Freigeben über


Incidents - List Entities

Gets all entities for an incident.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities?api-version=2024-09-01

URI Parameters

Name In Required Type Description
incidentId
path True

string

Incident ID

resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

uuid

The ID of the target subscription. The value must be an UUID.

workspaceName
path True

string

The name of the workspace.

Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

api-version
query True

string

The API version to use for this operation.

Responses

Name Type Description
200 OK

IncidentEntitiesResponse

OK

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Sample request

POST https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/entities?api-version=2024-09-01

Sample response

{
  "entities": [
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/e1d3d618-e11f-478b-98e3-bb381539a8e1",
      "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1",
      "type": "Microsoft.SecurityInsights/Entities",
      "kind": "Account",
      "properties": {
        "friendlyName": "administrator",
        "accountName": "administrator",
        "ntDomain": "domain"
      }
    }
  ],
  "metaData": [
    {
      "entityKind": "Account",
      "count": 1
    }
  ]
}

Definitions

Name Description
AccountEntity

Represents an account entity.

AlertSeverity

The severity of the alert

AlertStatus

The lifecycle status of the alert.

AntispamMailDirection

The directionality of this mail message

AttackTactic

The severity for alerts created by this alert rule.

AzureResourceEntity

Represents an azure resource entity.

CloudApplicationEntity

Represents a cloud application entity.

CloudError

Error response structure.

CloudErrorBody

Error details.

ConfidenceLevel

The confidence level of this alert.

ConfidenceReasons

The confidence reasons

ConfidenceScoreStatus

The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.

createdByType

The type of identity that created the resource.

DeliveryAction

The delivery action of this mail message like Delivered, Blocked, Replaced etc

DeliveryLocation

The delivery location of this mail message like Inbox, JunkFolder etc

DnsEntity

Represents a dns entity.

ElevationToken

The elevation token associated with the process.

EntityKindEnum

The kind of the aggregated entity.

FileEntity

Represents a file entity.

FileHashAlgorithm

The hash algorithm type.

FileHashEntity

Represents a file hash entity.

GeoLocation

The geo-location context attached to the ip entity

HostEntity

Represents a host entity.

HuntingBookmark

Represents a Hunting bookmark entity.

IncidentEntitiesResponse

The incident related entities response.

IncidentEntitiesResultsMetadata

Information of a specific aggregation in the incident related entities result.

IncidentInfo

Describes related incident information for the bookmark

IncidentSeverity

The severity of the incident

IoTDeviceEntity

Represents an IoT device entity.

IpEntity

Represents an ip entity.

KillChainIntent

Holds the alert intent stage(s) mapping for this alert.

MailboxEntity

Represents a mailbox entity.

MailClusterEntity

Represents a mail cluster entity.

MailMessageEntity

Represents a mail message entity.

MalwareEntity

Represents a malware entity.

OSFamily

The operating system type.

ProcessEntity

Represents a process entity.

RegistryHive

the hive that holds the registry key.

RegistryKeyEntity

Represents a registry key entity.

RegistryValueEntity

Represents a registry value entity.

RegistryValueKind

Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.

SecurityAlert

Represents a security alert entity.

SecurityGroupEntity

Represents a security group entity.

SubmissionMailEntity

Represents a submission mail entity.

systemData

Metadata pertaining to creation and last modification of the resource.

ThreatIntelligence

ThreatIntelligence property bag.

UrlEntity

Represents a url entity.

UserInfo

User information that made some action

AccountEntity

Represents an account entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Account

The kind of the entity.

name

string

The name of the resource

properties.aadTenantId

string

The Azure Active Directory tenant id.

properties.aadUserId

string

The Azure Active Directory user id.

properties.accountName

string

The name of the account. This field should hold only the name without any domain added to it, i.e. administrator.

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.displayName

string

The display name of the account.

properties.dnsDomain

string

The fully qualified domain DNS name.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hostEntityId

string

The Host entity id that contains the account in case it is a local account (not domain joined)

properties.isDomainJoined

boolean

Determines whether this is a domain account.

properties.ntDomain

string

The NetBIOS domain name as it appears in the alert format - domain\username. Examples: NT AUTHORITY.

properties.objectGuid

string

The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by active directory.

properties.puid

string

The Azure Active Directory Passport User ID.

properties.sid

string

The account security identifier, e.g. S-1-5-18.

properties.upnSuffix

string

The user principal name suffix for the account, in some cases it is also the domain name. Examples: contoso.com.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

AlertSeverity

The severity of the alert

Name Type Description
High

string

High severity

Informational

string

Informational severity

Low

string

Low severity

Medium

string

Medium severity

AlertStatus

The lifecycle status of the alert.

Name Type Description
Dismissed

string

Alert dismissed as false positive

InProgress

string

Alert is being handled

New

string

New alert

Resolved

string

Alert closed after handling

Unknown

string

Unknown value

AntispamMailDirection

The directionality of this mail message

Name Type Description
Inbound

string

Inbound

Intraorg

string

Intraorg

Outbound

string

Outbound

Unknown

string

Unknown

AttackTactic

The severity for alerts created by this alert rule.

Name Type Description
Collection

string

CommandAndControl

string

CredentialAccess

string

DefenseEvasion

string

Discovery

string

Execution

string

Exfiltration

string

Impact

string

ImpairProcessControl

string

InhibitResponseFunction

string

InitialAccess

string

LateralMovement

string

Persistence

string

PreAttack

string

PrivilegeEscalation

string

Reconnaissance

string

ResourceDevelopment

string

AzureResourceEntity

Represents an azure resource entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

AzureResource

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.resourceId

string

The azure resource id of the resource

properties.subscriptionId

string

The subscription id of the resource

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

CloudApplicationEntity

Represents a cloud application entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

CloudApplication

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.appId

integer

The technical identifier of the application.

properties.appName

string

The name of the related cloud application.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.instanceName

string

The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

ConfidenceLevel

The confidence level of this alert.

Name Type Description
High

string

High confidence that the alert is true positive malicious

Low

string

Low confidence, meaning we have some doubts this is indeed malicious or part of an attack

Unknown

string

Unknown confidence, the is the default value

ConfidenceReasons

The confidence reasons

Name Type Description
reason

string

The reason's description

reasonType

string

The type (category) of the reason

ConfidenceScoreStatus

The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.

Name Type Description
Final

string

Final score was calculated and available

InProcess

string

No score was set yet and calculation is in progress

NotApplicable

string

Score will not be calculated for this alert as it is not supported by virtual analyst

NotFinal

string

Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

DeliveryAction

The delivery action of this mail message like Delivered, Blocked, Replaced etc

Name Type Description
Blocked

string

Blocked

Delivered

string

Delivered

DeliveredAsSpam

string

DeliveredAsSpam

Replaced

string

Replaced

Unknown

string

Unknown

DeliveryLocation

The delivery location of this mail message like Inbox, JunkFolder etc

Name Type Description
DeletedFolder

string

DeletedFolder

Dropped

string

Dropped

External

string

External

Failed

string

Failed

Forwarded

string

Forwarded

Inbox

string

Inbox

JunkFolder

string

JunkFolder

Quarantine

string

Quarantine

Unknown

string

Unknown

DnsEntity

Represents a dns entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

DnsResolution

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.dnsServerIpEntityId

string

An ip entity id for the dns server resolving the request

properties.domainName

string

The name of the dns record associated with the alert

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hostIpAddressEntityId

string

An ip entity id for the dns request client

properties.ipAddressEntityIds

string[]

Ip entity identifiers for the resolved ip address.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

ElevationToken

The elevation token associated with the process.

Name Type Description
Default

string

Default elevation token

Full

string

Full elevation token

Limited

string

Limited elevation token

EntityKindEnum

The kind of the aggregated entity.

Name Type Description
Account

string

Entity represents account in the system.

AzureResource

string

Entity represents azure resource in the system.

Bookmark

string

Entity represents bookmark in the system.

CloudApplication

string

Entity represents cloud application in the system.

DnsResolution

string

Entity represents dns resolution in the system.

File

string

Entity represents file in the system.

FileHash

string

Entity represents file hash in the system.

Host

string

Entity represents host in the system.

IoTDevice

string

Entity represents IoT device in the system.

Ip

string

Entity represents ip in the system.

MailCluster

string

Entity represents mail cluster in the system.

MailMessage

string

Entity represents mail message in the system.

Mailbox

string

Entity represents mailbox in the system.

Malware

string

Entity represents malware in the system.

Process

string

Entity represents process in the system.

RegistryKey

string

Entity represents registry key in the system.

RegistryValue

string

Entity represents registry value in the system.

SecurityAlert

string

Entity represents security alert in the system.

SecurityGroup

string

Entity represents security group in the system.

SubmissionMail

string

Entity represents submission mail in the system.

Url

string

Entity represents url in the system.

FileEntity

Represents a file entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

File

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.directory

string

The full path to the file.

properties.fileHashEntityIds

string[]

The file hash entity identifiers associated with this file

properties.fileName

string

The file name without path (some alerts might not include path).

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hostEntityId

string

The Host entity id which the file belongs to

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

FileHashAlgorithm

The hash algorithm type.

Name Type Description
MD5

string

MD5 hash type

SHA1

string

SHA1 hash type

SHA256

string

SHA256 hash type

SHA256AC

string

SHA256 Authenticode hash type

Unknown

string

Unknown hash algorithm

FileHashEntity

Represents a file hash entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

FileHash

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.algorithm

FileHashAlgorithm

The hash algorithm type.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hashValue

string

The file hash value.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

GeoLocation

The geo-location context attached to the ip entity

Name Type Description
asn

integer

Autonomous System Number

city

string

City name

countryCode

string

The country code according to ISO 3166 format

countryName

string

Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name

latitude

number

The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code.

longitude

number

The latitude of the identified location, expressed as a floating point number with range of - 90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code.

state

string

State name

HostEntity

Represents a host entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Host

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.azureID

string

The azure resource id of the VM.

properties.dnsDomain

string

The DNS domain that this host belongs to. Should contain the compete DNS suffix for the domain

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hostName

string

The hostname without the domain suffix.

properties.isDomainJoined

boolean

Determines whether this host belongs to a domain.

properties.netBiosName

string

The host name (pre-windows2000).

properties.ntDomain

string

The NT domain that this host belongs to.

properties.omsAgentID

string

The OMS agent id, if the host has OMS agent installed.

properties.osFamily

OSFamily

The operating system type.

properties.osVersion

string

A free text representation of the operating system. This field is meant to hold specific versions the are more fine grained than OSFamily or future values not supported by OSFamily enumeration

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

HuntingBookmark

Represents a Hunting bookmark entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Bookmark

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.created

string

The time the bookmark was created

properties.createdBy

UserInfo

Describes a user that created the bookmark

properties.displayName

string

The display name of the bookmark

properties.eventTime

string

The time of the event

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.incidentInfo

IncidentInfo

Describes an incident that relates to bookmark

properties.labels

string[]

List of labels relevant to this bookmark

properties.notes

string

The notes of the bookmark

properties.query

string

The query of the bookmark.

properties.queryResult

string

The query result of the bookmark.

properties.updated

string

The last time the bookmark was updated

properties.updatedBy

UserInfo

Describes a user that updated the bookmark

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

IncidentEntitiesResponse

The incident related entities response.

Name Type Description
entities Entity[]:

Array of the incident related entities.

metaData

IncidentEntitiesResultsMetadata[]

The metadata from the incident related entities results.

IncidentEntitiesResultsMetadata

Information of a specific aggregation in the incident related entities result.

Name Type Description
count

integer

Total number of aggregations of the given kind in the incident related entities result.

entityKind

EntityKindEnum

The kind of the aggregated entity.

IncidentInfo

Describes related incident information for the bookmark

Name Type Description
incidentId

string

Incident Id

relationName

string

Relation Name

severity

IncidentSeverity

The severity of the incident

title

string

The title of the incident

IncidentSeverity

The severity of the incident

Name Type Description
High

string

High severity

Informational

string

Informational severity

Low

string

Low severity

Medium

string

Medium severity

IoTDeviceEntity

Represents an IoT device entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

IoTDevice

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.deviceId

string

The ID of the IoT Device in the IoT Hub

properties.deviceName

string

The friendly name of the device

properties.deviceType

string

The type of the device

properties.edgeId

string

The ID of the edge device

properties.firmwareVersion

string

The firmware version of the device

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hostEntityId

string

The Host entity id of this device

properties.iotHubEntityId

string

The AzureResource entity id of the IoT Hub

properties.iotSecurityAgentId

string

The ID of the security agent running on the device

properties.ipAddressEntityId

string

The IP entity if of this device

properties.macAddress

string

The MAC address of the device

properties.model

string

The model of the device

properties.operatingSystem

string

The operating system of the device

properties.protocols

string[]

A list of protocols of the IoTDevice entity.

properties.serialNumber

string

The serial number of the device

properties.source

string

The source of the device

properties.threatIntelligence

ThreatIntelligence[]

A list of TI contexts attached to the IoTDevice entity.

properties.vendor

string

The vendor of the device

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

IpEntity

Represents an ip entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Ip

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.address

string

The IP address as string, e.g. 127.0.0.1 (either in Ipv4 or Ipv6)

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.location

GeoLocation

The geo-location context attached to the ip entity

properties.threatIntelligence

ThreatIntelligence[]

A list of TI contexts attached to the ip entity.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

KillChainIntent

Holds the alert intent stage(s) mapping for this alert.

Name Type Description
Collection

string

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

CommandAndControl

string

The command and control tactic represents how adversaries communicate with systems under their control within a target network.

CredentialAccess

string

Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.

DefenseEvasion

string

Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation.

Discovery

string

Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.

Execution

string

The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.

Exfiltration

string

Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Exploitation

string

Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.

Impact

string

The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.

LateralMovement

string

Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.

Persistence

string

Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.

PrivilegeEscalation

string

Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.

Probing

string

Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.

Unknown

string

The default value.

MailboxEntity

Represents a mailbox entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Mailbox

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.displayName

string

The mailbox's display name

properties.externalDirectoryObjectId

string

The AzureAD identifier of mailbox. Similar to AadUserId in account entity but this property is specific to mailbox object on office side

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.mailboxPrimaryAddress

string

The mailbox's primary address

properties.upn

string

The mailbox's UPN

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MailClusterEntity

Represents a mail cluster entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

MailCluster

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.clusterGroup

string

The cluster group

properties.clusterQueryEndTime

string

The cluster query end time

properties.clusterQueryStartTime

string

The cluster query start time

properties.clusterSourceIdentifier

string

The id of the cluster source

properties.clusterSourceType

string

The type of the cluster source

properties.countByDeliveryStatus

object

Count of mail messages by DeliveryStatus string representation

properties.countByProtectionStatus

object

Count of mail messages by ProtectionStatus string representation

properties.countByThreatType

object

Count of mail messages by ThreatType string representation

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.isVolumeAnomaly

boolean

Is this a volume anomaly mail cluster

properties.mailCount

integer

The number of mail messages that are part of the mail cluster

properties.networkMessageIds

string[]

The mail message IDs that are part of the mail cluster

properties.query

string

The query that was used to identify the messages of the mail cluster

properties.queryTime

string

The query time

properties.source

string

The source of the mail cluster (default is 'O365 ATP')

properties.threats

string[]

The threats of mail messages that are part of the mail cluster

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MailMessageEntity

Represents a mail message entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

MailMessage

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.antispamDirection

AntispamMailDirection

The directionality of this mail message

properties.bodyFingerprintBin1

integer

The bodyFingerprintBin1

properties.bodyFingerprintBin2

integer

The bodyFingerprintBin2

properties.bodyFingerprintBin3

integer

The bodyFingerprintBin3

properties.bodyFingerprintBin4

integer

The bodyFingerprintBin4

properties.bodyFingerprintBin5

integer

The bodyFingerprintBin5

properties.deliveryAction

DeliveryAction

The delivery action of this mail message like Delivered, Blocked, Replaced etc

properties.deliveryLocation

DeliveryLocation

The delivery location of this mail message like Inbox, JunkFolder etc

properties.fileEntityIds

string[]

The File entity ids of this mail message's attachments

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.internetMessageId

string

The internet message id of this mail message

properties.language

string

The language of this mail message

properties.networkMessageId

string

The network message id of this mail message

properties.p1Sender

string

The p1 sender's email address

properties.p1SenderDisplayName

string

The p1 sender's display name

properties.p1SenderDomain

string

The p1 sender's domain

properties.p2Sender

string

The p2 sender's email address

properties.p2SenderDisplayName

string

The p2 sender's display name

properties.p2SenderDomain

string

The p2 sender's domain

properties.receiveDate

string

The receive date of this message

properties.recipient

string

The recipient of this mail message. Note that in case of multiple recipients the mail message is forked and each copy has one recipient

properties.senderIP

string

The sender's IP address

properties.subject

string

The subject of this mail message

properties.threatDetectionMethods

string[]

The threat detection methods

properties.threats

string[]

The threats of this mail message

properties.urls

string[]

The Urls contained in this mail message

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

MalwareEntity

Represents a malware entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Malware

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.category

string

The malware category by the vendor, e.g. Trojan

properties.fileEntityIds

string[]

List of linked file entity identifiers on which the malware was found

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.malwareName

string

The malware name by the vendor, e.g. Win32/Toga!rfn

properties.processEntityIds

string[]

List of linked process entity identifiers on which the malware was found.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

OSFamily

The operating system type.

Name Type Description
Android

string

Host with Android operating system.

IOS

string

Host with IOS operating system.

Linux

string

Host with Linux operating system.

Unknown

string

Host with Unknown operating system.

Windows

string

Host with Windows operating system.

ProcessEntity

Represents a process entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Process

The kind of the entity.

name

string

The name of the resource

properties.accountEntityId

string

The account entity id running the processes.

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.commandLine

string

The command line used to create the process

properties.creationTimeUtc

string

The time when the process started to run

properties.elevationToken

ElevationToken

The elevation token associated with the process.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hostEntityId

string

The host entity id on which the process was running

properties.hostLogonSessionEntityId

string

The session entity id in which the process was running

properties.imageFileEntityId

string

Image file entity id

properties.parentProcessEntityId

string

The parent process entity id.

properties.processId

string

The process ID

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

RegistryHive

the hive that holds the registry key.

Name Type Description
HKEY_A

string

HKEY_A

HKEY_CLASSES_ROOT

string

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

string

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

string

HKEY_CURRENT_USER

HKEY_CURRENT_USER_LOCAL_SETTINGS

string

HKEY_CURRENT_USER_LOCAL_SETTINGS

HKEY_LOCAL_MACHINE

string

HKEY_LOCAL_MACHINE

HKEY_PERFORMANCE_DATA

string

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_NLSTEXT

string

HKEY_PERFORMANCE_NLSTEXT

HKEY_PERFORMANCE_TEXT

string

HKEY_PERFORMANCE_TEXT

HKEY_USERS

string

HKEY_USERS

RegistryKeyEntity

Represents a registry key entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

RegistryKey

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.hive

RegistryHive

the hive that holds the registry key.

properties.key

string

The registry key path.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

RegistryValueEntity

Represents a registry value entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

RegistryValue

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.keyEntityId

string

The registry key entity id.

properties.valueData

string

String formatted representation of the value data.

properties.valueName

string

The registry value name.

properties.valueType

RegistryValueKind

Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

RegistryValueKind

Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.

Name Type Description
Binary

string

Binary value type

DWord

string

DWord value type

ExpandString

string

ExpandString value type

MultiString

string

MultiString value type

None

string

None

QWord

string

QWord value type

String

string

String value type

Unknown

string

Unknown value type

SecurityAlert

Represents a security alert entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

SecurityAlert

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.alertDisplayName

string

The display name of the alert.

properties.alertLink

string

The uri link of the alert.

properties.alertType

string

The type name of the alert.

properties.compromisedEntity

string

Display name of the main entity being reported on.

properties.confidenceLevel

ConfidenceLevel

The confidence level of this alert.

properties.confidenceReasons

ConfidenceReasons[]

The confidence reasons

properties.confidenceScore

number

The confidence score of the alert.

properties.confidenceScoreStatus

ConfidenceScoreStatus

The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.

properties.description

string

Alert description.

properties.endTimeUtc

string

The impact end time of the alert (the time of the last event contributing to the alert).

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.intent

KillChainIntent

Holds the alert intent stage(s) mapping for this alert.

properties.processingEndTime

string

The time the alert was made available for consumption.

properties.productComponentName

string

The name of a component inside the product which generated the alert.

properties.productName

string

The name of the product which published this alert.

properties.productVersion

string

The version of the product generating the alert.

properties.providerAlertId

string

The identifier of the alert inside the product which generated the alert.

properties.remediationSteps

string[]

Manual action items to take to remediate the alert.

properties.resourceIdentifiers

object[]

The list of resource identifiers of the alert.

properties.severity

AlertSeverity

The severity of the alert

properties.startTimeUtc

string

The impact start time of the alert (the time of the first event contributing to the alert).

properties.status

AlertStatus

The lifecycle status of the alert.

properties.systemAlertId

string

Holds the product identifier of the alert for the product.

properties.tactics

AttackTactic[]

The tactics of the alert

properties.timeGenerated

string

The time the alert was generated.

properties.vendorName

string

The name of the vendor that raise the alert.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

SecurityGroupEntity

Represents a security group entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

SecurityGroup

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.distinguishedName

string

The group distinguished name

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.objectGuid

string

A single-value attribute that is the unique identifier for the object, assigned by active directory.

properties.sid

string

The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

SubmissionMailEntity

Represents a submission mail entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

SubmissionMail

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.networkMessageId

string

The network message id of email to which submission belongs

properties.recipient

string

The recipient of the mail

properties.reportType

string

The submission type for the given instance. This maps to Junk, Phish, Malware or NotJunk.

properties.sender

string

The sender of the mail

properties.senderIp

string

The sender's IP

properties.subject

string

The subject of submission mail

properties.submissionDate

string

The submission date

properties.submissionId

string

The submission id

properties.submitter

string

The submitter

properties.timestamp

string

The Time stamp when the message is received (Mail)

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

ThreatIntelligence

ThreatIntelligence property bag.

Name Type Description
confidence

number

Confidence (must be between 0 and 1)

providerName

string

Name of the provider from whom this Threat Intelligence information was received

reportLink

string

Report link

threatDescription

string

Threat description (free text)

threatName

string

Threat name (e.g. "Jedobot malware")

threatType

string

Threat type (e.g. "Botnet")

UrlEntity

Represents a url entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

Url

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.url

string

A full URL the entity points to

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

UserInfo

User information that made some action

Name Type Description
email

string

The email of the user.

name

string

The name of the user.

objectId

string

The object id of the user.