SecurityEvents.Read.All | Graph Permissions

Permission Details

Application Permission

Read your organization’s security events

Allows the app to read your organization’s security events without a signed-in user.

Permission ID: bf394140-e372-4bf9-a898-299cfc7564e5

Delegated Permission

Read your organization’s security events

Allows the app to read your organization’s security events on behalf of the signed-in user.

Permission ID: 64733abd-851e-478a-bffb-e47a14b18235

Properties

Microsoft Graph v1.0 mapped-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property	Type	Description
`activityGroupName`	`String`Nullable	Name or alias of the activity group (attacker) this alert is attributed to.
`assignedTo`	`String`Nullable	Name of the analyst the alert is assigned to for triage, investigation, or remediation (supports update).
`azureSubscriptionId`	`String`Nullable	Azure subscription ID, present if this alert is related to an Azure resource.
`azureTenantId`	`String`	Microsoft Entra tenant ID. Required.
`category`	`String`Nullable	Category of the alert (for example, credentialTheft, ransomware).
`closedDateTime`	`DateTimeOffset`Nullable	Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z (supports update).
`cloudAppStates`	`cloudAppSecurityState collection`	Security-related stateful information generated by the provider about the cloud application/s related to this alert.
`comments`	`String collection`	Customer-provided comments on alert (for customer alert management) (supports update).
`confidence`	`Int32`Nullable	Confidence of the detection logic (percentage between 1-100).
`createdDateTime`	`DateTimeOffset`Nullable	Time at which the alert was created by the alert provider. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.
`description`	`String`Nullable	Alert description.
`detectionIds`	`String collection`	Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record).
`eventDateTime`	`DateTimeOffset`Nullable	Time at which the event or events that served as the trigger to generate the alert occurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required.
`feedback`	`alertFeedback`	Analyst feedback on the alert. The possible values are: unknown, truePositive, falsePositive, benignPositive. Updatable.
`fileStates`	`fileSecurityState collection`	Security-related stateful information generated by the provider about the files related to this alert.

Showing 15 of 40 properties.

JSON Representation

Microsoft Graph v1.0 mapped-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation

{
  "activityGroupName": "String",
  "assignedTo": "String",
  "azureSubscriptionId": "String",
  "azureTenantId": "String",
  "category": "String",
  "closedDateTime": "String (timestamp)",
  "cloudAppStates": [
    {
      "@odata.type": "microsoft.graph.cloudAppSecurityState"
    }
  ],
  "comments": [
    "String"
  ],
  "confidence": 1024,
  "createdDateTime": "String (timestamp)",
  "description": "String",
  "detectionIds": [
    "String"
  ],
  "eventDateTime": "String (timestamp)",
  "feedback": "@odata.type: microsoft.graph.alertFeedback",
  "fileStates": [
    {
      "@odata.type": "microsoft.graph.fileSecurityState"
    }
  ],
  "hostStates": [
    {
      "@odata.type": "microsoft.graph.hostSecurityState"
    }
  ],
  "id": "String (identifier)",
  "incidentIds": [
    "String"
  ],
  "lastModifiedDateTime": "String (timestamp)",
  "malwareStates": [
    {
      "@odata.type": "microsoft.graph.malwareState"
    }
  ],
  "networkConnections": [
    {
      "@odata.type": "microsoft.graph.networkConnection"
    }
  ],
  "processes": [
    {
      "@odata.type": "microsoft.graph.process"
    }
  ],
  "recommendedActions": [
    "String"
  ],
  "registryKeyStates": [
    {
      "@odata.type": "microsoft.graph.registryKeyState"
    }
  ],
  "securityResources": [
    {
      "@odata.type": "microsoft.graph.securityResource"
    }
  ],
  "severity": "@odata.type: microsoft.graph.alertSeverity",
  "sourceMaterials": [
    "String"
  ],
  "status": "@odata.type: microsoft.graph.alertStatus",
  "tags": [
    "String"
  ],
  "title": "String",
  "triggers": [
    {
      "@odata.type": "microsoft.graph.alertTrigger"
    }
  ],
  "userStates": [
    {
      "@odata.type": "microsoft.graph.userSecurityState"
    }
  ],
  "vendorInformation": {
    "@odata.type": "microsoft.graph.securityVendorInformation"
  },
  "vulnerabilityStates": [
    {
      "@odata.type": "microsoft.graph.vulnerabilityState"
    }
  ]
}

Relationships

Microsoft Graph v1.0 mapped

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship	Type	Description
`alerts`	`alert collection`	Security alerts in the tenant.
`secureScores`	`secureScore collection`	Secure score records in the tenant.
`alertDetections`	`alertDetection collection`	Related alertDetections data exposed by this resource.
`cloudAppStates`	`cloudAppSecurityState collection`	Security-related stateful information generated by the provider about the cloud application/s related to this alert.
`comments`	`string collection`	Customer-provided comments on alert (for customer alert management) (supports update).
`detectionIds`	`string collection`	Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record).
`fileStates`	`fileSecurityState collection`	Security-related stateful information generated by the provider about the files related to this alert.
`historyStates`	`alertHistoryState collection`	Related historyStates data exposed by this resource.
`hostStates`	`hostSecurityState collection`	Security-related stateful information generated by the provider about the hosts related to this alert.
`incidentIds`	`string collection`	IDs of incidents related to current alert.
`investigationSecurityStates`	`investigationSecurityState collection`	Related investigationSecurityStates data exposed by this resource.
`malwareStates`	`malwareState collection`	Threat Intelligence pertaining to malware related to this alert.
`messageSecurityStates`	`messageSecurityState collection`	Related messageSecurityStates data exposed by this resource.
`networkConnections`	`networkConnection collection`	Security-related stateful information generated by the provider about the network connections related to this alert.
`processes`	`process collection`	Security-related stateful information generated by the provider about the process or processes related to this alert.
`recommendedActions`	`string collection`	Vendor/provider recommended actions to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host).
`registryKeyStates`	`registryKeyState collection`	Security-related stateful information generated by the provider about the registry keys related to this alert.
`securityResources`	`securityResource collection`	Resources related to current alert. For example, for some alerts this can have the Azure Resource value.
`severity`	`alertSeverity`	Related severity data exposed by this resource.
`sourceMaterials`	`string collection`	Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search.
`status`	`alertStatus`	Related status data exposed by this resource.
`tags`	`string collection`	User-definable labels that can be applied to an alert and can serve as filter conditions (for example, 'HVA', 'SAW') (supports update).

Graph Methods

Delegated access App-only access

Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/security/alerts`
GET `/security/alerts?$filter={property} eq '{property-value}'`
GET `/security/alerts?$filter={property} eq '{property-value}' and {property} eq '{property-value}'`
GET `/security/alerts?$filter={property} eq '{property-value}'&$top=5`
GET `/security/alerts?$top=1`
GET `/security/alerts/{alertid}`
GET `/security/secureScoreControlProfiles`
GET `/security/secureScoreControlProfiles?$filter={property} eq '{property-value}'`
GET `/security/secureScoreControlProfiles?$top=1`
GET `/security/secureScoreControlProfiles/{id}`
GET `/security/secureScores`
GET `/security/secureScores?$filter={property} eq '{property-value}'`
GET `/security/secureScores?$top=1`
GET `/security/secureScores?$top=1&$skip=7`
GET `/security/secureScores/{id}`

Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET `/security/alerts`
GET `/security/alerts?$filter={property} eq '{property-value}'`
GET `/security/alerts?$filter={property} eq '{property-value}'&{property} eq '{property-value}'`
GET `/security/alerts?$filter={property} eq '{property-value}'&$top=5`
GET `/security/alerts?$top=1`
GET `/security/alerts/{id}`
GET `/security/secureScoreControlProfiles`
GET `/security/secureScores`

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgSecurityAlert` /security/alerts List alerts (deprecated)
`Get-MgSecurityAlert` /security/alerts/{alertid} Get alert (deprecated)
`Get-MgSecuritySecureScore` /security/secureScores List secureScores
`Get-MgSecuritySecureScore` /security/secureScores/{id} Get secureScore
`Get-MgSecuritySecureScoreControlProfile` /security/secureScoreControlProfiles List secureScoreControlProfiles
`Get-MgSecuritySecureScoreControlProfile` /security/secureScoreControlProfiles/{id} Get secureScoreControlProfile

Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
`Get-MgBetaSecurityAlert` /security/alerts List alerts (deprecated)
`Get-MgBetaSecurityAlert` /security/alerts/{id} Get alert (deprecated)
`Get-MgBetaSecuritySecureScore` /security/secureScores List secureScores
`Get-MgBetaSecuritySecureScoreControlProfile` /security/secureScoreControlProfiles List secureScoreControlProfiles

Code Examples

C# / .NET SDK

Get alert (deprecated)

View official example on Microsoft Learn

// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Alerts["{alert-id}"].GetAsync();

JavaScript

Get alert (deprecated)

View official example on Microsoft Learn

const options = {
	authProvider,
};

const client = Client.init(options);

let alert = await client.api('/security/alerts/{alert_id}')
	.get();

PowerShell

Get alert (deprecated)

View official example on Microsoft Learn

Import-Module Microsoft.Graph.Security

Get-MgSecurityAlert -AlertId $alertId

Python

Get alert (deprecated)

View official example on Microsoft Learn

# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.security.alerts.by_alert_id('alert-id').get()

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for SecurityEvents.Read.All

4

Grant Admin Consent

Application permissions always require admin consent.