description: "Represents potential security issues within a customer's tenant that Microsoft 365 Defender have identified."

+ms.localizationpriority: medium

+# alert resource type

+Namespace: microsoft.graph.security

+This resource corresponds to the latest generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft 365 Defender, or a security provider integrated with Microsoft 365 Defender, has identified.

+When detecting a threat, a security provider creates an alert in the system. Microsoft 365 Defender pulls this alert data from the security provider, and consumes the alert data to return valuable clues in an [alert](security-alert.md) resource about any related attack, impacted assets, and associated [evidence](security-alertevidence.md). It automatically correlates other alerts with the same attack techniques or the same attacker into an [incident](security-incident.md) to provide a broader context of an attack. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[List alerts_v2](../api/security-list-alerts_v2.md)|[microsoft.graph.security.alert](security-alert.md) collection|Get a list of [alert](../resources/security-alert.md) resources that have been created to track suspicious activities in an organization.|

+|[Get alert](../api/security-alert-get.md)|[microsoft.graph.security.alert](security-alert.md)|Get the properties of an [alert](../resources/security-alert.md) object in an organization based on the specified alert **id** property.|

+|[Update alert](../api/security-alert-update.md)|[microsoft.graph.security.alert](../resources/security-alert.md)|Update the properties of an [alert](../resources/security-alert.md) object in an organization based on the specified alert **id** property.|

+|[Create comment for alert](../api/security-alert-post-comments.md)| [alertComment](../resources/security-alertcomment.md) | Create a comment for an existing [alert](../resources/security-alert.md) based on the specified alert **id** property.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|actorDisplayName|String|The adversary or activity group that is associated with this alert.|

+|alertWebUrl|String|URL for the alert page in the Microsoft 365 Defender portal.|

+|assignedTo|String|Owner of the **alert**, or null if no owner is assigned.|

+|category|String|The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.|

+|classification|[microsoft.graph.security.alertClassification](#alertclassification-values)|Specifies whether the alert represents a true threat. Possible values are: `unknown`, `falsePositive`, `truePositive`, `benignPositive`, `unknownFutureValue`.|

+|comments|[microsoft.graph.security.alertComment](security-alertComment.md) collection|Array of comments created by the Security Operations (SecOps) team during the alert management process.|

+|createdDateTime|DateTimeOffset|Time when Microsoft 365 Defender created the alert.|

+|description|String|String value describing each alert.|

+|detectionSource|[microsoft.graph.security.detectionSource](#detectionsource-values)|Detection technology or sensor that identified the notable component or activity.|

+|detectorId|String|The ID of the detector that triggered the alert.|

+|determination|[microsoft.graph.security.alertDetermination](#alertdetermination-values)|Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|

+|evidence|[microsoft.graph.security.alertEvidence](security-alertEvidence.md) collection|Collection of evidence related to the alert.|

+|firstActivityDateTime|DateTimeOffset|The earliest activity associated with the alert.|

+|id|String|Unique identifier to represent the **alert** resource.|

+|incidentId|String|Unique identifier to represent the [incident](security-incident.md) this **alert** resource is associated with.|

+|incidentWebUrl|String|URL for the incident page in the Microsoft 365 Defender portal.|

+|lastActivityDateTime|DateTimeOffset|The oldest activity associated with the alert.|

+|lastUpdateDateTime|DateTimeOffset|Time when the alert was last updated at Microsoft 365 Defender.|

+|mitreTechniques|Collection(Edm.String)|The attack techniques, as aligned with the MITRE ATT&CK framework.|

+|providerAlertId|String|The ID of the alert as it appears in the security provider product that generated the alert.|

+|recommendedActions|String|Recommended response and remediation actions to take in the event this alert was generated.|

+|resolvedDateTime|DateTimeOffset|Time when the alert was resolved.|

+|serviceSource|[microsoft.graph.security.serviceSource](#servicesource-values)|The service or product that created this alert. Possible values are: `microsoftDefenderForEndpoint`, `microsoftDefenderForIdentity`, `microsoftCloudAppSecurity`, `microsoftDefenderForOffice365`, `microsoft365Defender`, `aadIdentityProtection`, `appGovernance`, `dataLossPrevention`.|

+|severity|[microsoft.graph.security.alertSeverity](#alertseverity-values)|Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.|

+|status|[microsoft.graph.security.alertStatus](#alertstatus-values)|The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.|

+|tenantId|String|The Azure Active Directory tenant the alert was created in.|

+|threatDisplayName|String|The threat associated with this alert.|

+|threatFamilyName|String|Threat family associated with this alert.|

+|title|String|Brief identifying string value describing the alert.|

+### alertClassification values

+| Member | Description |

+| :-| :- |

+| unknown | The alert isn't classified yet. |

+| falsePositive | The alert is a false positive and didn't detect malicious activity. |

+| truePositive | The alert is true positive and detected malicious activity. |

+| informationalExpectedActivity | The alert is benign positive and detected potentially malicious activity by a trusted/internal user, for example, security testing. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### alertDetermination values

+| Member | Description |

+| :--| : |

+| unknown | No determination value was set yet. |

+| apt | A true positive alert that detected an advanced persistent threat. |

+| malware | A true positive alert that detected malicious software. |

+| securityPersonnel | A true positive alert that detected valid suspicious activity that was performed by someone on the customer's security team. |

+| securityTesting | The alert detected valid suspicious activity that was performed as part of a known security testing. |

+| unwantedSoftware | The alert detected unwanted software. |

+| multiStagedAttack | A true positive alert that detected multiple kill-chain attack stages. |

+| compromisedAccount | A true positive alert that detected that the intended user's credentials were compromised or stolen. |

+| phishing | A true positive alert that detected a phishing email. |

+| maliciousUserActivity | A true positive alert that detected that the logged-on user performs malicious activities. |

+| notMalicious | A false alert, no suspicious activity. |

+| notEnoughDataToValidate | A false alert, without enough information to prove otherwise. |

+| confirmedActivity | The alert caught a true suspicious activity that is considered OK because it is a known user activity. |

+| lineOfBusinessApplication | The alert caught a true suspicious activity that is considered OK because it is a known and confirmed internal application. |

+| other | Other determination. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### alertSeverity values

+| Member | Description |

+| :--| : |

+| unknown | Unknown severity. |

+| informational | Alerts that may not be actionable or considered harmful to the network but can drive organizational security awareness on potential security issues. |

+| low | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands and clearing logs, that often don't indicate an advanced threat that targets the organization. It can also come from an isolated security tool that is tested by a user in your organization. |

+| medium | Alerts generated from detections and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be due to internal security testing, they are valid detections and require investigation as they may be a part of an advanced attack. |

+| high | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on assets. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### alertStatus values

+| Member | Description |

+| :-| :- |

+| unknown | Unknown status. |

+| new | New alert. |

+| inProgress | The alert is in mitigation progress. |

+| resolved | The alert is in resolved state. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### serviceSource values

+| Value | Description |

+| :-| :-|

+| unknown | Unknown service source. |

+| microsoftDefenderForEndpoint | Microsoft Defender for Endpoint. |

+| microsoftDefenderForIdentity | Microsoft Defender for Identity. |

+| microsoftDefenderForCloudApps| Microsoft Defender for Cloud Apps. |

+| microsoftDefenderForOffice365| Microsoft Defender For Office365. |

+| microsoft365Defender | Microsoft 365 Defender. |

+| microsoftAppGovernance | Microsoft app governance. |

+| microsoftDataLossPrevention | Microsoft Purview Data Loss Prevention. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use.|

+### detectionSource values

+| Value | Description |

+| :-| :-|

+| unknown | Unknown detection source. |

+| microsoftDefenderForEndpoint | Microsoft Defender For Endpoint. |

+| antivirus | Antivirus software. |

+| smartScreen | Microsoft Defender SmartScreen. |

+| customTi | Custom threat intelligence. |

+| microsoftDefenderForOffice365 | Microsoft Defender for Office 365. |

+| automatedInvestigation | Automated investigation. |

+| microsoftThreatExperts | Microsoft Threat Experts. |

+| customDetection | Custom detection. |

+| microsoftDefenderForIdentity | Microsoft Defender for Identity. |

+| cloudAppSecurity | Cloud app security. |

+| microsoft365Defender | Microsoft 365 Defender. |

+| azureAdIdentityProtection | Azure Active Directory Identity Protection. |

+| manual | Manual detection. |

+| microsoftDataLossPrevention | Microsoft Purview Data Loss Prevention. |

+| appGovernancePolicy | App governance policy. |

+| appGovernanceDetection | App governance detection. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.security.alert",

+ "baseType": "microsoft.graph.entity",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.alert",

+ "id": "String (identifier)",

+ "providerAlertId": "String",

+ "incidentId": "String",

+ "status": "String",

+ "severity": "String",

+ "classification": "String",

+ "determination": "String",

+ "serviceSource": "String",

+ "detectionSource": "String",

+ "detectorId": "String",

+ "tenantId": "String",

+ "title": "String",

+ "description": "String",

+ "recommendedActions": "String",

+ "category": "String",

+ "assignedTo": "String",

+ "alertWebUrl": "String",

+ "incidentWebUrl": "String",

+ "actorDisplayName": "String",

+ "threatDisplayName": "String",

+ "threatFamilyName": "String",

+ "mitreTechniques": [

+ "String"

+ ],

+ "createdDateTime": "String (timestamp)",

+ "lastUpdateDateTime": "String (timestamp)",

+ "resolvedDateTime": "String (timestamp)",

+ "firstActivityDateTime": "String (timestamp)",

+ "lastActivityDateTime": "String (timestamp)",

+ "comments": [

+ {

+ "@odata.type": "microsoft.graph.security.alertComment"

+ }

+ ],

+ "evidence": [

+ {

+ "@odata.type": "microsoft.graph.security.alertEvidence"

+ }

+ ]

+}

+```

+<!--

+{

+ "type": "#page.annotation",

+ "namespace": "microsoft.graph.security"

+}

+-->

+ Title: "alertComment resource type"

+description: "An analyst-generated comment that is associated with an alert or incident."

+ms.localizationpriority: medium

+# alertComment resource type

+Namespace: microsoft.graph.security

+An analyst-generated comment that is associated with an alert or incident.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|comment|String|The comment text.|

+|createdByDisplayName|String|The person or app name that submitted the comment.|

+|createdDateTime|DateTimeOffset|The time when the comment was submitted.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.alertComment"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.alertComment",

+ "comment": "String",

+ "createdByDisplayName": "String",

+ "createdDateTime": "String (timestamp)"

+}

+```

+ Title: "alertEvidence resource type"

+description: "Each alert contains a list of related evidence."

+ms.localizationpriority: medium

+# alertEvidence resource type

+Namespace: microsoft.graph.security

+Evidence related to an [alert](security-alert.md).

+This is the base type of [analyzedMessageEvidence](security-analyzedmessageevidence.md), [cloudApplicationEvidence](security-cloudapplicationevidence.md), [deviceEvidence](security-deviceevidence.md), [fileEvidence](security-fileevidence.md), [ipEvidence](security-ipEvidence.md), [mailboxEvidence](security-mailboxevidence.md), [mailClusterEvidence](security-mailclusterevidence.md), [oauthApplicationEvidence](security-oauthapplicationevidence.md), [processEvidence](security-processevidence.md), [registryKeyEvidence](security-registrykeyevidence.md), [registryValueEvidence](security-registryvalueevidence.md), [securityGroupEvidence](security-securitygroupevidence.md), [urlEvidence](security-urlevidence.md), and [userEvidence](security-userevidence.md).

+This alert evidence base type and its derived evidence types provide a means to organize and track rich data about each artifact involved in an **alert**. For example, an **alert** about an attacker's IP address logging into a cloud service using a compromised user account can track the following evidence:

+- [IP evidence](security-ipevidence.md) with the roles of `attacker` and `source`, remediation status of `running`, and verdict of `malicious`.

+- [Cloud application evidence](security-cloudapplicationevidence.md) with a role of `contextual`.

+- [Mailbox evidence](security-mailboxevidence.md) for the hacked user account with a role of `compromised`.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|createdDateTime|DateTimeOffset|The time the evidence was created and added to the alert.|

+|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](#evidenceremediationstatus-values)|Status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `unknownFutureValue`.|

+|remediationStatusDetails|String|Details about the remediation status.|

+|roles|[microsoft.graph.security.evidenceRole](#evidencerole-values) collection|The role/s that an evidence entity represents in an alert, e.g., an IP address that is associated with an attacker will have the evidence role "Attacker".|

+|tags|String collection|Array of custom tags associated with an evidence instance, for example to denote a group of devices, high value assets, etc.|

+|verdict|[microsoft.graph.security.evidenceVerdict](#evidenceverdict-values)|The decision reached by automated investigation. The possible values are: `unknown`, `suspicious`, `malicious`, `noThreatsFound`, `unknownFutureValue`.|

+### detectionSource values

+| Value | Description |

+| :-| :--|

+| detected | A product of the threat that executed was detected. |

+| blocked | the threat was remediated at run time. |

+| prevented | the threat was prevented from occurring (running, downloading, etc,).|

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### evidenceRemediationStatus values

+| Member | Description |

+| :--| : |

+| none | No threats were found. |

+| remediated | Remediation action has completed successfully. |

+| prevented | The threat was prevented from executing. |

+| blocked | The threat was blocked while executing. |

+| notFound | The evidence was not found. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### evidenceRole values

+| Member | Description |

+| :--| :- |

+| unknown | The evidence role is unknown. |

+| contextual | An entity that arose likely benign but was reported as a side effect of an attacker's action, e.g. the benign services.exe process was used to start a malicious service.|

+| scanned | An entity identified as a target of discovery scanning or reconnaissance actions, e.g. a port scanner was used to scan a network. |

+| source | The entity the activity originated from, e.g. device, user, IP address, etc. |

+| destination | The entity the activity was sent to, e.g. device, user, IP address, etc. |

+| created | The entity was created as a result of the actions of an attacker, e.g. a user account was created. |

+| added | The entity was added as a result of the actions of an attacker, e.g. a user account was added to a permissions group. |

+| compromised | The entity was compromised and is under the control of an attacker, e.g. a user account was compromised and used to log into a cloud service. |

+| edited | The entity was edited or changed by an attacker, e.g. the registry key for a service was edited to point to the location of a new malicious payload. |

+| attacked | The entity was attacked, e.g. a device was targeted in a DDoS attack. |

+| attacker | The entity represents the attacker, e.g. the attacker`s IP address observed logging into a cloud service using a compromised user account. |

+| commandAndControl | The entity is being used for command and control, e.g. a C2 (command and control) domain used by malware. |

+| loaded | The entity was loaded by a process under the control of an attacker, e.g. a Dll was loaded into an attacker-controlled process. |

+| suspicious | The entity is suspected of being malicious or controlled by an attacker but has not been incriminated. |

+| policyViolator | The entity is a violator of a customer defined policy. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### evidenceRemediationStatus values

+| Member | Description |

+| :--| : |

+| unknown | No verdict was determined for the evidence. |

+| suspicious | Recommended remediation actions awaiting approval.|

+| malicious | The evidence was determined to be malicious. |

+| clean | No threat was detected - the evidence is benign. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+### evidenceVerdict values

+| Member | Description |

+| :--| : |

+| unknown | No verdict was determined for the evidence.|

+| suspicious | |

+| malicious | The evidence was determined to be malicious. |

+| noThreatsFound | No threat was detected - the evidence is benign. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.alertEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.alertEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ]

+}

+```

+ Title: "analyzedMessageEvidence resource type"

+description: "An email, or analyzed message, that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# analyzedMessageEvidence resource type

+Namespace: microsoft.graph.security

+An email, or analyzed message, that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|antiSpamDirection|String|Direction of the email relative to your network. The possible values are: `inbound`, `outbound` or `intraorg`.|

+|attachmentsCount|Int64|Number of attachments in the email.|

+|deliveryAction|String|Delivery action of the email. The possible values are: `delivered`, `deliveredAsSpam`, `junked`, `blocked`, or `replaced`.|

+|deliveryLocation|String|Location where the email was delivered. The possible values are: `inbox`, `external`, `junkFolder`, `quarantine`, `failed`, `dropped`, `deletedFolder` or `forwarded`.|

+|internetMessageId|String|Public-facing identifier for the email that is set by the sending email system.|

+|language|String|Detected language of the email content.|

+|networkMessageId|String|Unique identifier for the email, generated by Microsoft 365.|

+|p1Sender|[microsoft.graph.security.emailSender](../resources/security-emailsender.md)|The P1 sender.|

+|p2Sender|[microsoft.graph.security.emailSender](../resources/security-emailsender.md)|The P2 sender.|

+|receivedDateTime|DateTimeOffset|Date and time when the email was received.|

+|recipientEmailAddress|String|Email address of the recipient, or email address of the recipient after distribution list expansion.|

+|senderIp|String|IP address of the last detected mail server that relayed the message.|

+|subject|String|Subject of the email.|

+|threatDetectionMethods|String collection|Collection of methods used to detect malware, phishing, or other threats found in the email.|

+|threats|String collection|Collection of detection names for malware or other threats found.|

+|urlCount|Int64|Number of embedded URLs in the email.|

+|urls|String collection|Collection of the URLs contained in this email.|

+|urn|String|Uniform resource name (URN) of the automated investigation where the cluster was identified.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.analyzedMessageEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "networkMessageId": "String",

+ "internetMessageId": "String",

+ "subject": "String",

+ "language": "String",

+ "senderIp": "String",

+ "recipientEmailAddress": "String",

+ "antiSpamDirection": "String",

+ "deliveryAction": "String",

+ "deliveryLocation": "String",

+ "urn": "String",

+ "threats": [

+ "String"

+ ],

+ "threatDetectionMethods": [

+ "String"

+ ],

+ "urls": [

+ "String"

+ ],

+ "urlCount": "Integer",

+ "attachmentsCount": "Integer",

+ "receivedDateTime": "String (timestamp)",

+ "p1Sender": {

+ "@odata.type": "microsoft.graph.security.emailSender"

+ },

+ "p2Sender": {

+ "@odata.type": "microsoft.graph.security.emailSender"

+ }

+}

+```

+- Pull and investigate all incidents and alerts from services that are part of or integrated with Microsoft 365 Defender.

+## Advanced hunting

+Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.

+Use [runHuntingQuery](../api/security-security-runhuntingquery.md) to run a [Kusto Query Language](/azure/data-explorer/kusto/query/) (KQL) query on data stored in Microsoft 365 Defender. Leverage the returned result set to enrich an existing investigation or to uncover undetected threats in your network.

+### Quotas and resource allocation

+1. You can run a query on data from only the last 30 days.

+2. The results include a maximum of 100,000 rows.

+3. The number of executions is limited per tenant:

+ - API calls: Up to 45 requests per minute, and up to 1500 requests per hour.

+ - Execution time: 10 minutes of running time every hour and 3 hours of running time a day.

+4. The maximal execution time of a single request is 200 seconds.

+5. A response code of HTTP 429 means you have reached the quota for either the number of API calls or execution time. Refer to the response body to confirm the limit you have reached.

+6. The maximum query result size of a single request cannot exceed 124 MB. Exceeding the size limit results in HTTP 400 Bad Request with the message "Query execution has exceeded the allowed result size. Optimize your query by limiting the number of results and try again."

+Alerts are detailed warnings about suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is alerts from multiple security providers for multiple entities in the tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming.

+The security API offers two types of alerts that aggregate other alerts from security providers and make analyzing attacks and determining response easier:

+- [Alerts and incidents](#alerts-and-incidents) - these are the latest generation of alerts in the Microsoft Graph security API. They are represented by the [alert](security-alert.md) resource and its collection, [incident](security-incident.md) resource, defined in the `microsoft.graph.security` namespace.

+- [Legacy alerts](#legacy-alerts) - these are the first generation of alerts in the Microsoft Graph security API. They are represented by the [alert](alert.md) resource defined in the `microsoft.graph` namespace.

+### Alerts and incidents

+These [alert](security-alert.md) resources first pull alert data from security provider services, that are either part of or integrated with [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide&preserve-view=true). Then they consume the data to return rich, valuable clues about a completed or ongoing attack, the impacted assets, and associated [evidence](security-alertevidence.md). In addition, they automatically correlate other alerts with the same attack techniques or the same attacker into an [incident](security-incident.md) to provide a broader context of an attack. They recommend response and remediation actions, offering consistent actionability across all the different providers. The rich content makes it easier for analysts to collectively investigate and respond to threats.

+Alerts from the following security providers are available via these rich alerts and incidents:

+- [Azure Active Directory Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection)

+- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide&preserve-view=true)

+- [Microsoft Defender for Cloud Apps](/cloud-app-security/monitor-alerts)

+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide&preserve-view=true)

+- [Microsoft Defender for Identity](/defender-for-identity/alerts-overview)

+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/overview?view=o365-worldwide&preserve-view=true)

+- [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide&preserve-view=true)

+### Legacy alerts

+These [alert](alert.md) resources federate calling of supported Azure and Microsoft 365 Defender security providers. They aggregate common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions. They enable applications to correlate alerts and context to improve threat protection and response.

+The legacy version of the security API offers the [alert](alert.md) resource which federates calling of supported Azure and Microsoft 365 Defender security providers. This **alert** resource aggregates alert data thatΓÇÖs common among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions. This enables applications to correlate alerts and context to improve threat protection and response.

+## Incidents

+An [incident](security-incident.md) is a collection of correlated  [alerts](security-alert.md) and associated data that make up the story of an attack. Incident management is part of Microsoft 365 Defender, and is available in the Microsoft 365 Defender portal (https://security.microsoft.com/).

+Microsoft 365 services and apps create  alerts  when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple  alerts for multiple entities in your tenant.

+Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an [incident](security-incident.md).

+Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:

+- Where the attack started.

+- What tactics were used.

+- How far the attack has gone into your tenant.

+- The scope of the attack, such as how many devices, users, and mailboxes were impacted.

+- All of the data associated with the attack.

+TheΓÇ» [incident](security-incident.md) resource and its APIs allow you to sort through incidents to create an informed cyber security response. It exposes a collection of incidents, with their relatedΓÇ» [alerts](security-alert.md), that were flagged in your network, within the time range you specified in your environment retention policy.

+|Update secure score control profiles|[Update secureScoreControlProfile](../api/securescorecontrolprofile-update.md) |[https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/secureScoreControlProfiles/{id}&method=PATCH&version=v1.0&GraphUrl=https://graph.microsoft.com)|

+| **Alerts and incidents**|||

+| List alerts | [List alerts](../api/security-list-alerts_v2.md) | [https://graph.microsoft.com/v1.0/security/alerts_v2](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts_v2&method=GET&version=v1.0&GraphUrl=https://graph.microsoft.com) |

+| Update alert | [Update alert](../api/security-alert-update.md) | [https://graph.microsoft.com/v1.0/security/alerts/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts/{id}&method=PATCH&version=v1.0&GraphUrl=https://graph.microsoft.com) |

+| List incidents | [List incidents](../api/security-list-incidents.md) | [https://graph.microsoft.com/v1.0/security/incidents](https://developer.microsoft.com/graph/graph-explorer?request=security/incidents&method=GET&version=v1.0&GraphUrl=https://graph.microsoft.com) |

+| List incidents with alerts| [List incidents](../api/security-list-incidents.md) | [https://graph.microsoft.com/v1.0/security/incidents?$expand=alerts](https://developer.microsoft.com/graph/graph-explorer?request=security/incidents?$expand=alerts&method=GET&version=v1.0&GraphUrl=https://graph.microsoft.com) |

+| Update incident | [Update incident](../api/security-incident-update.md) | [https://graph.microsoft.com/v1.0/security/incidents/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/incidents/{id}&method=PATCH&version=v1.0&GraphUrl=https://graph.microsoft.com) |

+| **eDiscovery**|||

+|List eDiscovery cases|[List eDiscoveryCases](../api/security-casesroot-list-ediscoverycases.md)|[https://graph.microsoft.com/v1.0/security/cases/eDiscoveryCases](https://developer.microsoft.com/graph/graph-explorer?request=security%2Fcases%2FeDiscoverycases&method=GET&version=v1.0&GraphUrl=https://graph.microsoft.com)|

+|List eDiscovery case operations|[List caseOperations](../api/security-ediscoverycase-list-operations.md)|[https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/{id}/operations](https://developer.microsoft.com/graph/graph-explorer?request=security%2Fcases%2FeDiscoverycases%2F%7Bid%7D%2Foperations&method=GET&version=v1.0&GraphUrl=https://graph.microsoft.com)|

+| **Legacy alerts**|||

+| **Secure scores**|||

+ Title: "cloudApplicationEvidence resource type"

+description: "A cloud application that is reported in the alert."

+ms.localizationpriority: medium

+# cloudApplicationEvidence resource type

+Namespace: microsoft.graph.security

+A cloud application that is reported in the alert.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|appId|Int64|Unique identifier of the application.|

+|displayName|String|Name of the application.|

+|instanceId|Int64|Identifier of the instance of the Software as a Service (SaaS) application.|

+|instanceName|String|Name of the instance of the SaaS application.|

+|saasAppId|Int64|The identifier of the SaaS application.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.cloudApplicationEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.cloudApplicationEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "appId": "Integer",

+ "displayName": "String",

+ "instanceId": "Integer",

+ "instanceName": "String",

+ "saasAppId": "Integer"

+}

+```

+ Title: "deviceEvidence resource type"

+description: "A device that is reported in the alert."

+ms.localizationpriority: medium

+# deviceEvidence resource type

+Namespace: microsoft.graph.security

+A device that is reported in the alert.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|azureAdDeviceId|String|A unique identifier assigned to a device by Azure Active Directory (Azure AD) when device is Azure AD-joined.|

+|defenderAvStatus|[microsoft.graph.security.defenderAvStatus](#defenderavstatus-values)|State of the Defender AntiMalware engine. The possible values are: `notReporting`, `disabled`, `notUpdated`, `updated`, `unknown`, `notSupported`, `unknownFutureValue`.|

+|deviceDnsName|String|The fully qualified domain name (FQDN) for the device.|

+|firstSeenDateTime|DateTimeOffset|The date and time when the device was first seen.|

+|healthStatus|[microsoft.graph.security.deviceHealthStatus](#devicehealthstatus-values)|The health state of the device.The possible values are: `active`, `inactive`, `impairedCommunication`, `noSensorData`, `noSensorDataImpairedCommunication`, `unknown`, `unknownFutureValue`.|

+|loggedOnUsers|[microsoft.graph.security.loggedOnUser](../resources/security-loggedonuser.md) collection|Users that were logged on the machine during the time of the alert.|

+|mdeDeviceId|String|A unique identifier assigned to a device by Microsoft Defender for Endpoint.|

+|onboardingStatus|[microsoft.graph.security.onboardingStatus](#onboardingstatus-values)|The status of the machine onboarding to Microsoft Defender for Endpoint.The possible values are: `insufficientInfo`, `onboarded`, `canBeOnboarded`, `unsupported`, `unknownFutureValue`.|

+|osBuild|Int64|The build version for the operating system the device is running.|

+|osPlatform|String|The operating system platform the device is running.|

+|rbacGroupId|Int32|The ID of the role-based access control (RBAC) device group.|

+|rbacGroupName|String|The name of the RBAC device group.|

+|riskScore|[microsoft.graph.security.deviceRiskScore](#deviceriskscore-values)|Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: `none`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.|

+|version|String|The version of the operating system platform.|

+|vmMetadata|[microsoft.graph.security.vmMetadata](../resources/security-vmmetadata.md)|Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running.|

+### defenderAvStatus values

+| Member | Description |

+| :--| : |

+| notReporting | Defender AntiMalware engine is not reporting. |

+| disabled | Defender AntiMalware engine has been disabled. |

+| notUpdated | Defender AntiMalware engine is not up to date. |

+| updated | Defender AntiMalware engine is up to date. |

+| unknown | State of Defender AntiMalware engine is unknown. |

+| notSupported | Defender AntiMalware engine is not supported on this platform.|

+| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |

+### deviceHealthStatus values

+| Member | Description |

+| :--| : |

+| active | Device is active and reporting to all channels. |

+| inactive | Device is not reporting to any channel. |

+| impairedCommunication | Device is not connected to the CnC. |

+| noSensorData | Device is not sending telemetry. |

+| noSensorDataImpairedCommunication | Device is not connected to the CnC and not sending telemetry. |

+| unknown | Device state is unknown |

+| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |

+### deviceRiskScore values

+| Member | Description |

+| :--| : |

+| none | There are no alerts related to this device. |

+| informational | Device only has 'informational' level alerts. |

+| low | Device only has 'low' or 'informational' alerts. |

+| medium | Device has 'medium' or lower severity alerts. |

+| high | Device has 'high' severity alerts and is at risk. |

+| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |

+### onboardingStatus values

+| Member | Description |

+| :--| : |

+| unknown | Unknown onboarding status |

+| insufficientInfo | Onboarding status cannot be determined. |

+| onboarded | Device is onboarded to service. |

+| canBeOnboarded | Device is eligible to be onboarded to service. |

+| unsupported | Device is not supported by service. |

+| unknownFutureValue | unknownFutureValue for evolvable enums pattern.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.deviceEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.deviceEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "firstSeenDateTime": "String (timestamp)",

+ "mdeDeviceId": "String",

+ "azureAdDeviceId": "String",

+ "deviceDnsName": "String",

+ "osPlatform": "String",

+ "osBuild": "Integer",

+ "version": "String",

+ "rbacGroupId": "Integer",

+ "rbacGroupName": "String",

+ "healthStatus": "String",

+ "riskScore": "String",

+ "onboardingStatus": "String",

+ "defenderAvStatus": "String",

+ "vmMetadata": {

+ "@odata.type": "microsoft.graph.security.vmMetadata"

+ },

+ "loggedOnUsers": [

+ {

+ "@odata.type": "microsoft.graph.security.loggedOnUser"

+ }

+ ]

+}

+```

+ Title: "emailSender resource type"

+description: "Email sender common properties."

+ms.localizationpriority: medium

+# emailSender resource type

+Namespace: microsoft.graph.security

+Email sender common properties.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The name of the sender.|

+|domainName|String|Sender domain.|

+|emailAddress|String|Sender email address.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.emailSender"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.emailSender",

+ "emailAddress": "String",

+ "displayName": "String",

+ "domainName": "String"

+}

+```

+ Title: "fileDetails resource type"

+description: "File common properties."

+ms.localizationpriority: medium

+# fileDetails resource type

+Namespace: microsoft.graph.security

+File common properties.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|fileName|String|The name of the file.|

+|filePath|String|The file path (location) of the file instance. |

+|filePublisher|String|The publisher of the file.|

+|fileSize|Int64|The size of the file in bytes.|

+|issuer|String|The certificate authority (CA) that issued the certificate.|

+|sha1|String|The Sha1 cryptographic hash of the file content.|

+|sha256|String|The Sha256 cryptographic hash of the file content.|

+|signer|String|The signer of the signed file.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.fileDetails"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.fileDetails",

+ "sha1": "String",

+ "sha256": "String",

+ "fileName": "String",

+ "filePath": "String",

+ "fileSize": "Integer",

+ "filePublisher": "String",

+ "signer": "String",

+ "issuer": "String"

+}

+```

+ Title: "fileEvidence resource type"

+description: "A file that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# fileEvidence resource type

+Namespace: microsoft.graph.security

+A file that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|detectionStatus|microsoft.graph.security.detectionStatus|The status of the detection.The possible values are: `detected`, `blocked`, `prevented`, `unknownFutureValue`.|

+|fileDetails|[microsoft.graph.security.fileDetails](../resources/security-filedetails.md)|The file details.|

+|mdeDeviceId|String|A unique identifier assigned to a device by Microsoft Defender for Endpoint.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.fileEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.fileEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "fileDetails": {

+ "@odata.type": "microsoft.graph.security.fileDetails"

+ },

+ "detectionStatus": "String",

+ "mdeDeviceId": "String"

+}

+```

+ Title: "huntingQueryResults resource type"

+description: "The results of the hunting query API"

+ms.localizationpriority: medium

+# huntingQueryResults resource type

+Namespace: microsoft.graph.security

+The results of running a [query for advanced hunting](../api/security-security-runhuntingquery.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|schema|[microsoft.graph.security.singlePropertySchema](../resources/security-singlepropertyschema.md) collection|The schema for the response.|

+|results|[microsoft.graph.security.huntingRowResult](../resources/security-huntingrowresult.md) collection|The results of the hunting query.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.huntingQueryResults"

+}

+-->

+``` json

+{

+ "schema": [{"@odata.type": "microsoft.graph.security.singlePropertySchema"}],

+ "results": [{"@odata.type": "microsoft.graph.security.huntingRowResult"}]

+}

+```

+ Title: "huntingRowResult resource type"

+description: "One row results of hunting query API"

+ms.localizationpriority: medium

+# huntingRowResult resource type

+Namespace: microsoft.graph.security

+Represents a row of the [results](../resources/security-huntingqueryresults.md) from running an [advanced hunting query](../api/security-security-runhuntingquery.md).

+The content of the results is depended on the submitted KQL query, see [KQL quick reference](/azure/data-explorer/kql-quick-reference).

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.huntingRowResult",

+ "openType": true

+}

+-->

+``` json

+{

+}

+```

+ Title: "incident resource type"

+description: "An incident in Microsoft 365 Defender is a collection of correlated alerts and associated metadata that reflects the story of an attack."

+ms.localizationpriority: medium

+# incident resource type

+Namespace: microsoft.graph.security

+An incident in Microsoft 365 Defender is a collection of correlated [alert](../resources/security-alert.md) instances and associated metadata that reflects the story of an attack in a tenant.

+Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.

+Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.

+## Methods

+|Method|Return type|Description|

+|:|:|:|

+|[List incidents](../api/security-list-incidents.md)|[microsoft.graph.security.incident](../resources/security-incident.md) collection|Get a list of [incident](../resources/security-incident.md) objects that Microsoft 365 Defender has created to track attacks in an organization.|

+|[Get incident](../api/security-incident-get.md)|[microsoft.graph.security.incident](../resources/security-incident.md)|Read the properties and relationships of an [incident](../resources/security-incident.md) object.|

+|[Update incident](../api/security-incident-update.md)|[microsoft.graph.security.incident](../resources/security-incident.md)|Update the properties of an [incident](../resources/security-incident.md) object.|

+|[Create comment for incident](../api/security-incident-post-comments.md)| [alertComment](../resources/security-alertcomment.md) | Create a comment for an existing [incident](../resources/security-incident.md) based on the specified incident **id** property.|

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|id|String|Unique identifier to represent the incident.|

+|displayName|String|The incident name.|

+|assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.|

+|classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|

+|comments|[microsoft.graph.security.alertComment](security-alertcomment.md) collection|Array of comments created by the Security Operations (SecOps) team when the incident is managed.|

+|createdDateTime|DateTimeOffset|Time when the incident was first created.|

+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|

+|tenantId|String|The Azure Active Directory tenant in which the alert was created.|

+|incidentWebUrl|String|The URL for the incident page in the Microsoft 365 Defender portal.|

+|lastUpdateDateTime|DateTimeOffset|Time when the incident was last updated.|

+|redirectIncidentId|String|Only populated in case an incident is grouped together with another incident, as part of the logic that processes incidents. In such a case, the **status** property is `redirected`. |

+|severity|alertSeverity|Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.|

+|status|[microsoft.graph.security.incidentStatus](#incidentstatus-values)|The status of the incident. Possible values are: `active`, `resolved`, `redirected`, `unknownFutureValue`.|

+|customTags|String collection|Array of custom tags associated with an incident.|

+### incidentStatus values

+| Member | Description |

+| :-| :-- |

+| active | The incident is in active state. |

+| resolved | The incident is in resolved state. |

+| redirected | The incident was merged with another incident. The target incident ID appears in the **redirectIncidentId** property. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |

+## Relationships

+|Relationship|Type|Description|

+|:|:|:|

+|alerts|[microsoft.graph.security.alert](security-alert.md) collection|The list of related alerts. Supports `$expand`.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "keyProperty": "id",

+ "@odata.type": "microsoft.graph.security.incident",

+ "baseType": "microsoft.graph.entity",

+ "openType": false

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.incident",

+ "id": "String (identifier)",

+ "incidentWebUrl": "String",

+ "tenantId": "String",

+ "redirectIncidentId": "String",

+ "displayName": "String",

+ "createdDateTime": "String (timestamp)",

+ "lastUpdateDateTime": "String (timestamp)",

+ "assignedTo": "String",

+ "classification": "String",

+ "determination": "String",

+ "status": "String",

+ "severity": "String",

+ "customTags": [

+ "String"

+ ],

+ "comments": [

+ {

+ "@odata.type": "microsoft.graph.security.alertComment"

+ }

+ ]

+}

+```

+<!--

+{

+ "type": "#page.annotation",

+ "namespace": "microsoft.graph.security"

+}

+-->

+ Title: "ipEvidence resource type"

+description: "An IP Address that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# ipEvidence resource type

+Namespace: microsoft.graph.security

+An IP Address that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|ipAddress|String|The value of the IP Address, can be either in V4 address or V6 address format.|

+|countryLetterCode|String|The two-letter country code according to ISO 3166 format, for example: `US`, `UK`, `CA`, etc..).|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.ipEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.ipEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "ipAddress": "String",

+ "countryLetterCode": "String"

+}

+```

+ Title: "loggedOnUser resource type"

+description: "User that was loggen on the machine during the time of the alert."

+ms.localizationpriority: medium

+# loggedOnUser resource type

+Namespace: microsoft.graph.security

+User that was loggen on the machine during the time of the alert.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|accountName|String|User account name of the logged-on user.|

+|domainName|String|User account domain of the logged-on user.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.loggedOnUser"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.loggedOnUser",

+ "accountName": "String",

+ "domainName": "String"

+}

+```

+ Title: "mailboxEvidence resource type"

+description: "A mailbox that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# mailboxEvidence resource type

+Namespace: microsoft.graph.security

+A mailbox that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The name associated with the mailbox.|

+|primaryAddress|String|The primary email address of the mailbox.|

+|userAccount|[microsoft.graph.security.userAccount](../resources/security-useraccount.md)|The user account of the mailbox.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.mailboxEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.mailboxEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "primaryAddress": "String",

+ "displayName": "String",

+ "userAccount": {

+ "@odata.type": "microsoft.graph.security.userAccount"

+ }

+}

+```

+ Title: "mailClusterEvidence resource type"

+description: "A mail cluster that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# mailClusterEvidence resource type

+Namespace: microsoft.graph.security

+A group or cluster of emails that is created or identified based on a machine learning or AI model in relation to a malicious email that is reported in the alert as evidence.

+The mail cluster is suspicious and the emails may be malicious and if so are expected to be remediated.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|clusterBy|String|The clustering logic of the emails inside the cluster.|

+|clusterByValue|String|The value utilized to cluster the similar emails.|

+|emailCount|Int64|Count of emails in the email cluster.|

+|networkMessageIds|String collection|Unique identifiers for the emails in the cluster, generated by Microsoft 365.|

+|query|String|The query used to identify the email cluster.|

+|urn|String|Uniform resource name (URN) of the automated investigation where the cluster was identified.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.mailClusterEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.mailClusterEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "clusterBy": "String",

+ "clusterByValue": "String",

+ "query": "String",

+ "urn": "String",

+ "emailCount": "Integer",

+ "networkMessageIds": [

+ "String"

+ ]

+}

+```

+ Title: "oauthApplicationEvidence resource type"

+description: "An OAuth application that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# oauthApplicationEvidence resource type

+Namespace: microsoft.graph.security

+An OAuth application that is reported in the alert.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|appId|String|Unique identifier of the application.|

+|displayName|String|Name of the application.|

+|objectId|String|The unique identifier of the application object in Azure AD.|

+|publisher|String|The name of the application publisher.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.oauthApplicationEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.oauthApplicationEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "appId": "String",

+ "displayName": "String",

+ "objectId": "String",

+ "publisher": "String"

+}

+```

+ Title: "processEvidence resource type"

+description: "A process that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# processEvidence resource type

+Namespace: microsoft.graph.security

+A process that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|detectionStatus|microsoft.graph.security.detectionStatus|The status of the detection.The possible values are: `detected`, `blocked`, `prevented`, `unknownFutureValue`.|

+|imageFile|[microsoft.graph.security.fileDetails](../resources/security-filedetails.md)|Image file details.|

+|mdeDeviceId|String|A unique identifier assigned to a device by Microsoft Defender for Endpoint.|

+|parentProcessCreationDateTime|DateTimeOffset|Date and time when the parent of the process was created.|

+|parentProcessId|Int64|Process ID (PID) of the parent process that spawned the process.|

+|parentProcessImageFile|[microsoft.graph.security.fileDetails](../resources/security-filedetails.md)|Parent process image file details.|

+|processCommandLine|String|Command line used to create the new process.|

+|processCreationDateTime|DateTimeOffset|Date and time the process was created.|

+|processId|Int64|Process ID (PID) of the newly created process.|

+|userAccount|[microsoft.graph.security.userAccount](../resources/security-useraccount.md)|User details of the user that ran the process.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.processEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.processEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "processId": "Integer",

+ "parentProcessId": "Integer",

+ "processCommandLine": "String",

+ "processCreationDateTime": "String (timestamp)",

+ "parentProcessCreationDateTime": "String (timestamp)",

+ "detectionStatus": "String",

+ "mdeDeviceId": "String",

+ "imageFile": {

+ "@odata.type": "microsoft.graph.security.fileDetails"

+ },

+ "parentProcessImageFile": {

+ "@odata.type": "microsoft.graph.security.fileDetails"

+ },

+ "userAccount": {

+ "@odata.type": "microsoft.graph.security.userAccount"

+ }

+}

+```

+ Title: "registryKeyEvidence resource type"

+description: "A registry key that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# registryKeyEvidence resource type

+Namespace: microsoft.graph.security

+A registry key that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|registryHive|String|Registry hive of the key that the recorded action was applied to.|

+|registryKey|String|Registry key that the recorded action was applied to.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.registryKeyEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "registryKey": "String",

+ "registryHive": "String"

+}

+```

+ Title: "registryValueEvidence resource type"

+description: "A registry value that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# registryValueEvidence resource type

+Namespace: microsoft.graph.security

+A registry value that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|registryHive|String|Registry hive of the key that the recorded action was applied to.|

+|registryKey|String|Registry key that the recorded action was applied to.|

+|registryValue|String|Data of the registry value that the recorded action was applied to.|

+|registryValueName|String|Name of the registry value that the recorded action was applied to.|

+|registryValueType|String|Data type, such as binary or string, of the registry value that the recorded action was applied to.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.registryValueEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.registryValueEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "registryKey": "String",

+ "registryHive": "String",

+ "registryValue": "String",

+ "registryValueName": "String",

+ "registryValueType": "String"

+}

+```

+ Title: "securityGroupEvidence resource type"

+description: "A security group that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# securityGroupEvidence resource type

+Namespace: microsoft.graph.security

+A security group that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|displayName|String|The name of the security group.|

+|securityGroupId|String|Unique identifier of the security group.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.securityGroupEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.securityGroupEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "securityGroupId": "String",

+ "displayName": "String"

+}

+```

+ Title: "singlePropertySchema resource type"

+description: "The schema of one property from the results of hunting query API"

+ms.localizationpriority: medium

+# singlePropertySchema resource type

+Namespace: microsoft.graph.security

+The schema of one property in the results of running an [advanced hunting query](../api/security-security-runhuntingquery.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|name|String|The name of the property.|

+|type|String|The type of the property.|

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.singlePropertySchema"

+}

+-->

+``` json

+{

+ "Name": "Timestamp",

+ "Type": "DateTime"

+}

+```

+ Title: "urlEvidence resource type"

+description: "A url that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# urlEvidence resource type

+Namespace: microsoft.graph.security

+A URL that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|url|String|The Unique Resource Locator (URL).|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.urlEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.urlEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "url": "String"

+}

+```

+ Title: "userAccount resource type"

+description: "User account common properties."

+ms.localizationpriority: medium

+# userAccount resource type

+Namespace: microsoft.graph.security

+User account common properties.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|accountName|String|The user account's displayed name.|

+|azureAdUserId|String|The user object identifier in Azure AD.|

+|domainName|String|The name of the Active Directory domain of which the user is a member.|

+|userPrincipalName|String|The user principal name of the account in Azure AD.|

+|userSid|String|The local security identifier of the user account.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.userAccount"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.userAccount",

+ "accountName": "String",

+ "domainName": "String",

+ "userSid": "String",

+ "azureAdUserId": "String",

+ "userPrincipalName": "String"

+}

+```

+ Title: "userEvidence resource type"

+description: "A user that is reported in the alert as evidence."

+ms.localizationpriority: medium

+# userEvidence resource type

+Namespace: microsoft.graph.security

+A user that is reported in the alert as evidence.

+Inherits from [alertEvidence](../resources/security-alertevidence.md).

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|userAccount|[microsoft.graph.security.userAccount](../resources/security-useraccount.md)|The user account details.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.userEvidence"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.userEvidence",

+ "createdDateTime": "String (timestamp)",

+ "verdict": "String",

+ "remediationStatus": "String",

+ "remediationStatusDetails": "String",

+ "roles": [

+ "String"

+ ],

+ "tags": [

+ "String"

+ ],

+ "userAccount": {

+ "@odata.type": "microsoft.graph.security.userAccount"

+ }

+}

+```

+ Title: "vmMetadata resource type"

+description: "Metadata of the Virtual Machine (VM) Microsoft Defender for Endpoint is running on."

+ms.localizationpriority: medium

+# vmMetadata resource type

+Namespace: microsoft.graph.security

+Metadata of the virtual machine (VM) Microsoft Defender for Endpoint is running on.

+## Properties

+|Property|Type|Description|

+|:|:|:|

+|cloudProvider|[microsoft.graph.security.vmCloudProvider](#vmcloudprovider-values)|The cloud provider hosting the virtual machine. The possible values are: `unknown`, `azure`, `unknownFutureValue`.|

+|resourceId|String|Unique identifier of the Azure resource.|

+|subscriptionId|String|Unique identifier of the Azure subscription the customer tenant belongs to.|

+|vmId|String|Unique identifier of the virtual machine instance.|

+### vmCloudProvider values

+| Member | Description |

+| :--| : |

+| unknown | Unknown provider. |

+| azure | The virtual machine is hosted in the Microsoft Azure cloud. |

+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use.|

+## Relationships

+None.

+## JSON representation

+The following is a JSON representation of the resource.

+<!-- {

+ "blockType": "resource",

+ "@odata.type": "microsoft.graph.security.vmMetadata"

+}

+-->

+``` json

+{

+ "@odata.type": "#microsoft.graph.security.vmMetadata",

+ "vmId": "String",

+ "cloudProvider": "String",

+ "resourceId": "String",

+ "subscriptionId": "String"

+}

+```

+|[runHuntingQuery](../api/security-security-runhuntingquery.md)|[microsoft.graph.security.huntingQueryResults](../resources/security-huntingqueryresults.md)|Queries a specified set of event, activity, or entity data supported by Microsoft 365 Defender to proactively look for specific threats in your environment.|

+|alerts_v2 | [microsoft.graph.security.alert](security-alert.md) collection | A collection of alerts in Microsoft 365 Defender.|

+|incidents | [microsoft.graph.security.incident](security-incident.md) collection | A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack.|

+| Property | Type | Description |

+||||

+| applicationId | String | Optional. Identifier of the application used to create the subscription. Read-only. |

+| changeType | String | Required. Indicates the type of change in the subscribed resource that will raise a change notification. The supported values are: `created`, `updated`, `deleted`. Multiple values can be combined using a comma-separated list. <br><br>**Note:** <li> Drive root item and list change notifications support only the `updated` changeType. <li>[User](../resources/user.md) and [group](../resources/user.md) change notifications support `updated` and `deleted` changeType. Use `updated` to receive notifications when user or group is created, updated or soft deleted. Use `deleted` to receive notifications when user or group is permanently deleted. |

+| clientState | String | Optional. Specifies the value of the `clientState` property sent by the service in each change notification. The maximum length is 128 characters. The client can check that the change notification came from the service by comparing the value of the `clientState` property sent with the subscription with the value of the `clientState` property received with each change notification. |

+| creatorId | String | Optional. Identifier of the user or service principal that created the subscription. If the app used delegated permissions to create the subscription, this field contains the id of the signed-in user the app called on behalf of. If the app used application permissions, this field contains the id of the service principal corresponding to the app. Read-only. |

+| encryptionCertificate | String | Optional. A base64-encoded representation of a certificate with a public key used to encrypt resource data in change notifications. Optional but required when **includeResourceData** is `true`. |

+| encryptionCertificateId | String | Optional. A custom app-provided identifier to help identify the certificate needed to decrypt resource data. |

+| expirationDateTime | DateTimeOffset | Required. Specifies the date and time when the webhook subscription expires. The time is in UTC, and can be an amount of time from subscription creation that varies for the resource subscribed to. For the maximum supported subscription length of time, see [the table below](#maximum-length-of-subscription-per-resource-type). |

+| id | String | Optional. Unique identifier for the subscription. Read-only. |

+| includeResourceData | Boolean | Optional. When set to `true`, change notifications [include resource data](/graph/webhooks-with-resource-data) (such as content of a chat message). |

+| latestSupportedTlsVersion | String | Optional. Specifies the latest version of Transport Layer Security (TLS) that the notification endpoint, specified by **notificationUrl**, supports. The possible values are: `v1_0`, `v1_1`, `v1_2`, `v1_3`. </br></br>For subscribers whose notification endpoint supports a version lower than the currently recommended version (TLS 1.2), specifying this property by a set [timeline](https://developer.microsoft.com/graph/blogs/microsoft-graph-subscriptions-deprecating-tls-1-0-and-1-1/) allows them to temporarily use their deprecated version of TLS before completing their upgrade to TLS 1.2. For these subscribers, not setting this property per the timeline would result in subscription operations failing. </br></br>For subscribers whose notification endpoint already supports TLS 1.2, setting this property is optional. In such cases, Microsoft Graph defaults the property to `v1_2`. |

+| lifecycleNotificationUrl | String | Optional. The URL of the endpoint that receives lifecycle notifications, including `subscriptionRemoved`, `reauthorizationRequired`, and `missed` notifications. This URL must make use of the HTTPS protocol. |

+| notificationQueryOptions | String | Optional. OData query options for specifying value for the targeting resource. Clients receive notifications when resource reaches the state matching the query options provided here. With this new property in the subscription creation payload along with all existing properties, Webhooks will deliver notifications whenever a resource reaches the desired state mentioned in the notificationQueryOptions property. For example, when the print job is completed or when a print job resource `isFetchable` property value becomes `true` etc. <br/><br/> Supported only for Universal Print Service. For more information, see [Subscribe to change notifications from cloud printing APIs using Microsoft Graph](/graph/universal-print-webhook-notifications). |

+| notificationUrl | String | Required. The URL of the endpoint that will receive the change notifications. This URL must make use of the HTTPS protocol. |

+| notificationUrlAppId | String | Optional. The app ID that the subscription service can use to generate the validation token. This allows the client to validate the authenticity of the notification received. |

+| resource | String | Required. Specifies the resource that will be monitored for changes. Do not include the base URL (`https://graph.microsoft.com/v1.0/`). See the possible resource path [values](webhooks.md) for each supported resource. |

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+- [subscription resource type](./subscription.md)

+- [Training module: Use change notifications and track changes with Microsoft Graph](/training/modules/msgraph-changenotifications-trackchanges)

+- [Lifecycle notifications](/graph/webhooks-lifecycle.md)

+<!-- Links -->

+[todoTask]: ./todotask.md

+|includeTargets|[authenticationMethodTarget](../resources/authenticationmethodtarget.md) collection|A collection of groups that are enabled to use the authentication method.|

+ - name: Subscribed SKU

+ href: resources/subscribedsku.md

+ items:

+ - name: List subscribedSkus

+ href: api/subscribedsku-list.md

+ - name: Get subscribedSku

+ href: api/subscribedsku-get.md

+ - name: Advanced hunting

+ items:

+ - name: Run hunting query

+ href: api/security-security-runhuntingquery.md

+ - name: Hunting query results

+ href: resources/security-huntingqueryresults.md

+ - name: Hunting row result

+ href: resources/security-huntingrowresult.md

+ - name: Single property schema

+ href: resources/security-singlepropertyschema.md

+ - name: Alerts and incidents

+ items:

+ - name: Alert

+ items:

+ - name: Alert

+ href: resources/security-alert.md

+ - name: List alerts

+ href: api/security-list-alerts_v2.md

+ - name: Get alert

+ href: api/security-alert-get.md

+ - name: Update alert

+ href: api/security-alert-update.md

+ - name: Create comment for alert

+ href: api/security-alert-post-comments.md

+ - name: Alert evidence

+ items:

+ - name: Alert evidence

+ href: resources/security-alertevidence.md

+ - name: Analyzed message evidence

+ href: resources/security-analyzedMessageEvidence.md

+ - name: Cloud application evidence

+ href: resources/security-cloudApplicationEvidence.md

+ - name: Device evidence

+ href: resources/security-deviceEvidence.md

+ - name: File evidence

+ href: resources/security-fileEvidence.md

+ - name: IP evidence

+ href: resources/security-ipEvidence.md

+ - name: Mailbox evidence

+ href: resources/security-mailboxEvidence.md

+ - name: Mail cluster evidence

+ href: resources/security-mailClusterEvidence.md

+ - name: OAuth application evidence

+ href: resources/security-oauthApplicationEvidence.md

+ - name: Process evidence

+ href: resources/security-processEvidence.md

+ - name: Registry key evidence

+ href: resources/security-registryKeyEvidence.md

+ - name: Registry value evidence

+ href: resources/security-registryValueEvidence.md

+ - name: Security group evidence

+ href: resources/security-securityGroupEvidence.md

+ - name: URL evidence

+ href: resources/security-urlEvidence.md

+ - name: User evidence

+ href: resources/security-userEvidence.md

+ - name: Incident

+ items:

+ - name: Incident

+ href: resources/security-incident.md

+ - name: List incidents

+ href: api/security-list-incidents.md

+ - name: Get incident

+ href: api/security-incident-get.md

+ - name: Update incident

+ href: api/security-incident-update.md

+ - name: Create comment for incident

+ href: api/security-incident-post-comments.md

+ - name: Legacy alert

+ items:

+ - name: Alert

+ href: resources/alert.md

+ - name: List alerts

+ href: api/alert-list.md

+ - name: Get alert

+ href: api/alert-get.md

+ - name: Update alert

+ href: api/alert-update.md