
SecurityEvents.Read.All

Allows the app to read your organization’s security events on behalf of the signed-in user.

Graph Methods

Type: A = Application Permission, D = Delegate Permission

Ver Type Method
V1 A,D GET /security/alerts
V1 A,D GET /security/alerts?$filter={property} eq '{property-value}'
V1 A,D GET /security/alerts?$filter={property} eq '{property-value}' and {property} eq '{property-value}'
Beta A,D GET /security/alerts?$filter={property} eq '{property-value}'&{property} eq '{property-value}'
V1 A,D GET /security/alerts?$filter={property} eq '{property-value}'&$top=5
V1 A,D GET /security/alerts?$top=1
V1 A,D GET /security/alerts/{alert_id}
Beta A,D GET /security/alerts/{id}
Beta A,D GET /security/attackSimulation/simulationAutomations
Beta A,D GET /security/attackSimulation/simulationAutomations/{simulationAutomationId}/runs
Beta A,D GET /security/attackSimulation/simulations
Beta A,D GET /security/attackSimulation/simulations/{id}/report/overview
Beta A,D GET /security/attackSimulation/simulations/{id}/report/simulationUsers
V1 A,D GET /security/secureScoreControlProfiles
V1 A,D GET /security/secureScoreControlProfiles?$filter={property} eq '{property-value}'
V1 A,D GET /security/secureScoreControlProfiles?$top=1
V1 A,D GET /security/securescorecontrolprofiles/{id}
V1 A,D GET /security/secureScores
V1 A,D GET /security/secureScores?$filter={property} eq '{property-value}'
V1 A,D GET /security/secureScores?$top=1
V1 A,D GET /security/secureScores?$top=1&$skip=7
V1 A,D GET /security/secureScores/{id}

Delegate Permission

Id 64733abd-851e-478a-bffb-e47a14b18235
Consent Type Admin
Display String Read your organization’s security events
Description Allows the app to read your organization’s security events on behalf of the signed-in user.

Application Permission

Id bf394140-e372-4bf9-a898-299cfc7564e5
Display String Read your organization’s security events
Description Allows the app to read your organization’s security events without a signed-in user.

Resources

alert

Property Type Description
activityGroupName String Name or alias of the activity group (attacker) this alert is attributed to.
assignedTo String Name of the analyst the alert is assigned to for triage, investigation, or remediation (supports update).
azureSubscriptionId String Azure subscription ID, present if this alert is related to an Azure resource.
azureTenantId String Azure Active Directory tenant ID. Required.
category String Category of the alert (for example, credentialTheft, ransomware, etc.).
closedDateTime DateTimeOffset Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z (supports update).
cloudAppStates cloudAppSecurityState collection Security-related stateful information generated by the provider about the cloud application/s related to this alert.
comments String collection Customer-provided comments on alert (for customer alert management) (supports update).
confidence Int32 Confidence of the detection logic (percentage between 1-100).
createdDateTime DateTimeOffset Time at which the alert was created by the alert provider. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.
description String Alert description.
detectionIds String collection Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record).
eventDateTime DateTimeOffset Time at which the event(s) that served as the trigger(s) to generate the alert occurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.
feedback alertFeedback Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive. (supports update)
fileStates fileSecurityState collection Security-related stateful information generated by the provider about the file(s) related to this alert.
hostStates hostSecurityState collection Security-related stateful information generated by the provider about the host(s) related to this alert.
id String Provider-generated GUID/unique identifier. Read-only. Required.
incidentIds String collection IDs of incidents related to current alert.
lastModifiedDateTime DateTimeOffset Time at which the alert entity was last modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.
malwareStates malwareState collection Threat Intelligence pertaining to malware related to this alert.
networkConnections networkConnection collection Security-related stateful information generated by the provider about the network connection(s) related to this alert.
processes process collection Security-related stateful information generated by the provider about the process or processes related to this alert.
recommendedActions String collection Vendor/provider recommended action(s) to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host).
registryKeyStates registryKeyState collection Security-related stateful information generated by the provider about the registry keys related to this alert.
securityResources securityResource collection Resources related to current alert. For example, for some alerts this can have the Azure Resource value.
severity alertSeverity Alert severity - set by vendor/provider. Possible values are: unknown, informational, low, medium, high. Required.
sourceMaterials String collection Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search, etc.
status alertStatus Alert lifecycle status (stage). Possible values are: unknown, newAlert, inProgress, resolved. (supports update). Required.
tags String collection User-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.) (supports update).
title String Alert title. Required.
triggers alertTrigger collection Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files and IP addresses; this field indicates which of those properties triggered the alert generation.
userStates userSecurityState collection Security-related stateful information generated by the provider about the user accounts related to this alert.
vendorInformation securityVendorInformation Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker). Required.
vulnerabilityStates vulnerabilityState collection Threat intelligence pertaining to one or more vulnerabilities related to this alert.
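The endpoints listed under Graph Methods and the alert properties above are enough to write a small read-only triage client. The following is an added example, not code from the permission reference; it assumes an access token already obtained for the application permission (client-credentials flow, scope https://graph.microsoft.com/.default) and injects the HTTP transport as a callable, so the $filter construction (with OData single-quote escaping), @odata.nextLink paging and status/severity triage run offline against the constructed sample pages embedded in the block.

```python
"""Read security alerts with SecurityEvents.Read.All (added example; not code
from the reference page). Assumes a bearer token for the application
permission; the transport is injected so the logic runs offline below.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "informational": 3, "unknown": 4}
OPEN_STATUSES = {"newAlert", "inProgress"}  # alertStatus values still needing work


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal (embedded quotes are doubled).

    Without this, a value copied from another system could close the literal
    and rewrite the rest of the $filter expression.
    """
    return "'" + value.replace("'", "''") + "'"


def alerts_url(filters: Optional[Dict[str, str]] = None, top: Optional[int] = None) -> str:
    """Build GET /security/alerts?$filter=<prop> eq '<value>' [and ...]&$top=N."""
    params: Dict[str, str] = {}
    if filters:
        params["$filter"] = " and ".join(
            f"{prop} eq {odata_string(value)}" for prop, value in filters.items()
        )
    if top is not None:
        params["$top"] = str(top)
    # Keep '$' and '/' (e.g. vendorInformation/provider) readable; encode the rest.
    query = urllib.parse.urlencode(params, safe="$/", quote_via=urllib.parse.quote)
    return f"{GRAPH_V1}/security/alerts" + (f"?{query}" if query else "")


def graph_fetcher(access_token: str) -> Callable[[str], dict]:
    """Return a GET function that sends the bearer token to Graph (online use)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_alerts(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every alert in the collection, following @odata.nextLink pages."""
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def triage(alerts: Iterable[dict]) -> List[dict]:
    """Open alerts only, highest severity first, oldest eventDateTime first."""
    open_alerts = [a for a in alerts if a.get("status") in OPEN_STATUSES]
    return sorted(
        open_alerts,
        key=lambda a: (SEVERITY_RANK.get(a.get("severity", "unknown"), 9),
                       a.get("eventDateTime", "")),
    )


# Constructed sample (not real alerts): two pages shaped like Graph's response.
START_URL = alerts_url({"vendorInformation/provider": "Windows Defender ATP"}, top=2)
PAGE2_URL = GRAPH_V1 + "/security/alerts?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    START_URL: {
        "value": [
            {"id": "a1", "title": "Suspicious PowerShell", "severity": "medium",
             "status": "newAlert", "eventDateTime": "2024-03-01T10:00:00Z"},
            {"id": "a2", "title": "Credential theft attempt", "severity": "high",
             "status": "newAlert", "eventDateTime": "2024-03-01T11:00:00Z"},
        ],
        "@odata.nextLink": PAGE2_URL,
    },
    PAGE2_URL: {
        "value": [
            {"id": "a3", "title": "Already resolved", "severity": "high",
             "status": "resolved", "eventDateTime": "2024-02-28T09:00:00Z"},
            {"id": "a4", "title": "Lateral movement", "severity": "high",
             "status": "inProgress", "eventDateTime": "2024-02-29T09:00:00Z"},
        ],
    },
}


def offline_fetch(url: str) -> dict:
    """Stand-in for graph_fetcher(token) that serves the constructed pages."""
    return SAMPLE_PAGES[url]


def open_alert_ids(fetch: Callable[[str], dict] = offline_fetch) -> List[str]:
    """Page through the filtered alerts and return the triaged alert ids."""
    return [a["id"] for a in triage(iter_alerts(fetch, START_URL))]


if __name__ == "__main__":
    for alert in triage(iter_alerts(offline_fetch, START_URL)):
        print(alert["severity"], alert["status"], alert["id"], alert["title"])
```

Swap `offline_fetch` for `graph_fetcher(token)` to run against a tenant; the permission is read-only, so changing `status`, `assignedTo` or `feedback` on a triaged alert needs SecurityEvents.ReadWrite.All rather than this one.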

secureScore

Property Type Description
id String Provider-generated unique identifier, formed as azureTenantId_createdDateTime. Read-only. Required.
azureTenantId String GUID string for tenant ID.
activeUserCount Int32 Active user count of the given tenant.
createdDateTime DateTimeOffset The date when the entity is created.
currentScore Double Tenant current attained score on specified date.
enabledServices String collection Microsoft-provided services for the tenant (for example, Exchange Online, Skype, SharePoint).
licensedUserCount Int32 Licensed user count of the given tenant.
maxScore Double Tenant maximum possible score on specified date.
averageComparativeScores averageComparativeScore collection Average score by different scopes (for example, average by industry, average by seating) and control category (Identity, Data, Device, Apps, Infrastructure) within the scope.
controlScores controlScore collection Contains tenant scores for a set of controls.
vendorInformation securityVendorInformation Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=SecureScore). Required.

secureScoreControlProfile



simulation

Property Type Description
attackTechnique simulationAttackTechnique The social engineering technique used in the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, credentialHarvesting, attachmentMalware, driveByUrl, linkInAttachment, linkToMalwareFile, unknownFutureValue. For more information on the types of social engineering attack techniques, see simulations.
attackType simulationAttackType Attack type of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, social, cloud, endpoint, unknownFutureValue.
automationId String Unique identifier for the attack simulation automation.
completionDateTime DateTimeOffset Date and time of completion of the attack simulation and training campaign. Supports $filter and $orderby.
createdBy emailIdentity Identity of the user who created the attack simulation and training campaign.
createdDateTime DateTimeOffset Date and time of creation of the attack simulation and training campaign.
description String Description of the attack simulation and training campaign.
displayName String Display name of the attack simulation and training campaign. Supports $filter and $orderby.
id String Unique identifier for the attack simulation and training campaign.
isAutomated Boolean Flag representing if the attack simulation and training campaign was created from a simulation automation flow. Supports $filter and $orderby.
lastModifiedBy emailIdentity Identity of the user who most recently modified the attack simulation and training campaign.
lastModifiedDateTime DateTimeOffset Date and time of the most recent modification of the attack simulation and training campaign.
launchDateTime DateTimeOffset Date and time of the launch/start of the attack simulation and training campaign. Supports $filter and $orderby.
payloadDeliveryPlatform payloadDeliveryPlatform Method of delivery of the phishing payload used in the attack simulation and training campaign. Possible values are: unknown, sms, email, teams, unknownFutureValue.
report simulationReport Report of the attack simulation and training campaign.
status simulationStatus Status of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, draft, running, scheduled, succeeded, failed, cancelled, excluded, unknownFutureValue.

simulationAutomation

Property Type Description
createdBy emailIdentity Identity of the user who created the attack simulation automation.
createdDateTime DateTimeOffset Date and time when the attack simulation automation was created.
description String Description of the attack simulation automation.
displayName String Display name of the attack simulation automation. Supports $filter and $orderby.
id String Unique identifier for the attack simulation automation.
lastModifiedBy emailIdentity Identity of the user who most recently modified the attack simulation automation.
lastModifiedDateTime DateTimeOffset Date and time when the attack simulation automation was most recently modified.
lastRunDateTime DateTimeOffset Date and time of the latest run of the attack simulation automation.
nextRunDateTime DateTimeOffset Date and time of the upcoming run of the attack simulation automation.
status simulationAutomationStatus Status of the attack simulation automation. Supports $filter and $orderby. The possible values are: unknown, draft, notRunning, running, completed, unknownFutureValue.

simulationAutomationRun

Property Type Description
endDateTime DateTimeOffset Date and time when the run ends in an attack simulation automation.
id String Unique identifier for the run of an attack simulation automation.
simulationId String Unique identifier for the attack simulation campaign initiated in the attack simulation automation run.
startDateTime DateTimeOffset Date and time when the run starts in an attack simulation automation.
status simulationAutomationRunStatus Status of the run of an attack simulation automation. The possible values are: unknown, running, succeeded, failed, skipped, unknownFutureValue.

simulationReportOverview

Property Type Description
recommendedActions recommendedAction collection List of recommended actions for a tenant to improve its security posture based on the attack simulation and training campaign attack type.
resolvedTargetsCount Int32 Number of valid users in the attack simulation and training campaign.
simulationEventsContent simulationEventsContent Summary of simulation events in the attack simulation and training campaign.
trainingEventsContent trainingEventsContent Summary of assigned trainings in the attack simulation and training campaign.

userSimulationDetails

Property Type Description
assignedTrainingsCount Int32 Number of trainings assigned to a user in an attack simulation and training campaign.
completedTrainingsCount Int32 Number of trainings completed by a user in an attack simulation and training campaign.
compromisedDateTime DateTimeOffset Date and time of the compromising online action by a user in an attack simulation and training campaign.
inProgressTrainingsCount Int32 Number of trainings in progress by a user in an attack simulation and training campaign.
isCompromised Boolean Flag representing if user was compromised in an attack simulation and training campaign.
reportedPhishDateTime DateTimeOffset Date and time when user reported delivered payload as phish in the attack simulation and training campaign.
simulationEvents userSimulationEventInfo collection List of simulation events of a user in the attack simulation and training campaign.
simulationUser attackSimulationUser User in an attack simulation and training campaign.
trainingEvents userTrainingEventInfo collection List of training events of a user in the attack simulation and training campaign.
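The per-user records returned by GET /security/attackSimulation/simulations/{id}/report/simulationUsers are what a security-awareness owner actually acts on: who was compromised, who reported the lure, and who still owes training. The block below is an added example, not code from the reference page; it works on userSimulationDetails objects as described above, assumes simulationUser (attackSimulationUser) carries an email field, and uses a constructed sample so it runs offline.

```python
"""Summarise an attack simulation's per-user report (added example, not from
the reference page). Input is a list of userSimulationDetails objects; the
'email' field on simulationUser is an assumption about attackSimulationUser.
"""
from typing import Dict, Iterable, List


def simulation_rates(details: Iterable[dict]) -> Dict[str, float]:
    """Share of resolved targets who were compromised and who reported the phish."""
    rows = list(details)
    total = len(rows)
    if total == 0:  # avoid division by zero on an empty or not-yet-run campaign
        return {"targets": 0, "compromise_rate": 0.0, "report_rate": 0.0}
    compromised = sum(1 for d in rows if d.get("isCompromised"))
    reported = sum(1 for d in rows if d.get("reportedPhishDateTime"))
    return {"targets": total,
            "compromise_rate": compromised / total,
            "report_rate": reported / total}


def training_gaps(details: Iterable[dict]) -> List[str]:
    """Users who were compromised and have assigned training not yet completed."""
    return sorted(
        d["simulationUser"]["email"]
        for d in details
        if d.get("isCompromised")
        and d.get("completedTrainingsCount", 0) < d.get("assignedTrainingsCount", 0)
    )


# Constructed sample of four userSimulationDetails records (not real report data).
SAMPLE_USERS = [
    {"simulationUser": {"email": "alice@contoso.example"}, "isCompromised": True,
     "compromisedDateTime": "2024-03-04T08:12:00Z", "reportedPhishDateTime": None,
     "assignedTrainingsCount": 2, "completedTrainingsCount": 1, "inProgressTrainingsCount": 1},
    {"simulationUser": {"email": "bob@contoso.example"}, "isCompromised": True,
     "compromisedDateTime": "2024-03-04T09:30:00Z", "reportedPhishDateTime": None,
     "assignedTrainingsCount": 1, "completedTrainingsCount": 1, "inProgressTrainingsCount": 0},
    {"simulationUser": {"email": "carol@contoso.example"}, "isCompromised": False,
     "compromisedDateTime": None, "reportedPhishDateTime": "2024-03-04T08:05:00Z",
     "assignedTrainingsCount": 0, "completedTrainingsCount": 0, "inProgressTrainingsCount": 0},
    {"simulationUser": {"email": "dave@contoso.example"}, "isCompromised": False,
     "compromisedDateTime": None, "reportedPhishDateTime": None,
     "assignedTrainingsCount": 0, "completedTrainingsCount": 0, "inProgressTrainingsCount": 0},
]

if __name__ == "__main__":
    print(simulation_rates(SAMPLE_USERS))
    print(training_gaps(SAMPLE_USERS))
```

The report endpoint is paged like the other collections, so in live use feed every page's value array into these functions before computing rates; partial pages give misleading percentages.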
Created by merill