Updates from: 08/19/2022 01:20:00
Service Microsoft Docs article Related commit history on GitHub Change details
v1.0 Accessreviewhistoryinstance Generatedownloaduri https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/accessreviewhistoryinstance-generatedownloaduri.md
POST https://graph.microsoft.com/beta/identityGovernance/accessReviews/historyDe
[!INCLUDE [sample-code](../includes/snippets/go/accessreviewhistoryinstance-generatedownloaduri-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/accessreviewhistoryinstance-generatedownloaduri-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 B2cidentityuserflow Delete Userflowidentityproviders https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/b2cidentityuserflow-delete-userflowidentityproviders.md
DELETE https://graph.microsoft.com/beta/identity/b2cUserFlows/B2C_test_signin_si
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [Go](#tab/go)
-
-# [PowerShell](#tab/powershell)
-
-# [PHP](#tab/php)
-
v1.0 B2xidentityuserflow Delete Userflowidentityproviders https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/b2xidentityuserflow-delete-userflowidentityproviders.md
DELETE https://graph.microsoft.com/beta/identity/b2xUserFlows/{userflow-id}/user
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [Go](#tab/go)
-
-# [PowerShell](#tab/powershell)
-
-# [PHP](#tab/php)
-
v1.0 Basetask List Checklistitems https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/basetask-list-checklistitems.md
GET https://graph.microsoft.com/beta/me/tasks/lists/AAMkADliMmU5YjJlLTVmMmQtNGQz
[!INCLUDE [sample-code](../includes/snippets/go/list-checklistitem-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-checklistitem-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Basetask Post Checklistitems https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/basetask-post-checklistitems.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-checklistitem-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-checklistitem-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Call Transfer https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/call-transfer.md
Content-Length: 430
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php)
v1.0 Cloudpc Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpc-get.md
Content-Type: application/json
The following is an example of a request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "user_get_cloudpc_default_properties"
The following is an example of a request.
GET https://graph.microsoft.com/beta/me/cloudPCs/36bd4942-0ca8-11ed-861d-0242ac120002 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response The following is an example of the response.
v1.0 Cloudpc Getcloudpcconnectivityhistory https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpc-getcloudpcconnectivityhistory.md
If successful, this method returns a `200 OK` response code and a [cloudPcConnec
The following is an example of a request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "cloudpc.getCloudPcConnectivityHistory"
The following is an example of a request.
GET https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs/{id}/getCloudPcConnectivityHistory ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response The following is an example of the response.
v1.0 Cloudpc Reboot https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpc-reboot.md
HTTP/1.1 204 No Content
#### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "user_reboot_cloudpc"
HTTP/1.1 204 No Content
POST https://graph.microsoft.com/beta/me/cloudPCs/36bd4942-0ca8-11ed-861d-0242ac120002/reboot ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response <!-- {
v1.0 Cloudpc Rename https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpc-rename.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
HTTP/1.1 204 No Content
#### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "user_rename_cloudpc"
HTTP/1.1 204 No Content
POST https://graph.microsoft.com/beta/me/cloudPCs/36bd4942-0ca8-11ed-861d-0242ac120002/rename ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response <!-- {
v1.0 Cloudpc Reprovision https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpc-reprovision.md
HTTP/1.1 204 No Content
#### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "user_cloudpc_reprovision"
HTTP/1.1 204 No Content
POST https://graph.microsoft.com/beta/me/cloudPCs/36bd4942-0ca8-11ed-861d-0242ac120002/reprovision ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response <!-- {
v1.0 Cloudpc Troubleshoot https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpc-troubleshoot.md
HTTP/1.1 204 No Content
#### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "user_troubleshoot_cloudpc"
HTTP/1.1 204 No Content
POST https://graph.microsoft.com/beta/me/cloudPCs/36bd4942-0ca8-11ed-861d-0242ac120002/troubleshoot ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response <!-- {
POST https://graph.microsoft.com/beta/me/cloudPCs/36bd4942-0ca8-11ed-861d-0242ac
``` http HTTP/1.1 204 No Content
-```
+```
v1.0 Cloudpcorganizationsettings Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/cloudpcorganizationsettings-update.md
Content-length: 127
} ```
-# [C#](#tab/csharp)
- # [JavaScript](#tab/javascript) [!INCLUDE [sample-code](../includes/snippets/javascript/update-cloudpcorganizationsettings-javascript-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Contenttype Ispublished https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/contenttype-ispublished.md
-+ Title: "contentType: isPublished" description: "Check the publishing status of a content type in a content type hub site." ms.localizationpriority: medium
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:| |Delegated (work or school account) | Sites.FullControl.All |
-|Delegated (personal Microsoft account) | Not Supported |
+|Delegated (personal Microsoft account) | Not supported. |
|Application | Sites.FullControl.All | ## HTTP request
GET /sites/{siteId}/contentTypes/{contentTypeId}/isPublished
|Authorization|Bearer {token}. Required.| ## Response
-If successful, this call returns a `200 OK` response and a boolean value that specifies the publishing state of the content type.
+If successful, this method returns a `200 OK` response code and a Boolean value that specifies the publishing state of the content type.
## Request body Do not supply a request body for this method.
Do not supply a request body for this method.
### Request
+The following is an example of a request.
+ # [HTTP](#tab/http) <!-- { "blockType": "request",
GET https://graph.microsoft.com/beta/sites/{siteId}/contentTypes/{contentTypeId}
### Response+
+The following is an example of the response.
+ <!-- { "blockType": "response", "truncated": true,
v1.0 Directoryobject Getbyids https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/directoryobject-getbyids.md
POST https://graph.microsoft.com/beta/directoryObjects/getByIds
Content-type: application/json {
- "ids":["84b80893-8749-40a3-97b7-68513b600544","5d6059b6-368d-45f8-91e1-8e07d485f1d0"],
- "types":["user"]
+ "ids": [
+ "84b80893-8749-40a3-97b7-68513b600544",
+ "5d6059b6-368d-45f8-91e1-8e07d485f1d0",
+ "0b944de3-e0fc-4774-a49a-b135213725ef",
+ "b75a5ab2-fe55-4463-bd31-d21ad555c6e0"
+ ],
+ "types": [
+ "user",
+ "group",
+ "device"
+ ]
} ```
Content-type: application/json
}, { "@odata.type": "#microsoft.graph.user",
- "id": "84b80893-8749-40a3-97b7-68513b600544",
+ "id": "5d6059b6-368d-45f8-91e1-8e07d485f1d0",
"accountEnabled": true, "displayName": "Billy Smith"
+ },
+ {
+ "@odata.type": "#microsoft.graph.group",
+ "id": "0b944de3-e0fc-4774-a49a-b135213725ef",
+ "description": "Pineview School Staff",
+ "groupTypes": [
+ "Unified"
+ ]
+ },
+ {
+ "@odata.type": "#microsoft.graph.device",
+ "id": "b75a5ab2-fe55-4463-bd31-d21ad555c6e0",
+ "dipslayName": "e8ba4e98c000002",
+ "deviceId": "4c299165-6e8f-4b45-a5ba-c5d250a707ff"
} ] }
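Review bot: the device entry added to the sample response spells its property `"dipslayName"`, while the user entry in the same response uses `"displayName"`. This should read `"displayName": "e8ba4e98c000002"`, otherwise anyone building a parser or a test fixture from this sample will key on a property name that the rest of the response does not use.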
v1.0 Driveitem Delta https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/driveitem-delta.md
GET https://graph.microsoft.com/beta/me/drive/root/delta
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
GET https://graph.microsoft.com/beta/me/drive/root/delta(token='1230919asd190410
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
GET /me/drive/root/delta?token=latest
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
GET /me/drive/root/delta?token=2021-09-29T20%3A00%3A00Z
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
v1.0 Ediscovery Casesettings Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/ediscovery-casesettings-update.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
v1.0 Ediscovery Noncustodialdatasource List Datasource https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/ediscovery-noncustodialdatasource-list-datasource.md
GET https://graph.microsoft.com/beta/compliance/ediscovery/cases/5b840b94-f821-4
[!INCLUDE [sample-code](../includes/snippets/go/list-datasource-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-datasource-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Educationclass List Assignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/educationclass-list-assignments.md
GET https://graph.microsoft.com/beta/education/classes/72a7baec-c3e9-4213-a850-f
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php)
v1.0 Emailauthenticationmethod Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/emailauthenticationmethod-update.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/update-emailauthenticationmethod-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/update-emailauthenticationmethod-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Identityprovider List Availableprovidertypes https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/identityprovider-list-availableprovidertypes.md
GET https://graph.microsoft.com/beta/identityProviders/availableProviderTypes
[!INCLUDE [sample-code](../includes/snippets/go/identityprovider-availableprovidertypes-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/identityprovider-availableprovidertypes-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Identityprovider Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/identityprovider-update.md
Content-type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/update-identityprovider-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/update-identityprovider-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
Content-type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/update-openidconnectprovider-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/update-openidconnectprovider-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Identityproviderbase Availableprovidertypes https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/identityproviderbase-availableprovidertypes.md
GET https://graph.microsoft.com/beta/identity/identityProviders/availableProvide
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php)
v1.0 Identityproviderbase Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/identityproviderbase-update.md
Content-type: application/json
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php)
v1.0 List List Operations https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/list-list-operations.md
GET https://graph.microsoft.com/beta/sites/{siteId}/lists/{listId}
[!INCLUDE [sample-code](../includes/snippets/go/list-richlongrunningoperation-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-richlongrunningoperation-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Listitem Delta https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/listitem-delta.md
GET /sites/contoso.sharepoint.com,2C712604-1370-44E7-A1F5-426573FDA80A,2D2244C3-
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [Go](#tab/go) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Mailfolder Post Childfolders https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/mailfolder-post-childfolders.md
Content-type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-mailfolder-from-mailfolder-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-mailfolder-from-mailfolder-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Phoneauthenticationmethod Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/phoneauthenticationmethod-update.md
Content-type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/update-phoneauthenticationmethod-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/update-phoneauthenticationmethod-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Place Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/place-get.md
Content-type: application/json
The following example specifies the **id** of a **workspace** to get its properties. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "sampleKeys": ["3162F1E1-C4C0-604B-51D8-91DA78989EB1"], "name": "get_workspace" }-->
-```http
+```msgraph-interactive
GET https://graph.microsoft.com/beta/places/3162F1E1-C4C0-604B-51D8-91DA78989EB1 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response The following is an example of the response.
v1.0 Place List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/place-list.md
Content-type: application/json
The following example shows how to get all the [workspaces](../resources/workspace.md) objects in the tenant. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_all_workspaces" }-->
-```http
+```msgraph-interactive
GET https://graph.microsoft.com/beta/places/microsoft.graph.workspace ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response The following is an example of the response.
v1.0 Place Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/place-update.md
The following is an example of the request.
+
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "sampleKeys": ["ws100@contoso.com"],
Content-type: application/json
} ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response
v1.0 Plannertask Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/plannertask-get.md
GET https://graph.microsoft.com/beta/planner/tasks/01gzSlKkIUSUl6DF_EilrmQAKDhh
[!INCLUDE [sample-code](../includes/snippets/go/get-plannertask-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/get-plannertask-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Print Update Settings https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/print-update-settings.md
Content-type: application/json
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+ ##### Response
v1.0 Privilegedrole List Assignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/privilegedrole-list-assignments.md
GET https://graph.microsoft.com/beta/privilegedRoles/{id}/assignments
[!INCLUDE [sample-code](../includes/snippets/go/get-assignments-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/get-assignments-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Alert Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-alert-get.md
+
+ Title: "Get alert"
+description: "Retrieve the properties and relationships of an security alert object."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# Get alert
+Namespace: microsoft.graph.security
++
+Get the properties and relationships of an [alert](../resources/security-alert.md) in an organization based on the specified alert **id** property.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /security/alerts_v2/{alertId}
+```
++
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [alert](../resources/security-alert.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "sampleKeys": ["da637578995287051192_756343937"],
+ "name": "get_security_alert"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/security/alerts_v2/da637578995287051192_756343937
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.security.alert"
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.security.alert",
+ "id": "da637578995287051192_756343937",
+ "providerAlertId": "da637578995287051192_756343937",
+ "incidentId": "28282",
+ "status": "new",
+ "severity": "low",
+ "classification": "unknown",
+ "determination": "unknown",
+ "serviceSource": "microsoftDefenderForEndpoint",
+ "detectionSource": "antivirus",
+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "title": "Suspicious execution of hidden file",
+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",
+ "category": "DefenseEvasion",
+ "assignedTo": null,
+ "alertWebUrl": "https://security.microsoft.com/alerts/da637578995287051192_756343937?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "actorDisplayName": null,
+ "threatDisplayName": null,
+ "threatFamilyName": null,
+ "mitreTechniques": [
+ "T1564.001"
+ ],
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
+ "resolvedDateTime": null,
+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",
+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",
+ "comments": [],
+ "evidence": [
+ {
+ "@odata.type": "#microsoft.graph.security.deviceEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "azureAdDeviceId": null,
+ "deviceDnsName": "tempDns",
+ "osPlatform": "Windows10",
+ "osBuild": 22424,
+ "version": "Other",
+ "healthStatus": "active",
+ "riskScore": "medium",
+ "rbacGroupId": 75,
+ "rbacGroupName": "UnassignedGroup",
+ "onboardingStatus": "onboarded",
+ "defenderAvStatus": "unknown",
+ "loggedOnUsers": [],
+ "roles": [
+ "compromised"
+ ],
+ "tags": [
+ "Test Machine"
+ ],
+ "vmMetadata": {
+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",
+ "cloudProvider": "azure",
+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",
+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.fileEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "detectionStatus": "detected",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "roles": [],
+ "tags": [],
+ "fileDetails": {
+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
+ "fileName": "MsSense.exe",
+ "filePath": "C:\\Program Files\\temp",
+ "fileSize": 6136392,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.processEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "processId": 4780,
+ "parentProcessId": 668,
+ "processCommandLine": "\"MsSense.exe\"",
+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",
+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",
+ "detectionStatus": "detected",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "roles": [],
+ "tags": [],
+ "imageFile": {
+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
+ "fileName": "MsSense.exe",
+ "filePath": "C:\\Program Files\\temp",
+ "fileSize": 6136392,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ },
+ "parentProcessImageFile": {
+ "sha1": null,
+ "sha256": null,
+ "fileName": "services.exe",
+ "filePath": "C:\\Windows\\System32",
+ "fileSize": 731744,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ },
+ "userAccount": {
+ "accountName": "SYSTEM",
+ "domainName": "NT AUTHORITY",
+ "userSid": "S-1-5-18",
+ "azureAdUserId": null,
+ "userPrincipalName": null
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",
+ "registryHive": "HKEY_LOCAL_MACHINE",
+ "roles": [],
+ "tags": [],
+ }
+ ]
+}
+```
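Review bot: the sample response body is not valid JSON, because in the final `registryKeyEvidence` object the last member `"tags": [],` keeps a trailing comma directly before the closing `}`. Drop that comma so the example parses when pasted into a client or test fixture. Two smaller points in the same hunk: the `recommendedActions` string carries replacement characters where bullets and an apostrophe were evidently intended (for example `organization�s`), which suggests the file was saved with the wrong encoding, and the front-matter description reads "an security alert" where "a security alert" is meant.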
v1.0 Security Alert Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-alert-update.md
+
+ Title: "Update alert"
+description: "Update the properties of an alert object."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# Update alert
+Namespace: microsoft.graph
++
+Update the properties of an [alert](../resources/security-alert.md) object in an organization based on the specified alert **id** property.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|SecurityAlert.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|SecurityAlert.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+PATCH /security/alerts_v2/{alertId}
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
++
+|Property|Type|Description|
+|:|:|:|
+|status|microsoft.graph.security.alertStatus|The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.|
+|classification|microsoft.graph.security.alertClassification|Specifies the classification of the alert. Possible values are: `unknown`, `falsePositive`, `truePositive`, `benignPositive`, `unknownFutureValue`.|
+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the alert. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|
+|assignedTo|String|Owner of the incident, or null if no owner is assigned.|
++
+## Response
+
+If successful, this method returns a `200 OK` response code and an updated [alert](../resources/security-alert.md) object in the response body.
+
+## Examples
+
+### Request
+The following is an example of a request.
+<!-- {
+ "blockType": "request",
+ "sampleKeys": ["da637551227677560813_-961444813"],
+ "name": "update_alert_v2"
+}
+-->
+``` http
+PATCH https://graph.microsoft.com/beta/security/alerts_v2/da637551227677560813_-961444813
+Content-Type: application/json
+Content-length: 2450
+
+{
+ "assignedTo": "secAdmin@contoso.onmicrosoft.com",
+ "classification": "truePositive",
+ "determination": "malware",
+ "status": "inProgress"
+}
+```
++
+### Response
+The following is an example of the response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "@odata.type": "microsoft.graph.security.alert",
+ "truncated": true
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.security.alert",
+ "id": "da637551227677560813_-961444813",
+ "providerAlertId": "da637551227677560813_-961444813",
+ "incidentId": "28282",
+ "status": "inProgress",
+ "severity": "low",
+ "classification": "truePositive",
+ "determination": "malware",
+ "serviceSource": "microsoftDefenderForEndpoint",
+ "detectionSource": "antivirus",
+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "title": "Suspicious execution of hidden file",
+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",
+ "category": "DefenseEvasion",
+ "assignedTo": "secAdmin@contoso.onmicrosoft.com",
+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "actorDisplayName": null,
+ "threatDisplayName": null,
+ "threatFamilyName": null,
+ "mitreTechniques": [
+ "T1564.001"
+ ],
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
+ "resolvedDateTime": null,
+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",
+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",
+ "comments": [],
+ "evidence": []
+}
+```
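Review bot: the `Namespace: microsoft.graph` line under the title does not match the types this page uses (`microsoft.graph.security.alertStatus`, `#microsoft.graph.security.alert`); it should read `microsoft.graph.security`. In the request body table, `assignedTo` is described as "Owner of the incident" on an alert page, and the sample request declares `Content-length: 2450` for a four-property body, so both look carried over from another page. The `recommendedActions` string in the response also contains replacement characters (`�`) where the bullets and an apostrophe were and should be re-encoded before merge.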
v1.0 Security Ediscoverycase List Noncustodialdatasources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-ediscoverycase-list-noncustodialdatasources.md
GET https://graph.microsoft.com/beta/security/cases/ediscoveryCases/b0073e4e-418
[!INCLUDE [sample-code](../includes/snippets/go/create-ediscoverynoncustodialdatasource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-ediscoverynoncustodialdatasource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
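Review bot: the added `# [PowerShell](#tab/powershell)` heading has no `[!INCLUDE ...]` under it, unlike the PHP tab added on the next line, so it would render as an empty tab. Add the PowerShell snippet include or drop the tab. The PHP include points at `create-ediscoverynoncustodialdatasource-from--php-snippets.md` on a List page, so confirm that is the intended snippet. The empty PowerShell tab recurs in the eDiscovery hunks that follow.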
v1.0 Security Ediscoverycase Post Noncustodialdatasources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-ediscoverycase-post-noncustodialdatasources.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-ediscoverynoncustodialdatasource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-ediscoverynoncustodialdatasource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Ediscoverycustodian Post Usersources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-ediscoverycustodian-post-usersources.md
POST https://graph.microsoft.com/beta/security/cases/ediscoveryCases/b0073e4e-41
[!INCLUDE [sample-code](../includes/snippets/go/create-usersource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-usersource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Ediscoveryholdpolicy Post Usersources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-ediscoveryholdpolicy-post-usersources.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-usersource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-usersource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Ediscoverysearch List Custodiansources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-ediscoverysearch-list-custodiansources.md
GET https://graph.microsoft.com/beta/security/cases/ediscoveryCases/b0073e4e-418
[!INCLUDE [sample-code](../includes/snippets/go/list-datasource-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-datasource-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Ediscoverysearch Post Noncustodialsources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-ediscoverysearch-post-noncustodialsources.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-ediscoverynoncustodialdatasource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-ediscoverynoncustodialdatasource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Emailthreatsubmission Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-emailthreatsubmission-get.md
Content-Type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/emailThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.emailUrlThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.emailUrlThreatSubmission",
"category": "spam", "recipientEmailAddress": "tifc@a830edad9050849EQTPWBJZXODQ.onmicrosoft.com", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059",
v1.0 Security Emailthreatsubmission List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-emailthreatsubmission-list.md
Content-Type: application/json
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/emailThreats", "value": [ {
- "@odata.type": "#microsoft.graph.emailThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.emailThreatSubmission",
"category": "spam", "recipientEmailAddress": "tifc@a830edad9050849EQTPWBJZXODQ.onmicrosoft.com", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059",
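Review bot: the List response now types its item as the base `#microsoft.graph.security.emailThreatSubmission`, while the Get example for the same `id` (`49c5ef5b-1f65-444a-e6b9-08d772ea2059`) uses `#microsoft.graph.security.emailUrlThreatSubmission`. Clients that branch on `@odata.type` will treat the two samples differently, so use the derived type in the list item, or state that the collection returns the base type.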
v1.0 Security Emailthreatsubmission Post Emailthreats https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-emailthreatsubmission-post-emailthreats.md
Content-type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/emailThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.emailUrlThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.emailUrlThreatSubmission",
"category": "spam", "recipientEmailAddress": "tifc@a830edad9050849EQTPWBJZXODQ.onmicrosoft.com", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059",
POST https://graph.microsoft.com/beta/security/threatSubmission/emailThreats
Content-type: application/json {
- "@odata.type": "#microsoft.graph.emailUrlThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.emailUrlThreatSubmission",
"category": "notSpam", "recipientEmailAddress": "tifc@a830edad9050849EQTPWBJZXODQ.onmicrosoft.com", "messageUrl": "https://graph.microsoft.com/beta/users/c52ce8db-3e4b-4181-93c4-7d6b6bffaf60/messages/AAMkADU3MWUxOTU0LWNlOTEt=",
Content-type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/emailThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.emailUrlThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.emailUrlThreatSubmission",
"category": "spam", "recipientEmailAddress": "tifc@a830edad9050849EQTPWBJZXODQ.onmicrosoft.com", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059",
POST https://graph.microsoft.com/beta/security/threatSubmission/emailThreats
Content-type: application/json {
- "@odata.type": "#microsoft.graph.emailContentThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.emailContentThreatSubmission",
"category": "spam", "recipientEmailAddress": "tifc@a830edad9050849EQTPWBJZXODQ.onmicrosoft.com", "fileContent": "UmVjZWl2ZWQ6IGZyb20gTVcyUFIwME1CMDMxNC5uYW1wcmQwMC....."
Content-type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/emailThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.emailContentThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.emailContentThreatSubmission",
"category": "spam", "recipientEmailAddress": "tifc@a830edad9050849EQTPWBJZXODQ.onmicrosoft.com", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059",
v1.0 Security Emailthreatsubmissionpolicy Post Emailthreatsubmissionpolicies https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-emailthreatsubmissionpolicy-post-emailthreatsubmissionpolicies.md
HTTP/1.1 201 Created
Content-Type: application/json {
- "@odata.type": "#microsoft.graph.emailThreatSubmissionPolicy",
+ "@odata.type": "#microsoft.graph.security.emailThreatSubmissionPolicy",
"id": "DefaultReportSubmissionPolicy", "isReportToMicrosoftEnabled": true, "isReportToCustomizedEmailAddressEnabled": false,
v1.0 Security Filethreatsubmission Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-filethreatsubmission-get.md
Content-Type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/fileThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.fileThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.fileThreatSubmission",
"category": "malware", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059", "createdDateTime": "2021-10-10T03:30:18.6890937Z",
v1.0 Security Filethreatsubmission List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-filethreatsubmission-list.md
Content-Type: application/json
"value": [ { "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/fileThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.fileThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.fileThreatSubmission",
"category": "malware", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059", "createdDateTime": "2021-10-10T03:30:18.6890937Z",
v1.0 Security Filethreatsubmission Post Filethreats https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-filethreatsubmission-post-filethreats.md
POST https://graph.microsoft.com/beta/security/threatSubmission/fileThreatSubmis
Content-type: application/json {
- "@odata.type": "#microsoft.graph.fileContentThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.fileContentThreatSubmission",
"category": "malware", "fileName": "test.html", "fileContent": "UmVjZWl2ZWQ6IGZyb20gTVcyUFIwME1CMDMxNC5uYW1wcmQwMC....."
Content-type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/fileThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.fileThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.fileThreatSubmission",
"category": "malware", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059", "createdDateTime": "2021-10-10T03:30:18.6890937Z",
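Review bot: the request in this example is typed `#microsoft.graph.security.fileContentThreatSubmission`, but the response comes back as the base `#microsoft.graph.security.fileThreatSubmission`. The email examples return the derived type they were posted with (`emailUrlThreatSubmission`, `emailContentThreatSubmission`), so confirm which type the service returns and make the file example consistent with it.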
v1.0 Security Incident Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-incident-get.md
+
+ Title: "Get incident"
+description: "Retrieve the properties and relationships of an incident object."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# Get incident
+Namespace: microsoft.graph.security
++
+Retrieve the properties and relationships of an [incident](../resources/security-incident.md) object.
+
+Attacks are typically inflicted on different types of entities, such as devices, users, and mailboxes, resulting in multiple [alert](../resources/security-alert.md) objects. Microsoft 365 Defender correlates alerts with the same attack techniques or the same attacker into an **incident**.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /security/incidents/{incidentId}
+```
++
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and an [incident](../resources/security-incident.md) object in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "sampleKeys": ["2972395"],
+ "name": "get_incident"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/security/incidents/2972395
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.security.incident"
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.incident",
+ "id": "2972395",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
+ "redirectIncidentId": null,
+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",
+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
+ "assignedTo": "KaiC@contoso.onmicrosoft.com",
+ "classification": "TruePositive",
+ "determination": "MultiStagedAttack",
+ "status": "Active",
+ "severity": "Medium",
+ "tags": [
+ "Demo"
+ ],
+ "comments": [
+ {
+ "comment": "Demo incident",
+ "createdBy": "DavidS@contoso.onmicrosoft.com",
+ "createdTime": "2021-09-30T12:07:37.2756993Z"
+ }
+ ]
+}
+```
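Review bot: the sample response sets `"@odata.type": "#microsoft.graph.incident"`, but the page declares `Namespace: microsoft.graph.security` and the response metadata comment names `microsoft.graph.security.incident`; the type string should be `#microsoft.graph.security.incident`. The enum values in the same body are PascalCase (`"TruePositive"`, `"MultiStagedAttack"`, `"Active"`), which does not match the camelCase members documented on the Update incident page. The `tid` in `incidentWebUrl` also differs from the `tenantId` value two lines below it.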
v1.0 Security Incident Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-incident-update.md
+
+ Title: "Update incident"
+description: "Update the properties of an incident object."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# Update incident
+Namespace: microsoft.graph.security
++
+Update the properties of an [incident](../resources/security-incident.md) object.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
++
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|SecurityIncident.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|SecurityIncident.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+PATCH /security/incidents/{incidentId}
+```
+
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+|Content-Type|application/json. Required.|
+
+## Request body
++
+|Property|Type|Description|
+|:|:|:|
+|assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.|
+|classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|
+|status|microsoft.graph.security.incidentStatus|The status of the incident. Possible values are: `active`, `resolved`, `redirected`, `unknownFutureValue`.|
+|tags|String collection|Array of custom tags associated with an incident.|
++
+## Response
+
+If successful, this method returns a `200 OK` response code and an updated [incident](../resources/security-incident.md) object in the response body.
+
+## Examples
+
+### Request
+The following is an example of a request.
+<!-- {
+ "blockType": "request",
+ "sampleKeys": ["2972395"],
+ "name": "update_incident"
+}
+-->
+``` http
+PATCH https://graph.microsoft.com/beta/security/incidents/2972395
+Content-Type: application/json
+
+{
+ "classification": "TruePositive",
+ "determination": "MultiStagedAttack",
+ "tags": [
+ "Demo"
+ ]
+}
+```
++
+### Response
+The following is an example of the response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "@odata.type": "microsoft.graph.security.incident",
+ "truncated": true
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "@odata.type": "#microsoft.graph.incident",
+ "id": "2972395",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
+ "redirectIncidentId": null,
+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",
+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
+ "assignedTo": "KaiC@contoso.onmicrosoft.com",
+ "classification": "TruePositive",
+ "determination": "MultiStagedAttack",
+ "status": "Active",
+ "severity": "Medium",
+ "tags": [
+ "Demo"
+ ],
+ "comments": [
+ {
+ "comment": "Demo incident",
+ "createdBy": "DavidS@contoso.onmicrosoft.com",
+ "createdTime": "2021-09-30T12:07:37.2756993Z"
+ }
+ ]
+}
+```
+
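Review bot: the example request sends `"classification": "TruePositive"` and `"determination": "MultiStagedAttack"`, while the request body table lists the members as `truePositive` and `multiStagedAttack`; use the documented casing so a copied sample is a valid request. The table gives `informationalExpectedActivity` as a member of `microsoft.graph.security.alertClassification`, where the Update alert page lists `benignPositive` for the same type, so one of the two lists is out of date. The response repeats `"@odata.type": "#microsoft.graph.incident"` under a `microsoft.graph.security` namespace, and the `classification` description reads "The specification for the incident", which looks like a typo.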
v1.0 Security List Alerts_V2 https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-list-alerts_v2.md
+
+ Title: "List alerts_v2"
+description: "Get a list of the security alert objects and their properties."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# List alerts_v2
+Namespace: microsoft.graph.security
++
+Get a list of [alert](../resources/security-alert.md) resources that have been created to track suspicious activities in an organization.
+
+This operation lets you filter and sort through alerts to create an informed cyber security response. It exposes a collection of alerts that were flagged in your network, within the time range you specified in your environment retention policy. The most recent alerts are displayed at the top of the list.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|SecurityAlert.Read.All, SecurityAlert.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /security/alerts_v2
+```
+
+## Optional query parameters
+This method supports the following OData query parameters to help customize the response: `$count`, `$filter`, `$skip`, `$top`.
+
+The following properties support `$filter` : **assignedTo**, **classification**, **determination**, **createdDateTime**, **lastUpdateDateTime**, **severity**, **serviceSource** and **status**.
+
+Use `@odata.nextLink` for pagination.
+
+The following are examples of their use:
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /security/alerts_v2?$filter={property}+eq+'{property-value}'
+GET /security/alerts_V2?$top=100&$skip=200
+```
+
+For general information, see [OData query parameters](/graph/query-parameters).
++
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [alert](../resources/security-alert.md) objects in the response body.
+
+## Examples
+
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "security_list_alerts"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/security/alerts_v2
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.security.alert",
+ "isCollection": true
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-type: application/json
+
+{
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.security.alert",
+ "id": "da637551227677560813_-961444813",
+ "providerAlertId": "da637551227677560813_-961444813",
+ "incidentId": "28282",
+ "status": "new",
+ "severity": "low",
+ "classification": "unknown",
+ "determination": "unknown",
+ "serviceSource": "microsoftDefenderForEndpoint",
+ "detectionSource": "antivirus",
+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "title": "Suspicious execution of hidden file",
+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",
+ "category": "DefenseEvasion",
+ "assignedTo": null,
+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "actorDisplayName": null,
+ "threatDisplayName": null,
+ "threatFamilyName": null,
+ "mitreTechniques": [
+ "T1564.001"
+ ],
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
+ "resolvedDateTime": null,
+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",
+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",
+ "comments": [],
+ "evidence": [
+ {
+ "@odata.type": "#microsoft.graph.security.deviceEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "azureAdDeviceId": null,
+ "deviceDnsName": "tempDns",
+ "osPlatform": "Windows10",
+ "osBuild": 22424,
+ "version": "Other",
+ "healthStatus": "active",
+ "riskScore": "medium",
+ "rbacGroupId": 75,
+ "rbacGroupName": "UnassignedGroup",
+ "onboardingStatus": "onboarded",
+ "defenderAvStatus": "unknown",
+ "loggedOnUsers": [],
+ "roles": [
+ "compromised"
+ ],
+ "tags": [
+ "Test Machine"
+ ],
+ "vmMetadata": {
+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",
+ "cloudProvider": "azure",
+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",
+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.fileEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "detectionStatus": "detected",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "roles": [],
+ "tags": [],
+ "fileDetails": {
+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
+ "fileName": "MsSense.exe",
+ "filePath": "C:\\Program Files\\temp",
+ "fileSize": 6136392,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.processEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "processId": 4780,
+ "parentProcessId": 668,
+ "processCommandLine": "\"MsSense.exe\"",
+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",
+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",
+ "detectionStatus": "detected",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "roles": [],
+ "tags": [],
+ "imageFile": {
+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
+ "fileName": "MsSense.exe",
+ "filePath": "C:\\Program Files\\temp",
+ "fileSize": 6136392,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ },
+ "parentProcessImageFile": {
+ "sha1": null,
+ "sha256": null,
+ "fileName": "services.exe",
+ "filePath": "C:\\Windows\\System32",
+ "fileSize": 731744,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ },
+ "userAccount": {
+ "accountName": "SYSTEM",
+ "domainName": "NT AUTHORITY",
+ "userSid": "S-1-5-18",
+ "azureAdUserId": null,
+ "userPrincipalName": null
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",
+ "registryHive": "HKEY_LOCAL_MACHINE",
+ "roles": [],
+ "tags": [],
+ }
+ ]
+ }
+ ]
+}
+```
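Review bot: the second query example, `GET /security/alerts_V2?$top=100&$skip=200`, spells the segment with a capital `V`, while every other path on the page uses `alerts_v2`; fix the casing so the sample matches the documented path. The `registryKeyEvidence` object at the end of the sample response has a trailing comma after `"tags": [],`, which makes the body invalid JSON, and `recommendedActions` contains replacement characters (`�`) in place of the bullets and apostrophe.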
v1.0 Security List Incidents https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-list-incidents.md
+
+ Title: "List incidents"
+description: "Get a list of the incident objects and their properties."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# List incidents
+Namespace: microsoft.graph.security
++
+Get a list of [incident](../resources/security-incident.md) objects that Microsoft 365 Defender has created to track attacks in an organization.
+
+Attacks are typically inflicted on different types of entities, such as devices, users, and mailboxes, resulting in multiple [alert](../resources/security-alert.md) objects. Microsoft 365 Defender correlates alerts with the same attack techniques or the same attacker into an **incident**.
+
+This operation allows you to filter and sort through incidents to create an informed cyber security response. It exposes a collection of incidents that were flagged in your network, within the time range you specified in your environment retention policy. The most recent incidents are displayed at the top of the list.
+
+## Permissions
+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Permissions](/graph/permissions-reference).
+
+|Permission type|Permissions (from least to most privileged)|
+|:|:|
+|Delegated (work or school account)|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|
+|Delegated (personal Microsoft account)|Not supported.|
+|Application|SecurityIncident.Read.All, SecurityIncident.ReadWrite.All|
+
+## HTTP request
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /security/incidents
+```
+
+## Optional query parameters
+This method supports the following OData query parameters to help customize the response: `$count`, `$filter`, `$skip`, `$top`, `$expand`.
+
+The following properties support `$filter` : **assignedTo**, **classification**, **createdDateTime**, **determination**, **lastUpdateDateTime**, **severity**, and **status**.
+
+Use `@odata.nextLink` for pagination.
+
+The following are examples of their use:
+
+<!-- {
+ "blockType": "ignored"
+}
+-->
+``` http
+GET /security/incidents?$count=true
+GET /security/incidents?$filter={property}+eq+'{property-value}'
+GET /security/incidents?$top=10
+```
+
+For general information, see [OData query parameters](/graph/query-parameters).
++
+## Request headers
+|Name|Description|
+|:|:|
+|Authorization|Bearer {token}. Required.|
+
+## Request body
+Do not supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `200 OK` response code and a collection of [incident](../resources/security-incident.md) objects in the response body.
+
+## Examples
+### Example 1: List all incidents
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_incident"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/security/incidents
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.security.incident",
+ "isCollection": true
+}
+-->
+
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.security.incident",
+ "id": "2972395",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
+ "redirectIncidentId": null,
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",
+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
+ "assignedTo": "KaiC@contoso.onmicrosoft.com",
+ "classification": "TruePositive",
+ "determination": "MultiStagedAttack",
+ "status": "Active",
+ "severity": "Medium",
+ "tags": [
+ "Demo"
+ ],
+ "comments": [
+ {
+ "comment": "Demo incident",
+ "createdBy": "DavidS@contoso.onmicrosoft.com",
+ "createdTime": "2021-09-30T12:07:37.2756993Z"
+ }
+ ]
+ }
+ ]
+}
+```
+
+### Example 2: List all incidents with their alerts.
+### Request
+<!-- {
+ "blockType": "request",
+ "name": "list_incident"
+}
+-->
+``` http
+GET https://graph.microsoft.com/beta/security/incidents?$expand=alerts
+```
++
+### Response
+>**Note:** The response object shown here might be shortened for readability.
+<!-- {
+ "blockType": "response",
+ "truncated": true,
+ "@odata.type": "microsoft.graph.security.incident",
+ "isCollection": true
+}
+-->
+``` http
+HTTP/1.1 200 OK
+Content-Type: application/json
+
+{
+ "value": [
+ {
+ "@odata.type": "#microsoft.graph.security.incident",
+ "id": "2972395",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47",
+ "redirectIncidentId": null,
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources",
+ "createdDateTime": "2021-08-13T08:43:35.5533333Z",
+ "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z",
+ "assignedTo": "KaiC@contoso.onmicrosoft.com",
+ "classification": "truePositive",
+ "determination": "multiStagedAttack",
+ "status": "active",
+ "severity": "medium",
+ "tags": [
+ "Demo"
+ ],
+ "comments": [
+ {
+ "comment": "Demo incident",
+ "createdBy": "DavidS@contoso.onmicrosoft.com",
+ "createdTime": "2021-09-30T12:07:37.2756993Z"
+ }
+ ],
+ "alerts": [
+ {
+ "@odata.type": "#microsoft.graph.security.alert",
+ "id": "da637551227677560813_-961444813",
+ "providerAlertId": "da637551227677560813_-961444813",
+ "incidentId": "28282",
+ "status": "new",
+ "severity": "low",
+ "classification": "unknown",
+ "determination": "unknown",
+ "serviceSource": "microsoftDefenderForEndpoint",
+ "detectionSource": "antivirus",
+ "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
+ "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "title": "Suspicious execution of hidden file",
+ "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
+ "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.",
+ "category": "DefenseEvasion",
+ "assignedTo": null,
+ "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
+ "actorDisplayName": null,
+ "threatDisplayName": null,
+ "threatFamilyName": null,
+ "mitreTechniques": [
+ "T1564.001"
+ ],
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
+ "resolvedDateTime": null,
+ "firstActivityDateTime": "2021-04-26T07:45:50.116Z",
+ "lastActivityDateTime": "2021-05-02T07:56:58.222Z",
+ "comments": [],
+ "evidence": [
+ {
+ "@odata.type": "#microsoft.graph.security.deviceEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "azureAdDeviceId": null,
+ "deviceDnsName": "tempDns",
+ "osPlatform": "Windows10",
+ "osBuild": 22424,
+ "version": "Other",
+ "healthStatus": "active",
+ "riskScore": "medium",
+ "rbacGroupId": 75,
+ "rbacGroupName": "UnassignedGroup",
+ "onboardingStatus": "onboarded",
+ "defenderAvStatus": "unknown",
+ "loggedOnUsers": [],
+ "roles": [
+ "compromised"
+ ],
+ "tags": [
+ "Test Machine"
+ ],
+ "vmMetadata": {
+ "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78",
+ "cloudProvider": "azure",
+ "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests",
+ "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161"
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.fileEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "detectionStatus": "detected",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "roles": [],
+ "tags": [],
+ "fileDetails": {
+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
+ "fileName": "MsSense.exe",
+ "filePath": "C:\\Program Files\\temp",
+ "fileSize": 6136392,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.processEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "processId": 4780,
+ "parentProcessId": 668,
+ "processCommandLine": "\"MsSense.exe\"",
+ "processCreationDateTime": "2021-08-12T12:43:19.0772577Z",
+ "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z",
+ "detectionStatus": "detected",
+ "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db",
+ "roles": [],
+ "tags": [],
+ "imageFile": {
+ "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a",
+ "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec",
+ "fileName": "MsSense.exe",
+ "filePath": "C:\\Program Files\\temp",
+ "fileSize": 6136392,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ },
+ "parentProcessImageFile": {
+ "sha1": null,
+ "sha256": null,
+ "fileName": "services.exe",
+ "filePath": "C:\\Windows\\System32",
+ "fileSize": 731744,
+ "filePublisher": "Microsoft Corporation",
+ "signer": null,
+ "issuer": null
+ },
+ "userAccount": {
+ "accountName": "SYSTEM",
+ "domainName": "NT AUTHORITY",
+ "userSid": "S-1-5-18",
+ "azureAdUserId": null,
+ "userPrincipalName": null
+ }
+ },
+ {
+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",
+ "createdDateTime": "2021-04-27T12:19:27.7211305Z",
+ "verdict": "unknown",
+ "remediationStatus": "none",
+ "remediationStatusDetails": null,
+ "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER",
+ "registryHive": "HKEY_LOCAL_MACHINE",
+ "roles": [],
+ "tags": [],
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
+```
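Review bot: The two response samples disagree on enum casing for the same incident `2972395`: Example 1 returns `"classification": "TruePositive"`, `"determination": "MultiStagedAttack"`, `"status": "Active"`, `"severity": "Medium"`, while Example 2 returns the camelCase forms (`truePositive`, `multiStagedAttack`, `active`, `medium`). Anyone building a `$filter` expression or triage rule from these samples needs one canonical casing, so align Example 1 with the values the enum tables document. Other points in the same file: the intro says the operation lets you "filter and sort", but `$orderby` is not among the listed query parameters; both request blocks are annotated `"name": "list_incident"`, so the `$expand=alerts` request needs its own name; in Example 2 the nested alert carries `"incidentId": "28282"` under incident `2972395`, and `incidentWebUrl` uses a `tid` that differs from `tenantId`; the `registryKeyEvidence` object has a trailing comma after `"tags": []`, which makes the sample invalid JSON; and `recommendedActions` contains replacement characters where bullets and an apostrophe were lost to an encoding error.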
v1.0 Security Urlthreatsubmission Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-urlthreatsubmission-get.md
Content-Type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/urlThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.urlThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.urlThreatSubmission",
"category": "phishing", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059", "createdDateTime": "2021-10-10T03:30:18.6890937Z",
v1.0 Security Urlthreatsubmission List https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-urlthreatsubmission-list.md
Content-Type: application/json
"value": [ { "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/urlThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.urlThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.urlThreatSubmission",
"category": "phishing", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059", "createdDateTime": "2021-10-10T03:30:18.6890937Z",
v1.0 Security Urlthreatsubmission Post Urlthreats https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/security-urlthreatsubmission-post-urlthreats.md
Content-type: application/json
{ "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/threatSubmission/urlThreatSubmission/$entity",
- "@odata.type": "#microsoft.graph.urlThreatSubmission",
+ "@odata.type": "#microsoft.graph.security.urlThreatSubmission",
"category": "phishing", "id": "49c5ef5b-1f65-444a-e6b9-08d772ea2059", "createdDateTime": "2021-10-10T03:30:18.6890937Z",
v1.0 Site List Operations https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/site-list-operations.md
GET https://graph.microsoft.com/beta/sites/{site-ID}/operations
[!INCLUDE [sample-code](../includes/snippets/go/list-richlongrunningoperation-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-richlongrunningoperation-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
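Review bot: The added `# [PowerShell](#tab/powershell)` tab has no `[!INCLUDE ...]` line before the PHP tab begins, so as shown it renders as an empty tab. Add the PowerShell snippet include under it, or leave the tab out until the snippet exists.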
v1.0 Teamtemplate List Definitions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/teamtemplate-list-definitions.md
GET https://graph.microsoft.com/beta/teamwork/teamTemplates?$expand=definitions&
[!INCLUDE [sample-code](../includes/snippets/go/list-teamtemplatedefinitions-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-teamtemplatedefinitions-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Teamtemplatedefinition Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/teamtemplatedefinition-get.md
GET https://graph.microsoft.com/beta/teamwork/teamTemplates/com.microsoft.teams.
[!INCLUDE [sample-code](../includes/snippets/go/get-teamtemplatedefinition-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/get-teamtemplatedefinition-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Teamwork List Teamtemplates https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/teamwork-list-teamtemplates.md
GET https://graph.microsoft.com/beta/teamwork/teamTemplates
[!INCLUDE [sample-code](../includes/snippets/go/list-teamtemplatedefinition-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-teamtemplatedefinition-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
GET https://graph.microsoft.com/beta/teamwork/teamTemplates?$expand=definitions&
[!INCLUDE [sample-code](../includes/snippets/go/list-teamtemplatedefinition-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-teamtemplatedefinition-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
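Review bot: The PHP tab added for the `?$expand=definitions&...` request includes `list-teamtemplatedefinition-php-snippets.md`, the same file already added for the plain `GET /teamwork/teamTemplates` request above, so both examples would show identical code. The second example needs its own snippet that carries the `$expand` query, and the PowerShell tabs in both hunks have no include line under them.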
v1.0 Teamworkdevice Rundiagnostics https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/teamworkdevice-rundiagnostics.md
POST https://graph.microsoft.com/beta/teamwork/devices/0f3ce432-e432-0f3c-32e4-3
[!INCLUDE [sample-code](../includes/snippets/go/teamworkdevice-rundiagnostics-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/teamworkdevice-rundiagnostics-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Teamworkhostedcontent Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/teamworkhostedcontent-get.md
GET https://graph.microsoft.com/beta/appCatalogs/teamsApps/5a31d4f7-a11d-4052-96
[!INCLUDE [sample-code](../includes/snippets/go/teamsappicon-get-hostedcontent-coloricon-value-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/teamsappicon-get-hostedcontent-coloricon-value-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
GET https://graph.microsoft.com/beta/appCatalogs/teamsApps/5a31d4f7-a11d-4052-96
[!INCLUDE [sample-code](../includes/snippets/go/teamsappicon-get-hostedcontentbytes-outlineicon-value-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/teamsappicon-get-hostedcontentbytes-outlineicon-value-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Todotask List Checklistitems https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/todotask-list-checklistitems.md
GET https://graph.microsoft.com/beta/me/todo/lists/AAMkADliMmU5YjJlLTVmMmQtNGQzN
[!INCLUDE [sample-code](../includes/snippets/go/list-checklistitem-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-checklistitem-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Todotask Post Checklistitems https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/todotask-post-checklistitems.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-checklistitem-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-checklistitem-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
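Review bot: This removes the PowerShell and PHP tabs from the create checklistItem page while the sibling list checklistItems page in the same update gains exactly those two tabs. If the removal is deliberate, say why in the commit message; otherwise restore the tabs so the two pages stay consistent.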
v1.0 User Post Approleassignments https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/user-post-approleassignments.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/user-create-approleassignment-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
-
v1.0 Windowsupdates Deploymentaudience List Exclusions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/windowsupdates-deploymentaudience-list-exclusions.md
GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/{deployme
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
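Review bot: The Go, PowerShell and PHP tab headings are added with only blank lines beneath each one, so the page gains three tabs with no sample code. Each heading should be followed by its `[!INCLUDE [sample-code](...)]` line, as the other tabbed pages in this update do for PHP.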
v1.0 Windowsupdates Deploymentaudience List Members https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/windowsupdates-deploymentaudience-list-members.md
GET https://graph.microsoft.com/beta/admin/windows/updates/deployments/{deployme
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
v1.0 Windowsupdates Updatableassetgroup List Members https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/windowsupdates-updatableassetgroup-list-members.md
GET https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets/{upda
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
v1.0 Windowsupdates Updates List Updatableassets https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/api/windowsupdates-updates-list-updatableassets.md
GET https://graph.microsoft.com/beta/admin/windows/updates/updatableAssets
[!INCLUDE [sample-code](../includes/snippets/jav)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
+
v1.0 Alert https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/alert.md
Title: "alert resource type"
-description: "Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Use alerts to unify and streamline security issue management across all integrated solutions. To learn more, see the sample queries in Graph Explorer."
+description: "Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified."
ms.localizationpriority: medium ms.prod: "security"
Namespace: microsoft.graph
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Use alerts to unify and streamline security issue management across all integrated solutions. To learn more, see the sample queries in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+This resource corresponds to the first generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft or a partner security solution has identified.
-Alerts can be retrieved from different security providers listed in the [Microsoft Graph Security Overview](security-api-overview.md).
+This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers listed in [Use the Microsoft Graph security API](security-api-overview.md#legacy-alerts). It aggregates common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions.
+
+To learn more, see the sample queries in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+ ## Methods
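Review bot: The new sentence "This type of alerts federates calling of supported Azure and Microsoft 365 Defender security providers" is ungrammatical and hard to parse; something like "This type of alert federates calls to the supported Azure and Microsoft 365 Defender security providers" reads cleanly. Also confirm that the `#legacy-alerts` anchor exists in `security-api-overview.md`, since the link now depends on it.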
v1.0 Enums Security https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/enums-security.md
Title: "Security enum values"
-description: "Microsoft Graph security namespace enumeration values."
-
+description: "Microsoft Graph security subnamespace enumeration values"
ms.localizationpriority: medium
-doc_type: enumTypes
+ # Security enum values Namespace: microsoft.graph.security
+### detectionStatus values
+
+| Member
+|:--
+| detected
+| blocked
+| prevented
+| unknownFutureValue
+ ### actionAfterRetentionPeriod values
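Review bot: The front matter loses `doc_type: enumTypes` with no replacement, which will drop this page from anything that keys on that field; keep it unless the removal is intended. In the new `detectionStatus` table, the rows have a single `Member` column with no descriptions and a one-cell separator (`|:--`), unlike the other enum tables, and the revised description drops its closing period and introduces "subnamespace" where the page heading still says "Namespace".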
v1.0 Security Alert https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-alert.md
+
+ Title: "alert resource type"
+description: "Represents potential security issues within a customer's tenant that Microsoft 365 Defender have identified."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# alert resource type
+
+Namespace: microsoft.graph.security
++
+This resource corresponds to the latest generation of alerts in the Microsoft Graph security API, representing potential security issues within a customer's tenant that Microsoft 365 Defender, or a security provider integrated with Microsoft 365 Defender, has identified.
+
+When detecting a threat, a security provider creates an alert in the system. Microsoft 365 Defender pulls this alert data from the security provider, and consumes the alert data to return valuable clues in an [alert](security-alert.md) resource about any related attack, impacted assets, and associated [evidence](security-alertevidence.md). It automatically correlates other alerts with the same attack techniques or the same attacker into an [incident](security-incident.md) to provide a broader context of an attack. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
++
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List alerts_v2](../api/security-list-alerts_v2.md)|[microsoft.graph.security.alert](security-alert.md) collection|Get a list of [alert](../resources/security-alert.md) resources that have been created to track suspicious activities in an organization.|
+|[Get alert](../api/security-alert-get.md)|[microsoft.graph.security.alert](security-alert.md)|Get the properties of an [alert](../resources/security-alert.md) object in an organization based on the specified alert **id** property.|
+|[Update alert](../api/security-alert-update.md)|[microsoft.graph.security.alert](../resources/security-alert.md)|Update the properties of an [alert](../resources/security-alert.md) object in an organization based on the specified alert **id** property.|
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|actorDisplayName|String|The adversary or activity group that is associated with this alert.|
+|alertWebUrl|String|URL for the alert page in the Microsoft 365 Defender portal.|
+|assignedTo|String|Owner of the **alert**, or null if no owner is assigned.|
+|category|String|The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.|
+|classification|[microsoft.graph.security.alertClassification](#alertclassification-values)|Specifies whether the alert represents a true threat. Possible values are: `unknown`, `falsePositive`, `truePositive`, `benignPositive`, `unknownFutureValue`.|
+|comments|[microsoft.graph.security.alertComment](security-alertComment.md) collection|Array of comments created by the Security Operations (SecOps) team during the alert management process.|
+|createdDateTime|DateTimeOffset|Time when Microsoft 365 Defender created the alert.|
+|description|String|String value describing each alert.|
+|detectionSource|[microsoft.graph.security.detectionSource](#detectionsource-values)|Detection technology or sensor that identified the notable component or activity.|
+|detectorId|String|The ID of the detector that triggered the alert.|
+|determination|[microsoft.graph.security.alertDetermination](#alertdetermination-values)|Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|
+|evidence|[microsoft.graph.security.alertEvidence](security-alertEvidence.md) collection|Collection of evidence related to the alert.|
+|firstActivityDateTime|DateTimeOffset|The earliest activity associated with the alert.|
+|id|String|Unique identifier to represent the **alert** resource.|
+|incidentId|String|Unique identifier to represent the [incident](security-incident.md) this **alert** resource is associated with.|
+|incidentWebUrl|String|URL for the incident page in the Microsoft 365 Defender portal.|
+|lastActivityDateTime|DateTimeOffset|The oldest activity associated with the alert.|
+|lastUpdateDateTime|DateTimeOffset|Time when the alert was last updated at Microsoft 365 Defender.|
+|mitreTechniques|Collection(Edm.String)|The attack techniques, as aligned with the MITRE ATT&CK framework.|
+|providerAlertId|String|The ID of the alert as it appears in the security provider product that generated the alert.|
+|recommendedActions|String|Recommended response and remediation actions to take in the event this alert was generated.|
+|resolvedDateTime|DateTimeOffset|Time when the alert was resolved.|
+|serviceSource|[microsoft.graph.security.serviceSource](#servicesource-values)|The service or product that created this alert. Possible values are: `microsoftDefenderForEndpoint`, `microsoftDefenderForIdentity`, `microsoftCloudAppSecurity`, `microsoftDefenderForOffice365`, `microsoft365Defender`, `aadIdentityProtection`, `appGovernance`, `dataLossPrevention`.|
+|severity|[microsoft.graph.security.alertSeverity](#alertseverity-values)|Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.|
+|status|[microsoft.graph.security.alertStatus](#alertstatus-values)|The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.|
+|tenantId|String|The Azure Active Directory tenant the alert was created in.|
+|threatDisplayName|String|The threat associated with this alert.|
+|threatFamilyName|String|Threat family associated with this alert.|
+|title|String|Brief identifying string value describing the alert.|
+
+### alertClassification values
+
+| Member | Description |
+| :-| :- |
+| unknown | The alert isn't classified yet. |
+| falsePositive | The alert is a false positive and didn't detect malicious activity. |
+| truePositive | The alert is true positive and detected malicious activity. |
+| informationalExpectedActivity | The alert is benign positive and detected potentially malicious activity by a trusted/internal user, for example, security testing. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
+
+### alertDetermination values
+
+| Member | Description |
+| :--| : |
+| unknown | No determination value was set yet. |
+| apt | A true positive alert that detected an advanced persistent threat. |
+| malware | A true positive alert that detected malicious software. |
+| securityPersonnel | A true positive alert that detected valid suspicious activity that was performed by someone on the customer's security team. |
+| securityTesting | The alert detected valid suspicious activity that was performed as part of a known security testing. |
+| unwantedSoftware | The alert detected unwanted software. |
+| multiStagedAttack | A true positive alert that detected multiple kill-chain attack stages. |
+| compromisedAccount | A true positive alert that detected that the intended user's credentials were compromised or stolen. |
+| phishing | A true positive alert that detected a phishing email. |
+| maliciousUserActivity | A true positive alert that detected that the logged-on user performs malicious activities. |
+| notMalicious | A false alert, no suspicious activity. |
+| notEnoughDataToValidate | A false alert, without enough information to prove otherwise. |
+| confirmedActivity | The alert caught a true suspicious activity that is considered OK because it is a known user activity. |
+| lineOfBusinessApplication | The alert caught a true suspicious activity that is considered OK because it is a known and confirmed internal application. |
+| other | Other determination. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
+
+### alertSeverity values
+
+| Member | Description |
+| :--| : |
+| unknown | Unknown severity. |
+| informational | Alerts that may not be actionable or considered harmful to the network but can drive organizational security awareness on potential security issues. |
+| low | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands and clearing logs, that often don't indicate an advanced threat that targets the organization. It can also come from an isolated security tool that is tested by a user in your organization. |
+| medium | Alerts generated from detections and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be due to internal security testing, they are valid detections and require investigation as they may be a part of an advanced attack. |
+| high | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on assets. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+### alertStatus values
+
+| Member | Description |
+| :-| :- |
+| unknown | Unknown status. |
+| new | New alert. |
+| inProgress | The alert is in mitigation progress. |
+| resolved | The alert is in resolved state. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+### serviceSource values
+
+| Value | Description |
+| :-| :-|
+| unknown | Unknown service source. |
+| microsoftDefenderForEndpoint | Microsoft Defender for Endpoint. |
+| microsoftDefenderForIdentity | Microsoft Defender for Identity. |
+| microsoftDefenderForCloudApps| Microsoft Defender for Cloud Apps. |
+| microsoftDefenderForOffice365| Microsoft Defender For Office365. |
+| microsoft365Defender | Microsoft 365 Defender. |
+| microsoftAppGovernance | Microsoft app governance. |
+| microsoftDataLossPrevention | Microsoft Purview Data Loss Prevention. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use.|
++
+### detectionSource values
+
+| Value | Description |
+| :-| :-|
+| unknown | Unknown detection source. |
+| microsoftDefenderForEndpoint | Microsoft Defender For Endpoint. |
+| antivirus | Antivirus software. |
+| smartScreen | Microsoft Defender SmartScreen. |
+| customTi | Custom threat intelligence. |
+| microsoftDefenderForOffice365 | Microsoft Defender for Office 365. |
+| automatedInvestigation | Automated investigation. |
+| microsoftThreatExperts | Microsoft Threat Experts. |
+| customDetection | Custom detection. |
+| microsoftDefenderForIdentity | Microsoft Defender for Identity. |
+| cloudAppSecurity | Cloud app security. |
+| microsoft365Defender | Microsoft 365 Defender. |
+| azureAdIdentityProtection | Azure Active Directory Identity Protection. |
+| manual | Manual detection. |
+| microsoftDataLossPrevention | Microsoft Purview Data Loss Prevention. |
+| appGovernancePolicy | App governance policy. |
+| appGovernanceDetection | App governance detection. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.security.alert",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.alert",
+ "id": "String (identifier)",
+ "providerAlertId": "String",
+ "incidentId": "String",
+ "status": "String",
+ "severity": "String",
+ "classification": "String",
+ "determination": "String",
+ "serviceSource": "String",
+ "detectionSource": "String",
+ "detectorId": "String",
+ "tenantId": "String",
+ "title": "String",
+ "description": "String",
+ "recommendedActions": "String",
+ "category": "String",
+ "assignedTo": "String",
+ "alertWebUrl": "String",
+ "incidentWebUrl": "String",
+ "actorDisplayName": "String",
+ "threatDisplayName": "String",
+ "threatFamilyName": "String",
+ "mitreTechniques": [
+ "String"
+ ],
+ "createdDateTime": "String (timestamp)",
+ "lastUpdateDateTime": "String (timestamp)",
+ "resolvedDateTime": "String (timestamp)",
+ "firstActivityDateTime": "String (timestamp)",
+ "lastActivityDateTime": "String (timestamp)",
+ "comments": [
+ {
+ "@odata.type": "microsoft.graph.security.alertComment"
+ }
+ ],
+ "evidence": [
+ {
+ "@odata.type": "microsoft.graph.security.alertEvidence"
+ }
+ ]
+}
+```
+
+<!--
+{
+ "type": "#page.annotation",
+ "namespace": "microsoft.graph.security"
+}
+-->
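Review bot: Product names are cased inconsistently between the two enum tables. serviceSource has `Microsoft Defender For Office365` where detectionSource has `Microsoft Defender for Office 365`, and detectionSource has `Microsoft Defender For Endpoint` where serviceSource has `Microsoft Defender for Endpoint`. Please settle on one spelling per product. The `low` row of alertSeverity also needs a rewrite: "For example, hack-tools, non-malware hack tools, such as running exploration commands and clearing logs" does not parse, and anyone mapping severities to triage priority has to guess what belongs in this bucket. Lastly, `cloudAppSecurity` is described only as "Cloud app security"; if it is the product that the serviceSource table calls Microsoft Defender for Cloud Apps, say so.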
v1.0 Security Alertcomment https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-alertcomment.md
+
+ Title: "alertComment resource type"
+description: "An analyst-generated comment that is associated with an alert or incident."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# alertComment resource type
+
+Namespace: microsoft.graph.security
++
+An analyst-generated comment that is associated with an alert or incident.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|comment|String|The comment text.|
+|createdByDisplayName|String|The person or app name that submitted the comment.|
+|createdDateTime|DateTimeOffset|The time when the comment was submitted.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.alertComment"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.alertComment",
+ "comment": "String",
+ "createdByDisplayName": "String",
+ "createdDateTime": "String (timestamp)"
+}
+```
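Review bot: `createdDateTime` is typed DateTimeOffset, but its description, "The time when the comment was submitted", does not state the format or time zone. Add the ISO 8601 and UTC wording so that consumers ordering analyst comments into a timeline do not have to assume it. The JSON fence here also follows the `-->` line directly, while security-alert.md leaves a blank line between the two; keep the spacing consistent.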
v1.0 Security Alertevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-alertevidence.md
+
+ Title: "alertEvidence resource type"
+description: "Each alert contains a list of related evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# alertEvidence resource type
+
+Namespace: microsoft.graph.security
++
+Evidence related to an [alert](security-alert.md).
+
+This is the base type of [analyzedMessageEvidence](security-analyzedmessageevidence.md), [cloudApplicationEvidence](security-cloudapplicationevidence.md), [deviceEvidence](security-deviceevidence.md), [fileEvidence](security-fileevidence.md), [ipEvidence](security-ipEvidence.md), [mailboxEvidence](security-mailboxevidence.md), [mailClusterEvidence](security-mailclusterevidence.md), [oauthApplicationEvidence](security-oauthapplicationevidence.md), [processEvidence](security-processevidence.md), [registryKeyEvidence](security-registrykeyevidence.md), [registryValueEvidence](security-registryvalueevidence.md), [securityGroupEvidence](security-securitygroupevidence.md), [urlEvidence](security-urlevidence.md), and [userEvidence](security-userevidence.md).
+
+This alert evidence base type and its derived evidence types provide a means to organize and track rich data about each artifact involved in an **alert**. For example, an **alert** about an attacker's IP address logging into a cloud service using a compromised user account can track the following evidence:
+- [IP evidence](security-ipevidence.md) with the roles of `attacker` and `source`, remediation status of `running`, and verdict of `malicious`.
+- [Cloud application evidence](security-cloudapplicationevidence.md) with a role of `contextual`.
+- [Mailbox evidence](security-mailboxevidence.md) for the hacked user account with a role of `compromised`.
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|createdDateTime|DateTimeOffset|The time the evidence was created and added to the alert.|
+|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](#evidenceremediationstatus-values)|Status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `active`, `pendingApproval`, `declined`, `notRemediated`, `running`, `unknownFutureValue`.|
+|remediationStatusDetails|String|Details about the remediation status.|
+|roles|[microsoft.graph.security.evidenceRole](#evidencerole-values) collection|The role/s that an evidence entity represents in an alert, e.g., an IP address that is associated with an attacker will have the evidence role "Attacker".|
+|tags|String collection|Array of custom tags associated with an evidence instance, for example to denote a group of devices, high value assets, etc.|
+|verdict|[microsoft.graph.security.evidenceVerdict](#evidenceverdict-values)|The decision reached by automated investigation. The possible values are: `unknown`, `suspicious`, `malicious`, `noThreatsFound`, `unknownFutureValue`.|
++
+### detectionSource values
+
+| Value | Description |
+| :-| :--|
+| detected | A product of the threat that executed was detected. |
+| blocked | the threat was remediated at run time. |
+| prevented | the threat was prevented from occurring (running, downloading, etc,).|
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+### evidenceRemediationStatus values
+
+| Member | Description |
+| :--| : |
+| none | No threats were found. |
+| remediated | Remediation action has completed successfully. |
+| prevented | The threat was prevented from executing. |
+| blocked | The threat was blocked while executing. |
+| active | Live response session is currently active. |
+| pendingApproval | Remediation action is pending manual approval. |
+| declined | Remediation action was not approved by analyst.|
+| notRemediated | Remediation action failed to remediate threat. |
+| running | Remediation action is currently running. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+### evidenceRole values
+
+| Member | Description |
+| :--| :- |
+| unknown | The evidence role is unknown. |
+| contextual | An entity that arose likely benign but was reported as a side effect of an attacker's action, e.g. the benign services.exe process was used to start a malicious service.|
+| scanned | An entity identified as a target of discovery scanning or reconnaissance actions, e.g. a port scanner was used to scan a network. |
+| source | The entity the activity originated from, e.g. device, user, IP address, etc. |
+| destination | The entity the activity was sent to, e.g. device, user, IP address, etc. |
+| created | The entity was created as a result of the actions of an attacker, e.g. a user account was created. |
+| added | The entity was added as a result of the actions of an attacker, e.g. a user account was added to a permissions group. |
+| compromised | The entity was compromised and is under the control of an attacker, e.g. a user account was compromised and used to log into a cloud service. |
+| edited | The entity was edited or changed by an attacker, e.g. the registry key for a service was edited to point to the location of a new malicious payload. |
+| attacked | The entity was attacked, e.g. a device was targeted in a DDoS attack. |
+| attacker | The entity represents the attacker, e.g. the attacker`s IP address observed logging into a cloud service using a compromised user account. |
+| commandAndControl | The entity is being used for command and control, e.g. a C2 (command and control) domain used by malware. |
+| loaded | The entity was loaded by a process under the control of an attacker, e.g. a Dll was loaded into an attacker-controlled process. |
+| suspicious | The entity is suspected of being malicious or controlled by an attacker but has not been incriminated. |
+| policyViolator | The entity is a violator of a customer defined policy. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+### evidenceRemediationStatus values
+
+| Member | Description |
+| :--| : |
+| unknown | No verdict was determined for the evidence. |
+| suspicious | Recommended remediation actions awaiting approval.|
+| malicious | The evidence was determined to be malicious. |
+| clean | No threat was detected - the evidence is benign. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+### evidenceVerdict values
+
+| Member | Description |
+| :--| : |
+| unknown | No verdict was determined for the evidence.|
+| suspicious | |
+| malicious | The evidence was determined to be malicious. |
+| noThreatsFound | No threat was detected - the evidence is benign. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
++
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.alertEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.alertEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ]
+}
+```
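Review bot: The second `### evidenceRemediationStatus values` heading (the table with `unknown`, `suspicious`, `malicious`, `clean`) duplicates the heading above it and actually lists verdicts. That makes the `#evidenceremediationstatus-values` anchor used in the Properties table ambiguous, and the table contradicts the evidenceVerdict table that follows (`clean` versus `noThreatsFound`). Its `suspicious` row also carries a remediation description, "Recommended remediation actions awaiting approval." Drop this table, or merge whatever is correct into evidenceVerdict, where `suspicious` currently has an empty description. Related mismatches in the same file: the `### detectionSource values` table lists `detected`, `blocked` and `prevented`, which no property in the Properties table references and which differ from the detectionSource members in security-alert.md. The remediationStatus property lists `notFound`, but the evidenceRemediationStatus table has no row for it. The base-type list links `security-ipEvidence.md` while the bullet below it links `security-ipevidence.md`. The `attacker` role description has a backtick in place of the apostrophe in "attacker's".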
v1.0 Security Analyzedmessageevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-analyzedmessageevidence.md
+
+ Title: "analyzedMessageEvidence resource type"
+description: "An email, or analyzed message, that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# analyzedMessageEvidence resource type
+
+Namespace: microsoft.graph.security
++
+An email, or analyzed message, that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|antiSpamDirection|String|Direction of the email relative to your network. The possible values are: `Inbound`, `Outbound` or `Intraorg`.|
+|attachmentsCount|Int64|Number of attachments in the email.|
+|deliveryAction|String|Delivery action of the email. The possible values are: `Delivered`, `DeliveredAsSpam`, `Junked`, `Blocked`, or `Replaced`.|
+|deliveryLocation|String|Location where the email was delivered. The possible values are: `Inbox`, `External`, `JunkFolder`, `Quarantine`, `Failed`, `Dropped`, `DeletedFolder` or `Forwarded`.|
+|internetMessageId|String|Public-facing identifier for the email that is set by the sending email system.|
+|language|String|Detected language of the email content.|
+|networkMessageId|String|Unique identifier for the email, generated by Microsoft 365.|
+|p1Sender|[microsoft.graph.security.emailSender](../resources/security-emailsender.md)|The P1 sender.|
+|p2Sender|[microsoft.graph.security.emailSender](../resources/security-emailsender.md)|The P2 sender.|
+|receivedDateTime|DateTimeOffset|Date and time when the email was received.|
+|recipientEmailAddress|String|Email address of the recipient, or email address of the recipient after distribution list expansion.|
+|senderIp|String|IP address of the last detected mail server that relayed the message.|
+|subject|String|Subject of the email.|
+|threatDetectionMethods|String collection|Collection of methods used to detect malware, phishing, or other threats found in the email.|
+|threats|String collection|Collection of detection names for malware or other threats found.|
+|urlCount|Int64|Number of embedded URLs in the email.|
+|urls|String collection|Collection of the URLs contained in this email.|
+|urn|String|Uniform resource name (URN) of the automated investigation where the cluster was identified.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.analyzedMessageEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "networkMessageId": "String",
+ "internetMessageId": "String",
+ "subject": "String",
+ "language": "String",
+ "senderIp": "String",
+ "recipientEmailAddress": "String",
+ "antiSpamDirection": "String",
+ "deliveryAction": "String",
+ "deliveryLocation": "String",
+ "urn": "String",
+ "threats": [
+ "String"
+ ],
+ "threatDetectionMethods": [
+ "String"
+ ],
+ "urls": [
+ "String"
+ ],
+ "urlCount": "Integer",
+ "attachmentsCount": "Integer",
+ "receivedDateTime": "String (timestamp)",
+ "p1Sender": {
+ "@odata.type": "microsoft.graph.security.emailSender"
+ },
+ "p2Sender": {
+ "@odata.type": "microsoft.graph.security.emailSender"
+ }
+}
+```
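Review bot: The `urn` description, "Uniform resource name (URN) of the automated investigation where the cluster was identified", refers to a cluster, but this resource is a single analyzed message. It reads as copied from a cluster evidence type and should describe the message instead. The count properties are typed inconsistently: `attachmentsCount` and `urlCount` are Int64 in the Properties table and "Integer" in the JSON representation. For `p1Sender` and `p2Sender`, "The P1 sender." and "The P2 sender." only restate the property names. These are the fields an analyst compares when checking for sender spoofing, so say which is the envelope (SMTP MAIL FROM) sender and which is the header From sender.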
v1.0 Security Api Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-api-overview.md
Title: "Use the Microsoft Graph Security API"
+ Title: "Use the Microsoft Graph security API"
description: " > **Important:** APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported." ms.localizationpriority: high
ms.prod: "security"
doc_type: resourcePageType
-# Use the Microsoft Graph Security API
+# Use the Microsoft Graph security API
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
-The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses. Use the Microsoft Graph Security API to build applications that:
+The Microsoft Graph security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph security API federates queries to all onboarded security providers and aggregates responses. Use the Microsoft Graph security API to build applications that:
-- Consolidate and correlate security alerts from multiple sources-- Unlock contextual data to inform investigations-- Automate security tasks, business processes, workflows, and reporting-- Send threat indicators to Microsoft products for customized detections-- Invoke actions to in response to new threats-- Provide visibility into security data to enable proactive risk management
+- Consolidate and correlate security alerts from multiple sources.
+- Pull and investigate all incidents and alerts from services that are part of or integrated with Microsoft 365 Defender.
+- Unlock contextual data to inform investigations.
+- Automate security tasks, business processes, workflows, and reporting.
+- Send threat indicators to Microsoft products for customized detections.
+- Invoke actions to in response to new threats.
+- Provide visibility into security data to enable proactive risk management.
-The Microsoft Graph Security API includes the following key entities.
+The Microsoft Graph security API provides key features as described in the following sections.
## Actions (preview)
-Take immediate action to defend against threats using the Microsoft Graph Security [securityAction](securityaction.md) entity. When a security analyst discovers a new indicator, such as a malicious file, URL, domain, or IP address, protection can be instantly enabled in your Microsoft security solutions. Invoke an action for a specific provider, see all actions taken, and cancel an action if needed. Try security actions with [Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) (formerly Microsoft Defender ATP) to block malicious activity on your Windows endpoints using properties seen in alerts or identified during investigations.
+Take immediate action to defend against threats using the [securityAction](securityaction.md) entity. When a security analyst discovers a new indicator, such as a malicious file, URL, domain, or IP address, protection can be instantly enabled in your Microsoft security solutions. Invoke an action for a specific provider, see all actions taken, and cancel an action if needed. Try security actions with [Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) (formerly Microsoft Defender ATP) to block malicious activity on your Windows endpoints using properties seen in alerts or identified during investigations.
> **Note:** Currently security actions only support application permissions. ## Alerts
+Alerts are suspicious activities in a customer's tenant that Microsoft or partner security providers have identified and flagged for action. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is alerts from multiple security providers for multiple entities in the tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming.
-Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph Security [alerts](alert.md) entity, you can unify and streamline management of security issues across all integrated solutions. This also enables applications to correlate alerts and context to improve threat protection and response. With the alert update capability, you can sync the status of specific alerts across different security products and services that are integrated with the Microsoft Graph Security API by updating your [alerts](alert.md) entity.
+The beta version of the security API offers two types of alerts that aggregate other alerts from security providers and make analyzing attacks and determining response easier:
+- [Alerts and incidents](#alerts-and-incidents-preview) (preview) - these are the latest generation of alerts in the Microsoft Graph security API. They are represented by the [alert](security-alert.md) resource and its collection, [incident](security-incident.md) resource, defined in the `microsoft.graph.security` namespace.
+- [Legacy alerts](#legacy-alerts) - these are the first generation of alerts in the Microsoft Graph security API. They are represented by the [alert](alert.md) resource defined in the `microsoft.graph` namespace.
-Alerts from the following providers are available via the Microsoft Graph Security API. Support for GET alerts, PATCH alerts, and Subscribe (via webhooks) is indicated in the following table.
+### Alerts and incidents (preview)
+
+These [alert](security-alert.md) resources first pull alert data from security provider services, that are either part of or integrated with [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide). Then they consume the data to return rich, valuable clues about a completed or ongoing attack, the impacted assets, and associated [evidence](security-alertevidence.md). In addition, they automatically correlate other alerts with the same attack techniques or the same attacker into an [incident](security-incident.md) to provide a broader context of an attack. They recommend response and remediation actions, offering consistent actionability across all the different providers. The rich content makes it easier for analysts to collectively investigate and respond to threats.
+
+Alerts from the following security providers are available via these rich alerts and incidents:
+- [Azure Active Directory Identity Protection](/azure/active-directory/identity-protection/overview-identity-protection)
+- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender?view=o365-worldwide)
+- [Microsoft Defender for Cloud Apps](/cloud-app-security/monitor-alerts)
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide)
+- [Microsoft Defender for Identity](/defender-for-identity/alerts-overview)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/overview?view=o365-worldwide)
+- [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp?view=o365-worldwide)
++
+### Legacy alerts
+
+These [alert](alert.md) resources federate calling of supported Azure and Microsoft 365 Defender security providers. They aggregate common alert data among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions. They enable applications to correlate alerts and context to improve threat protection and response.
+
+With the alert update capability, you can sync the status of specific alerts across different security products and services that are integrated with the Microsoft Graph security API by updating your **alert** entity.
+
+Alerts from the following security providers are available via this legacy **alert** resource. Support for GET alerts, PATCH alerts, and subscribe (via webhooks) is indicated in the following table.
| Security provider | <p align="center">GET alert</p>| <p align="center">PATCH alert</p>| <p align="center">Subscribe to alert</p>| |:|:|:--|:|
-|[Azure Security Center](/azure/security-center/security-center-alerts-type)| <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> |
|[Azure Active Directory Identity Protection](/azure/active-directory/identity-protection/playbook) | <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
+|[Azure Information Protection](/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-a-security-provider-for-microsoft-graph-securityhow-does-this-work-and-what-alerts-will-i-receive) **(preview)**| <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
+|[Azure Security Center](/azure/security-center/security-center-alerts-type)| <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> |
+|Microsoft 365 <ul><li> [Default](/office365/securitycompliance/alert-policies#default-alert-policies)</li> <li>[Cloud App Security](/office365/securitycompliance/anomaly-detection-policies-in-ocas)</li><li>Custom Alert</li></ul> | <p align="center">&#x2713;</p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> |
| [Microsoft Defender for Cloud Apps](/cloud-app-security/monitor-alerts) (formerly Microsoft Cloud App Security) | <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> | |[Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/attack-simulations) (formerly Microsoft Defender ATP) **| <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> | |[Microsoft Defender for Identity](/azure-advanced-threat-protection/understanding-security-alerts#security-alert-categories) (formerly Azure Advanced Threat Protection) ***| <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
-|Microsoft 365 <ul><li> [Default](/office365/securitycompliance/alert-policies#default-alert-policies)</li> <li>[Cloud App Security](/office365/securitycompliance/anomaly-detection-policies-in-ocas)</li><li>Custom Alert</li></ul> | <p align="center">&#x2713;</p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> |
-|[Azure Information Protection](/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-a-security-provider-for-microsoft-graph-securityhow-does-this-work-and-what-alerts-will-i-receive) **(preview)**| <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
-|[Azure Sentinel](/azure/sentinel/quickstart-get-visibility) **(preview)**| <p align="center">&#x2713;</p> | <p align="center">Not supported in Azure Sentinel </p> | <p align="center">&#x2713;</p> |
-> **Note:** New providers are continuously onboarding to the Microsoft Graph Security ecosystem. To request new providers or for extended support from existing providers, [file an issue in the Microsoft Graph Security GitHub repo](https://github.com/microsoftgraph/security-api-solutions/issues/new).
+|[Microsoft Sentinel](/azure/sentinel/quickstart-get-visibility) (formerly Azure Sentinel)| <p align="center">&#x2713;</p> | <p align="center">Not supported in Microsoft Sentinel </p> | <p align="center">&#x2713;</p> |
-\* File issue: Alert status gets updated across Microsoft Graph Security API integrated applications but not reflected in the providerΓÇÖs management experience.
+> **Note:** New providers are continuously onboarding to the Microsoft Graph security ecosystem. To request new providers or for extended support from existing providers, [file an issue in the Microsoft Graph security GitHub repo](https://github.com/microsoftgraph/security-api-solutions/issues/new).
-\*\* Microsoft Defender for Endpoint requires additional [user roles](/windows/security/threat-protection/microsoft-defender-atp/user-roles) to those required by the Microsoft Graph Security API. Only the users in both Microsoft Defender for Endpoint and Microsoft Graph Security API roles can have access to the Microsoft Defender for Endpoint data. Because application-only authentication is not limited by this, we recommend that you use an application-only authentication token.
+\* File issue: Alert status gets updated across Microsoft Graph security API integrated applications but not reflected in the providerΓÇÖs management experience.
+
+\*\* Microsoft Defender for Endpoint requires additional [user roles](/windows/security/threat-protection/microsoft-defender-atp/user-roles) to those required by the Microsoft Graph security API. Only the users in both Microsoft Defender for Endpoint and Microsoft Graph security API roles can have access to the Microsoft Defender for Endpoint data. Because application-only authentication is not limited by this, we recommend that you use an application-only authentication token.
\*\*\* Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps. Learn more about [how to integrate Microsoft Defender for Identity and Microsoft Defender for Cloud Apps](/azure-advanced-threat-protection/atp-mcas-integration).
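Review bot: In the "Alerts and incidents (preview)" bullet, "represented by the alert resource and its collection, incident resource" reads as if incident were a collection type of alert. The Incidents section added further down describes an incident as a collection of correlated alerts, so reword the bullet to match. The rewritten bullet list keeps a typo from the old line: `Invoke actions to in response to new threats.` should lose the "to". In the `*` footnote, the apostrophe in "provider's" shows up as `ΓÇÖ` on the new line just as on the old one, which suggests a non-ASCII curly quote in the source; use a plain apostrophe. The `**` footnote recommends an application-only token because it is not limited by the Defender for Endpoint user roles. Since the sentence is being touched anyway, name the application permission to grant so that readers do not over-provision the app.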
Alerts from the following providers are available via the Microsoft Graph Securi
[Microsoft Purview eDiscovery (Premium)](/microsoft-365/compliance/overview-ediscovery-20) provides an end-to-end workflow to preserve, collect, analyze, review, and export content that's responsive to your organization's internal and external investigations.
+## Incidents (preview)
+
+An [incident](security-incident.md) is a collection of correlated  [alerts](security-alert.md) and associated data that make up the story of an attack. Incident management is part of Microsoft 365 Defender, and is available in the Microsoft 365 Defender portal (https://security.microsoft.com/).
+
+Microsoft 365 services and apps create  alerts  when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple  alerts for multiple entities in your tenant.
+
+Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an [incident](security-incident.md).
+
+Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:
+
+- Where the attack started.
+- What tactics were used.
+- How far the attack has gone into your tenant.
+- The scope of the attack, such as how many devices, users, and mailboxes were impacted.
+- All of the data associated with the attack.
+
+TheΓÇ» [incident](security-incident.md) resource and its APIs allow you to sort through incidents to create an informed cyber security response. It exposes a collection of incidents, with their relatedΓÇ» [alerts](security-alert.md), that were flagged in your network, within the time range you specified in your environment retention policy.
+ ## Information protection **Labels** - Information protection labels provide details about how to properly apply a sensitivity label to information. The information protection label API describes the configuration of sensitivity labels that apply to a user or tenant.
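Review bot: In the added paragraph that starts "The [incident](security-incident.md) resource and its APIs", the characters before both links are not plain spaces (they show up as `ΓÇ»` here) and should be replaced with ordinary spaces. The same section has doubled spaces in "correlated  [alerts]", "create  alerts  when" and "multiple  alerts for", which look like leftovers from the same paste. In that paragraph "It exposes a collection of incidents" should name the resource, since the preceding subject is "resource and its APIs".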
Alerts from the following providers are available via the Microsoft Graph Securi
## Secure Score
-[Microsoft Secure Score](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Office-365-Secure-Score-is-now-Microsoft-Secure-Score/ba-p/182358) is a security analytics solution that gives you visibility into your security portfolio and how to improve it. With a single score, you can better understand what you have done to reduce your risk in Microsoft solutions. You can also compare your score with other organizations and see how your score has been trending over time. The Microsoft Graph Security [secureScore](securescores.md) and [secureScoreControlProfile](securescorecontrolprofiles.md) entities help you balance your organization's security and productivity needs while enabling the appropriate mix of security features. You can also project what your score would be after you adopt security features.
+[Microsoft Secure Score](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Office-365-Secure-Score-is-now-Microsoft-Secure-Score/ba-p/182358) is a security analytics solution that gives you visibility into your security portfolio and how to improve it. With a single score, you can better understand what you have done to reduce your risk in Microsoft solutions. You can also compare your score with other organizations and see how your score has been trending over time. The [secureScore](securescores.md) and [secureScoreControlProfile](securescorecontrolprofiles.md) entities help you balance your organization's security and productivity needs while enabling the appropriate mix of security features. You can also project what your score would be after you adopt security features.
## Threat intelligence indicators (preview) Threat indicators, also referred to as indicators of compromise (IoCs), represent data about known threats, such as malicious files, URLs, domains, and IP addresses. Customers can generate indicators through internal threat intelligence gathering or acquire indicators from threat intelligence communities, licensed feeds, and other sources. These indicators are then used in various security tools to defend against related threats.
-The Microsoft Graph Security [tiIndicators](tiindicator.md) entity allows customers to feed threat indicators to Microsoft security solutions to enable block and alert actions on malicious activity or allow, which suppresses actions for indicators determined not to be relevant to an organization. When sending indicators, both the Microsoft solution that will utilize the indicator and the action to be taken on that indicator are specified.
+The [tiIndicators](tiindicator.md) entity allows customers to feed threat indicators to Microsoft security solutions to enable block and alert actions on malicious activity or allow, which suppresses actions for indicators determined not to be relevant to an organization. When sending indicators, both the Microsoft solution that will utilize the indicator and the action to be taken on that indicator are specified.
You can integrate the [tiIndicator](tiindicator.md) entity into your application or use one of the following integrated threat intelligence platforms (TIP): - [Palo Alto Networks MineMeld Threat Intelligence Sharing](https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld) - [MISP Open Source Threat Intelligence Platform](http://www.misp-project.org/) available through the [TI sample](https://aka.ms/tipmispsample)
-Threat indicators sent via the Microsoft Graph Security API are available today in the following products:
+Threat indicators sent via the Microsoft Graph security API are available today in the following products:
- [Azure Sentinel](/azure/sentinel/overview) ΓÇô Enables you to correlate threat indicators with log data to get alerts on malicious activity. - [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) ΓÇô Enables you to alert and/or block on threat indicators associated with malicious activity. You can also allow an indicator for ignoring the indicator from automated investigations. For details about the types of indicators supported and limits on indicator counts per tenant, see [Manage indicators](/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
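Review bot: The reworded tiIndicators sentence keeps the clause "to enable block and alert actions on malicious activity or allow, which suppresses actions for indicators determined not to be relevant", where "allow" reads as a stray verb rather than as the third action. Since the line is being touched anyway, suggest naming the three actions explicitly (block, alert, allow) and saying in a separate sentence that allow suppresses actions for the indicator, so that nobody submits an allow indicator without realising it turns detection off for that value.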
The Microsoft Graph threat submission API helps organizations to submit a threat
## Common use cases
-The following are some of the most popular requests for working with the Microsoft Graph Security API.
+The following are some of the most popular requests for working with the Microsoft Graph security API.
-| **Use cases** | **REST resources** | **Try it in Graph Explorer** |
+| **Use cases** | **REST operations** | **Try it in Graph Explorer** |
|:|:--|:-| | **Actions (preview)**||| | Get security action | [Get security action](../api/securityaction-get.md)|[https://graph.microsoft.com/beta/security/securityActions/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/securityActions/{id}&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)| |List security actions| [List security actions](../api/securityactions-list.md)|[https://graph.microsoft.com/beta/security/securityActions](https://developer.microsoft.com/graph/graph-explorer?request=security/securityActions&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)| |Create security actions|[Create security actions](../api/securityactions-post.md)|[https://graph.microsoft.com/beta/security/securityActions](https://developer.microsoft.com/graph/graph-explorer?request=security/securityActions&method=POST&version=beta&GraphUrl=https://graph.microsoft.com)| |Cancel security action|[Cancel security actions](../api/securityaction-cancelsecurityaction.md)| [https://graph.microsoft.com/beta/security/securityActions/{id}/cancelSecurityAction](https://developer.microsoft.com/graph/graph-explorer?request=security/securityActions/{id}/cancelSecurityAction&method=POST&version=beta&GraphUrl=https://graph.microsoft.com) |
-| **Alerts**|||
-| List alerts | [List alerts](../api/alert-list.md) | [https://graph.microsoft.com/beta/security/alerts](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |
-| Update alerts | [Update alert](../api/alert-update.md) </br> [Update multiple alerts](../api/alert-updatealerts.md) | [https://graph.microsoft.com/beta/security/alerts/{alert-id}](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts/{alert-id}&method=PATCH&version=beta&GraphUrl=https://graph.microsoft.com) </br> [https://graph.microsoft.com/beta/security/alerts/updateAlerts](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts/updateAlerts&method=POST&version=beta&GraphUrl=https://graph.microsoft.com) |
+| **Alerts and incidents (preview)**|||
+| List alerts | [List alerts](../api/security-list-alerts_v2.md) | [https://graph.microsoft.com/beta/security/alerts_v2](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts_v2&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |
+| Update alert | [Update alert](../api/security-alert-update.md) | [https://graph.microsoft.com/beta/security/alerts/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts/{id}&method=PATCH&version=beta&GraphUrl=https://graph.microsoft.com) |
+| List incidents | [List incidents](../api/security-list-incidents.md) | [https://graph.microsoft.com/beta/security/incidents](https://developer.microsoft.com/graph/graph-explorer?request=security/incidents&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |
+| List incidents with alerts| [List incidents](../api/security-list-incidents.md) | [https://graph.microsoft.com/beta/security/incidents?$expand=alerts](https://developer.microsoft.com/graph/graph-explorer?request=security/incidents?$expand=alerts&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |
+| Update incident | [Update incident](../api/security-incident-update.md) | [https://graph.microsoft.com/beta/security/incidents/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/incidents/{id}&method=PATCH&version=beta&GraphUrl=https://graph.microsoft.com) |
| **Attack simulation and training (preview)**||| |List simulations|[List simulations](../api/attacksimulationroot-list-simulations.md)|[https://graph.microsoft.com/beta/security/attackSimulation/simulations](https://developer.microsoft.com/graph/graph-explorer?request=security/attackSimulation/simulations&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)| |Get simulation overview report|[Get simulation overview report](../api/simulationreportoverview-get.md)|[https://graph.microsoft.com/beta/security/attackSimulation/simulations/{id}/report/overview](https://developer.microsoft.com/graph/graph-explorer?request=security/attackSimulation/simulations/{id}/report/overview&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)|
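Review bot: The new "Update alert" row links to security-alert-update.md but its request URL is /beta/security/alerts/{id}, while the "List alerts" row directly above uses /beta/security/alerts_v2. Confirm whether the update row should read alerts_v2/{id} in both the displayed URL and the Graph Explorer request parameter, otherwise the link exercises the legacy alerts endpoint. Separately, the "List incidents with alerts" link places ?$expand=alerts inside the request= value unencoded; percent-encode the second ? and the = the way the eDiscovery rows encode their slashes.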
The following are some of the most popular requests for working with the Microso
| **eDiscovery**||| |List eDiscovery cases|[List eDiscoveryCases](../api/security-casesroot-list-ediscoverycases.md)|[https://graph.microsoft.com/beta/security/cases/eDiscoveryCases](https://developer.microsoft.com/graph/graph-explorer?request=security%2Fcases%2FeDiscoverycases&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)| |List eDiscovery case operations|[List caseOperations](../api/security-ediscoverycase-list-operations.md)|[https://graph.microsoft.com/beta/security/cases/ediscoveryCases/{id}/operations](https://developer.microsoft.com/graph/graph-explorer?request=security%2Fcases%2FeDiscoverycases%2F%7Bid%7D%2Foperations&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)|
+| **Legacy alerts**|||
+| List alerts | [List alerts](../api/alert-list.md) | [https://graph.microsoft.com/beta/security/alerts](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts&method=GET&version=beta&GraphUrl=https://graph.microsoft.com) |
+| Update alerts | [Update alert](../api/alert-update.md) </br> [Update multiple alerts](../api/alert-updatealerts.md) | [https://graph.microsoft.com/beta/security/alerts/{alert-id}](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts/{alert-id}&method=PATCH&version=beta&GraphUrl=https://graph.microsoft.com) </br> [https://graph.microsoft.com/beta/security/alerts/updateAlerts](https://developer.microsoft.com/graph/graph-explorer?request=security/alerts/updateAlerts&method=POST&version=beta&GraphUrl=https://graph.microsoft.com) |
| **Secure scores**||| |List secure scores|[List secureScores](../api/securescores-list.md)|[https://graph.microsoft.com/beta/security/secureScores](https://developer.microsoft.com/graph/graph-explorer?request=security/secureScores&method=GET&version=beta&GraphUrl=https://graph.microsoft.com)| | **Secure score control profiles**|||
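Review bot: The rows under the new "Legacy alerts" heading are moved unchanged, so "Update alerts" still separates its links with </br>, which is a closing tag; use <br/>. The heading should also say which resource supersedes these operations, because the "Alerts and incidents (preview)" group now contains a row with the identical "List alerts" label and nothing tells the reader which one to pick.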
The following are some of the most popular requests for working with the Microso
|Update email threat submission policy|[Update emailThreatSubmissionPolicy](../api/security-emailthreatsubmission-post-emailthreats.md)|[https://graph.microsoft.com/beta/security/threatSubmission/emailThreatSubmissionPolicies/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/security/threatSubmission/emailThreatSubmissionPolicies/{id}&method=PATCH&version=beta&GraphUrl=https://graph.microsoft.com)| |Delete email threat submission policy|[Delete emailThreatSubmissionPolicy](../api/security-emailthreatsubmissionpolicy-delete.md)|[https://graph.microsoft.com/beta/security/threatSubmission/emailThreatSubmissionPolicies/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/threatSubmission/emailThreatSubmissionPolicies/{id}&method=DELETE&version=beta&GraphUrl=https://graph.microsoft.com)|
-You can use Microsoft Graph [webhooks](/graph/webhooks) to subscribe to and receive notifications about updates to Microsoft Graph Security API entities.
+You can use Microsoft Graph [webhooks](/graph/webhooks) to subscribe to and receive notifications about updates to Microsoft Graph security API entities.
## What's new Find out about the [latest new features and updates](/graph/whats-new-overview) for these API sets. ## Next steps
-The Microsoft Graph Security API can open up new ways for you to engage with different security solutions from Microsoft and partners. Follow these steps to get started:
+The Microsoft Graph security API can open up new ways for you to engage with different security solutions from Microsoft and partners. Follow these steps to get started:
- Drill down into [alerts](alert.md), [tiIndicator](tiindicator.md) (preview), [securityAction](securityaction.md) (preview), [secureScore](securescores.md), and [secureScoreControlProfiles](securescorecontrolprofiles.md). - Try the API in the [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). Under **Sample Queries**, choose **show more samples** and set the Security category to **on**.
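Review bot: The "Drill down into" bullet kept as context still lists only alerts, tiIndicator, securityAction, secureScore and secureScoreControlProfiles, so the incident resource this change introduces is not reachable from "Next steps"; add [incident](security-incident.md) there. While in this table, the unchanged "Update email threat submission policy" row has security/security/threatSubmission in its Graph Explorer request value and links to security-emailthreatsubmission-post-emailthreats.md for an update operation; both look like copy errors worth fixing in the same pass.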
Need more ideas? See [how some of our partners are using Microsoft Graph](https:
## See also
-[Code and contribute](https://github.com/microsoftgraph/security-api-solutions/blob/master/CONTRIBUTING.md) to these Microsoft Graph Security API samples:
+[Code and contribute](https://github.com/microsoftgraph/security-api-solutions/blob/master/CONTRIBUTING.md) to these Microsoft Graph security API samples:
- [ASP.NET (C#) sample](https://github.com/microsoftgraph/aspnet-security-api-sample) - [Python sample](https://github.com/microsoftgraph/python-security-rest-sample)
Need more ideas? See [how some of our partners are using Microsoft Graph](https:
- [PowerShell sample](https://aka.ms/graphsecuritypowershellsample) - [Other samples or contribute a new sample](https://aka.ms/graphsecurityapicode)
-Explore other options to connect with the Microsoft Graph Security API:
+Explore other options to connect with the Microsoft Graph security API:
-- [Microsoft Graph Security connectors for Logic Apps, Flow and Power Apps](/azure/connectors/connectors-integrate-security-operations-create-api-microsoft-graph-security)
+- [Microsoft Graph security connectors for Logic Apps, Flow and Power Apps](/azure/connectors/connectors-integrate-security-operations-create-api-microsoft-graph-security)
- [Jupyter notebook samples](https://aka.ms/graphsecurityjupyternotebooks) Engage with the community:
v1.0 Security Cloudapplicationevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-cloudapplicationevidence.md
+
+ Title: "cloudApplicationEvidence resource type"
+description: "A cloud application that is reported in the alert."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# cloudApplicationEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A cloud application that is reported in the alert.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appId|Int64|Unique identifier of the application.|
+|displayName|String|Name of the application.|
+|instanceId|Int64|Identifier of the instance of the Software as a Service (SaaS) application.|
+|instanceName|String|Name of the instance of the SaaS application.|
+|saasAppId|Int64|The identifier of the SaaS application.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.cloudApplicationEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.cloudApplicationEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "appId": "Integer",
+ "displayName": "String",
+ "instanceId": "Integer",
+ "instanceName": "String",
+ "saasAppId": "Integer"
+}
+```
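Review bot: In the Properties table, appId ("Unique identifier of the application.") and saasAppId ("The identifier of the SaaS application.") are described almost identically, so a consumer cannot tell which one to key on when correlating evidence across alerts. Suggest stating what issues each identifier and how they relate to instanceId. The JSON representation also lists createdDateTime, verdict, remediationStatus, remediationStatusDetails, roles and tags, none of which appear in the table; one line saying they are inherited from alertEvidence would make that explicit.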
v1.0 Security Deviceevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-deviceevidence.md
+
+ Title: "deviceEvidence resource type"
+description: "A device that is reported in the alert."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# deviceEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A device that is reported in the alert.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|azureAdDeviceId|String|A unique identifier assigned to a device by Azure Active Directory (Azure AD) when device is Azure AD-joined.|
+|defenderAvStatus|[microsoft.graph.security.defenderAvStatus](#defenderavstatus-values)|State of the Defender AntiMalware engine. The possible values are: `notReporting`, `disabled`, `notUpdated`, `updated`, `unknown`, `notSupported`, `unknownFutureValue`.|
+|deviceDnsName|String|The fully qualified domain name (FQDN) for the device.|
+|firstSeenDateTime|DateTimeOffset|The date and time when the device was first seen.|
+|healthStatus|[microsoft.graph.security.deviceHealthStatus](#devicehealthstatus-values)|The health state of the device.The possible values are: `active`, `inactive`, `impairedCommunication`, `noSensorData`, `noSensorDataImpairedCommunication`, `unknown`, `unknownFutureValue`.|
+|loggedOnUsers|[microsoft.graph.security.loggedOnUser](../resources/security-loggedonuser.md) collection|Users that were logged on the machine during the time of the alert.|
+|mdeDeviceId|String|A unique identifier assigned to a device by Microsoft Defender for Endpoint.|
+|onboardingStatus|[microsoft.graph.security.onboardingStatus](#onboardingstatus-values)|The status of the machine onboarding to Microsoft Defender for Endpoint.The possible values are: `insufficientInfo`, `onboarded`, `canBeOnboarded`, `unsupported`, `unknownFutureValue`.|
+|osBuild|Int64|The build version for the operating system the device is running.|
+|osPlatform|String|The operating system platform the device is running.|
+|rbacGroupId|Int32|The ID of the role-based access control (RBAC) device group.|
+|rbacGroupName|String|The name of the RBAC device group.|
+|riskScore|[microsoft.graph.security.deviceRiskScore](#deviceriskscore-values)|Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: `none`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.|
+|version|String|The version of the operating system platform.|
+|vmMetadata|[microsoft.graph.security.vmMetadata](../resources/security-vmmetadata.md)|Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running.|
+
+### defenderAvStatus values
+
+| Member | Description |
+| :--| : |
+| notReporting | Defender AntiMalware engine is not reporting. |
+| disabled | Defender AntiMalware engine has been disabled. |
+| notUpdated | Defender AntiMalware engine is not up to date. |
+| updated | Defender AntiMalware engine is up to date. |
+| unknown | State of Defender AntiMalware engine is unknown. |
+| notSupported | Defender AntiMalware engine is not supported on this platform.|
+| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
++
+### deviceHealthStatus values
+
+| Member | Description |
+| :--| : |
+| active | Device is active and reporting to all channels. |
+| inactive | Device is not reporting to any channel. |
+| impairedCommunication | Device is not connected to the CnC. |
+| noSensorData | Device is not sending telemetry. |
+| noSensorDataImpairedCommunication | Device is not connected to the CnC and not sending telemetry. |
+| unknown | Device state is unknown |
+| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
+
+### deviceRiskScore values
+
+| Member | Description |
+| :--| : |
+| none | There are no alerts related to this device. |
+| informational | Device only has 'informational' level alerts. |
+| low | Device only has 'low' or 'informational' alerts. |
+| medium | Device has 'medium' or lower severity alerts. |
+| high | Device has 'high' severity alerts and is at risk. |
+| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
++
+### onboardingStatus values
+
+| Member | Description |
+| :--| : |
+| unknown | Unknown onboarding status |
+| insufficientInfo | Onboarding status cannot be determined. |
+| onboarded | Device is onboarded to service. |
+| canBeOnboarded | Device is eligible to be onboarded to service. |
+| unsupported | Device is not supported by service. |
+| unknownFutureValue | unknownFutureValue for evolvable enums pattern.|
++
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.deviceEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.deviceEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "firstSeenDateTime": "String (timestamp)",
+ "mdeDeviceId": "String",
+ "azureAdDeviceId": "String",
+ "deviceDnsName": "String",
+ "osPlatform": "String",
+ "osBuild": "Integer",
+ "version": "String",
+ "rbacGroupId": "Integer",
+ "rbacGroupName": "String",
+ "healthStatus": "String",
+ "riskScore": "String",
+ "onboardingStatus": "String",
+ "defenderAvStatus": "String",
+ "vmMetadata": {
+ "@odata.type": "microsoft.graph.security.vmMetadata"
+ },
+ "loggedOnUsers": [
+ {
+ "@odata.type": "microsoft.graph.security.loggedOnUser"
+ }
+ ]
+}
+```
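Review bot: The onboardingStatus property description lists insufficientInfo, onboarded, canBeOnboarded, unsupported and unknownFutureValue, but the "onboardingStatus values" table also defines unknown; make the two agree. In the deviceHealthStatus table, "Device is not connected to the CnC" uses an abbreviation that is never expanded and that security readers normally associate with attacker command-and-control infrastructure, so spell out which service is meant. The healthStatus and onboardingStatus descriptions are also missing a space after the period ("device.The possible values", "Endpoint.The possible values").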
v1.0 Security Emailsender https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-emailsender.md
+
+ Title: "emailSender resource type"
+description: "Email sender common properties."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# emailSender resource type
+
+Namespace: microsoft.graph.security
++
+Email sender common properties.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|The name of the sender.|
+|domainName|String|Sender domain.|
+|emailAddress|String|Sender email address.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.emailSender"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.emailSender",
+ "emailAddress": "String",
+ "displayName": "String",
+ "domainName": "String"
+}
+```
+
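Review bot: The three property descriptions only restate the property names ("Sender domain.", "Sender email address.") and do not say which sender is meant, for example the envelope sender or the From header, or whether domainName is always the domain part of emailAddress. That distinction matters when the value is used to triage spoofed mail, so a sentence per property would help.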
v1.0 Security Filedetails https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-filedetails.md
+
+ Title: "fileDetails resource type"
+description: "File common properties."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# fileDetails resource type
+
+Namespace: microsoft.graph.security
++
+File common properties.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|fileName|String|The name of the file.|
+|filePath|String|The file path (location) of the file instance. |
+|filePublisher|String|The publisher of the file.|
+|fileSize|Int64|The size of the file in bytes.|
+|issuer|String|The certificate authority (CA) that issued the certificate.|
+|sha1|String|The Sha1 cryptographic hash of the file content.|
+|sha256|String|The Sha256 cryptographic hash of the file content.|
+|signer|String|The signer of the signed file.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.fileDetails"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.fileDetails",
+ "sha1": "String",
+ "sha256": "String",
+ "fileName": "String",
+ "filePath": "String",
+ "fileSize": "Integer",
+ "filePublisher": "String",
+ "signer": "String",
+ "issuer": "String"
+}
+```
+
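Review bot: The issuer description, "The certificate authority (CA) that issued the certificate.", never says which certificate, and signer ("The signer of the signed file.") does not say what is returned for an unsigned file. If both refer to the file's signing certificate, say so, and state the unsigned case. The hash descriptions should use the algorithm names SHA-1 and SHA-256 rather than "Sha1" and "Sha256".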
v1.0 Security Fileevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-fileevidence.md
+
+ Title: "fileEvidence resource type"
+description: "A file that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
+++
+# fileEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A file that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|detectionStatus|microsoft.graph.security.detectionStatus|The status of the detection.The possible values are: `detected`, `blocked`, `prevented`, `unknownFutureValue`.|
+|fileDetails|[microsoft.graph.security.fileDetails](../resources/security-filedetails.md)|The file details.|
+|mdeDeviceId|String|A unique identifier assigned to a device by Microsoft Defender for Endpoint.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.fileEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.fileEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "fileDetails": {
+ "@odata.type": "microsoft.graph.security.fileDetails"
+ },
+ "detectionStatus": "String",
+ "mdeDeviceId": "String"
+}
+```
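Review bot: detectionStatus has no link on its type and no values table, unlike the enums in deviceEvidence, so the difference between `detected`, `blocked` and `prevented` is left undefined for anyone building response logic on it. Add a "detectionStatus values" section in the same style. The description is also missing a space in "detection.The possible values".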
v1.0 Security Incident https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-incident.md
+
+ Title: "incident resource type"
+description: "An incident in Microsoft 365 Defender is a collection of correlated alerts and associated metadata that reflects the story of an attack."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# incident resource type
+
+Namespace: microsoft.graph.security
++
+An incident in Microsoft 365 Defender is a collection of correlated [alert](../resources/security-alert.md) instances and associated metadata that reflects the story of an attack in a tenant.
+
+Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.
+Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.
+
+## Methods
+|Method|Return type|Description|
+|:|:|:|
+|[List incidents](../api/security-list-incidents.md)|[microsoft.graph.security.incident](../resources/security-incident.md) collection|Get a list of [incident](../resources/security-incident.md) objects that Microsoft 365 Defender has created to track attacks in an organization.|
+|[Get incident](../api/security-incident-get.md)|[microsoft.graph.security.incident](../resources/security-incident.md)|Read the properties and relationships of an [incident](../resources/security-incident.md) object.|
+|[Update incident](../api/security-incident-update.md)|[microsoft.graph.security.incident](../resources/security-incident.md)|Update the properties of an [incident](../resources/security-incident.md) object.|
++
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|id|String|Unique identifier to represent the incident.|
+|displayName|String|The incident name.|
+|assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.|
+|classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
+|comments|[microsoft.graph.security.alertComment](security-alertcomment.md) collection|Array of comments created by the Security Operations (SecOps) team when the incident is managed.|
+|createdDateTime|DateTimeOffset|Time when the incident was first created.|
+|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|
+|tenantId|String|The Azure Active Directory tenant in which the alert was created.|
+|incidentWebUrl|String|The URL for the incident page in the Microsoft 365 Defender portal.|
+|lastUpdateDateTime|DateTimeOffset|Time when the incident was last updated.|
+|redirectIncidentId|String|Only populated in case an incident is grouped together with another incident, as part of the logic that processes incidents. In such a case, the **status** property is `redirected`. |
+|severity|alertSeverity|Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.|
+|status|[microsoft.graph.security.incidentStatus](#incidentstatus-values)|The status of the incident. Possible values are: `active`, `resolved`, `redirected`, `unknownFutureValue`.|
+|tags|String collection|Array of custom tags associated with an incident.|
++
+### incidentStatus values
+
+| Member | Description |
+| :-| :-- |
+| active | The incident is in active state. |
+| resolved | The incident is in resolved state. |
+| redirected | The incident was merged with another incident. The target incident ID appears in the **redirectIncidentId** property. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use. |
+++
+## Relationships
+|Relationship|Type|Description|
+|:|:|:|
+|alerts|[microsoft.graph.security.alert](security-alert.md) collection|The list of related alerts. Supports `$expand`.|
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "keyProperty": "id",
+ "@odata.type": "microsoft.graph.security.incident",
+ "baseType": "microsoft.graph.entity",
+ "openType": false
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.incident",
+ "id": "String (identifier)",
+ "incidentWebUrl": "String",
+ "tenantId": "String",
+ "redirectIncidentId": "String",
+ "displayName": "String",
+ "createdDateTime": "String (timestamp)",
+ "lastUpdateDateTime": "String (timestamp)",
+ "assignedTo": "String",
+ "classification": "String",
+ "determination": "String",
+ "status": "String",
+ "severity": "String",
+ "tags": [
+ "String"
+ ],
+ "comments": [
+ {
+ "@odata.type": "microsoft.graph.security.alertComment"
+ }
+ ]
+}
+```
+
+<!--
+{
+ "type": "#page.annotation",
+ "namespace": "microsoft.graph.security"
+}
+-->
v1.0 Security Ipevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-ipevidence.md
+
+ Title: "ipEvidence resource type"
+description: "An IP Address that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
+++
+# ipEvidence resource type
+
+Namespace: microsoft.graph.security
++
+An IP Address that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|ipAddress|String|The value of the IP Address, can be either in V4 address or V6 address format.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.ipEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.ipEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "ipAddress": "String"
+}
+```
v1.0 Security Loggedonuser https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-loggedonuser.md
+
+ Title: "loggedOnUser resource type"
+description: "User that was loggen on the machine during the time of the alert."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# loggedOnUser resource type
+
+Namespace: microsoft.graph.security
++
+User that was loggen on the machine during the time of the alert.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|accountName|String|User account name of the logged-on user.|
+|domainName|String|User account domain of the logged-on user.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.loggedOnUser"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.loggedOnUser",
+ "accountName": "String",
+ "domainName": "String"
+}
+```
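Review bot: The JSON representation declares `"@odata.type": "#microsoft.graph.loggedOnUser"`, which drops the `security` segment that appears in the resource metadata comment directly above it (`microsoft.graph.security.loggedOnUser`) and in the stated namespace; it should read `#microsoft.graph.security.loggedOnUser` so that clients matching on the type string see the same value the schema declares. The front-matter description and the summary sentence also both say "loggen on", which should be "logged on".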
v1.0 Security Mailboxevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-mailboxevidence.md
+
+ Title: "mailboxEvidence resource type"
+description: "A mailbox that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# mailboxEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A mailbox that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|The name associated with the mailbox.|
+|primaryAddress|String|The primary email address of the mailbox.|
+|userAccount|[microsoft.graph.security.userAccount](../resources/security-useraccount.md)|The user account of the mailbox.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.mailboxEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.mailboxEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "primaryAddress": "String",
+ "displayName": "String",
+ "userAccount": {
+ "@odata.type": "microsoft.graph.security.userAccount"
+ }
+}
+```
v1.0 Security Mailclusterevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-mailclusterevidence.md
+
+ Title: "mailClusterEvidence resource type"
+description: "A mail cluster that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
+
+# mailClusterEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A group or cluster of emails that is created or identified based on a machine learning or AI model in relation to a malicious email that is reported in the alert as evidence.
+The mail cluster is suspicious and the emails may be malicious and if so are expected to be remediated.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|clusterBy|String|The clustering logic of the emails inside the cluster.|
+|clusterByValue|String|The value utilized to cluster the similar emails.|
+|emailCount|Int64|Count of emails in the email cluster.|
+|networkMessageIds|String collection|Unique identifiers for the emails in the cluster, generated by Microsoft 365.|
+|query|String|The query used to identify the email cluster.|
+|urn|String|Uniform resource name (URN) of the automated investigation where the cluster was identified.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.mailClusterEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.mailClusterEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "clusterBy": "String",
+ "clusterByValue": "String",
+ "query": "String",
+ "urn": "String",
+ "emailCount": "Integer",
+ "networkMessageIds": [
+ "String"
+ ]
+}
+```
+
v1.0 Security Oauthapplicationevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-oauthapplicationevidence.md
+
+ Title: "oauthApplicationEvidence resource type"
+description: "An OAuth application that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# oauthApplicationEvidence resource type
+
+Namespace: microsoft.graph.security
++
+An OAuth application that is reported in the alert.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|appId|String|Unique identifier of the application.|
+|displayName|String|Name of the application.|
+|objectId|String|The unique identifier of the application object in Azure AD.|
+|publisher|String|The name of the application publisher.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.oauthApplicationEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.oauthApplicationEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "appId": "String",
+ "displayName": "String",
+ "objectId": "String",
+ "publisher": "String"
+}
+```
v1.0 Security Processevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-processEvidence.md
+
+ Title: "processEvidence resource type"
+description: "A process that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# processEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A process that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|detectionStatus|microsoft.graph.security.detectionStatus|The status of the detection.The possible values are: `detected`, `blocked`, `prevented`, `unknownFutureValue`.|
+|imageFile|[microsoft.graph.security.fileDetails](../resources/security-filedetails.md)|Image file details.|
+|mdeDeviceId|String|A unique identifier assigned to a device by Microsoft Defender for Endpoint.|
+|parentProcessCreationDateTime|DateTimeOffset|Date and time when the parent of the process was created.|
+|parentProcessId|Int64|Process ID (PID) of the parent process that spawned the process.|
+|parentProcessImageFile|[microsoft.graph.security.fileDetails](../resources/security-filedetails.md)|Parent process image file details.|
+|processCommandLine|String|Command line used to create the new process.|
+|processCreationDateTime|DateTimeOffset|Date and time the process was created.|
+|processId|Int64|Process ID (PID) of the newly created process.|
+|userAccount|[microsoft.graph.security.userAccount](../resources/security-useraccount.md)|User details of the user that ran the process.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.processEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.processEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "processId": "Integer",
+ "parentProcessId": "Integer",
+ "processCommandLine": "String",
+ "processCreationDateTime": "String (timestamp)",
+ "parentProcessCreationDateTime": "String (timestamp)",
+ "detectionStatus": "String",
+ "mdeDeviceId": "String",
+ "imageFile": {
+ "@odata.type": "microsoft.graph.security.fileDetails"
+ },
+ "parentProcessImageFile": {
+ "@odata.type": "microsoft.graph.security.fileDetails"
+ },
+ "userAccount": {
+ "@odata.type": "microsoft.graph.security.userAccount"
+ }
+}
+```
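Review bot: In the Properties table, the **detectionStatus** row runs two sentences together ("The status of the detection.The possible values are") and gives its type as plain text, whereas the incident **status** and vmMetadata **cloudProvider** rows added in the same change link to a values table on their own page. Add the missing space, and either link the type to a `detectionStatus values` section or describe `detected`, `blocked` and `prevented` in place, since the distinction between blocked and prevented matters to anyone triaging on this field.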
v1.0 Security Registrykeyevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-registrykeyevidence.md
+
+ Title: "registryKeyEvidence resource type"
+description: "A registry key that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# registryKeyEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A registry key that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|registryHive|String|Registry hive of the key that the recorded action was applied to.|
+|registryKey|String|Registry key that the recorded action was applied to.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.registryKeyEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.registryKeyEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "registryKey": "String",
+ "registryHive": "String"
+}
+```
v1.0 Security Registryvalueevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-registryvalueevidence.md
+
+ Title: "registryValueEvidence resource type"
+description: "A registry value that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# registryValueEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A registry value that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|registryHive|String|Registry hive of the key that the recorded action was applied to.|
+|registryKey|String|Registry key that the recorded action was applied to.|
+|registryValue|String|Data of the registry value that the recorded action was applied to.|
+|registryValueName|String|Name of the registry value that the recorded action was applied to.|
+|registryValueType|String|Data type, such as binary or string, of the registry value that the recorded action was applied to.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.registryValueEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.registryValueEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "registryKey": "String",
+ "registryHive": "String",
+ "registryValue": "String",
+ "registryValueName": "String",
+ "registryValueType": "String"
+}
+```
v1.0 Security Securitygroupevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-securitygroupevidence.md
+
+ Title: "securityGroupEvidence resource type"
+description: "A security group that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# securityGroupEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A security group that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|displayName|String|The name of the security group.|
+|securityGroupId|String|Unique identifier of the security group.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.securityGroupEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.securityGroupEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "securityGroupId": "String",
+ "displayName": "String"
+}
+```
v1.0 Security Urlevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-urlevidence.md
+
+ Title: "urlEvidence resource type"
+description: "A url that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# urlEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A URL that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|url|String|The Unique Resource Locator (URL).|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.urlEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.urlEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "url": "String"
+}
+```
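Review bot: The **url** property description expands URL as "Unique Resource Locator"; the standard expansion is Uniform Resource Locator. The front-matter description also writes "A url" in lowercase while the body sentence writes "A URL"; use the uppercase form in both.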
v1.0 Security Useraccount https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-useraccount.md
+
+ Title: "userAccount resource type"
+description: "User account common properties."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# userAccount resource type
+
+Namespace: microsoft.graph.security
++
+User account common properties.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|accountName|String|The user account's displayed name.|
+|azureAdUserId|String|The user object identifier in Azure AD.|
+|domainName|String|The name of the Active Directory domain of which the user is a member.|
+|userPrincipalName|String|The user principal name of the account in Azure AD.|
+|userSid|String|The local security identifier of the user account.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.userAccount"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.userAccount",
+ "accountName": "String",
+ "domainName": "String",
+ "userSid": "String",
+ "azureAdUserId": "String",
+ "userPrincipalName": "String"
+}
+```
v1.0 Security Userevidence https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-userevidence.md
+
+ Title: "userEvidence resource type"
+description: "A user that is reported in the alert as evidence."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# userEvidence resource type
+
+Namespace: microsoft.graph.security
++
+A user that is reported in the alert as evidence.
+
+Inherits from [alertEvidence](../resources/security-alertevidence.md).
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|userAccount|[microsoft.graph.security.userAccount](../resources/security-useraccount.md)|The user account details.|
+
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.userEvidence"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.userEvidence",
+ "createdDateTime": "String (timestamp)",
+ "verdict": "String",
+ "remediationStatus": "String",
+ "remediationStatusDetails": "String",
+ "roles": [
+ "String"
+ ],
+ "tags": [
+ "String"
+ ],
+ "userAccount": {
+ "@odata.type": "microsoft.graph.security.userAccount"
+ }
+}
+```
v1.0 Security Vmmetadata https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security-vmmetadata.md
+
+ Title: "vmMetadata resource type"
+description: "Metadata of the Virtual Machine (VM) Microsoft Defender for Endpoint is running on."
Last updated : 09/09/2021+
+ms.localizationpriority: medium
++
+# vmMetadata resource type
+
+Namespace: microsoft.graph.security
++
+Metadata of the virtual machine (VM) Microsoft Defender for Endpoint is running on.
+
+## Properties
+|Property|Type|Description|
+|:|:|:|
+|cloudProvider|[microsoft.graph.security.vmCloudProvider](#vmcloudprovider-values)|The cloud provider hosting the virtual machine. The possible values are: `unknown`, `azure`, `unknownFutureValue`.|
+|resourceId|String|Unique identifier of the Azure resource.|
+|subscriptionId|String|Unique identifier of the Azure subscription the customer tenant belongs to.|
+|vmId|String|Unique identifier of the virtual machine instance.|
++
+### vmCloudProvider values
+
+| Member | Description |
+| :--| : |
+| unknown | Unknown provider. |
+| azure | The virtual machine is hosted in the Microsoft Azure cloud. |
+| unknownFutureValue | Evolvable enumeration sentinel value. Do not use.|
++
+## Relationships
+None.
+
+## JSON representation
+The following is a JSON representation of the resource.
+<!-- {
+ "blockType": "resource",
+ "@odata.type": "microsoft.graph.security.vmMetadata"
+}
+-->
+``` json
+{
+ "@odata.type": "#microsoft.graph.security.vmMetadata",
+ "vmId": "String",
+ "cloudProvider": "String",
+ "resourceId": "String",
+ "subscriptionId": "String"
+}
+```
v1.0 Security https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/beta/resources/security.md
None.
## Relationships |Relationship|Type|Description| |:|:|:|
-|alerts|[alert](../resources/alert.md) collection|Notifications for suspicious or potential security issues in a customerΓÇÖs tenant.|
+|alerts |[alert](../resources/alert.md) collection|Notifications for suspicious or potential security issues in a customerΓÇÖs tenant.|
+|alerts_v2 | [microsoft.graph.security.alert](security-alert.md) collection | A collection of alerts in Microsoft 365 Defender.|
|attackSimulation|[attackSimulationRoot](../resources/attacksimulationroot.md)|Provides tenants capability to launch a simulated and realistic phishing attack and learn from it.|
-|securityactions|[securityAction](../resources/securityaction.md)|Actions that respond to alerts to block malicious activities.|
+|incidents | [microsoft.graph.security.incident](security-incident.md) collection | A collection of incidents in Microsoft 365 Defender, each of which is a set of correlated alerts and associated metadata that reflects the story of an attack.|
+|secureScores | [secureScore](securescores.md) collection | Measurements of tenantsΓÇÖ security posture to help protect them from threats. |
+|securityactions|[securityAction](../resources/securityaction.md) collection|Actions that respond to alerts to block malicious activities.|
|tiindicators|[tiIndicator](../resources/tiindicator.md) collection|Threat indicators sent to Microsoft that identify malicious activities.| |threatSubmission|[security.threatSubmission](../resources/security-threatsubmission.md)|A threat submission sent to Microsoft; for example, a suspicious email threat, URL threat, or file threat.|
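Review bot: The three added rows (`alerts_v2`, `incidents`, `secureScores`) link to `security-alert.md`, `security-incident.md` and `securescores.md` without the `../resources/` prefix that every other row in this Relationships table uses; pick one path form for the whole table so the links resolve the same way. With both `alerts` and `alerts_v2` now listed, the `alerts` description should also say how it differs from the Microsoft 365 Defender collection, since the two rows otherwise read as overlapping.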
v1.0 Appconsentapprovalroute List Appconsentrequests https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/appconsentapprovalroute-list-appconsentrequests.md
Content-Type: application/json
#### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "list_appconsentrequest_userconsentrequest_InProgress"
Content-Type: application/json
GET https://graph.microsoft.com/v1.0/identityGovernance/appConsent/appConsentRequests?$filter=userConsentRequests/any (u:u/status eq 'InProgress') ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ #### Response The following is an example of the response. The response object includes all **appConsentRequest** objects that have at least one **userConsentRequest** that's `InProgress`, but doesn't expand the related **userConsentRequests** relationship.
Content-Type: application/json
} ] }
-```
+```
v1.0 Authentication List Emailmethods https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authentication-list-emailmethods.md
If successful, this method returns a `200 OK` response code and a collection of
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_emailauthenticationmethod_2"
If successful, this method returns a `200 OK` response code and a collection of
GET https://graph.microsoft.com/v1.0/me/authentication/emailMethods ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response The following is an example of the response.
v1.0 Authentication List Passwordmethods https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authentication-list-passwordmethods.md
If successful, this method returns a `200 OK` response code and a collection of
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_passwordmethods"
The following is an example of the request.
GET https://graph.microsoft.com/v1.0/me/authentication/passwordMethods ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response The following is an example of the response.
v1.0 Authentication List Phonemethods https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authentication-list-phonemethods.md
If successful, this method returns a `200 OK` response code and a collection of
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_phonemethods"
The following is an example of the request.
GET https://graph.microsoft.com/v1.0/me/authentication/phoneMethods ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Authentication List Softwareoathmethods https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authentication-list-softwareoathmethods.md
If successful, this method returns a `200 OK` response code and a collection of
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "list_softwareoathauthenticationmethod"
If successful, this method returns a `200 OK` response code and a collection of
GET https://graph.microsoft.com/v1.0/me/authentication/softwareOathMethods ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Authentication Post Emailmethods https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authentication-post-emailmethods.md
If successful, this method returns a `201 Created` response code and a new [emai
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "create_emailauthenticationmethod_from_"
Content-Type: application/json
} ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response
v1.0 Authentication Post Phonemethods https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/authentication-post-phonemethods.md
If successful, this method returns a `201 Created` response code and a new [phon
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "create_phoneauthenticationmethod_from_authentication"
Content-type: application/json
} ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Contenttype Ispublished https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/contenttype-ispublished.md
-+ Title: "contentType: isPublished" description: "Check the publishing status of a content type in a content type hub site." ms.localizationpriority: medium
One of the following permissions is required to call this API. To learn more, in
|Permission type | Permissions (from least to most privileged) | |:--|:| |Delegated (work or school account) | Sites.FullControl.All |
-|Delegated (personal Microsoft account) | Not Supported |
+|Delegated (personal Microsoft account) | Not supported. |
|Application | Sites.FullControl.All | ## HTTP request
GET /sites/{siteId}/contentTypes/{contentTypeId}/isPublished
|Authorization|Bearer {token}. Required.| ## Response
-If successful, this call returns a `200 OK` response and a Boolean value that specifies the publishing status of the content type.
+If successful, this method returns a `200 OK` response code and a Boolean value that specifies the publishing status of the content type.
## Request body Do not supply a request body for this method.
Do not supply a request body for this method.
### Request
+The following is an example of a request.
# [HTTP](#tab/http) <!-- {
GET https://graph.microsoft.com/v1.0/sites/{siteId}/contentTypes/{contentTypeId}
### Response+
+The following is an example of the response.
+ <!-- { "blockType": "response", "truncated": true,
v1.0 Directoryobject Getbyids https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/directoryobject-getbyids.md
POST https://graph.microsoft.com/v1.0/directoryObjects/getByIds
Content-type: application/json {
- "ids":["84b80893874940a3-97b7-68513b600544","5d6059b6368d-45f8-91e18e07d485f1d0"],
- "types":["user"]
+ "ids": [
+ "84b80893-8749-40a3-97b7-68513b600544",
+ "5d6059b6-368d-45f8-91e1-8e07d485f1d0",
+ "0b944de3-e0fc-4774-a49a-b135213725ef",
+ "b75a5ab2-fe55-4463-bd31-d21ad555c6e0"
+ ],
+ "types": [
+ "user",
+ "group",
+ "device"
+ ]
} ```
Content-type: application/json
}, { "@odata.type": "#microsoft.graph.user",
- "id": "84b80893-8749-40a3-97b7-68513b600544",
+ "id": "5d6059b6-368d-45f8-91e1-8e07d485f1d0",
"accountEnabled": true, "displayName": "Billy Smith"
+ },
+ {
+ "@odata.type": "#microsoft.graph.group",
+ "id": "0b944de3-e0fc-4774-a49a-b135213725ef",
+ "description": "Pineview School Staff",
+ "groupTypes": [
+ "Unified"
+ ]
+ },
+ {
+ "@odata.type": "#microsoft.graph.device",
+ "id": "b75a5ab2-fe55-4463-bd31-d21ad555c6e0",
+ "dipslayName": "e8ba4e98c000002",
+ "deviceId": "4c299165-6e8f-4b45-a5ba-c5d250a707ff"
} ] }
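Review bot: In the added device object of the response example, the key is spelled `"dipslayName"`; it should be `"displayName"`, matching the user object earlier in the same response. Readers copy these examples into parsers and tests, so a misspelled key here ends up as a field that never matches.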
v1.0 Documentsetversion Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/documentsetversion-delete.md
If successful, this method returns a `204 No Content` response code.
The following is an example of a request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "delete_documentsetversion",
The following is an example of a request.
DELETE https://graph.microsoft.com/v1.0/sites/root/lists/Documents/items/2/documentSetVersions/1 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response
v1.0 Documentsetversion Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/documentsetversion-get.md
If successful, this method returns a `200 OK` response code and a [documentSetVe
The following is an example of a request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_documentsetversion",
The following is an example of a request.
GET https://graph.microsoft.com/v1.0/sites/root/lists/Documents/items/2/documentSetVersions/1 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response
v1.0 Documentsetversion Restore https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/documentsetversion-restore.md
If successful, this action returns a `204 No Content` response code.
The following is an example of a request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "documentsetversionthis.restore",
The following is an example of a request.
POST https://graph.microsoft.com/v1.0/sites/root/lists/Documents/items/2/documentSetVersions/1/restore ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response The following is an example of the response.
v1.0 Emailauthenticationmethod Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/emailauthenticationmethod-delete.md
If successful, this method returns a `204 No Content` response code. It does not
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "delete_emailauthenticationmethod"
If successful, this method returns a `204 No Content` response code. It does not
DELETE https://graph.microsoft.com/v1.0/users/kim@contoso.com/authentication/emailMethods/3ddfcfc8-9383-446f-83cc-3ab9be4be18f ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Emailauthenticationmethod Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/emailauthenticationmethod-get.md
If successful, this method returns a `200 OK` response code and the requested [e
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_emailauthenticationmethod_1"
If successful, this method returns a `200 OK` response code and the requested [e
GET https://graph.microsoft.com/v1.0/me/authentication/emailMethods/3ddfcfc8-9383-446f-83cc-3ab9be4be18f ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Emailauthenticationmethod Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/emailauthenticationmethod-update.md
If successful, this method returns a `204 No Content` response code.
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "update_emailauthenticationmethod"
Content-Type: application/json
} ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Identitycontainer Post Identityproviders https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/identitycontainer-post-identityproviders.md
Content-type: application/json
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php)
v1.0 Identityprovider List Availableprovidertypes https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/identityprovider-list-availableprovidertypes.md
GET https://graph.microsoft.com/v1.0/identityProviders/availableProviderTypes
[!INCLUDE [sample-code](../includes/snippets/go/identityprovider-availableprovidertypes-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
-# [PowerShell](#tab/powershell)
- # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/identityprovider-availableprovidertypes-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Identityproviderbase Availableprovidertypes https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/identityproviderbase-availableprovidertypes.md
GET https://graph.microsoft.com/v1.0/identity/identityProviders/availableProvide
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php)
v1.0 List List Operations https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/list-list-operations.md
GET https://graph.microsoft.com/v1.0/sites/root/lists/Documents
[!INCLUDE [sample-code](../includes/snippets/go/list-richlongrunningoperation-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-richlongrunningoperation-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Listitem List Documentsetversions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/listitem-list-documentsetversions.md
If successful, this method returns a `200 OK` response code and a collection of
The following is an example of a request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "list_documentsetversion",
The following is an example of a request.
GET https://graph.microsoft.com/v1.0/sites/root/lists/Documents/items/1/documentSetVersions ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response
v1.0 Listitem Post Documentsetversions https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/listitem-post-documentsetversions.md
If successful, this method returns a `201 Created` response code and a [document
The following is an example of a request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "create_documentsetversion",
Content-length: 70
} ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response
v1.0 Longrunningoperation Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/longrunningoperation-get.md
If successful, this method returns a `200 OK` response code and the requested [l
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_longrunningoperation"
The following is an example of the request.
GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/authentication/operations/{id} ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response The following is an example of the response.
v1.0 Passwordauthenticationmethod Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/passwordauthenticationmethod-get.md
If successful, this method returns a `200 OK` response code and the requested [p
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_passwordauthenticationmethod"
The following is an example of the request.
GET https://graph.microsoft.com/v1.0/me/authentication/passwordMethods/28c10230-6103-485e-b985-444c60001490 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++ ### Response
v1.0 Phoneauthenticationmethod Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/phoneauthenticationmethod-delete.md
If successful, this method returns a `204 No Content` response code. It does not
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "delete_phoneauthenticationmethod"
The following is an example of the request.
DELETE https://graph.microsoft.com/v1.0/me/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Phoneauthenticationmethod Disablesmssignin https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/phoneauthenticationmethod-disablesmssignin.md
The following example shows how to call this API.
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "phoneauthenticationmethod_disablesmssignin"
The following is an example of the request.
POST https://graph.microsoft.com/v1.0/me/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7/disableSmsSignIn ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Phoneauthenticationmethod Enablesmssignin https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/phoneauthenticationmethod-enablesmssignin.md
The following example shows how to call this API.
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "phoneauthenticationmethod_enablesmssignin"
The following is an example of the request.
POST https://graph.microsoft.com/v1.0/me/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7/enableSmsSignIn ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Phoneauthenticationmethod Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/phoneauthenticationmethod-get.md
If successful, this method returns a `200 OK` response code and the requested [p
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_phoneauthenticationmethod"
The following is an example of the request.
GET https://graph.microsoft.com/v1.0/me/authentication/phoneMethods/3179e48a-750b-4051-897c-87b9720928f7 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Phoneauthenticationmethod Update https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/phoneauthenticationmethod-update.md
If successful, this method returns a `204 No Content` response code and an updat
The following is an example of the request. +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "update_phoneauthenticationmethod"
Content-type: application/json
} ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
HTTP/1.1 204 No Content
"keywords": "", "section": "documentation", "tocPath": ""
-}-->
+}-->
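Review bot: The context sentence above the new tabs reads "returns a `204 No Content` response code and an updat" (cut off here), while the response example in this same file is just `HTTP/1.1 204 No Content`. A 204 response carries no body, so if that sentence goes on to promise a returned object, it should stop at the status code. Callers who write code to parse a body from this call will otherwise be misled. Separately, the `-}-->` / `+}-->` pair at the end is identical as shown, so it looks like a whitespace or line-ending change only. Confirm it is intentional, or drop it from the commit.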
v1.0 Post Post Attachments https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/post-post-attachments.md
Content-type: application/json
[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PowerShell](#tab/powershell) [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] # [PHP](#tab/php)
v1.0 Security Ediscoverycase List Noncustodialdatasources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/security-ediscoverycase-list-noncustodialdatasources.md
GET https://graph.microsoft.com/v1.0/security/cases/ediscoveryCases/b0073e4e-418
[!INCLUDE [sample-code](../includes/snippets/go/create-ediscoverynoncustodialdatasource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-ediscoverynoncustodialdatasource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Ediscoverycase Post Noncustodialdatasources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/security-ediscoverycase-post-noncustodialdatasources.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-ediscoverynoncustodialdatasource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-ediscoverynoncustodialdatasource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Security Ediscoverysearch Post Noncustodialsources https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/security-ediscoverysearch-post-noncustodialsources.md
Content-Type: application/json
[!INCLUDE [sample-code](../includes/snippets/go/create-ediscoverynoncustodialdatasource-from--go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/create-ediscoverynoncustodialdatasource-from--php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Site List Operations https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/site-list-operations.md
GET https://graph.microsoft.com/v1.0/sites/root/operations
[!INCLUDE [sample-code](../includes/snippets/go/list-richlongrunningoperation-go-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
+# [PowerShell](#tab/powershell)
+ # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/list-richlongrunningoperation-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)]
v1.0 Softwareoathauthenticationmethod Delete https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/softwareoathauthenticationmethod-delete.md
If successful, this method returns a `204 No Content` response code.
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "delete_softwareoathauthenticationmethod"
If successful, this method returns a `204 No Content` response code.
DELETE https://graph.microsoft.com/v1.0/users/kim@contoso.com/authentication/softwareOathMethods/b172893e-893e-b172-3e89-72b13e8972b1 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Softwareoathauthenticationmethod Get https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/api/softwareoathauthenticationmethod-get.md
If successful, this method returns a `200 OK` response code and a [softwareOathA
### Request +
+# [HTTP](#tab/http)
<!-- { "blockType": "request", "name": "get_softwareoathauthenticationmethod"
If successful, this method returns a `200 OK` response code and a [softwareOathA
GET https://graph.microsoft.com/v1.0/me/authentication/softwareOathMethods/b172893e-893e-b172-3e89-72b13e8972b1 ```
+# [C#](#tab/csharp)
+
+# [JavaScript](#tab/javascript)
+
+# [Java](#tab/java)
+
+# [Go](#tab/go)
+
+# [PowerShell](#tab/powershell)
+
+# [PHP](#tab/php)
++++
v1.0 Alert https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/alert.md
doc_type: resourcePageType
Namespace: microsoft.graph
-Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Use alerts to unify and streamline security issue management across all integrated solutions. To learn more, see the sample queries in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+Represents potential security issues within a customer's tenant that Microsoft or partner security solutions have identified. Use alerts to unify and streamline security issue management across all integrated solutions.
-Alerts can be retrieved from different security providers listed in the [Microsoft Graph Security Overview](security-api-overview.md).
+Alerts can be retrieved from different security providers listed in [Use the Microsoft Graph security API](security-api-overview.md). To learn more, see the sample queries in [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
## Methods
v1.0 Security Api Overview https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/security-api-overview.md
Title: "Use the Microsoft Graph Security API"
-description: "The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners."
+ Title: "Use the Microsoft Graph security API"
+description: "The Microsoft Graph security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners."
ms.localizationpriority: high ms.prod: "security" doc_type: conceptualPageType
-# Use the Microsoft Graph Security API
+# Use the Microsoft Graph security API
-The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses. Use the Microsoft Graph Security API to build applications that:
+The Microsoft Graph security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph security API federates queries to all onboarded security providers and aggregates responses. Use the Microsoft Graph security API to build applications that:
-- Consolidate and correlate security alerts from multiple sources-- Unlock contextual data to inform investigations-- Automate security tasks, business processes, workflows, and reporting-- Send threat indicators to Microsoft products for customized detections-- Invoke actions to in response to new threats-- Provide visibility into security data to enable proactive risk management
+- Consolidate and correlate security alerts from multiple sources.
+- Unlock contextual data to inform investigations.
+- Automate security tasks, business processes, workflows, and reporting.
+- Send threat indicators to Microsoft products for customized detections.
+- Invoke actions to in response to new threats.
+- Provide visibility into security data to enable proactive risk management.
-The Microsoft Graph Security API includes the following key entities.
+The Microsoft Graph security API provides key features as described in the following sections.
## Alerts
-Alerts are potential security issues within a customer's tenant that Microsoft or partner security solutions have identified and flagged for action or notification. With the Microsoft Graph Security [alerts](alert.md) entity, you can unify and streamline management of security issues across all integrated solutions. This also enables applications to correlate alerts and context to improve threat protection and response. With the alert update capability, you can sync the status of specific alerts across different security products and services that are integrated with the Microsoft Graph Security API by updating your [alerts](alert.md) entity.
+Alerts are potential security issues within a customer's tenant that Microsoft or partner security providers have identified and flagged for action or notification.
-Alerts from the following providers are available via the Microsoft Graph Security API. Support for GET alerts, PATCH alerts, and Subscribe (via webhooks) is indicated in the following table.
+The v1.0 version of the security API offers the [alert](alert.md) resource which federates calling of supported Azure and Microsoft 365 Defender security providers. This **alert** resource aggregates alert data thatΓÇÖs common among the different domains to allow applications to unify and streamline management of security issues across all integrated solutions. This enables applications to correlate alerts and context to improve threat protection and response.
+
+With the alert update capability, you can sync the status of specific alerts across different security products and services that are integrated with the Microsoft Graph security API by updating your **alert** entity.
+
+Alerts from the following providers are available via this **alert** resource. Support for GET alerts, PATCH alerts, and subscribe (via webhooks) is indicated in the following table.
| Security provider | <p align="center">GET alert</p>| <p align="center">PATCH alert</p>| <p align="center">Subscribe to alert</p>| |:|:|:--|:|
-|[Microsoft Defender for Cloud](/azure/defender-for-cloud/alerts-overview)| <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> |
|[Azure Active Directory Identity Protection](/azure/active-directory/identity-protection/playbook) | <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
+|[Azure Information Protection](/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-a-security-provider-for-microsoft-graph-securityhow-does-this-work-and-what-alerts-will-i-receive) **(preview)**| <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
+|Microsoft 365 <ul><li> [Default](/office365/securitycompliance/alert-policies#default-alert-policies)</li> <li>[Cloud App Security](/office365/securitycompliance/anomaly-detection-policies-in-ocas)</li><li>Custom Alert</li></ul> | <p align="center">&#x2713;</p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> |
| [Microsoft Defender for Cloud Apps](/cloud-app-security/monitor-alerts) | <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> | |[Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/attack-simulations) **| <p align="center">&#x2713;</p> | <p align="center">&#x2713;</p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> | |[Microsoft Defender for Identity](/defender-for-identity/understanding-security-alerts#security-alert-categories) ***| <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
-|Microsoft 365 <ul><li> [Default](/office365/securitycompliance/alert-policies#default-alert-policies)</li> <li>[Cloud App Security](/office365/securitycompliance/anomaly-detection-policies-in-ocas)</li><li>Custom Alert</li></ul> | <p align="center">&#x2713;</p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> | <p align="center"> [File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) </p> |
-|[Azure Information Protection](/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-a-security-provider-for-microsoft-graph-securityhow-does-this-work-and-what-alerts-will-i-receive) **(preview)**| <p align="center">&#x2713;</p> | <p align="center">[File issue](https://github.com/microsoftgraph/security-api-solutions/issues/new) *</p> | <p align="center">&#x2713;</p> |
-|[Azure Sentinel](/azure/sentinel/quickstart-get-visibility) **(preview)**| <p align="center">&#x2713;</p> | <p align="center">Not supported in Azure Sentinel </p> | <p align="center">&#x2713;</p> |
-> **Note:** New providers are continuously onboarding to the Microsoft Graph Security ecosystem. To request new providers or for extended support from existing providers, [file an issue in the Microsoft Graph Security GitHub repo](https://github.com/microsoftgraph/security-api-solutions/issues/new).
+|[Microsoft Sentinel](/azure/sentinel/quickstart-get-visibility) (formerly Azure Sentinel)| <p align="center">&#x2713;</p> | <p align="center">Not supported in Microsoft Sentinel </p> | <p align="center">&#x2713;</p> |
+> **Note:** New providers are continuously onboarding to the Microsoft Graph security ecosystem. To request new providers or for extended support from existing providers, [file an issue in the Microsoft Graph security GitHub repo](https://github.com/microsoftgraph/security-api-solutions/issues/new).
-\* File issue: Alert status gets updated across Microsoft Graph Security API integrated applications but not reflected in the providerΓÇÖs management experience.
+\* File issue: Alert status gets updated across Microsoft Graph security API integrated applications but not reflected in the providerΓÇÖs management experience.
-\*\* Microsoft Defender for Endpoint requires additional [user roles](/windows/security/threat-protection/microsoft-defender-atp/user-roles) to those required by the Microsoft Graph Security API. Only the users in both Microsoft Defender for Endpoint and Microsoft Graph Security API roles can have access to the Microsoft Defender for Endpoint data. Because application-only authentication is not limited by this, we recommend that you use an application-only authentication token.
+\*\* Microsoft Defender for Endpoint requires additional [user roles](/windows/security/threat-protection/microsoft-defender-atp/user-roles) to those required by the Microsoft Graph security API. Only the users in both Microsoft Defender for Endpoint and Microsoft Graph security API roles can have access to the Microsoft Defender for Endpoint data. Because application-only authentication is not limited by this, we recommend that you use an application-only authentication token.
\*\*\* Microsoft Defender for Identity alerts are available via the Microsoft Defender for Cloud Apps integration. This means you will get Microsoft Defender for Identity alerts only if you have joined Unified SecOps and connected Microsoft Defender for Identity into Microsoft Defender for Cloud Apps. Learn more about [how to integrate Microsoft Defender for Identity and Microsoft Defender for Cloud Apps](/defender-for-identity/mcas-integration).
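Review bot: In the provider table, the `Microsoft Defender for Cloud` row is removed and no `+` line in the visible change adds it back. The Azure Information Protection and Microsoft 365 rows are only moved, and the Sentinel row is only renamed. If Defender for Cloud alerts are still served by the v1.0 **alert** resource, restore the row. If they are not, say so explicitly, because readers use this table to decide which alert sources their integration covers, and a silently missing row looks like a coverage gap. Two smaller points in the same region: the new bullet `+- Invoke actions to in response to new threats.` carries over the "to in response" typo from the old line and should read "Invoke actions in response to new threats." Also, the new paragraph introducing the **alert** resource uses a typographic apostrophe in "that's" that renders garbled here, where the preceding line uses a plain ASCII one in "customer's".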
The Microsoft Graph threat assessment API helps organizations to assess the thre
## Secure Score
-[Microsoft Secure Score](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/A-new-home-and-an-all-new-look-for-Microsoft-Secure-Score/ba-p/529641) is a security analytics solution that gives you visibility into your security portfolio and how to improve it. With a single score, you can better understand what you have done to reduce your risk in Microsoft solutions. You can also compare your score with other organizations and see how your score has been trending over time. The Microsoft Graph Security [secureScore](securescore.md) and [secureScoreControlProfile](securescorecontrolprofile.md) entities help you balance your organization's security and productivity needs while enabling the appropriate mix of security features. You can also project what your score would be after you adopt security features.
+[Microsoft Secure Score](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/A-new-home-and-an-all-new-look-for-Microsoft-Secure-Score/ba-p/529641) is a security analytics solution that gives you visibility into your security portfolio and how to improve it. With a single score, you can better understand what you have done to reduce your risk in Microsoft solutions. You can also compare your score with other organizations and see how your score has been trending over time. The Microsoft Graph security [secureScore](securescore.md) and [secureScoreControlProfile](securescorecontrolprofile.md) entities help you balance your organization's security and productivity needs while enabling the appropriate mix of security features. You can also project what your score would be after you adopt security features.
## Common use cases
-The following are some of the most popular requests for working with the Microsoft Graph Security API:
+The following are some of the most popular requests for working with the Microsoft Graph security API:
| **Use cases** | **REST resources** | **Try it in Graph Explorer** | |:|:--|:-|
The following are some of the most popular requests for working with the Microso
|Update secure score control profiles|[Update secureScoreControlProfile](../api/securescorecontrolprofile-update.md) |[https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles/{id}](https://developer.microsoft.com/graph/graph-explorer?request=security/secureScoreControlProfiles/{id}&method=PATCH&version=v1.0&GraphUrl=https://graph.microsoft.com)|
-You can use Microsoft Graph [webhooks](/graph/webhooks) to subscribe to and receive notifications about updates to Microsoft Graph Security entities.
+You can use Microsoft Graph [webhooks](/graph/webhooks) to subscribe to and receive notifications about updates to Microsoft Graph security entities.
## Resources
-Code and contribute to these Microsoft Graph Security API samples:
+Code and contribute to these Microsoft Graph security API samples:
- [ASP.NET (C#) sample](https://github.com/microsoftgraph/aspnet-security-api-sample) - [Python sample](https://github.com/microsoftgraph/python-security-rest-sample)
Find out about the [latest new features and updates](/graph/whats-new-overview)
## Next steps
-The Microsoft Graph Security API can open up new ways for you to engage with different security solutions from Microsoft and partners. Follow these steps to get started:
+The Microsoft Graph security API can open up new ways for you to engage with different security solutions from Microsoft and partners. Follow these steps to get started:
- Drill down into [alerts](alert.md), [secureScore](securescore.md), and [secureScoreControlProfiles](securescorecontrolprofile.md). - Try the API in the [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). Under **Sample Queries**, choose **show more samples** and set the Security category to **on**.
Need more ideas? See [how some of our partners are using Microsoft Graph](https:
## See also
-[Code and contribute](https://github.com/microsoftgraph/security-api-solutions/blob/master/CONTRIBUTING.md) to these Microsoft Graph Security API samples:
+[Code and contribute](https://github.com/microsoftgraph/security-api-solutions/blob/master/CONTRIBUTING.md) to these Microsoft Graph security API samples:
- [ASP.NET (C#) sample](https://github.com/microsoftgraph/aspnet-security-api-sample) - [Python sample](https://github.com/microsoftgraph/python-security-rest-sample)
Need more ideas? See [how some of our partners are using Microsoft Graph](https:
- [PowerShell sample](https://aka.ms/graphsecuritypowershellsample) - [Other samples or contribute a new sample](https://aka.ms/graphsecurityapicode)
-Explore other options to connect with the Microsoft Graph Security API:
+Explore other options to connect with the Microsoft Graph security API:
-- [Microsoft Graph Security connectors for Logic Apps, Flow and Power Apps](/azure/connectors/connectors-integrate-security-operations-create-api-microsoft-graph-security)
+- [Microsoft Graph security connectors for Logic Apps, Flow and Power Apps](/azure/connectors/connectors-integrate-security-operations-create-api-microsoft-graph-security)
- [Jupyter Notebook samples](https://aka.ms/graphsecurityjupyternotebooks) Engage with the community:
v1.0 Serviceprincipal https://github.com/microsoftgraph/microsoft-graph-docs/commits/main/api-reference/v1.0/resources/serviceprincipal.md
This resource supports using [delta query](/graph/delta-query-overview) to track
|oauth2PermissionScopes|[permissionScope](permissionScope.md) collection|The delegated permissions exposed by the application. For more information see the **oauth2PermissionScopes** property on the [application](application.md) entity's **api** property. Not nullable.| | passwordCredentials | [passwordCredential](passwordcredential.md) collection|The collection of password credentials associated with the application. Not nullable.| |preferredSingleSignOnMode|string|Specifies the single sign-on mode configured for this application. Azure AD uses the preferred single sign-on mode to launch the application from Microsoft 365 or the Azure AD My Apps. The supported values are `password`, `saml`, `notSupported`, and `oidc`.|
+|preferredTokenSigningKeyThumbprint|String|Reserved for internal use only. Do not write or otherwise rely on this property. May be removed in future versions.|
|replyUrls|String collection|The URLs that user tokens are sent to for sign in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application. Not nullable. | |resourceSpecificApplicationPermissions|[resourceSpecificPermission](../resources/resourcespecificpermission.md) collection|The resource-specific application permissions exposed by this application. Currently, resource-specific permissions are only supported for [Teams apps accessing to specific chats and teams](/microsoftteams/platform/graph-api/rsc/resource-specific-consent) using Microsoft Graph. Read-only.| |samlSingleSignOnSettings|[samlSingleSignOnSettings](samlsinglesignonsettings.md)|The collection for settings related to saml single sign-on.|
Here is a JSON representation of the resource
"notes": "String", "oauth2PermissionScopes": [{"@odata.type": "microsoft.graph.permissionScope"}], "passwordCredentials": [{"@odata.type": "microsoft.graph.passwordCredential"}],
+ "preferredTokenSigningKeyThumbprint": "String",
"replyUrls": ["String"], "resourceSpecificApplicationPermissions": [{"@odata.type": "microsoft.graph.resourceSpecificPermission"}], "servicePrincipalNames": ["String"],
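Review bot: The new `preferredTokenSigningKeyThumbprint` row tells callers "Do not write or otherwise rely on this property" but does not say what the service does if a client writes it anyway. State whether the value is read-only, rejected, or ignored on update, the way the neighbouring `resourceSpecificApplicationPermissions` row ends with "Read-only." As written, the JSON representation lists it as a plain `"String"` alongside writable properties, so a client that round-trips the object has no way to tell whether sending it back is safe. This matters more than usual for a property whose name refers to a token signing key. Also, the type is given as `String` here while `preferredSingleSignOnMode` directly above uses `string`. Pick one casing for the table.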