alertEvidence resource type
Namespace: microsoft.graph.security
Important: APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents evidence related to an alert.
The alertEvidence base type and its derived evidence types provide a means to organize and track rich data about each artifact involved in an alert. For example, an alert about an attacker's IP address signing in to a cloud service using a compromised user account can track the following evidence:
- IP evidence with the roles of attacker and source, a remediation status of running, and a verdict of malicious.
- Cloud application evidence with a role of contextual.
- Mailbox evidence for the hacked user account with a role of compromised.
This resource is the base type for the following evidence types:
- amazonResourceEvidence
- analyzedMessageEvidence
- azureResourceEvidence
- blobContainerEvidence
- blobEvidence
- cloudApplicationEvidence
- cloudLogonRequestEvidence
- cloudLogonSessionEvidence
- containerEvidence
- containerImageEvidence
- containerRegistryEvidence
- deviceEvidence
- fileEvidence
- googleCloudResourceEvidence
- iotDeviceEvidence
- ipEvidence
- kubernetesClusterEvidence
- kubernetesControllerEvidence
- kubernetesNamespaceEvidence
- kubernetesPodEvidence
- kubernetesSecretEvidence
- kubernetesServiceEvidence
- kubernetesServiceAccountEvidence
- mailClusterEvidence
- mailboxEvidence
- nicEvidence
- oauthApplicationEvidence
- processEvidence
- registryKeyEvidence
- registryValueEvidence
- securityGroupEvidence
- urlEvidence
- userEvidence
Properties
Property | Type | Description |
---|---|---|
createdDateTime | DateTimeOffset | The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
detailedRoles | String collection | Detailed description of the entity role/s in an alert. Values are free-form. |
remediationStatus | microsoft.graph.security.evidenceRemediationStatus | Status of the remediation action taken. The possible values are: none, remediated, prevented, blocked, notFound, unknownFutureValue, active, pendingApproval, declined, unremediated, running, partiallyRemediated. Note that you must use the Prefer: include-unknown-enum-members request header to get the following values from this evolvable enum: active, pendingApproval, declined, unremediated, running, partiallyRemediated. |
remediationStatusDetails | String | Details about the remediation status. |
roles | microsoft.graph.security.evidenceRole collection | The role/s that an evidence entity represents in an alert, for example, an IP address that is associated with an attacker has the evidence role Attacker. |
tags | String collection | Array of custom tags associated with an evidence instance, for example, to denote a group of devices, high-value assets, etc. |
verdict | microsoft.graph.security.evidenceVerdict | The decision reached by automated investigation. The possible values are: unknown, suspicious, malicious, noThreatsFound, unknownFutureValue. |
detectionSource values
Value | Description |
---|---|
detected | A product of the threat that executed was detected. |
blocked | The threat was remediated at run time. |
prevented | The threat was prevented from occurring (running, downloading, and so on.). |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
evidenceRemediationStatus values
Member | Description |
---|---|
none | No threats were found. |
remediated | Remediation action completed successfully. |
prevented | The threat was prevented from executing. |
blocked | The threat was blocked while executing. |
notFound | The evidence wasn't found. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
active | Investigation is running / pending and remediation is not complete yet. |
pendingApproval | The remediation action is pending approval. |
declined | The remediation action was declined. |
unremediated | The investigation undid the remediation and the entity is recovered. |
running | The remediation action is running. |
partiallyRemediated | The threat was partially remediated. |
evidenceRole values
Member | Description |
---|---|
unknown | The evidence role is unknown. |
contextual | An entity that is likely benign but was reported as a side effect of an attacker's action, for example, the benign services.exe process was used to start a malicious service. |
scanned | An entity identified as a target of discovery scanning or reconnaissance actions, for example, a port scanner was used to scan a network. |
source | The entity the activity originated from, for example, device, user, IP address, etc. |
destination | The entity the activity was sent to, for example, device, user, IP address, etc. |
created | The entity was created as a result of the actions of an attacker, for example, a user account was created. |
added | The entity was added as a result of the actions of an attacker. For example, a user account was added to a permissions group. |
compromised | The entity was compromised and is under the control of an attacker. For example, a user account was compromised and used to log into a cloud service. |
edited | The entity was edited or changed by an attacker. For example, the registry key for a service was edited to point to the location of a new malicious payload. |
attacked | The entity was attacked. For example, a device was targeted in a DDoS attack. |
attacker | The entity represents the attacker. For example, the attacker's IP address observed logging into a cloud service using a compromised user account. |
commandAndControl | The entity is being used for command and control. For example, a C2 (command and control) domain used by malware. |
loaded | The entity was loaded by a process under the control of an attacker. For example, a DLL was loaded into an attacker-controlled process. |
suspicious | The entity is suspected of being malicious or controlled by an attacker but hasn't been incriminated. |
policyViolator | The entity is a violator of a customer defined policy. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
evidenceVerdict values
Member | Description |
---|---|
unknown | No verdict was determined for the evidence. |
suspicious | Recommended remediation actions awaiting approval. |
malicious | The evidence was determined to be malicious. |
noThreatsFound | No threat was detected - the evidence is benign. |
unknownFutureValue | Evolvable enumeration sentinel value. Don't use. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.security.alertEvidence",
"createdDateTime": "String (timestamp)",
"verdict": "String",
"remediationStatus": "String",
"remediationStatusDetails": "String",
"roles": [
"String"
],
"detailedRoles": [
"String"
],
"tags": [
"String"
]
}
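The following Python triage helper is an added example, not Microsoft's code or part of the Graph SDK. It consumes evidence objects shaped like the JSON representation above, builds the request headers with the Prefer: include-unknown-enum-members header the remediationStatus property requires, maps any enum member this code does not recognize to the unknownFutureValue sentinel (so a member added in a later API version is surfaced rather than crashing the logic), and buckets each item by what its verdict, remediationStatus and roles imply for an analyst. The SAMPLE_EVIDENCE records, the graph_headers helper, the bucket names and the "someNewRole" value are all constructed for this example and are not values from the page or the service.

```python
"""Triage helper for microsoft.graph.security.alertEvidence records.

Added example (not Microsoft code). It assumes evidence objects carry only the
base-type properties documented on this page; SAMPLE_EVIDENCE is constructed.
"""
from __future__ import annotations

from typing import Any

# Enum members documented for the three evolvable enums on this page.
EVIDENCE_ROLES = frozenset({
    "unknown", "contextual", "scanned", "source", "destination", "created",
    "added", "compromised", "edited", "attacked", "attacker",
    "commandAndControl", "loaded", "suspicious", "policyViolator",
})
REMEDIATION_STATUSES = frozenset({
    "none", "remediated", "prevented", "blocked", "notFound", "active",
    "pendingApproval", "declined", "unremediated", "running",
    "partiallyRemediated",
})
VERDICTS = frozenset({"unknown", "suspicious", "malicious", "noThreatsFound"})

# Statuses in which the threat has not yet been fully dealt with.
OPEN_STATUSES = frozenset({
    "none", "notFound", "active", "pendingApproval", "unremediated",
    "running", "partiallyRemediated",
})


def graph_headers(access_token: str) -> dict[str, str]:
    """Headers for an alert request. Without the Prefer header the service
    reports the six newer remediationStatus members as unknownFutureValue."""
    return {
        "Authorization": f"Bearer {access_token}",
        "Prefer": "include-unknown-enum-members",
    }


def normalize(value: Any, known: frozenset[str]) -> str:
    """Map anything outside the documented member set to the sentinel."""
    return value if isinstance(value, str) and value in known else "unknownFutureValue"


def evidence_kind(evidence: dict[str, Any]) -> str:
    """'#microsoft.graph.security.ipEvidence' -> 'ipEvidence'."""
    return str(evidence.get("@odata.type", "alertEvidence")).rsplit(".", 1)[-1]


def triage(evidence_list: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Bucket evidence by the action its verdict, status and roles imply.

    Labels are 'index:kind' because the base type has no identifier of its own.
    """
    buckets: dict[str, list[str]] = {
        "needs_remediation": [],   # malicious and not yet fully remediated
        "awaiting_approval": [],   # remediation action pending analyst approval
        "compromised": [],         # entity under attacker control
        "attacker_or_c2": [],      # origin or command-and-control of the activity
        "unrecognized_enum": [],   # a member this code does not know; re-check
    }
    for i, ev in enumerate(evidence_list):
        label = f"{i}:{evidence_kind(ev)}"
        verdict = normalize(ev.get("verdict"), VERDICTS)
        status = normalize(ev.get("remediationStatus"), REMEDIATION_STATUSES)
        roles = {normalize(r, EVIDENCE_ROLES) for r in ev.get("roles", [])}

        if "unknownFutureValue" in (verdict, status) or "unknownFutureValue" in roles:
            buckets["unrecognized_enum"].append(label)
        if status == "pendingApproval":
            buckets["awaiting_approval"].append(label)
        if verdict == "malicious" and status in OPEN_STATUSES:
            buckets["needs_remediation"].append(label)
        if "compromised" in roles:
            buckets["compromised"].append(label)
        if roles & {"attacker", "commandAndControl"}:
            buckets["attacker_or_c2"].append(label)
    return buckets


# Constructed sample mirroring the page's scenario: an attacker IP signs in to
# a cloud app with a compromised mailbox. Not data from a real tenant.
SAMPLE_EVIDENCE: list[dict[str, Any]] = [
    {"@odata.type": "#microsoft.graph.security.ipEvidence",
     "createdDateTime": "2024-01-01T00:00:00Z", "roles": ["attacker", "source"],
     "remediationStatus": "running", "verdict": "malicious", "tags": []},
    {"@odata.type": "#microsoft.graph.security.cloudApplicationEvidence",
     "createdDateTime": "2024-01-01T00:00:00Z", "roles": ["contextual"],
     "remediationStatus": "none", "verdict": "noThreatsFound"},
    {"@odata.type": "#microsoft.graph.security.mailboxEvidence",
     "createdDateTime": "2024-01-01T00:00:00Z", "roles": ["compromised"],
     "remediationStatus": "pendingApproval", "verdict": "suspicious"},
    # "someNewRole" is made up: it stands in for a member a future version adds.
    {"@odata.type": "#microsoft.graph.security.deviceEvidence",
     "roles": ["someNewRole"], "remediationStatus": "remediated",
     "verdict": "malicious"},
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_EVIDENCE).items():
        print(f"{bucket}: {items}")
```

The unrecognized_enum bucket is the important one operationally: because these enums are evolvable, a value the code has never seen must be reviewed rather than silently treated as benign, and the same sentinel path covers a response fetched without the Prefer header.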