Microsoft Graph · Schema
microsoft.graph.security.incident
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/microsoft.graph.security.incident",
"title": "microsoft.graph.security.incident",
"allOf": [
{
"$ref": "#/components/schemas/microsoft.graph.entity"
},
{
"title": "incident",
"required": [
"@odata.type"
],
"type": "object",
"properties": {
"assignedTo": {
"type": "string",
"description": "Owner of the incident, or null if no owner is assigned. Free editable text.",
"nullable": true
},
"classification": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.alertClassification"
},
{
"type": "object",
"nullable": true
}
],
"description": "The classification of the incident. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue."
},
"comments": {
"type": "array",
"items": {
"$ref": "#/components/schemas/microsoft.graph.security.alertComment"
},
"description": "Array of comments created by the Security Operations (SecOps) team when the incident is managed."
},
"createdDateTime": {
"pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$",
"type": "string",
"description": "Time when the incident was first created.",
"format": "date-time"
},
"customTags": {
"type": "array",
"items": {
"type": "string",
"nullable": true
},
"description": "Array of custom tags associated with an incident."
},
"description": {
"type": "string",
"description": "Description of the incident.",
"nullable": true
},
"determination": {
"anyOf": [
{
"$ref": "#/components/schemas/microsoft.graph.security.alertDetermination"
},
{
"type": "object",
"nullable": true
}
],
"description": "Specifies the determination of the incident. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedUser, phishing, maliciousUserActivity, clean, insufficientData, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue."
},
"displayName": {
"type": "string",
"description": "The incident name.",
"nullable": true
},
"incidentWebUrl": {
"type": "string",
"description": "The URL for the incident page in the Microsoft 365 Defender portal.",
"nullable": true
},
"lastModifiedBy": {
"type": "string",
"description": "The identity that last modified the incident.",
"nullable": true
},
"lastUpdateDateTime": {
"pattern": "^[0-9]{4,}-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])T([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]([.][0-9]{1,12})?(Z|[+-][0-9][0-9]:[0-9][0-9])$",
"type": "string",
"description": "Time when the incident was last updated.",
"format": "date-time"
},
"redirectIncidentId": {
"type": "string",
"description": "Only populated when an incident is grouped with another incident as part of the logic that processes incidents. In that case, the status property has the value redirected.",
"nullable": true
},
"resolvingComment": {
"type": "string",
"description": "User input that explains the resolution of the incident and the classification choice. This property contains free editable text.",
"nullable": true
},
"severity": {
"$ref": "#/components/schemas/microsoft.graph.security.alertSeverity"
},
"status": {
"$ref": "#/components/schemas/microsoft.graph.security.incidentStatus"
},
"summary": {
"type": "string",
"description": "The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.",
"nullable": true
},
"systemTags": {
"type": "array",
"items": {
"type": "string",
"nullable": true
},
"description": "The system tags associated with the incident."
},
"tenantId": {
"type": "string",
"description": "The Microsoft Entra tenant in which the alert was created.",
"nullable": true
},
"alerts": {
"type": "array",
"items": {
"$ref": "#/components/schemas/microsoft.graph.security.alert"
},
"description": "The list of related alerts. Supports $expand.",
"x-ms-navigationProperty": true
},
"@odata.type": {
"type": "string"
}
}
}
],
"x-ms-discriminator-value": "#microsoft.graph.security.incident"
}