SecurityEvents.Read.All
Allows the app to read your organization’s security events on behalf of the signed-in user.
Graph Methods
Type: A = Application Permission, D = Delegate Permission
Delegate Permission
| Id | 64733abd-851e-478a-bffb-e47a14b18235 |
| Consent Type | Admin |
| Display String | Read your organization’s security events |
| Description | Allows the app to read your organization’s security events on behalf of the signed-in user. |
Application Permission
| Id | bf394140-e372-4bf9-a898-299cfc7564e5 |
| Display String | Read your organization’s security events |
| Description | Allows the app to read your organization’s security events without a signed-in user. |
Resources
alert
| Property | Type | Description |
|---|---|---|
| activityGroupName | String | Name or alias of the activity group (attacker) this alert is attributed to. |
| assignedTo | String | Name of the analyst the alert is assigned to for triage, investigation, or remediation (supports update). |
| azureSubscriptionId | String | Azure subscription ID, present if this alert is related to an Azure resource. |
| azureTenantId | String | Azure Active Directory tenant ID. Required. |
| category | String | Category of the alert (for example, credentialTheft, ransomware, etc.). |
| closedDateTime | DateTimeOffset | Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z (supports update). |
| cloudAppStates | cloudAppSecurityState collection | Security-related stateful information generated by the provider about the cloud application/s related to this alert. |
| comments | String collection | Customer-provided comments on alert (for customer alert management) (supports update). |
| confidence | Int32 | Confidence of the detection logic (percentage between 1-100). |
| createdDateTime | DateTimeOffset | Time at which the alert was created by the alert provider. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required. |
| description | String | Alert description. |
| detectionIds | String collection | Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record). |
| eventDateTime | DateTimeOffset | Time at which the event(s) that served as the trigger(s) to generate the alert occurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required. |
| feedback | alertFeedback | Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive. (supports update) |
| fileStates | fileSecurityState collection | Security-related stateful information generated by the provider about the file(s) related to this alert. |
| hostStates | hostSecurityState collection | Security-related stateful information generated by the provider about the host(s) related to this alert. |
| id | String | Provider-generated GUID/unique identifier. Read-only. Required. |
| incidentIds | String collection | IDs of incidents related to current alert. |
| lastModifiedDateTime | DateTimeOffset | Time at which the alert entity was last modified. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| malwareStates | malwareState collection | Threat Intelligence pertaining to malware related to this alert. |
| networkConnections | networkConnection collection | Security-related stateful information generated by the provider about the network connection(s) related to this alert. |
| processes | process collection | Security-related stateful information generated by the provider about the process or processes related to this alert. |
| recommendedActions | String collection | Vendor/provider recommended action(s) to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host). |
| registryKeyStates | registryKeyState collection | Security-related stateful information generated by the provider about the registry keys related to this alert. |
| securityResources | securityResource collection | Resources related to current alert. For example, for some alerts this can have the Azure Resource value. |
| severity | alertSeverity | Alert severity - set by vendor/provider. Possible values are: unknown, informational, low, medium, high. Required. |
| sourceMaterials | String collection | Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search, etc. |
| status | alertStatus | Alert lifecycle status (stage). Possible values are: unknown, newAlert, inProgress, resolved. (supports update). Required. |
| tags | String collection | User-definable labels that can be applied to an alert and can serve as filter conditions (for example "HVA", "SAW", etc.) (supports update). |
| title | String | Alert title. Required. |
| triggers | alertTrigger collection | Security-related information about the specific properties that triggered the alert (properties appearing in the alert). Alerts might contain information about multiple users, hosts, files, ip addresses. This field indicates which properties triggered the alert generation. |
| userStates | userSecurityState collection | Security-related stateful information generated by the provider about the user accounts related to this alert. |
| vendorInformation | securityVendorInformation | Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker). Required. |
| vulnerabilityStates | vulnerabilityState collection | Threat intelligence pertaining to one or more vulnerabilities related to this alert. |
secureScore
| Property | Type | Description |
|---|---|---|
| id | String | Provider-generated GUID/unique identifier. Read-only. Required. |
| azureTenantId | String | GUID string for tenant ID. |
| activeUserCount | Int32 | Active user count of the given tenant. |
| createdDateTime | DateTimeOffset | The date when the entity is created. |
| currentScore | Double | Tenant current attained score on specified date. |
| enabledServices | String collection | Microsoft-provided services for the tenant (for example, Exchange online, Skype, Sharepoint). |
| licensedUserCount | Int32 | Licensed user count of the given tenant. |
| maxScore | Double | Tenant maximum possible score on specified date. |
| averageComparativeScores | averageComparativeScore collection | Average score by different scopes (for example, average by industry, average by seating) and control category (Identity, Data, Device, Apps, Infrastructure) within the scope. |
| controlScores | controlScore collection | Contains tenant scores for a set of controls. |
| vendorInformation | securityVendorInformation | Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=SecureScore). Required. |
secureScoreControlProfile
secureScoreControlProfile
secureScore
| Property | Type | Description |
|---|---|---|
| azureTenantId | String | GUID string for tenant ID. |
| createdDateTime | DateTimeOffset | The date when the entity is created. |
| id | String | Combination of azureTenantId_createdDateTime. |
| licensedUserCount | Int32 | Licensed user count of the given tenant. |
| activeUserCount | Int32 | Active user count of the given tenant. |
| currentScore | Double | Tenant current attained score on specified date. |
| maxScore | Double | Tenant maximum possible score on specified date. |
| enabledServices | String collection | Microsoft-provided services for the tenant (for example, Exchange online, Skype, Sharepoint). |
| averageComparativeScores | averageComparativeScore collection | Average score by different scopes (for example, average by industry, average by seating) and control category (Identity, Data, Device, Apps, Infrastructure) within the scope. |
| controlScores | controlScore collection | Contains tenant scores for a set of controls. |
security-error-codes
simulation
| Property | Type | Description |
|---|---|---|
| attackTechnique | simulationAttackTechnique | The social engineering technique used in the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, credentialHarvesting, attachmentMalware, driveByUrl, linkInAttachment, linkToMalwareFile, unknownFutureValue. For more information on the types of social engineering attack techniques, see simulations. |
| attackType | simulationAttackType | Attack type of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, social, cloud, endpoint, unknownFutureValue. |
| automationId | String | Unique identifier for the attack simulation automation. |
| completionDateTime | DateTimeOffset | Date and time of completion of the attack simulation and training campaign. Supports $filter and $orderby. |
| createdBy | emailIdentity | Identity of the user who created the attack simulation and training campaign. |
| createdDateTime | DateTimeOffset | Date and time of creation of the attack simulation and training campaign. |
| description | String | Description of the attack simulation and training campaign. |
| displayName | String | Display name of the attack simulation and training campaign. Supports $filter and $orderby. |
| id | String | Unique identifier for the attack simulation and training campaign. |
| isAutomated | Boolean | Flag representing if the attack simulation and training campaign was created from a simulation automation flow. Supports $filter and $orderby. |
| lastModifiedBy | emailIdentity | Identity of the user who most recently modified the attack simulation and training campaign. |
| lastModifiedDateTime | DateTimeOffset | Date and time of the most recent modification of the attack simulation and training campaign. |
| launchDateTime | DateTimeOffset | Date and time of the launch/start of the attack simulation and training campaign. Supports $filter and $orderby. |
| payloadDeliveryPlatform | payloadDeliveryPlatform | Method of delivery of the phishing payload used in the attack simulation and training campaign. Possible values are: unknown, sms, email, teams, unknownFutureValue. |
| report | simulationReport | Report of the attack simulation and training campaign. |
| status | simulationStatus | Status of the attack simulation and training campaign. Supports $filter and $orderby. Possible values are: unknown, draft, running, scheduled, succeeded, failed, cancelled, excluded, unknownFutureValue. |
simulationAutomation
| Property | Type | Description |
|---|---|---|
| createdBy | emailIdentity | Identity of the user who created the attack simulation automation. |
| createdDateTime | DateTimeOffset | Date and time when the attack simulation automation was created. |
| description | String | Description of the attack simulation automation. |
| displayName | String | Display name of the attack simulation automation. Supports $filter and $orderby. |
| id | String | Unique identifier for the attack simulation automation. |
| lastModifiedBy | emailIdentity | Identity of the user who most recently modified the attack simulation automation. |
| lastModifiedDateTime | DateTimeOffset | Date and time when the attack simulation automation was most recently modified. |
| lastRunDateTime | DateTimeOffset | Date and time of the latest run of the attack simulation automation. |
| nextRunDateTime | DateTimeOffset | Date and time of the upcoming run of the attack simulation automation. |
| status | simulationAutomationStatus | Status of the attack simulation automation. Supports $filter and $orderby. The possible values are: unknown, draft, notRunning, running, completed, unknownFutureValue. |
simulationAutomationRun
| Property | Type | Description |
|---|---|---|
| endDateTime | DateTimeOffset | Date and time when the run ends in an attack simulation automation. |
| id | String | Unique identifier for the run of an attack simulation automation. |
| simulationId | String | Unique identifier for the attack simulation campaign initiated in the attack simulation automation run. |
| startDateTime | DateTimeOffset | Date and time when the run starts in an attack simulation automation. |
| status | simulationAutomationRunStatus | Status of the run of an attack simulation automation. The possible values are: unknown, running, succeeded, failed, skipped, unknownFutureValue. |
simulationReportOverview
| Property | Type | Description |
|---|---|---|
| recommendedActions | recommendedAction collection | List of recommended actions for a tenant to improve its security posture based on the attack simulation and training campaign attack type. |
| resolvedTargetsCount | Int32 | Number of valid users in the attack simulation and training campaign. |
| simulationEventsContent | simulationEventsContent | Summary of simulation events in the attack simulation and training campaign. |
| trainingEventsContent | trainingEventsContent | Summary of assigned trainings in the attack simulation and training campaign. |
userSimulationDetails
| Property | Type | Description |
|---|---|---|
| assignedTrainingsCount | Int32 | Number of trainings assigned to a user in an attack simulation and training campaign. |
| completedTrainingsCount | Int32 | Number of trainings completed by a user in an attack simulation and training campaign. |
| compromisedDateTime | DateTimeOffset | Date and time of the compromising online action by a user in an attack simulation and training campaign. |
| inProgressTrainingsCount | Int32 | Number of trainings in progress by a user in an attack simulation and training campaign. |
| isCompromised | Boolean | Flag representing if user was compromised in an attack simulation and training campaign. |
| reportedPhishDateTime | DateTimeOffset | Date and time when user reported delivered payload as phish in the attack simulation and training campaign. |
| simulationEvents | userSimulationEventInfo collection | List of simulation events of a user in the attack simulation and training campaign. |
| simulationUser | attackSimulationUser | User in an attack simulation and training campaign. |
| trainingEvents | userTrainingEventInfo collection | List of training events of a user in the attack simulation and training campaign. |