CustomDetection.ReadWrite.All

Allows the app to read and write custom detection rules on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the CustomDetection.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	e0fd9c8d-a12e-4cc9-9827-20c8c3cd6fb8	c34088fb-0649-4714-af0b-bcbfec155897
DisplayText	Read and write all custom detection rules	Read and write custom detection rules
Description	Allows the app to read and write custom detection rules without a signed-in user.	Allows the app to read and write custom detection rules on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /security/rules/detectionRules/{ruleId}
	GET /security/rules/detectionRules
	GET /security/rules/detectionRules/{ruleId}
	PATCH /security/rules/detectionRules/{ruleId}
	POST /security/rules/detectionRules

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaSecurityRuleDetectionRule
	New-MgBetaSecurityRuleDetectionRule
	Remove-MgBetaSecurityRuleDetectionRule
	Update-MgBetaSecurityRuleDetectionRule

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: enums

Graph reference: alert

Property	Type	Description
actorDisplayName	String	The adversary or activity group that is associated with this alert.
additionalData	microsoft.graph.security.dictionary	A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here.
alertPolicyId	String	The ID of the policy that generated the alert, and populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy.
alertWebUrl	String	URL for the Microsoft 365 Defender portal alert page.
assignedTo	String	Owner of the alert, or null if no owner is assigned.
category	String	The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.
classification	microsoft.graph.security.alertClassification	Specifies whether the alert represents a true threat. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.
comments	microsoft.graph.security.alertComment collection	Array of comments created by the Security Operations (SecOps) team during the alert management process.
createdDateTime	DateTimeOffset	Time when Microsoft 365 Defender created the alert.
description	String	String value describing each alert.
detectionSource	microsoft.graph.security.detectionSource	Detection technology or sensor that identified the notable component or activity. Possible values are: `unknown`, `microsoftDefenderForEndpoint`, `antivirus`, `smartScreen`, `customTi`, `microsoftDefenderForOffice365`, `automatedInvestigation`, `microsoftThreatExperts`, `customDetection`, `microsoftDefenderForIdentity`, `cloudAppSecurity`, `microsoft365Defender`, `azureAdIdentityProtection`, `manual`, `microsoftDataLossPrevention`, `appGovernancePolicy`, `appGovernanceDetection`, `unknownFutureValue`, `microsoftDefenderForCloud`, `microsoftDefenderForIoT`, `microsoftDefenderForServers`, `microsoftDefenderForStorage`, `microsoftDefenderForDNS`, `microsoftDefenderForDatabases`, `microsoftDefenderForContainers`, `microsoftDefenderForNetwork`, `microsoftDefenderForAppService`, `microsoftDefenderForKeyVault`, `microsoftDefenderForResourceManager`, `microsoftDefenderForApiManagement`, `microsoftSentinel`, `nrtAlerts`, `scheduledAlerts`, `microsoftDefenderThreatIntelligenceAnalytics`, `builtInMl`. You must use the `Prefer: include-unknown-enum-members` request header to get the following value(s) in this evolvable enum: `microsoftDefenderForCloud`, `microsoftDefenderForIoT`, `microsoftDefenderForServers`, `microsoftDefenderForStorage`, `microsoftDefenderForDNS`, `microsoftDefenderForDatabases`, `microsoftDefenderForContainers`, `microsoftDefenderForNetwork`, `microsoftDefenderForAppService`, `microsoftDefenderForKeyVault`, `microsoftDefenderForResourceManager`, `microsoftDefenderForApiManagement`, `microsoftSentinel`, `nrtAlerts`, `scheduledAlerts`, `microsoftDefenderThreatIntelligenceAnalytics`, `builtInMl`.
detectorId	String	The ID of the detector that triggered the alert.
determination	microsoft.graph.security.alertDetermination	Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedAccount`, `phishing`, `maliciousUserActivity`, `notMalicious`, `notEnoughDataToValidate`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.
evidence	microsoft.graph.security.alertEvidence collection	Collection of evidence related to the alert.
firstActivityDateTime	DateTimeOffset	The earliest activity associated with the alert.
id	String	Unique identifier to represent the alert resource.
incidentId	String	Unique identifier to represent the incident this alert resource is associated with.
incidentWebUrl	String	URL for the incident page in the Microsoft 365 Defender portal.
lastActivityDateTime	DateTimeOffset	The oldest activity associated with the alert.
lastUpdateDateTime	DateTimeOffset	Time when the alert was last updated at Microsoft 365 Defender.
mitreTechniques	Collection(Edm.String)	The attack techniques, as aligned with the MITRE ATT&CK framework.
productName	String	The name of the product which published this alert.
providerAlertId	String	The ID of the alert as it appears in the security provider product that generated the alert.
recommendedActions	String	Recommended response and remediation actions to take in the event this alert was generated.
resolvedDateTime	DateTimeOffset	Time when the alert was resolved.
serviceSource	microsoft.graph.security.serviceSource	The service or product that created this alert. Possible values are: `unknown`, `microsoftDefenderForEndpoint`, `microsoftDefenderForIdentity`, `microsoftDefenderForCloudApps`, `microsoftDefenderForOffice365`, `microsoft365Defender`, `azureAdIdentityProtection`, `microsoftAppGovernance`, `dataLossPrevention`, `unknownFutureValue`, `microsoftDefenderForCloud`, `microsoftSentinel`. You must use the `Prefer: include-unknown-enum-members` request header to get the following value(s) in this evolvable enum: `microsoftDefenderForCloud`, `microsoftSentinel`.
severity	microsoft.graph.security.alertSeverity	Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.
status	microsoft.graph.security.alertStatus	The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.
tenantId	String	The Microsoft Entra tenant the alert was created in.
threatDisplayName	String	The threat associated with this alert.
threatFamilyName	String	Threat family associated with this alert.
title	String	Brief identifying string value describing the alert.
systemTags	String collection	The system tags associated with the alert.

Graph reference: detectionRule

Property	Type	Description
createdBy	String	Name of the user or application that created the rule. Inherited from microsoft.graph.security.protectionRule.
createdDateTime	DateTimeOffset	Timestamp of rule creation. Inherited from microsoft.graph.security.protectionRule.
detectionAction	microsoft.graph.security.detectionAction	Complex type representing the actions taken when a detection is made by this rule.
displayName	String	Name of the rule. Inherited from microsoft.graph.security.protectionRule.
id	String	Unique identifier to represent the rule. Inherited from microsoft.graph.entity.
isEnabled	Boolean	Indicates whether rule is turned on for the tenant. Inherited from microsoft.graph.security.protectionRule.
lastModifiedBy	String	Name of user or application who last updated the rule. Inherited from microsoft.graph.security.protectionRule.
lastModifiedDateTime	DateTimeOffset	Timestamp of when the rule was last updated. Inherited from microsoft.graph.security.protectionRule.
detectorId	String	The ID of the detector that triggered the alert. Also see the 'detectorId' field in microsoft.graph.security.alert.
lastRunDetails	microsoft.graph.security.runDetails	Complex type holding details about the last run of this rule.
queryCondition	microsoft.graph.security.queryCondition	Complex type holding data about the advanced hunting query of this rule.
schedule	microsoft.graph.security.ruleSchedule	Complex type holding data about the triggering schedule of this rule.

Graph reference: organizationalScope

Property	Type	Description
scopeNames	String collection	List of groups to which the custom detection rule applies.
scopeType	microsoft.graph.security.scopeType	The type of the organizational scope. The possible values are: `deviceGroup`, `unknownFutureValue`.

Table of Contents

CustomDetection.ReadWrite.All

Graph Methods

Resources