Microsoft Graph · Schema
alertEvidence
Azure ADCollaborationContactsDocumentsEmailGraphIdentityMicrosoftOffice 365PresentationsProductivitySpreadsheetsT1Tasks
Properties
| Name | Type | Description |
|---|---|---|
| createdDateTime | string | The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight U |
| detailedRoles | array | Detailed description of the entity role/s in an alert. Values are free-form. |
| remediationStatus | object | |
| remediationStatusDetails | string | Details about the remediation status. |
| roles | array | The role/s that an evidence entity represents in an alert, for example, an IP address that is associated with an attacker has the evidence role Attacker. |
| tags | array | Array of custom tags associated with an evidence instance, for example, to denote a group of devices, high-value assets, etc. |
| verdict | object | |
| @odata.type | string |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/microsoft.graph.security.alertEvidence",
"title": "alertEvidence",
"required": [
"@odata.type"
],
"type": "object",
"properties": {
"createdDateTime": {
"pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$",
"type": "string",
"description": "The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z.",
"format": "date-time"
},
"detailedRoles": {
"type": "array",
"items": {
"type": "string",
"nullable": true
},
"description": "Detailed description of the entity role/s in an alert. Values are free-form."
},
"remediationStatus": {
"$ref": "#/components/schemas/microsoft.graph.security.evidenceRemediationStatus"
},
"remediationStatusDetails": {
"type": "string",
"description": "Details about the remediation status.",
"nullable": true
},
"roles": {
"type": "array",
"items": {
"$ref": "#/components/schemas/microsoft.graph.security.evidenceRole"
},
"description": "The role/s that an evidence entity represents in an alert, for example, an IP address that is associated with an attacker has the evidence role Attacker."
},
"tags": {
"type": "array",
"items": {
"type": "string",
"nullable": true
},
"description": "Array of custom tags associated with an evidence instance, for example, to denote a group of devices, high-value assets, etc."
},
"verdict": {
"$ref": "#/components/schemas/microsoft.graph.security.evidenceVerdict"
},
"@odata.type": {
"type": "string"
}
},
"discriminator": {
"propertyName": "@odata.type",
"mapping": {
"#microsoft.graph.security.aiAgentEvidence": "#/components/schemas/microsoft.graph.security.aiAgentEvidence",
"#microsoft.graph.security.amazonResourceEvidence": "#/components/schemas/microsoft.graph.security.amazonResourceEvidence",
"#microsoft.graph.security.analyzedMessageEvidence": "#/components/schemas/microsoft.graph.security.analyzedMessageEvidence",
"#microsoft.graph.security.azureResourceEvidence": "#/components/schemas/microsoft.graph.security.azureResourceEvidence",
"#microsoft.graph.security.blobContainerEvidence": "#/components/schemas/microsoft.graph.security.blobContainerEvidence",
"#microsoft.graph.security.blobEvidence": "#/components/schemas/microsoft.graph.security.blobEvidence",
"#microsoft.graph.security.cloudApplicationEvidence": "#/components/schemas/microsoft.graph.security.cloudApplicationEvidence",
"#microsoft.graph.security.cloudLogonRequestEvidence": "#/components/schemas/microsoft.graph.security.cloudLogonRequestEvidence",
"#microsoft.graph.security.cloudLogonSessionEvidence": "#/components/schemas/microsoft.graph.security.cloudLogonSessionEvidence",
"#microsoft.graph.security.containerEvidence": "#/components/schemas/microsoft.graph.security.containerEvidence",
"#microsoft.graph.security.containerImageEvidence": "#/components/schemas/microsoft.graph.security.containerImageEvidence",
"#microsoft.graph.security.containerRegistryEvidence": "#/components/schemas/microsoft.graph.security.containerRegistryEvidence",
"#microsoft.graph.security.deviceEvidence": "#/components/schemas/microsoft.graph.security.deviceEvidence",
"#microsoft.graph.security.dnsEvidence": "#/components/schemas/microsoft.graph.security.dnsEvidence",
"#microsoft.graph.security.fileEvidence": "#/components/schemas/microsoft.graph.security.fileEvidence",
"#microsoft.graph.security.fileHashEvidence": "#/components/schemas/microsoft.graph.security.fileHashEvidence",
"#microsoft.graph.security.gitHubOrganizationEvidence": "#/components/schemas/microsoft.graph.security.gitHubOrganizationEvidence",
"#microsoft.graph.security.gitHubRepoEvidence": "#/components/schemas/microsoft.graph.security.gitHubRepoEvidence",
"#microsoft.graph.security.gitHubUserEvidence": "#/components/schemas/microsoft.graph.security.gitHubUserEvidence",
"#microsoft.graph.security.googleCloudResourceEvidence": "#/components/schemas/microsoft.graph.security.googleCloudResourceEvidence",
"#microsoft.graph.security.hostLogonSessionEvidence": "#/components/schemas/microsoft.graph.security.hostLogonSessionEvidence",
"#microsoft.graph.security.ioTDeviceEvidence": "#/components/schemas/microsoft.graph.security.ioTDeviceEvidence",
"#microsoft.graph.security.ipEvidence": "#/components/schemas/microsoft.graph.security.ipEvidence",
"#microsoft.graph.security.kubernetesClusterEvidence": "#/components/schemas/microsoft.graph.security.kubernetesClusterEvidence",
"#microsoft.graph.security.kubernetesControllerEvidence": "#/components/schemas/microsoft.graph.security.kubernetesControllerEvidence",
"#microsoft.graph.security.kubernetesNamespaceEvidence": "#/components/schemas/microsoft.graph.security.kubernetesNamespaceEvidence",
"#microsoft.graph.security.kubernetesPodEvidence": "#/components/schemas/microsoft.graph.security.kubernetesPodEvidence",
"#microsoft.graph.security.kubernetesSecretEvidence": "#/components/schemas/microsoft.graph.security.kubernetesSecretEvidence",
"#microsoft.graph.security.kubernetesServiceAccountEvidence": "#/components/schemas/microsoft.graph.security.kubernetesServiceAccountEvidence",
"#microsoft.graph.security.kubernetesServiceEvidence": "#/components/schemas/microsoft.graph.security.kubernetesServiceEvidence",
"#microsoft.graph.security.mailboxConfigurationEvidence": "#/components/schemas/microsoft.graph.security.mailboxConfigurationEvidence",
"#microsoft.graph.security.mailboxEvidence": "#/components/schemas/microsoft.graph.security.mailboxEvidence",
"#microsoft.graph.security.mailClusterEvidence": "#/components/schemas/microsoft.graph.security.mailClusterEvidence",
"#microsoft.graph.security.malwareEvidence": "#/components/schemas/microsoft.graph.security.malwareEvidence",
"#microsoft.graph.security.networkConnectionEvidence": "#/components/schemas/microsoft.graph.security.networkConnectionEvidence",
"#microsoft.graph.security.nicEvidence": "#/components/schemas/microsoft.graph.security.nicEvidence",
"#microsoft.graph.security.oauthApplicationEvidence": "#/components/schemas/microsoft.graph.security.oauthApplicationEvidence",
"#microsoft.graph.security.processEvidence": "#/components/schemas/microsoft.graph.security.processEvidence",
"#microsoft.graph.security.registryKeyEvidence": "#/components/schemas/microsoft.graph.security.registryKeyEvidence",
"#microsoft.graph.security.registryValueEvidence": "#/components/schemas/microsoft.graph.security.registryValueEvidence",
"#microsoft.graph.security.sasTokenEvidence": "#/components/schemas/microsoft.graph.security.sasTokenEvidence",
"#microsoft.graph.security.securityGroupEvidence": "#/components/schemas/microsoft.graph.security.securityGroupEvidence",
"#microsoft.graph.security.servicePrincipalEvidence": "#/components/schemas/microsoft.graph.security.servicePrincipalEvidence",
"#microsoft.graph.security.submissionMailEvidence": "#/components/schemas/microsoft.graph.security.submissionMailEvidence",
"#microsoft.graph.security.teamsMessageEvidence": "#/components/schemas/microsoft.graph.security.teamsMessageEvidence",
"#microsoft.graph.security.urlEvidence": "#/components/schemas/microsoft.graph.security.urlEvidence",
"#microsoft.graph.security.userEvidence": "#/components/schemas/microsoft.graph.security.userEvidence"
}
}
}