CustomDetection.ReadWrite.All
Allows the app to read and write custom detection rules on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
CustomDetection.ReadWrite.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | e0fd9c8d-a12e-4cc9-9827-20c8c3cd6fb8 | c34088fb-0649-4714-af0b-bcbfec155897 |
| DisplayText | Read and write all custom detection rules | Read and write custom detection rules |
| Description | Allows the app to read and write custom detection rules without a signed-in user. | Allows the app to read and write custom detection rules on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods |
|---|
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands |
|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
Graph reference: enums-security
Graph reference: alert
| Property | Type | Description |
|---|---|---|
| actorDisplayName | String | The adversary or activity group that is associated with this alert. |
| additionalData | microsoft.graph.security.dictionary | A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here. |
| alertPolicyId | String | The ID of the policy that generated the alert, and populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy. |
| alertWebUrl | String | URL for the Microsoft 365 Defender portal alert page. |
| assignedTo | String | Owner of the alert, or null if no owner is assigned. |
| categories | String collection | The attack kill-chain categories that the alert belongs to. Aligned with the MITRE ATT&CK framework. |
| classification | microsoft.graph.security.alertClassification | Specifies whether the alert represents a true threat. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue. |
| comments | microsoft.graph.security.alertComment collection | Array of comments created by the Security Operations (SecOps) team during the alert management process. |
| createdDateTime | DateTimeOffset | Time when Microsoft 365 Defender created the alert. |
| customDetails | microsoft.graph.security.dictionary | User defined custom fields with string values. |
| description | String | String value describing each alert. |
| detectionSource | microsoft.graph.security.detectionSource | Detection technology or sensor that identified the notable component or activity. |
| detectorId | String | The ID of the detector that triggered the alert. |
| determination | microsoft.graph.security.alertDetermination | Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
| evidence | microsoft.graph.security.alertEvidence collection | Collection of evidence related to the alert. |
| firstActivityDateTime | DateTimeOffset | The earliest activity associated with the alert. |
| id | String | Unique identifier to represent the alert resource. |
| incidentId | String | Unique identifier to represent the incident this alert resource is associated with. |
| incidentWebUrl | String | URL for the incident page in the Microsoft 365 Defender portal. |
| investigationState | microsoft.graph.security.investigationState | Information on the current status of the investigation. The possible values are: unknown, terminated, successfullyRemediated, benign, failed, partiallyRemediated, running, pendingApproval, pendingResource, queued, innerFailure, preexistingAlert, unsupportedOs, unsupportedAlertType, suppressedAlert, partiallyInvestigated, terminatedByUser, terminatedBySystem, unknownFutureValue. |
| lastActivityDateTime | DateTimeOffset | The oldest activity associated with the alert. |
| lastUpdateDateTime | DateTimeOffset | Time when the alert was last updated at Microsoft 365 Defender. |
| mitreTechniques | String collection | The attack techniques, as aligned with the MITRE ATT&CK framework. |
| productName | String | The name of the product which published this alert. |
| providerAlertId | String | The ID of the alert as it appears in the security provider product that generated the alert. |
| recommendedActions | String | Recommended response and remediation actions to take in the event this alert was generated. |
| resolvedDateTime | DateTimeOffset | Time when the alert was resolved. |
| serviceSource | microsoft.graph.security.serviceSource | The service or product that created this alert. For more information, see serviceSource values. |
| severity | microsoft.graph.security.alertSeverity | Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. The possible values are: unknown, informational, low, medium, high, unknownFutureValue. |
| status | microsoft.graph.security.alertStatus | The status of the alert. For more information, see alertStatus values. |
| tenantId | String | The Microsoft Entra tenant the alert was created in. |
| threatDisplayName | String | The threat associated with this alert. |
| threatFamilyName | String | Threat family associated with this alert. |
| title | String | Brief identifying string value describing the alert. |
| systemTags | String collection | The system tags associated with the alert. |
| category (deprecated) | String | The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. This property is in the process of being deprecated. Use the **c |
Graph reference: detectionAction
| Property | Type | Description |
|---|---|---|
| alertTemplate | microsoft.graph.security.alertTemplate | The template that defines the alert that is generated when this rule detects a match, including alert metadata (severity, title, description), entity mappings, custom details, and MITRE tactics. |
| automatedActions | microsoft.graph.security.automatedActionSet | The set of automated actions to run against entities that match the detection. Replaces the deprecated responseActions property. |
| organizationalScope | microsoft.graph.security.organizationalScope | The set of groups (for example, device groups) to which the parent custom detection rule applies. |
| responseActions (deprecated) | microsoft.graph.security.responseAction collection | Actions taken on impacted assets as set in the custom detection rule. **D |
Graph reference: detectionRule
| Property | Type | Description |
|---|---|---|
| createdBy | String | Name of the user or application that created the rule. Read-only. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains). |
| createdDateTime | DateTimeOffset | Timestamp of rule creation. Read-only. Supports $filter (eq, ne, not, le, ge, lt, gt) and $orderby. |
| description | String | A user-supplied description of the detection rule. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains). |
| displayName | String | The display name of the rule. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains) and $orderby. |
| id | String | Unique identifier of the rule. Inherited from entity. Supports $filter (eq, ne, not, in) and $orderby. |
| lastModifiedBy | String | Name of the user or application that last updated the rule. Read-only. Supports $filter (eq, ne, not, in, startsWith, endsWith, contains). |
| lastModifiedDateTime | DateTimeOffset | Timestamp of when the rule was last updated. Read-only. Supports $filter (eq, ne, not, le, ge, lt, gt) and $orderby. |
| queryCondition | microsoft.graph.security.queryCondition | The advanced hunting query that defines the detection logic of this rule. Supports $filter on queryCondition/queryText (String) with eq, ne, not, in, startsWith, endsWith, contains. |
| schedule | microsoft.graph.security.ruleSchedule | The triggering schedule of this rule. Supports $filter on schedule/frequency (Duration) with eq, ne, not, le, ge, lt, gt. Supports $orderby on schedule/frequency and schedule/nextRunDateTime. |
| status | microsoft.graph.security.detectionRuleStatus | The current run status of the rule. The possible values are: enabled, disabled, autoDisabled, unknownFutureValue. Supports $filter (eq, ne, not, in) and $orderby. |
| detectorId (deprecated) | String | Internal detector identifier. Deprecated. This property will be removed from this resource on 2026-10-01. |
| isEnabled (deprecated) | Boolean | Indicates whether the rule is turned on for the tenant. Supports $filter (eq, ne, not). Deprecated. Use status instead. This property will be removed from this resource on 2026-10-01. |
| detectionAction | microsoft.graph.security.detectionAction | The actions taken when a detection is made by this rule, including the alert that is created and any automated response actions. Supports $filter on the following nested alertTemplate properties:eq, ne, not, in, startsWith, endsWith, contains.eq, ne, not, in. |
| lastRunDetails (deprecated) | microsoft.graph.security.runDetails | Runtime execution details for the most recent rule run. Supports $filter on the following nested properties: |
Graph reference: queryCondition
| Property | Type | Description |
|---|---|---|
| queryText | String | Contents of the query. |
| lastModifiedDateTime (deprecated) | DateTimeOffset | Timestamp of when the query in the custom detection rule was last updated. **D |
Graph reference: ruleSchedule
| Property | Type | Description |
|---|---|---|
| frequency | Duration | The recurring time interval at which the rule runs (ISO 8601 duration, for example P1D for daily, PT1H for hourly). |
| nextRunDateTime (deprecated) | DateTimeOffset | Timestamp of the custom detection rule's next scheduled run. Deprecated. This property will be removed from this resource on 2026-10-01. |
| period (deprecated) | String | How often the detection rule is set to run. The allowed values are: 0, 1H, 3H, 12H, or 24H. 0 signifies the rule is run continuously. **D |