Incidents - List Entities
Gets all entities for an incident.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities?api-version=2024-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
incidentId | path | True | string | Incident ID |
resourceGroupName | path | True | string | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
workspaceName | path | True | string | The name of the workspace. Regex pattern: |
api-version | query | True | string | The API version to use for this operation. |
Responses
Name | Type | Description |
---|---|---|
200 OK | IncidentEntitiesResponse | OK |
Other Status Codes | CloudError | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Gets all incident related entities
Sample request
POST https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/entities?api-version=2024-09-01
Sample response
```json
{
  "entities": [
    {
      "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/e1d3d618-e11f-478b-98e3-bb381539a8e1",
      "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1",
      "type": "Microsoft.SecurityInsights/Entities",
      "kind": "Account",
      "properties": {
        "friendlyName": "administrator",
        "accountName": "administrator",
        "ntDomain": "domain"
      }
    }
  ],
  "metaData": [
    {
      "entityKind": "Account",
      "count": 1
    }
  ]
}
```
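The following is an added example, not Microsoft's own client code, showing how a practitioner would call this operation and check the envelope it returns: the request URI is built from the documented path parameters (rejecting a non-UUID subscription ID and any path segment carrying a `/`, `?` or `#`), the POST is sent with a bearer token, and the `entities` array is cross-checked against `metaData` so a truncated or partially parsed response is caught rather than trusted. The function names `build_entities_url`, `list_incident_entities`, `summarize_entities` and `demo` are chosen here; the bearer token is assumed to be an Azure AD access token for management.azure.com obtained via the `user_impersonation` scope (acquiring it is outside this snippet), and the sample response above is embedded so the code runs offline.

```python
"""Call the Incidents - List Entities endpoint and sanity-check its response.

Added example, not Microsoft's own client code. Standard library only.
Assumptions: `bearer_token` is an Azure AD access token for the
management.azure.com audience obtained through the user_impersonation scope;
SAMPLE_RESPONSE is the page's sample response, embedded for offline use.
"""
import io
import json
import urllib.request
import uuid
from collections import Counter

API_VERSION = "2024-09-01"
ARM_ENDPOINT = "https://management.azure.com"

# The page's sample response, embedded so demo() needs no network access.
SAMPLE_RESPONSE = {
    "entities": [
        {
            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg"
                  "/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"
                  "/providers/Microsoft.SecurityInsights/Entities/e1d3d618-e11f-478b-98e3-bb381539a8e1",
            "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1",
            "type": "Microsoft.SecurityInsights/Entities",
            "kind": "Account",
            "properties": {"friendlyName": "administrator",
                           "accountName": "administrator",
                           "ntDomain": "domain"},
        }
    ],
    "metaData": [{"entityKind": "Account", "count": 1}],
}


def build_entities_url(subscription_id, resource_group, workspace, incident_id):
    """Build the request URI from the documented path parameters.

    subscriptionId must be a UUID, so reject anything else before it reaches
    ARM; the other segments must not contain path or query delimiters.
    """
    uuid.UUID(subscription_id)  # raises ValueError for a malformed subscription ID
    for name, value in (("resourceGroupName", resource_group),
                        ("workspaceName", workspace),
                        ("incidentId", incident_id)):
        if not value or any(ch in value for ch in "/?#"):
            raise ValueError(f"{name} must be non-empty and contain none of '/', '?', '#'")
    return (f"{ARM_ENDPOINT}/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents/{incident_id}"
            f"/entities?api-version={API_VERSION}")


def list_incident_entities(bearer_token, subscription_id, resource_group,
                           workspace, incident_id, opener=urllib.request.urlopen):
    """POST to the endpoint (it takes no body) and return the decoded JSON.

    `opener` is injectable so the same code path can be exercised offline.
    """
    request = urllib.request.Request(
        build_entities_url(subscription_id, resource_group, workspace, incident_id),
        data=b"", method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Accept": "application/json"})
    with opener(request) as response:
        return json.load(response)


def summarize_entities(payload):
    """Count entities per kind and cross-check against the metaData block.

    A mismatch between the entities array and metaData usually means a
    truncated or partially parsed response; surface it instead of silently
    trusting either side.
    """
    counts = Counter(e.get("kind", "Unknown") for e in payload.get("entities", []))
    declared = {m["entityKind"]: m["count"] for m in payload.get("metaData", [])}
    mismatches = sorted(k for k in set(counts) | set(declared)
                        if counts.get(k, 0) != declared.get(k, 0))
    return {"counts": dict(counts), "declared": declared, "mismatches": mismatches}


def demo():
    """Run the full call path offline against the embedded sample response."""
    body = json.dumps(SAMPLE_RESPONSE).encode()
    payload = list_incident_entities(
        "<access-token>", "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0", "myRg", "myWorkspace",
        "afbd324f-6c48-459c-8710-8d1e1cd03812", opener=lambda req: io.BytesIO(body))
    return summarize_entities(payload)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a live workspace, replace the stub `opener` with the default `urllib.request.urlopen` and pass a real token; `summarize_entities` reports `mismatches` as an empty list when the `metaData` counts agree with the entities actually returned.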
Definitions
Name | Description |
---|---|
AccountEntity | Represents an account entity. |
AlertSeverity | The severity of the alert |
AlertStatus | The lifecycle status of the alert. |
AntispamMailDirection | The directionality of this mail message |
AttackTactic | The severity for alerts created by this alert rule. |
AzureResourceEntity | Represents an azure resource entity. |
CloudApplicationEntity | Represents a cloud application entity. |
CloudError | Error response structure. |
CloudErrorBody | Error details. |
ConfidenceLevel | The confidence level of this alert. |
ConfidenceReasons | The confidence reasons |
ConfidenceScoreStatus | The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final. |
createdByType | The type of identity that created the resource. |
DeliveryAction | The delivery action of this mail message like Delivered, Blocked, Replaced etc |
DeliveryLocation | The delivery location of this mail message like Inbox, JunkFolder etc |
DnsEntity | Represents a dns entity. |
ElevationToken | The elevation token associated with the process. |
EntityKindEnum | The kind of the aggregated entity. |
FileEntity | Represents a file entity. |
FileHashAlgorithm | The hash algorithm type. |
FileHashEntity | Represents a file hash entity. |
GeoLocation | The geo-location context attached to the ip entity |
HostEntity | Represents a host entity. |
HuntingBookmark | Represents a Hunting bookmark entity. |
IncidentEntitiesResponse | The incident related entities response. |
IncidentEntitiesResultsMetadata | Information of a specific aggregation in the incident related entities result. |
IncidentInfo | Describes related incident information for the bookmark |
IncidentSeverity | The severity of the incident |
IoTDeviceEntity | Represents an IoT device entity. |
IpEntity | Represents an ip entity. |
KillChainIntent | Holds the alert intent stage(s) mapping for this alert. |
MailboxEntity | Represents a mailbox entity. |
MailClusterEntity | Represents a mail cluster entity. |
MailMessageEntity | Represents a mail message entity. |
MalwareEntity | Represents a malware entity. |
OSFamily | The operating system type. |
ProcessEntity | Represents a process entity. |
RegistryHive | The hive that holds the registry key. |
RegistryKeyEntity | Represents a registry key entity. |
RegistryValueEntity | Represents a registry value entity. |
RegistryValueKind | Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry. |
SecurityAlert | Represents a security alert entity. |
SecurityGroupEntity | Represents a security group entity. |
SubmissionMailEntity | Represents a submission mail entity. |
systemData | Metadata pertaining to creation and last modification of the resource. |
ThreatIntelligence | ThreatIntelligence property bag. |
UrlEntity | Represents a url entity. |
UserInfo | User information that made some action |
AccountEntity
Represents an account entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Account | The kind of the entity. |
name | string | The name of the resource |
properties.aadTenantId | string | The Azure Active Directory tenant id. |
properties.aadUserId | string | The Azure Active Directory user id. |
properties.accountName | string | The name of the account. This field should hold only the name without any domain added to it, i.e. administrator. |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.displayName | string | The display name of the account. |
properties.dnsDomain | string | The fully qualified domain DNS name. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hostEntityId | string | The Host entity id that contains the account in case it is a local account (not domain joined) |
properties.isDomainJoined | boolean | Determines whether this is a domain account. |
properties.ntDomain | string | The NetBIOS domain name as it appears in the alert format - domain\username. Examples: NT AUTHORITY. |
properties.objectGuid | string | The objectGUID attribute is a single-value attribute that is the unique identifier for the object, assigned by Active Directory. |
properties.puid | string | The Azure Active Directory Passport User ID. |
properties.sid | string | The account security identifier, e.g. S-1-5-18. |
properties.upnSuffix | string | The user principal name suffix for the account; in some cases it is also the domain name. Examples: contoso.com. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
AlertSeverity
The severity of the alert
Name | Type | Description |
---|---|---|
High | string | High severity |
Informational | string | Informational severity |
Low | string | Low severity |
Medium | string | Medium severity |
AlertStatus
The lifecycle status of the alert.
Name | Type | Description |
---|---|---|
Dismissed | string | Alert dismissed as false positive |
InProgress | string | Alert is being handled |
New | string | New alert |
Resolved | string | Alert closed after handling |
Unknown | string | Unknown value |
AntispamMailDirection
The directionality of this mail message
Name | Type | Description |
---|---|---|
Inbound | string | Inbound |
Intraorg | string | Intraorg |
Outbound | string | Outbound |
Unknown | string | Unknown |
AttackTactic
The severity for alerts created by this alert rule.
Name | Type | Description |
---|---|---|
Collection | string | |
CommandAndControl | string | |
CredentialAccess | string | |
DefenseEvasion | string | |
Discovery | string | |
Execution | string | |
Exfiltration | string | |
Impact | string | |
ImpairProcessControl | string | |
InhibitResponseFunction | string | |
InitialAccess | string | |
LateralMovement | string | |
Persistence | string | |
PreAttack | string | |
PrivilegeEscalation | string | |
Reconnaissance | string | |
ResourceDevelopment | string | |
AzureResourceEntity
Represents an azure resource entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: AzureResource | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.resourceId | string | The azure resource id of the resource |
properties.subscriptionId | string | The subscription id of the resource |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
CloudApplicationEntity
Represents a cloud application entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: CloudApplication | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.appId | integer | The technical identifier of the application. |
properties.appName | string | The name of the related cloud application. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.instanceName | string | The user defined instance name of the cloud application. It is often used to distinguish between several applications of the same type that a customer has. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error | CloudErrorBody | Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message | string | A message describing the error, intended to be suitable for display in a user interface. |
ConfidenceLevel
The confidence level of this alert.
Name | Type | Description |
---|---|---|
High | string | High confidence that the alert is a true positive malicious |
Low | string | Low confidence, meaning we have some doubts this is indeed malicious or part of an attack |
Unknown | string | Unknown confidence; this is the default value |
ConfidenceReasons
The confidence reasons
Name | Type | Description |
---|---|---|
reason | string | The reason's description |
reasonType | string | The type (category) of the reason |
ConfidenceScoreStatus
The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.
Name | Type | Description |
---|---|---|
Final | string | Final score was calculated and available |
InProcess | string | No score was set yet and calculation is in progress |
NotApplicable | string | Score will not be calculated for this alert as it is not supported by virtual analyst |
NotFinal | string | Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application | string | |
Key | string | |
ManagedIdentity | string | |
User | string | |
DeliveryAction
The delivery action of this mail message like Delivered, Blocked, Replaced etc
Name | Type | Description |
---|---|---|
Blocked | string | Blocked |
Delivered | string | Delivered |
DeliveredAsSpam | string | DeliveredAsSpam |
Replaced | string | Replaced |
Unknown | string | Unknown |
DeliveryLocation
The delivery location of this mail message like Inbox, JunkFolder etc
Name | Type | Description |
---|---|---|
DeletedFolder | string | DeletedFolder |
Dropped | string | Dropped |
External | string | External |
Failed | string | Failed |
Forwarded | string | Forwarded |
Inbox | string | Inbox |
JunkFolder | string | JunkFolder |
Quarantine | string | Quarantine |
Unknown | string | Unknown |
DnsEntity
Represents a dns entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Dns | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.dnsServerIpEntityId | string | An ip entity id for the dns server resolving the request |
properties.domainName | string | The name of the dns record associated with the alert |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hostIpAddressEntityId | string | An ip entity id for the dns request client |
properties.ipAddressEntityIds | string[] | Ip entity identifiers for the resolved ip address. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
ElevationToken
The elevation token associated with the process.
Name | Type | Description |
---|---|---|
Default | string | Default elevation token |
Full | string | Full elevation token |
Limited | string | Limited elevation token |
EntityKindEnum
The kind of the aggregated entity.
Name | Type | Description |
---|---|---|
Account | string | Entity represents account in the system. |
AzureResource | string | Entity represents azure resource in the system. |
Bookmark | string | Entity represents bookmark in the system. |
CloudApplication | string | Entity represents cloud application in the system. |
DnsResolution | string | Entity represents dns resolution in the system. |
File | string | Entity represents file in the system. |
FileHash | string | Entity represents file hash in the system. |
Host | string | Entity represents host in the system. |
IoTDevice | string | Entity represents IoT device in the system. |
Ip | string | Entity represents ip in the system. |
MailCluster | string | Entity represents mail cluster in the system. |
MailMessage | string | Entity represents mail message in the system. |
Mailbox | string | Entity represents mailbox in the system. |
Malware | string | Entity represents malware in the system. |
Process | string | Entity represents process in the system. |
RegistryKey | string | Entity represents registry key in the system. |
RegistryValue | string | Entity represents registry value in the system. |
SecurityAlert | string | Entity represents security alert in the system. |
SecurityGroup | string | Entity represents security group in the system. |
SubmissionMail | string | Entity represents submission mail in the system. |
Url | string | Entity represents url in the system. |
FileEntity
Represents a file entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: File | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.directory | string | The full path to the file. |
properties.fileHashEntityIds | string[] | The file hash entity identifiers associated with this file |
properties.fileName | string | The file name without path (some alerts might not include path). |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hostEntityId | string | The Host entity id which the file belongs to |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
FileHashAlgorithm
The hash algorithm type.
Name | Type | Description |
---|---|---|
MD5 | string | MD5 hash type |
SHA1 | string | SHA1 hash type |
SHA256 | string | SHA256 hash type |
SHA256AC | string | SHA256 Authenticode hash type |
Unknown | string | Unknown hash algorithm |
FileHashEntity
Represents a file hash entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: FileHash | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.algorithm | FileHashAlgorithm | The hash algorithm type. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hashValue | string | The file hash value. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
GeoLocation
The geo-location context attached to the ip entity
Name | Type | Description |
---|---|---|
asn | integer | Autonomous System Number |
city | string | City name |
countryCode | string | The country code according to ISO 3166 format |
countryName | string | Country name according to ISO 3166 Alpha 2: the lowercase of the English Short Name |
latitude | number | The latitude of the identified location, expressed as a floating point number with range of -90 to 90, with positive numbers representing North and negative numbers representing South. Latitude and longitude are derived from the city or postal code. |
longitude | number | The longitude of the identified location, expressed as a floating point number with range of -180 to 180, with positive numbers representing East and negative numbers representing West. Latitude and longitude are derived from the city or postal code. |
state | string | State name |
HostEntity
Represents a host entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Host | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.azureID | string | The azure resource id of the VM. |
properties.dnsDomain | string | The DNS domain that this host belongs to. Should contain the complete DNS suffix for the domain |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hostName | string | The hostname without the domain suffix. |
properties.isDomainJoined | boolean | Determines whether this host belongs to a domain. |
properties.netBiosName | string | The host name (pre-Windows 2000). |
properties.ntDomain | string | The NT domain that this host belongs to. |
properties.omsAgentID | string | The OMS agent id, if the host has the OMS agent installed. |
properties.osFamily | OSFamily | The operating system type. |
properties.osVersion | string | A free text representation of the operating system. This field is meant to hold specific versions that are more fine grained than OSFamily, or future values not supported by the OSFamily enumeration |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
HuntingBookmark
Represents a Hunting bookmark entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Bookmark | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.created | string | The time the bookmark was created |
properties.createdBy | UserInfo | Describes a user that created the bookmark |
properties.displayName | string | The display name of the bookmark |
properties.eventTime | string | The time of the event |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.incidentInfo | IncidentInfo | Describes an incident that relates to the bookmark |
properties.labels | string[] | List of labels relevant to this bookmark |
properties.notes | string | The notes of the bookmark |
properties.query | string | The query of the bookmark. |
properties.queryResult | string | The query result of the bookmark. |
properties.updated | string | The last time the bookmark was updated |
properties.updatedBy | UserInfo | Describes a user that updated the bookmark |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
IncidentEntitiesResponse
The incident related entities response.
Name | Type | Description |
---|---|---|
entities | Entity[] | Array of the incident related entities. |
metaData | IncidentEntitiesResultsMetadata[] | The metadata from the incident related entities results. |
IncidentEntitiesResultsMetadata
Information of a specific aggregation in the incident related entities result.
Name | Type | Description |
---|---|---|
count | integer | Total number of aggregations of the given kind in the incident related entities result. |
entityKind | EntityKindEnum | The kind of the aggregated entity. |
IncidentInfo
Describes related incident information for the bookmark
Name | Type | Description |
---|---|---|
incidentId | string | Incident Id |
relationName | string | Relation Name |
severity | IncidentSeverity | The severity of the incident |
title | string | The title of the incident |
IncidentSeverity
The severity of the incident
Name | Type | Description |
---|---|---|
High | string | High severity |
Informational | string | Informational severity |
Low | string | Low severity |
Medium | string | Medium severity |
IoTDeviceEntity
Represents an IoT device entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: IoTDevice | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.deviceId | string | The ID of the IoT Device in the IoT Hub |
properties.deviceName | string | The friendly name of the device |
properties.deviceType | string | The type of the device |
properties.edgeId | string | The ID of the edge device |
properties.firmwareVersion | string | The firmware version of the device |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hostEntityId | string | The Host entity id of this device |
properties.iotHubEntityId | string | The AzureResource entity id of the IoT Hub |
properties.iotSecurityAgentId | string | The ID of the security agent running on the device |
properties.ipAddressEntityId | string | The IP entity id of this device |
properties.macAddress | string | The MAC address of the device |
properties.model | string | The model of the device |
properties.operatingSystem | string | The operating system of the device |
properties.protocols | string[] | A list of protocols of the IoTDevice entity. |
properties.serialNumber | string | The serial number of the device |
properties.source | string | The source of the device |
properties.threatIntelligence | ThreatIntelligence[] | A list of TI contexts attached to the IoTDevice entity. |
properties.vendor | string | The vendor of the device |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
IpEntity
Represents an ip entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Ip | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.address | string | The IP address as a string, e.g. 127.0.0.1 (either IPv4 or IPv6) |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.location | GeoLocation | The geo-location context attached to the ip entity |
properties.threatIntelligence | ThreatIntelligence[] | A list of TI contexts attached to the ip entity. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
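Each entity kind above carries its identifying value in a different property (`ntDomain`/`accountName` for an Account, `hostName`/`dnsDomain` for a Host, `address` for an Ip, `domainName` for Dns, `directory`/`fileName` for a File, `algorithm`/`hashValue` for a FileHash). The following added example, not Microsoft's own code, normalizes those kinds into one pivotable string per entity and reports data-quality problems as it goes: an `accountName` that wrongly includes a domain, an `address` that is not a valid IPv4/IPv6 address, and a FileHash whose declared `algorithm` does not fit the digest length (with the algorithm inferred from length when it is `Unknown`). The names `entity_indicator`, `infer_hash_algorithm` and `indicators` are chosen here, and every sample entity in the test is constructed; kinds not handled (Url, Process, and so on) fall back to `friendlyName`.

```python
"""Normalize incident entities into triage identifiers, per entity kind.

Added example, not Microsoft's own code. It reads only the entity properties
documented on this page; `entity_indicator`, `infer_hash_algorithm` and
`indicators` are names chosen here, and all sample inputs are constructed.
"""
import ipaddress

# Digest lengths in hex characters for the FileHashAlgorithm values documented
# above. SHA256AC (Authenticode) is the same length as SHA256, so length alone
# cannot tell the two apart; an undeclared 64-char digest is reported as SHA256.
HEX_DIGEST_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def infer_hash_algorithm(hash_value):
    """Return the FileHashAlgorithm name implied by a digest's length, or Unknown."""
    value = hash_value.strip()
    if not value or any(ch not in "0123456789abcdefABCDEF" for ch in value):
        return "Unknown"
    return HEX_DIGEST_LENGTHS.get(len(value), "Unknown")


def entity_indicator(entity):
    """Return {"kind", "value", "issues"} for one entity from the entities array.

    `value` is a single string an analyst can pivot on; `issues` lists data
    quality problems found while normalizing (bad data never raises).
    """
    kind = entity.get("kind", "Unknown")
    p = entity.get("properties") or {}
    issues = []

    if kind == "Account":
        name = p.get("accountName") or p.get("displayName") or ""
        if "\\" in name or "@" in name:
            issues.append("accountName should hold the bare name without a domain")
        if p.get("ntDomain"):          # alert format: domain\username
            value = f"{p['ntDomain']}\\{name}"
        elif p.get("upnSuffix"):       # e.g. administrator@contoso.com
            value = f"{name}@{p['upnSuffix']}"
        else:
            value = name
    elif kind == "Host":
        host = p.get("hostName") or p.get("netBiosName") or ""
        value = f"{host}.{p['dnsDomain']}" if p.get("dnsDomain") else host
    elif kind == "Ip":
        value = p.get("address", "")
        try:
            ipaddress.ip_address(value)  # accepts IPv4 or IPv6
        except ValueError:
            issues.append(f"not a valid IPv4/IPv6 address: {value!r}")
    elif kind == "Dns":
        value = p.get("domainName", "")
    elif kind == "File":
        directory, file_name = p.get("directory", ""), p.get("fileName", "")
        if not directory:
            value = file_name
        elif directory.endswith(("/", "\\")):
            value = directory + file_name
        else:  # pick the separator the directory itself uses
            value = directory + ("/" if "/" in directory else "\\") + file_name
    elif kind == "FileHash":
        digest = (p.get("hashValue") or "").lower()
        declared = p.get("algorithm") or "Unknown"
        inferred = infer_hash_algorithm(digest)
        if declared == "Unknown":
            algorithm = inferred
        else:
            algorithm = declared
            expected = "SHA256" if declared == "SHA256AC" else declared
            if inferred != expected:
                issues.append(f"algorithm {declared} does not match a "
                              f"{len(digest)}-character digest")
        value = f"{algorithm}:{digest}"
    else:
        value = p.get("friendlyName", "")
        issues.append(f"no normalizer for kind {kind!r}; falling back to friendlyName")
    return {"kind": kind, "value": value, "issues": issues}


def indicators(payload):
    """Normalize every entity in a List Entities response."""
    return [entity_indicator(e) for e in payload.get("entities", [])]


if __name__ == "__main__":
    # Constructed sample: the Account from the page's sample response.
    sample = {"kind": "Account", "properties": {"accountName": "administrator", "ntDomain": "domain"}}
    print(entity_indicator(sample))
```

Feed `indicators()` the decoded response from the List Entities call; anything with a non-empty `issues` list is worth a second look before the value is used as a pivot or an allow/deny-list entry.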
KillChainIntent
Holds the alert intent stage(s) mapping for this alert.
Name | Type | Description |
---|---|---|
Collection | string | Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
CommandAndControl | string | The command and control tactic represents how adversaries communicate with systems under their control within a target network. |
CredentialAccess | string | Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment. |
DefenseEvasion | string | Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. |
Discovery | string | Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. |
Execution | string | The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network. |
Exfiltration | string | Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
Exploitation | string | Exploitation is the stage where an attacker manages to get a foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage. |
Impact | string | The impact intent's primary objective is to directly reduce the availability or integrity of a system, service, or network, including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransomware, defacement, data manipulation and others. |
LateralMovement | string | Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect. |
Persistence | string | Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or an alternate backdoor for them to regain access. |
PrivilegeEscalation | string | Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege. |
Probing | string | Probing could be an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network to scan the target system and find a way in. |
Unknown | string | The default value. |
MailboxEntity
Represents a mailbox entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Mailbox | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.displayName | string | The mailbox's display name |
properties.externalDirectoryObjectId | string | The Azure AD identifier of the mailbox. Similar to AadUserId in the account entity, but this property is specific to the mailbox object on the Office side |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.mailboxPrimaryAddress | string | The mailbox's primary address |
properties.upn | string | The mailbox's UPN |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MailClusterEntity
Represents a mail cluster entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Mail | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.clusterGroup | string | The cluster group |
properties.clusterQueryEndTime | string | The cluster query end time |
properties.clusterQueryStartTime | string | The cluster query start time |
properties.clusterSourceIdentifier | string | The id of the cluster source |
properties.clusterSourceType | string | The type of the cluster source |
properties.countByDeliveryStatus | object | Count of mail messages by DeliveryStatus string representation |
properties.countByProtectionStatus | object | Count of mail messages by ProtectionStatus string representation |
properties.countByThreatType | object | Count of mail messages by ThreatType string representation |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.isVolumeAnomaly | boolean | Whether this mail cluster is a volume anomaly |
properties.mailCount | integer | The number of mail messages that are part of the mail cluster |
properties.networkMessageIds | string[] | The mail message IDs that are part of the mail cluster |
properties.query | string | The query that was used to identify the messages of the mail cluster |
properties.queryTime | string | The query time |
properties.source | string | The source of the mail cluster (default is 'O365 ATP') |
properties.threats | string[] | The threats of mail messages that are part of the mail cluster |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MailMessageEntity
Represents a mail message entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Mail | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.antispamDirection | | The directionality of this mail message |
properties.bodyFingerprintBin1 | integer | The bodyFingerprintBin1 |
properties.bodyFingerprintBin2 | integer | The bodyFingerprintBin2 |
properties.bodyFingerprintBin3 | integer | The bodyFingerprintBin3 |
properties.bodyFingerprintBin4 | integer | The bodyFingerprintBin4 |
properties.bodyFingerprintBin5 | integer | The bodyFingerprintBin5 |
properties.deliveryAction | | The delivery action of this mail message, such as Delivered, Blocked, Replaced, etc. |
properties.deliveryLocation | | The delivery location of this mail message, such as Inbox, JunkFolder, etc. |
properties.fileEntityIds | string[] | The File entity ids of this mail message's attachments |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.internetMessageId | string | The internet message id of this mail message |
properties.language | string | The language of this mail message |
properties.networkMessageId | string | The network message id of this mail message |
properties.p1Sender | string | The p1 sender's email address |
properties.p1SenderDisplayName | string | The p1 sender's display name |
properties.p1SenderDomain | string | The p1 sender's domain |
properties.p2Sender | string | The p2 sender's email address |
properties.p2SenderDisplayName | string | The p2 sender's display name |
properties.p2SenderDomain | string | The p2 sender's domain |
properties.receiveDate | string | The receive date of this message |
properties.recipient | string | The recipient of this mail message. Note that in the case of multiple recipients the mail message is forked and each copy has one recipient |
properties.senderIP | string | The sender's IP address |
properties.subject | string | The subject of this mail message |
properties.threatDetectionMethods | string[] | The threat detection methods |
properties.threats | string[] | The threats of this mail message |
properties.urls | string[] | The URLs contained in this mail message |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
MalwareEntity
Represents a malware entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Malware | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.category | string | The malware category by the vendor, e.g. Trojan |
properties.fileEntityIds | string[] | List of linked file entity identifiers on which the malware was found |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.malwareName | string | The malware name by the vendor, e.g. Win32/Toga!rfn |
properties.processEntityIds | string[] | List of linked process entity identifiers on which the malware was found. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
OSFamily
The operating system type.
Name | Type | Description |
---|---|---|
Android | string | Host with Android operating system. |
IOS | string | Host with IOS operating system. |
Linux | string | Host with Linux operating system. |
Unknown | string | Host with Unknown operating system. |
Windows | string | Host with Windows operating system. |
ProcessEntity
Represents a process entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Process | The kind of the entity. |
name | string | The name of the resource |
properties.accountEntityId | string | The entity id of the account running the process. |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.commandLine | string | The command line used to create the process |
properties.creationTimeUtc | string | The time when the process started to run |
properties.elevationToken | | The elevation token associated with the process. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hostEntityId | string | The host entity id on which the process was running |
properties.hostLogonSessionEntityId | string | The session entity id in which the process was running |
properties.imageFileEntityId | string | Image file entity id |
properties.parentProcessEntityId | string | The parent process entity id. |
properties.processId | string | The process ID |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
RegistryHive
The hive that holds the registry key.
Name | Type | Description |
---|---|---|
HKEY_A | string | HKEY_A |
HKEY_CLASSES_ROOT | string | HKEY_CLASSES_ROOT |
HKEY_CURRENT_CONFIG | string | HKEY_CURRENT_CONFIG |
HKEY_CURRENT_USER | string | HKEY_CURRENT_USER |
HKEY_CURRENT_USER_LOCAL_SETTINGS | string | HKEY_CURRENT_USER_LOCAL_SETTINGS |
HKEY_LOCAL_MACHINE | string | HKEY_LOCAL_MACHINE |
HKEY_PERFORMANCE_DATA | string | HKEY_PERFORMANCE_DATA |
HKEY_PERFORMANCE_NLSTEXT | string | HKEY_PERFORMANCE_NLSTEXT |
HKEY_PERFORMANCE_TEXT | string | HKEY_PERFORMANCE_TEXT |
HKEY_USERS | string | HKEY_USERS |
RegistryKeyEntity
Represents a registry key entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Registry | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.hive | RegistryHive | The hive that holds the registry key. |
properties.key | string | The registry key path. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
RegistryValueEntity
Represents a registry value entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Registry | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.keyEntityId | string | The registry key entity id. |
properties.valueData | string | String formatted representation of the value data. |
properties.valueName | string | The registry value name. |
properties.valueType | RegistryValueKind | Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
RegistryValueKind
Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.
Name | Type | Description |
---|---|---|
Binary | string | Binary value type |
DWord | string | DWord value type |
ExpandString | string | ExpandString value type |
MultiString | string | MultiString value type |
None | string | None |
QWord | string | QWord value type |
String | string | String value type |
Unknown | string | Unknown value type |
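The entity tables on this page share one envelope (id, name, type, kind, properties) and point at each other through `*EntityId` fields that hold fully qualified resource ids, so a triage script can join them. The following Python is an added example, not code from this reference or from Microsoft: it walks a constructed List Entities response, flags delivered MailMessage entities whose p1 and p2 sender domains differ, renders parent/child process chains via `parentProcessEntityId`, and resolves `keyEntityId` to print each RegistryValue with its hive and key. The sample values, the id prefix and the kind discriminator strings (`MailMessage`, `Process`, `RegistryKey`, `RegistryValue`) are assumptions made for the example.

```python
"""Added example (not code from the page or from Microsoft): triage the `entities`
array returned by Incidents - List Entities by following the *EntityId references
documented above (parentProcessEntityId, keyEntityId) and the p1/p2 sender fields.
Assumptions, all constructed: the sample response, the id prefix, and the kind
discriminators MailMessage, Process, RegistryKey and RegistryValue."""

# Constructed id prefix using the URI placeholders from this page.
PREFIX = ("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}"
          "/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
          "/providers/Microsoft.SecurityInsights/Entities/")

def entity(name, kind, **props):
    """Build one entity in the documented shape (id, name, type, kind, properties)."""
    return {"id": PREFIX + name, "name": name, "kind": kind,
            "type": "Microsoft.SecurityInsights/Entities", "properties": props}

# Constructed sample in the shape of the List Entities response body.
SAMPLE_RESPONSE = {"entities": [
    entity("mail-1", "MailMessage", subject="Invoice 4411", deliveryAction="Delivered",
           p1SenderDomain="bulk-relay.example", p2SenderDomain="contoso.example",
           recipient="alice@contoso.example", threats=["Phish"]),
    entity("mail-2", "MailMessage", subject="Newsletter", deliveryAction="Blocked",
           p1SenderDomain="news.example", p2SenderDomain="news.example",
           recipient="alice@contoso.example", threats=[]),
    entity("proc-1", "Process", processId="4120", commandLine="OUTLOOK.EXE"),
    entity("proc-2", "Process", processId="5208",
           commandLine="powershell.exe -NoProfile -File invoice.ps1",
           parentProcessEntityId=PREFIX + "proc-1"),
    entity("key-1", "RegistryKey", hive="HKEY_CURRENT_USER",
           key=r"Software\Microsoft\Windows\CurrentVersion\Run"),
    entity("val-1", "RegistryValue", keyEntityId=PREFIX + "key-1", valueName="Updater",
           valueType="String", valueData=r"C:\Users\alice\AppData\Roaming\upd.exe"),
]}

def by_id(response):
    """Index entities by fully qualified resource id; *EntityId fields hold these ids."""
    return {e["id"]: e for e in response.get("entities", [])}

def sender_mismatches(response):
    """Delivered MailMessage entities whose p1 (envelope) and p2 (header) sender
    domains differ: a common shape for spoofed mail that reached the inbox."""
    hits = []
    for e in response.get("entities", []):
        p = e.get("properties", {})
        if (e.get("kind") == "MailMessage" and p.get("deliveryAction") == "Delivered"
                and p.get("p1SenderDomain") != p.get("p2SenderDomain")):
            hits.append((e["name"], p.get("p1SenderDomain"), p.get("p2SenderDomain")))
    return hits

def process_chains(response):
    """Render 'parent -> child' command lines by resolving parentProcessEntityId."""
    idx, chains = by_id(response), []
    for e in idx.values():
        if e.get("kind") != "Process":
            continue
        parent = idx.get(e["properties"].get("parentProcessEntityId", ""))
        parent_cmd = parent["properties"].get("commandLine", "?") if parent else "<unknown>"
        chains.append(f"{parent_cmd} -> {e['properties'].get('commandLine', '?')}")
    return chains

def registry_values(response):
    """Resolve keyEntityId so each RegistryValue is shown with its full hive\\key path."""
    idx, rows = by_id(response), []
    for e in idx.values():
        if e.get("kind") != "RegistryValue":
            continue
        p, key = e["properties"], idx.get(e["properties"].get("keyEntityId", ""))
        kp = key["properties"] if key else {}
        path = f"{kp.get('hive', '<unknown hive>')}\\{kp.get('key', '<unknown key>')}"
        rows.append(f"{path} : {p.get('valueName')} = {p.get('valueData')}")
    return rows
```

Entities whose referenced parent or key is not part of the incident resolve to `<unknown>` rather than raising, since the API only returns entities linked to the incident.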
SecurityAlert
Represents a security alert entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.alertDisplayName | string | The display name of the alert. |
properties.alertLink | string | The URI link of the alert. |
properties.alertType | string | The type name of the alert. |
properties.compromisedEntity | string | Display name of the main entity being reported on. |
properties.confidenceLevel | | The confidence level of this alert. |
properties.confidenceReasons | | The confidence reasons |
properties.confidenceScore | number | The confidence score of the alert. |
properties.confidenceScoreStatus | | The confidence score calculation status, i.e. indicating whether score calculation is pending for this alert, not applicable or final. |
properties.description | string | Alert description. |
properties.endTimeUtc | string | The impact end time of the alert (the time of the last event contributing to the alert). |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.intent | | Holds the alert intent stage(s) mapping for this alert. |
properties.processingEndTime | string | The time the alert was made available for consumption. |
properties.productComponentName | string | The name of a component inside the product which generated the alert. |
properties.productName | string | The name of the product which published this alert. |
properties.productVersion | string | The version of the product generating the alert. |
properties.providerAlertId | string | The identifier of the alert inside the product which generated the alert. |
properties.remediationSteps | string[] | Manual action items to take to remediate the alert. |
properties.resourceIdentifiers | object[] | The list of resource identifiers of the alert. |
properties.severity | | The severity of the alert |
properties.startTimeUtc | string | The impact start time of the alert (the time of the first event contributing to the alert). |
properties.status | | The lifecycle status of the alert. |
properties.systemAlertId | string | Holds the product identifier of the alert for the product. |
properties.tactics | | The tactics of the alert |
properties.timeGenerated | string | The time the alert was generated. |
properties.vendorName | string | The name of the vendor that raised the alert. |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
SecurityGroupEntity
Represents a security group entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Security | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.distinguishedName | string | The group distinguished name |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.objectGuid | string | A single-value attribute that is the unique identifier for the object, assigned by Active Directory. |
properties.sid | string | The SID attribute is a single-value attribute that specifies the security identifier (SID) of the group |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
SubmissionMailEntity
Represents a submission mail entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Submission | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.networkMessageId | string | The network message id of the email to which the submission belongs |
properties.recipient | string | The recipient of the mail |
properties.reportType | string | The submission type for the given instance. This maps to Junk, Phish, Malware or NotJunk. |
properties.sender | string | The sender of the mail |
properties.senderIp | string | The sender's IP |
properties.subject | string | The subject of the submission mail |
properties.submissionDate | string | The submission date |
properties.submissionId | string | The submission id |
properties.submitter | string | The submitter |
properties.timestamp | string | The timestamp when the message was received (Mail) |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | | The type of identity that created the resource. |
lastModifiedAt | string | The timestamp of resource last modification (UTC). |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | | The type of identity that last modified the resource. |
ThreatIntelligence
ThreatIntelligence property bag.
Name | Type | Description |
---|---|---|
confidence | number | Confidence (must be between 0 and 1) |
providerName | string | Name of the provider from whom this Threat Intelligence information was received |
reportLink | string | Report link |
threatDescription | string | Threat description (free text) |
threatName | string | Threat name (e.g. "Jedobot malware") |
threatType | string | Threat type (e.g. "Botnet") |
UrlEntity
Represents a url entity.
Name | Type | Description |
---|---|---|
id | string | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: Url | The kind of the entity. |
name | string | The name of the resource |
properties.additionalData | object | A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.friendlyName | string | The graph item display name, which is a short human-readable description of the graph item instance. This property is optional and might be system generated. |
properties.url | string | A full URL the entity points to |
systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
UserInfo
User information that made some action
Name | Type | Description |
---|---|---|
| string | The email of the user. |
name | string | The name of the user. |
objectId | string | The object id of the user. |