CustomDetection.ReadWrite.All
Allows the app to read and write custom detection rules on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
CustomDetection.ReadWrite.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | e0fd9c8d-a12e-4cc9-9827-20c8c3cd6fb8 | c34088fb-0649-4714-af0b-bcbfec155897 |
| DisplayText | Read and write all custom detection rules | Read and write custom detection rules |
| Description | Allows the app to read and write custom detection rules without a signed-in user. | Allows the app to read and write custom detection rules on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods |
|---|
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands |
|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: enums
Graph reference: alert
| Property | Type | Description |
|---|---|---|
| actorDisplayName | String | The adversary or activity group that is associated with this alert. |
| additionalData | microsoft.graph.security.dictionary | A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here. |
| alertPolicyId | String | The ID of the policy that generated the alert, and populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy. |
| alertWebUrl | String | URL for the Microsoft 365 Defender portal alert page. |
| assignedTo | String | Owner of the alert, or null if no owner is assigned. |
| category | String | The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. |
| classification | microsoft.graph.security.alertClassification | Specifies whether the alert represents a true threat. Possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue. |
| comments | microsoft.graph.security.alertComment collection | Array of comments created by the Security Operations (SecOps) team during the alert management process. |
| createdDateTime | DateTimeOffset | Time when Microsoft 365 Defender created the alert. |
| customDetails | microsoft.graph.security.dictionary | User defined custom fields with string values. |
| description | String | String value describing each alert. |
| detectionSource | microsoft.graph.security.detectionSource | Detection technology or sensor that identified the notable component or activity. Possible values are: unknown, microsoftDefenderForEndpoint, antivirus, smartScreen, customTi, microsoftDefenderForOffice365, automatedInvestigation, microsoftThreatExperts, customDetection, microsoftDefenderForIdentity, cloudAppSecurity, microsoft365Defender, azureAdIdentityProtection, manual, microsoftDataLossPrevention, appGovernancePolicy, appGovernanceDetection, unknownFutureValue, microsoftDefenderForCloud, microsoftDefenderForIoT, microsoftDefenderForServers, microsoftDefenderForStorage, microsoftDefenderForDNS, microsoftDefenderForDatabases, microsoftDefenderForContainers, microsoftDefenderForNetwork, microsoftDefenderForAppService, microsoftDefenderForKeyVault, microsoftDefenderForResourceManager, microsoftDefenderForApiManagement, microsoftSentinel, nrtAlerts, scheduledAlerts, microsoftDefenderThreatIntelligenceAnalytics, builtInMl, microsoftThreatIntelligence, microsoftDefenderForAIServices, securityCopilot. Use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: microsoftDefenderForCloud, microsoftDefenderForIoT, microsoftDefenderForServers, microsoftDefenderForStorage, microsoftDefenderForDNS, microsoftDefenderForDatabases, microsoftDefenderForContainers, microsoftDefenderForNetwork, microsoftDefenderForAppService, microsoftDefenderForKeyVault, microsoftDefenderForResourceManager, microsoftDefenderForApiManagement, microsoftSentinel, nrtAlerts, scheduledAlerts, microsoftDefenderThreatIntelligenceAnalytics, builtInMl, microsoftThreatIntelligence, microsoftDefenderForAIServices, securityCopilot. |
| detectorId | String | The ID of the detector that triggered the alert. |
| determination | microsoft.graph.security.alertDetermination | Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
| evidence | microsoft.graph.security.alertEvidence collection | Collection of evidence related to the alert. |
| firstActivityDateTime | DateTimeOffset | The earliest activity associated with the alert. |
| id | String | Unique identifier to represent the alert resource. |
| incidentId | String | Unique identifier to represent the incident this alert resource is associated with. |
| incidentWebUrl | String | URL for the incident page in the Microsoft 365 Defender portal. |
| investigationState | microsoft.graph.security.investigationState | Information on the current status of the investigation. Possible values are: unknown, terminated, successfullyRemediated, benign, failed, partiallyRemediated, running, pendingApproval, pendingResource, queued, innerFailure, preexistingAlert, unsupportedOs, unsupportedAlertType, suppressedAlert, partiallyInvestigated, terminatedByUser, terminatedBySystem, unknownFutureValue. |
| lastActivityDateTime | DateTimeOffset | The oldest activity associated with the alert. |
| lastUpdateDateTime | DateTimeOffset | Time when the alert was last updated at Microsoft 365 Defender. |
| mitreTechniques | Collection(Edm.String) | The attack techniques, as aligned with the MITRE ATT&CK framework. |
| productName | String | The name of the product which published this alert. |
| providerAlertId | String | The ID of the alert as it appears in the security provider product that generated the alert. |
| recommendedActions | String | Recommended response and remediation actions to take in the event this alert was generated. |
| resolvedDateTime | DateTimeOffset | Time when the alert was resolved. |
| serviceSource | microsoft.graph.security.serviceSource | The service or product that created this alert. Possible values are: unknown, microsoftDefenderForEndpoint, microsoftDefenderForIdentity, microsoftDefenderForCloudApps, microsoftDefenderForOffice365, microsoft365Defender, azureAdIdentityProtection, microsoftAppGovernance, dataLossPrevention, unknownFutureValue, microsoftDefenderForCloud, microsoftSentinel, microsoftThreatIntelligence. Use the Prefer: include-unknown-enum-members request header to get the following values in this evolvable enum: microsoftDefenderForCloud, microsoftSentinel, microsoftThreatIntelligence. |
| severity | microsoft.graph.security.alertSeverity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue. |
| status | microsoft.graph.security.alertStatus | The status of the alert. Possible values are: new, inProgress, resolved, unknownFutureValue. |
| tenantId | String | The Microsoft Entra tenant the alert was created in. |
| threatDisplayName | String | The threat associated with this alert. |
| threatFamilyName | String | Threat family associated with this alert. |
| title | String | Brief identifying string value describing the alert. |
| systemTags | String collection | The system tags associated with the alert. |
Graph reference: detectionRule
| Property | Type | Description |
|---|---|---|
| createdBy | String | Name of the user or application that created the rule. Inherited from microsoft.graph.security.protectionRule. |
| createdDateTime | DateTimeOffset | Timestamp of rule creation. Inherited from microsoft.graph.security.protectionRule. |
| detectionAction | microsoft.graph.security.detectionAction | Complex type representing the actions taken when a detection is made by this rule. |
| displayName | String | Name of the rule. Inherited from microsoft.graph.security.protectionRule. |
| id | String | Unique identifier to represent the rule. Inherited from microsoft.graph.entity. |
| isEnabled | Boolean | Indicates whether rule is turned on for the tenant. Inherited from microsoft.graph.security.protectionRule. |
| lastModifiedBy | String | Name of user or application who last updated the rule. Inherited from microsoft.graph.security.protectionRule. |
| lastModifiedDateTime | DateTimeOffset | Timestamp of when the rule was last updated. Inherited from microsoft.graph.security.protectionRule. |
| detectorId | String | The ID of the detector that triggered the alert. Also see the 'detectorId' field in microsoft.graph.security.alert. |
| lastRunDetails | microsoft.graph.security.runDetails | Complex type holding details about the last run of this rule. |
| queryCondition | microsoft.graph.security.queryCondition | Complex type holding data about the advanced hunting query of this rule. |
| schedule | microsoft.graph.security.ruleSchedule | Complex type holding data about the triggering schedule of this rule. |
Graph reference: impactedAsset
Graph reference: organizationalScope
| Property | Type | Description |
|---|---|---|
| scopeNames | String collection | List of groups to which the custom detection rule applies. |
| scopeType | microsoft.graph.security.scopeType | The type of the organizational scope. The possible values are: deviceGroup, unknownFutureValue. |
Graph reference: responseAction