| actorDisplayName |
String |
The adversary or activity group that is associated with this alert. |
| alertWebUrl |
String |
URL for the alert page in the Microsoft 365 Defender portal. |
| assignedTo |
String |
Owner of the alert, or null if no owner is assigned. |
| category |
String |
The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. |
| classification |
microsoft.graph.security.alertClassification |
Specifies whether the alert represents a true threat. Possible values are: unknown, falsePositive, truePositive, benignPositive, unknownFutureValue. |
| comments |
microsoft.graph.security.alertComment collection |
Array of comments created by the Security Operations (SecOps) team during the alert management process. |
| createdDateTime |
DateTimeOffset |
Time when Microsoft 365 Defender created the alert. |
| description |
String |
String value describing each alert. |
| detectionSource |
microsoft.graph.security.detectionSource |
Detection technology or sensor that identified the notable component or activity. |
| detectorId |
String |
The ID of the detector that triggered the alert. |
| determination |
microsoft.graph.security.alertDetermination |
Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. Possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
| evidence |
microsoft.graph.security.alertEvidence collection |
Collection of evidence related to the alert. |
| firstActivityDateTime |
DateTimeOffset |
The earliest activity associated with the alert. |
| id |
String |
Unique identifier to represent the alert resource. |
| incidentId |
String |
Unique identifier to represent the incident this alert resource is associated with. |
| incidentWebUrl |
String |
URL for the incident page in the Microsoft 365 Defender portal. |
| lastActivityDateTime |
DateTimeOffset |
The oldest activity associated with the alert. |
| lastUpdateDateTime |
DateTimeOffset |
Time when the alert was last updated at Microsoft 365 Defender. |
| mitreTechniques |
Collection(Edm.String) |
The attack techniques, as aligned with the MITRE ATT&CK framework. |
| providerAlertId |
String |
The ID of the alert as it appears in the security provider product that generated the alert. |
| recommendedActions |
String |
Recommended response and remediation actions to take in the event this alert was generated. |
| resolvedDateTime |
DateTimeOffset |
Time when the alert was resolved. |
| serviceSource |
microsoft.graph.security.serviceSource |
The service or product that created this alert. Possible values are: microsoftDefenderForEndpoint, microsoftDefenderForIdentity, microsoftCloudAppSecurity, microsoftDefenderForOffice365, microsoft365Defender, aadIdentityProtection, appGovernance, dataLossPrevention. |
| severity |
microsoft.graph.security.alertSeverity |
Indicates the possible impact on assets. The higher the severity the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: unknown, informational, low, medium, high, unknownFutureValue. |
| status |
microsoft.graph.security.alertStatus |
The status of the alert. Possible values are: new, inProgress, resolved, unknownFutureValue. |
| tenantId |
String |
The Azure Active Directory tenant the alert was created in. |
| threatDisplayName |
String |
The threat associated with this alert. |
| threatFamilyName |
String |
Threat family associated with this alert. |
| title |
String |
Brief identifying string value describing the alert. |