Commit 8fb3dd5

Merge pull request #26406 from microsoftgraph/users/t-hareldamti/add-custom-details
Users/t hareldamti/add property to security alert
2 parents dfb9b13 + 4deeda4 commit 8fb3dd5

6 files changed

+145
-2
lines changed

api-reference/beta/api/security-alert-update.md

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -47,6 +47,7 @@ PATCH /security/alerts_v2/{alertId}
4747
|:---|:---|:---|
4848
|status|microsoft.graph.security.alertStatus|The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.|
4949
|classification|microsoft.graph.security.alertClassification|Specifies the classification of the alert. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
50+
|customDetails|microsoft.graph.security.dictionary| User defined custom fields with string values. |
5051
|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the alert. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|
5152
|assignedTo|String|Owner of the incident, or null if no owner is assigned.|
5253
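Review bot: the new `customDetails` row does not say what PATCH semantics apply to a dictionary-valued property: whether the object supplied in the request replaces the stored dictionary or is merged into it, and whether an existing key can be removed (for example by sending it as `null`). Automation that enriches alerts needs this to avoid clobbering fields written by another tool, so add a sentence after `User defined custom fields with string values.` stating the behaviour, and hyphenate it as `User-defined`.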

@@ -76,7 +77,8 @@ Content-length: 2450
7677
"assignedTo": "secAdmin@contoso.com",
7778
"classification": "truePositive",
7879
"determination": "malware",
79-
"status": "inProgress"
80+
"status": "inProgress",
81+
"CustomDetails": {"newKey":"newValue"}
8082
}
8183
```
8284
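Review bot: the request example uses `"CustomDetails"` while the property table on this page and the response example further down use `customDetails`; Microsoft Graph property names are camelCase, so the request line should read `"customDetails": {"newKey":"newValue"}`. The `Content-length: 2450` header carried in the hunk context was also not adjusted for the added line, which is cosmetic in these docs but worth a glance.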

@@ -161,6 +163,7 @@ Content-type: application/json
161163
"lastActivityDateTime": "2021-05-02T07:56:58.222Z",
162164
"comments": [],
163165
"evidence": [],
164-
"systemTags" : []
166+
"systemTags" : [],
167+
"customDetails": {"newKey":"newValue"}
165168
}
166169
```
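Review bot: the added `"customDetails": {"newKey":"newValue"}` is written on one line with no spaces, unlike the rest of this pretty-printed response body; expand it to the same multi-line style for consistency. It would also help readers to state what the property looks like when no custom fields have been set (omitted, `null`, or an empty object), since the example only shows the populated case.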

api-reference/beta/resources/security-alert.md

Lines changed: 4 additions & 0 deletions
@@ -40,6 +40,7 @@ Security providers create an alert in the system when they detect a threat. Micr
4040
|classification|[microsoft.graph.security.alertClassification](#alertclassification-values)| Specifies whether the alert represents a true threat. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
4141
|comments|[microsoft.graph.security.alertComment](security-alertComment.md) collection| Array of comments created by the Security Operations (SecOps) team during the alert management process.|
4242
|createdDateTime|DateTimeOffset| Time when Microsoft 365 Defender created the alert.|
43+
|customDetails|microsoft.graph.security.dictionary| User defined custom fields with string values. |
4344
|description|String| String value describing each alert.|
4445
|detectionSource|[microsoft.graph.security.detectionSource](#detectionsource-values)| Detection technology or sensor that identified the notable component or activity. Possible values are: `unknown`, `microsoftDefenderForEndpoint`, `antivirus`, `smartScreen`, `customTi`, `microsoftDefenderForOffice365`, `automatedInvestigation`, `microsoftThreatExperts`, `customDetection`, `microsoftDefenderForIdentity`, `cloudAppSecurity`, `microsoft365Defender`, `azureAdIdentityProtection`, `manual`, `microsoftDataLossPrevention`, `appGovernancePolicy`, `appGovernanceDetection`, `unknownFutureValue`, `microsoftDefenderForCloud`, `microsoftDefenderForIoT`, `microsoftDefenderForServers`, `microsoftDefenderForStorage`, `microsoftDefenderForDNS`, `microsoftDefenderForDatabases`, `microsoftDefenderForContainers`, `microsoftDefenderForNetwork`, `microsoftDefenderForAppService`, `microsoftDefenderForKeyVault`, `microsoftDefenderForResourceManager`, `microsoftDefenderForApiManagement`, `microsoftSentinel`, `nrtAlerts`, `scheduledAlerts`, `microsoftDefenderThreatIntelligenceAnalytics`, `builtInMl`. Use the `Prefer: include-unknown-enum-members` request header to get the following value(s) in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `microsoftDefenderForCloud`, `microsoftDefenderForIoT`, `microsoftDefenderForServers`, `microsoftDefenderForStorage`, `microsoftDefenderForDNS`, `microsoftDefenderForDatabases`, `microsoftDefenderForContainers`, `microsoftDefenderForNetwork`, `microsoftDefenderForAppService`, `microsoftDefenderForKeyVault`, `microsoftDefenderForResourceManager`, `microsoftDefenderForApiManagement`, `microsoftSentinel`, `nrtAlerts`, `scheduledAlerts`, `microsoftDefenderThreatIntelligenceAnalytics`, `builtInMl`.|
4546
|detectorId|String| The ID of the detector that triggered the alert.|
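Review bot: in this table the other complex types are linked (`[microsoft.graph.security.alertClassification](#alertclassification-values)`, `[microsoft.graph.security.alertComment](security-alertComment.md)`), but `microsoft.graph.security.dictionary` is plain text; link it the way the neighbouring rows link their types if a resource page for the dictionary type exists, and hyphenate `User-defined`. Nothing in the row says that this property is caller-writable rather than populated by the detection source; a short cross-reference to the update API changed in this same commit (`api/security-alert-update.md`) would make that explicit.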
@@ -241,6 +242,9 @@ The following JSON representation shows the resource type.
241242
],
242243
"additionalData": {
243244
"@odata.type": "microsoft.graph.security.dictionary"
245+
},
246+
"customDetails": {
247+
"@odata.type": "microsoft.graph.security.dictionary"
244248
}
245249
}
246250
```
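Review bot: the JSON representation shows only `"@odata.type": "microsoft.graph.security.dictionary"` for `customDetails`, which mirrors `additionalData` but gives no hint that the values are strings keyed by caller-chosen names; a one-key sample such as the `"newKey": "newValue"` used on the update page would make the shape clearer.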

api-reference/v1.0/api/security-alert-update.md

Lines changed: 1 addition & 0 deletions
@@ -45,6 +45,7 @@ PATCH /security/alerts_v2/{alertId}
4545
|:---|:---|:---|
4646
|status|microsoft.graph.security.alertStatus|The status of the alert. Possible values are: `new`, `inProgress`, `resolved`, `unknownFutureValue`.|
4747
|classification|microsoft.graph.security.alertClassification|Specifies the classification of the alert. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
48+
|customDetails|microsoft.graph.security.dictionary| User defined custom fields with string values. |
4849
|determination|microsoft.graph.security.alertDetermination|Specifies the determination of the alert. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.|
4950
|assignedTo|String|Owner of the incident, or `null` if no owner is assigned.|
5051
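Review bot: this v1.0 update page receives only the table row (the file summary above shows `1 addition & 0 deletions`), whereas the beta page in the same commit also updates the request and response examples. Add `customDetails` to the v1.0 request and response examples as well so the two API versions stay in parity.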

api-reference/v1.0/resources/security-alert.md

Lines changed: 4 additions & 0 deletions
@@ -38,6 +38,7 @@ When a security provider detects a threat, it creates an alert in the system. Mi
3838
|classification|[microsoft.graph.security.alertClassification](#alertclassification-values)| Specifies whether the alert represents a true threat. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
3939
|comments|[microsoft.graph.security.alertComment](security-alertComment.md) collection| Array of comments created by the Security Operations (SecOps) team during the alert management process.|
4040
|createdDateTime|DateTimeOffset| Time when Microsoft 365 Defender created the alert.|
41+
|customDetails|microsoft.graph.security.dictionary| User defined custom fields with string values. |
4142
|description|String| String value describing each alert.|
4243
|detectionSource|[microsoft.graph.security.detectionSource](#detectionsource-values)| Detection technology or sensor that identified the notable component or activity. Possible values are: `unknown`, `microsoftDefenderForEndpoint`, `antivirus`, `smartScreen`, `customTi`, `microsoftDefenderForOffice365`, `automatedInvestigation`, `microsoftThreatExperts`, `customDetection`, `microsoftDefenderForIdentity`, `cloudAppSecurity`, `microsoft365Defender`, `azureAdIdentityProtection`, `manual`, `microsoftDataLossPrevention`, `appGovernancePolicy`, `appGovernanceDetection`, `unknownFutureValue`, `microsoftDefenderForCloud`, `microsoftDefenderForIoT`, `microsoftDefenderForServers`, `microsoftDefenderForStorage`, `microsoftDefenderForDNS`, `microsoftDefenderForDatabases`, `microsoftDefenderForContainers`, `microsoftDefenderForNetwork`, `microsoftDefenderForAppService`, `microsoftDefenderForKeyVault`, `microsoftDefenderForResourceManager`, `microsoftDefenderForApiManagement`, `microsoftSentinel`, `nrtAlerts`, `scheduledAlerts`, `microsoftDefenderThreatIntelligenceAnalytics`, `builtInMl`. Use the `Prefer: include-unknown-enum-members` request header to get the following value(s) in this [evolvable enum](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations): `microsoftDefenderForCloud`, `microsoftDefenderForIoT`, `microsoftDefenderForServers`, `microsoftDefenderForStorage`, `microsoftDefenderForDNS`, `microsoftDefenderForDatabases`, `microsoftDefenderForContainers`, `microsoftDefenderForNetwork`, `microsoftDefenderForAppService`, `microsoftDefenderForKeyVault`, `microsoftDefenderForResourceManager`, `microsoftDefenderForApiManagement`, `microsoftSentinel`, `nrtAlerts`, `scheduledAlerts`, `microsoftDefenderThreatIntelligenceAnalytics`, `builtInMl`.|
4344
|detectorId|String| The ID of the detector that triggered the alert.|
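Review bot: the same two points as on the beta resource page apply here: `microsoft.graph.security.dictionary` is unlinked while the other types in the table are, and `User defined` should read `User-defined`. Because this is the v1.0 reference, also confirm that the property is actually exposed on `/security/alerts_v2` in v1.0 before merging; the changelog entry in this commit records it as a v1.0 addition.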
@@ -238,6 +239,9 @@ The following JSON representation shows the resource type.
238239
],
239240
"additionalData": {
240241
"@odata.type": "microsoft.graph.security.dictionary"
242+
},
243+
"customDetails": {
244+
"@odata.type": "microsoft.graph.security.dictionary"
241245
}
242246
}
243247
```

changelog/Microsoft.M365.Defender.json

Lines changed: 36 additions & 0 deletions
@@ -2669,6 +2669,42 @@
26692669
"CreatedDateTime": "2025-03-26T20:20:31.9078919Z",
26702670
"WorkloadArea": "Security",
26712671
"SubArea": ""
2672+
},
2673+
{
2674+
"ChangeList": [
2675+
{
2676+
"Id": "0b42926b-ca34-4b46-8ece-7d2ebc57d92c",
2677+
"ApiChange": "Property",
2678+
"ChangedApiName": "customDetails",
2679+
"ChangeType": "Addition",
2680+
"Description": "Added the **customDetails** property to the [alert](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-beta) resource.",
2681+
"Target": "alert"
2682+
}
2683+
],
2684+
"Id": "0b42926b-ca34-4b46-8ece-7d2ebc57d92c",
2685+
"Cloud": "Review",
2686+
"Version": "beta",
2687+
"CreatedDateTime": "2025-05-21T03:30:26.499353Z",
2688+
"WorkloadArea": "Security",
2689+
"SubArea": ""
2690+
},
2691+
{
2692+
"ChangeList": [
2693+
{
2694+
"Id": "00bffed3-c1fc-46a7-bdf5-e62c5a7bd69f",
2695+
"ApiChange": "Property",
2696+
"ChangedApiName": "customDetails",
2697+
"ChangeType": "Addition",
2698+
"Description": "Added the **customDetails** property to the [alert](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) resource.",
2699+
"Target": "alert"
2700+
}
2701+
],
2702+
"Id": "00bffed3-c1fc-46a7-bdf5-e62c5a7bd69f",
2703+
"Cloud": "Review",
2704+
"Version": "v1.0",
2705+
"CreatedDateTime": "2025-05-21T03:30:26.4995892Z",
2706+
"WorkloadArea": "Security",
2707+
"SubArea": ""
26722708
}
26732709
]
26742710
}
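Review bot: both new changelog entries carry `"Cloud": "Review"`, which reads like a placeholder left over from the review workflow rather than a cloud name; confirm the intended value before merging. The `Description` links use absolute `https://learn.microsoft.com/en-us/...` URLs with a locale segment, whereas the reference pages in this same commit use root-relative links such as `/graph/best-practices-concept`; dropping `en-us` avoids locking readers to one locale. Repeating the same GUID in `ChangeList[0].Id` and the top-level `Id` follows the pattern of the surrounding entries, so that is fine.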
