SecurityAlert.Create.All
Allows the app to create security alerts, without a signed-in user.
Permission Details
Application permission: Create security alerts
Allows the app to create security alerts, without a signed-in user.
ID: 06870c4c-7370-4a2a-ad10-239a337af816
Delegated permission: Create security alerts
Allows the app to create security alerts, on behalf of the signed-in user.
ID: 7417b8c6-a088-4c4c-99c7-bca9ab3eb9ba
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| actorDisplayName | StringNullable | The adversary or activity group that is associated with this alert. |
| additionalData | security.dictionary | A collection of other alert properties, including user-defined properties. Any custom details defined in the alert, and any dynamic content in the alert details, are stored here. |
| alertPolicyId | StringNullable | The ID of the policy that generated the alert. Populated when a specific policy, whether customer-configured or built-in, generated the alert. |
| alertWebUrl | StringNullable | URL for the Microsoft 365 Defender portal alert page. |
| assignedTo | StringNullable | Owner of the alert, or null if no owner is assigned. |
| categories | String collection | The attack kill-chain categories that the alert belongs to. Aligned with the MITRE ATT&CK framework. |
| classification | security.alertClassification | Specifies whether the alert represents a true threat. The possible values are: unknown, falsePositive, truePositive, informationalExpectedActivity, unknownFutureValue. |
| comments | security.alertComment collection | Array of comments created by the Security Operations (SecOps) team during the alert management process. |
| createdDateTime | DateTimeOffsetNullable | Time when Microsoft 365 Defender created the alert. |
| customDetails | security.dictionary | User-defined custom fields with string values. |
| description | StringNullable | String value describing each alert. |
| detectionSource | security.detectionSource | Detection technology or sensor that identified the notable component or activity. |
| detectorId | StringNullable | The ID of the detector that triggered the alert. |
| determination | security.alertDetermination | Specifies the result of the investigation, whether the alert represents a true attack and if so, the nature of the attack. The possible values are: unknown, apt, malware, securityPersonnel, securityTesting, unwantedSoftware, other, multiStagedAttack, compromisedAccount, phishing, maliciousUserActivity, notMalicious, notEnoughDataToValidate, confirmedUserActivity, lineOfBusinessApplication, unknownFutureValue. |
| evidence | security.alertEvidence collection | Collection of evidence related to the alert. |
Showing 15 of 37 properties.
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
{
  "@odata.type": "#microsoft.graph.security.alert",
  "actorDisplayName": "String",
  "additionalData": {
    "@odata.type": "microsoft.graph.security.dictionary"
  },
  "alertWebUrl": "String",
  "assignedTo": "String",
  "category": "String",
  "categories": [
    "String"
  ],
  "classification": "String",
  "comments": [
    {
      "@odata.type": "microsoft.graph.security.alertComment"
    }
  ],
  "createdDateTime": "String (timestamp)",
  "customDetails": {
    "@odata.type": "microsoft.graph.security.dictionary"
  },
  "description": "String",
  "detectionSource": "String",
  "detectorId": "String",
  "determination": "String",
  "evidence": [
    {
      "@odata.type": "microsoft.graph.security.alertEvidence"
    }
  ],
  "firstActivityDateTime": "String (timestamp)",
  "id": "String (identifier)",
  "incidentId": "String",
  "incidentWebUrl": "String",
  "investigationState": "String",
  "lastActivityDateTime": "String (timestamp)",
  "lastUpdateDateTime": "String (timestamp)",
  "mitreTechniques": [
    "String"
  ],
  "productName": "String",
  "providerAlertId": "String",
  "recommendedActions": "String",
  "resolvedDateTime": "String (timestamp)",
  "serviceSource": "String",
  "severity": "String",
  "status": "String",
  "systemTags": [
    "String"
  ],
  "tenantId": "String",
  "threatDisplayName": "String",
  "threatFamilyName": "String",
  "title": "String"
}
Relationships
Relationships are shown from stable Microsoft Graph v1.0 metadata. The entries below are enum-typed properties and string collections of the alert rather than navigation properties; the JSON representation above carries each of them inline.
| Relationship | Type | Description |
|---|---|---|
| categories | string collection | The attack kill-chain categories that the alert belongs to. Aligned with the MITRE ATT&CK framework. |
| comments | security.alertComment collection | Array of comments created by the Security Operations (SecOps) team during the alert management process. |
| evidence | security.alertEvidence collection | Collection of evidence related to the alert. |
| mitreTechniques | string collection | The attack techniques, as aligned with the MITRE ATT&CK framework. |
| serviceSource | security.serviceSource | The service that created the alert (security.serviceSource enum). |
| severity | security.alertSeverity | The severity of the alert (security.alertSeverity enum). |
| status | security.alertStatus | The status of the alert (security.alertStatus enum). |
| systemTags | string collection | The system tags associated with the alert. |
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
No API methods available for this version.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
| Methods |
|---|
| POST /security/alerts_v2 |
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
No deterministic PowerShell command map is available for this permission.
Code Examples
C#
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using System.Collections.Generic;
using Microsoft.Graph.Beta.Models.Security;
using Microsoft.Kiota.Abstractions.Serialization;

var requestBody = new Alert
{
    // The concrete type is selected through @odata.type.
    OdataType = "#microsoft.graph.security.manualAlert",
    Title = "Suspicious login from TOR exit node",
    Description = "User account showed login activity from known TOR exit node. Manual investigation revealed potential account compromise.",
    Category = "InitialAccess",
    Severity = AlertSeverity.High,
    RecommendedActions = "Reset user credentials, enable MFA, review recent user activity",
    MitreTechniques = new List<string>
    {
        "T1078",
    },
    // entityDefinitions is not a member of the SDK's Alert class, so it is passed
    // through AdditionalData, which Kiota serializes as top-level JSON properties
    // (the same wire shape as the JavaScript and PowerShell bodies below).
    AdditionalData = new Dictionary<string, object>
    {
        {
            "entityDefinitions" , new List<object>
            {
                new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    {
                        "entityType", new UntypedString("user")
                    },
                    {
                        "entityIdentifier", new UntypedString("userPrincipalName")
                    },
                    {
                        "identifierValue", new UntypedString("[email protected]")
                    },
                    {
                        "role", new UntypedString("impacted")
                    },
                }),
                new UntypedObject(new Dictionary<string, UntypedNode>
                {
                    {
                        "entityType", new UntypedString("ip")
                    },
                    {
                        "entityIdentifier", new UntypedString("address")
                    },
                    {
                        "identifierValue", new UntypedString("185.220.101.50")
                    },
                    {
                        "role", new UntypedString("related")
                    },
                }),
            }
        },
    },
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Alerts_v2.PostAsync(requestBody);
JavaScript
import { Client } from '@microsoft/microsoft-graph-client';

// authProvider is assumed to be an initialized AuthenticationProvider whose token
// carries SecurityAlert.Create.All; see https://learn.microsoft.com/en-us/graph/sdks/create-client
const options = {
    authProvider,
};
const client = Client.init(options);

// The raw request body: entityDefinitions is a top-level property of the manualAlert.
const alert = {
    '@odata.type': '#microsoft.graph.security.manualAlert',
    title: 'Suspicious login from TOR exit node',
    description: 'User account showed login activity from known TOR exit node. Manual investigation revealed potential account compromise.',
    category: 'InitialAccess',
    severity: 'high',
    recommendedActions: 'Reset user credentials, enable MFA, review recent user activity',
    mitreTechniques: ['T1078'],
    entityDefinitions: [
        {
            entityType: 'user',
            entityIdentifier: 'userPrincipalName',
            identifierValue: '[email protected]',
            role: 'impacted'
        },
        {
            entityType: 'ip',
            entityIdentifier: 'address',
            identifierValue: '185.220.101.50',
            role: 'related'
        }
    ]
};

await client.api('/security/alerts_v2')
    .version('beta')
    .post(alert);
PowerShell
Import-Module Microsoft.Graph.Beta.Security
# Sign in with the delegated permission (or use app-only auth with the application permission).
Connect-MgGraph -Scopes "SecurityAlert.Create.All"

$params = @{
    "@odata.type" = "#microsoft.graph.security.manualAlert"
    title = "Suspicious login from TOR exit node"
    description = "User account showed login activity from known TOR exit node. Manual investigation revealed potential account compromise."
    category = "InitialAccess"
    severity = "high"
    recommendedActions = "Reset user credentials, enable MFA, review recent user activity"
    mitreTechniques = @(
        "T1078"
    )
    entityDefinitions = @(
        @{
            entityType = "user"
            entityIdentifier = "userPrincipalName"
            identifierValue = "[email protected]"
            role = "impacted"
        }
        @{
            entityType = "ip"
            entityIdentifier = "address"
            identifierValue = "185.220.101.50"
            role = "related"
        }
    )
}

New-MgBetaSecurityAlertV2 -BodyParameter $params
Python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.security.alert import Alert
# severity on a security alert is security.alertSeverity, so the enum comes from the security sub-package
from msgraph_beta.generated.models.security.alert_severity import AlertSeverity

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Alert(
    odata_type = "#microsoft.graph.security.manualAlert",
    title = "Suspicious login from TOR exit node",
    description = "User account showed login activity from known TOR exit node. Manual investigation revealed potential account compromise.",
    category = "InitialAccess",
    severity = AlertSeverity.High,
    recommended_actions = "Reset user credentials, enable MFA, review recent user activity",
    mitre_techniques = [
        "T1078",
    ],
    # additional_data is serialized verbatim, so its keys must be the wire
    # (camelCase) names, as in the JavaScript and PowerShell bodies above.
    additional_data = {
        "entityDefinitions" : [
            {
                "entityType" : "user",
                "entityIdentifier" : "userPrincipalName",
                "identifierValue" : "[email protected]",
                "role" : "impacted",
            },
            {
                "entityType" : "ip",
                "entityIdentifier" : "address",
                "identifierValue" : "185.220.101.50",
                "role" : "related",
            },
        ],
    }
)

# The SDK is async: run this inside a coroutine (for example via asyncio.run).
result = await graph_client.security.alerts_v2.post(request_body)
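The four SDK snippets all produce the same HTTP request. The following added example (not part of the Microsoft Learn snippets above) builds that raw request for the beta /security/alerts_v2 endpoint without an SDK, validates the severity and entity definitions against what the page documents before anything is sent, and extracts the identifiers an operator needs from the returned security.alert. The bearer token, the entity values, and the sample response are constructed placeholders; the code is not run against a tenant here.

```python
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Values of the security.alertSeverity enum (the unknownFutureValue sentinel is left out).
ALERT_SEVERITIES = ("unknown", "informational", "low", "medium", "high")
# Fields every entityDefinitions entry carries in the snippets above.
ENTITY_FIELDS = ("entityType", "entityIdentifier", "identifierValue", "role")


def build_manual_alert(title, description, category, severity, entities,
                       mitre_techniques=(), recommended_actions=None):
    """Return the JSON body for POST /security/alerts_v2 creating a manualAlert.

    entityDefinitions is a top-level property of the request, as in the
    JavaScript and PowerShell snippets; the SDK snippets reach the same
    shape through AdditionalData.
    """
    if severity not in ALERT_SEVERITIES:
        raise ValueError(f"severity must be one of {ALERT_SEVERITIES}, got {severity!r}")
    if not entities:
        raise ValueError("a manual alert needs at least one entity definition")
    for entity in entities:
        missing = [f for f in ENTITY_FIELDS if not entity.get(f)]
        if missing:
            raise ValueError(f"entity definition is missing {missing}: {entity}")
    body = {
        "@odata.type": "#microsoft.graph.security.manualAlert",
        "title": title,
        "description": description,
        "category": category,
        "severity": severity,
        "mitreTechniques": list(mitre_techniques),
        "entityDefinitions": [dict(e) for e in entities],
    }
    if recommended_actions:
        body["recommendedActions"] = recommended_actions
    return body


def make_create_request(body, access_token):
    """Build, without sending, the raw HTTP request behind the SDK calls above.

    access_token must carry SecurityAlert.Create.All (app-only or delegated).
    """
    return urllib.request.Request(
        f"{GRAPH_BETA}/security/alerts_v2",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )


def summarize_created_alert(response_text):
    """Pick the fields an operator needs out of the returned security.alert:
    the Graph id, the incident id (if one was assigned), state and portal links."""
    alert = json.loads(response_text)
    keys = ("id", "incidentId", "status", "severity", "alertWebUrl", "incidentWebUrl")
    return {key: alert.get(key) for key in keys}


# Constructed sample entities: placeholder user and the IP from the snippets above.
SAMPLE_ENTITIES = [
    {"entityType": "user", "entityIdentifier": "userPrincipalName",
     "identifierValue": "alice@contoso.example", "role": "impacted"},
    {"entityType": "ip", "entityIdentifier": "address",
     "identifierValue": "185.220.101.50", "role": "related"},
]

# Constructed sample response, shaped like the alert JSON representation above.
# The id, incidentId and URLs are placeholders, not a real alert.
SAMPLE_RESPONSE = json.dumps({
    "@odata.type": "#microsoft.graph.security.alert",
    "id": "example-alert-id",
    "incidentId": "1001",
    "incidentWebUrl": "https://security.microsoft.com/incidents/1001",
    "alertWebUrl": "https://security.microsoft.com/alerts/example-alert-id",
    "status": "new",
    "severity": "high",
    "title": "Suspicious login from TOR exit node",
})

if __name__ == "__main__":
    body = build_manual_alert(
        title="Suspicious login from TOR exit node",
        description="User account showed login activity from known TOR exit node.",
        category="InitialAccess",
        severity="high",
        entities=SAMPLE_ENTITIES,
        mitre_techniques=["T1078"],
        recommended_actions="Reset user credentials, enable MFA, review recent user activity",
    )
    req = make_create_request(body, "<access-token>")  # placeholder token; nothing is sent here
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
    # To send for real: urllib.request.urlopen(req), then pass the response body to summarize_created_alert.
    print(summarize_created_alert(SAMPLE_RESPONSE))
```

The validation is deliberately strict about the entity fields: an entity definition missing its identifierValue or role is rejected locally instead of producing an alert with no linked entity in the portal.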
App Registration
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
Select Permission Type
Choose Application permissions or delegated permissions and search for SecurityAlert.Create.All
Grant Admin Consent
Application permissions always require admin consent.
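The portal steps above can also be checked and carried out through Graph itself. The added example below (not part of the page's steps) inspects the JSON that GET /servicePrincipals/{id}/appRoleAssignments and GET /oauth2PermissionGrants return to decide whether a client app already holds SecurityAlert.Create.All as an application role (matched by the app role ID from Permission Details) or as a delegated scope with tenant-wide admin consent, and builds the appRoleAssignment request that grants the application role when it is missing. The service principal IDs, the sample assignment and grant records, and the token are constructed placeholders; the Microsoft Graph resource appId is the well-known value.

```python
import json
import urllib.parse
import urllib.request

GRAPH_V1 = "https://graph.microsoft.com/v1.0"
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
# SecurityAlert.Create.All as listed under Permission Details above.
APP_ROLE_ID = "06870c4c-7370-4a2a-ad10-239a337af816"   # application permission: an appRole on the Graph SP
DELEGATED_SCOPE = "SecurityAlert.Create.All"            # delegated permission: granted by scope name


def graph_service_principal_lookup_url():
    """URL that resolves the tenant's Microsoft Graph service principal (the resourceId used below)."""
    return f"{GRAPH_V1}/servicePrincipals?$filter=" + urllib.parse.quote(f"appId eq '{GRAPH_RESOURCE_APP_ID}'")


def application_grant(app_role_assignments, graph_sp_id):
    """Return the appRoleAssignment granting SecurityAlert.Create.All on Microsoft Graph, or None.

    app_role_assignments is the 'value' array from
    GET /servicePrincipals/{clientSpId}/appRoleAssignments.
    """
    for assignment in app_role_assignments:
        if assignment.get("resourceId") == graph_sp_id and assignment.get("appRoleId") == APP_ROLE_ID:
            return assignment
    return None


def delegated_grant(oauth2_grants, graph_sp_id, admin_consent_only=True):
    """Return the oauth2PermissionGrant whose space-separated scope includes SecurityAlert.Create.All, or None.

    oauth2_grants is the 'value' array from
    GET /oauth2PermissionGrants?$filter=clientId eq '{clientSpId}'.
    consentType 'AllPrincipals' is tenant-wide admin consent; 'Principal' is one user's own grant.
    """
    for grant in oauth2_grants:
        if grant.get("resourceId") != graph_sp_id:
            continue
        if admin_consent_only and grant.get("consentType") != "AllPrincipals":
            continue
        if DELEGATED_SCOPE in grant.get("scope", "").split():
            return grant
    return None


def build_app_role_assignment(client_sp_id, graph_sp_id):
    """Body for POST /servicePrincipals/{clientSpId}/appRoleAssignments: admin consent for the application role."""
    return {"principalId": client_sp_id, "resourceId": graph_sp_id, "appRoleId": APP_ROLE_ID}


def make_grant_request(client_sp_id, graph_sp_id, access_token):
    """Build, without sending, the grant request (the caller's token needs AppRoleAssignment.ReadWrite.All)."""
    return urllib.request.Request(
        f"{GRAPH_V1}/servicePrincipals/{client_sp_id}/appRoleAssignments",
        data=json.dumps(build_app_role_assignment(client_sp_id, graph_sp_id)).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )


# Constructed sample data (placeholder GUIDs, not real directory objects).
CLIENT_SP_ID = "11111111-1111-1111-1111-111111111111"   # service principal of the registered app
GRAPH_SP_ID = "22222222-2222-2222-2222-222222222222"    # Microsoft Graph service principal in this tenant
SAMPLE_ASSIGNMENTS = [
    # some unrelated application role on Graph (placeholder role ID); the alert role is absent
    {"principalId": CLIENT_SP_ID, "resourceId": GRAPH_SP_ID,
     "appRoleId": "33333333-3333-3333-3333-333333333333"},
]
SAMPLE_GRANTS = [
    {"clientId": CLIENT_SP_ID, "consentType": "AllPrincipals", "resourceId": GRAPH_SP_ID,
     "scope": "User.Read SecurityAlert.Create.All"},
]

if __name__ == "__main__":
    print("resolve Graph SP via", graph_service_principal_lookup_url())
    if application_grant(SAMPLE_ASSIGNMENTS, GRAPH_SP_ID) is None:
        req = make_grant_request(CLIENT_SP_ID, GRAPH_SP_ID, "<admin-token>")  # placeholder; not sent
        print("application role not granted; would send", req.get_method(), req.full_url)
    print("delegated admin consent present:", delegated_grant(SAMPLE_GRANTS, GRAPH_SP_ID) is not None)
```

The two checks differ because the directory stores the two permission types differently: an application permission is one appRoleAssignment keyed by the role ID, while delegated consent is a single oauth2PermissionGrant per client/resource pair whose scope string lists every consented permission name. Running application_grant over every service principal's assignments is also the quickest way to inventory which apps in a tenant can create alerts without a user.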