SecurityEvents.ReadWrite.All
Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated
Read/Write
All Resources
Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable properties in security events.
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Application Permission
Read and update your organization’s security events
Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable properties in security events.
Permission ID:
d903a879-88e0-4c09-b0c9-82f6a1333f84
Delegated Permission
Admin consent required
Read and update your organization’s security events
Allows the app to read your organization’s security events on behalf of the signed-in user. Also allows the app to update editable properties in security events on behalf of the signed-in user.
User sees: Allows the app to read your organization’s security events on your behalf. Also allows you to update editable properties in security events.
Permission ID:
6aedf524-7e1c-45a7-bd76-ded8cab8d0fc
Properties
Microsoft Graph v1.0
mapped-docs
Properties is shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
activityGroupName |
StringNullable |
Name or alias of the activity group (attacker) this alert is attributed to. |
assignedTo |
StringNullable |
Name of the analyst the alert is assigned to for triage, investigation, or remediation (supports update). |
azureSubscriptionId |
StringNullable |
Azure subscription ID, present if this alert is related to an Azure resource. |
azureTenantId |
String |
Microsoft Entra tenant ID. Required. |
category |
StringNullable |
Category of the alert (for example, credentialTheft, ransomware). |
closedDateTime |
DateTimeOffsetNullable |
Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z (supports update). |
cloudAppStates |
cloudAppSecurityState collection |
Security-related stateful information generated by the provider about the cloud application/s related to this alert. |
comments |
String collection |
Customer-provided comments on alert (for customer alert management) (supports update). |
confidence |
Int32Nullable |
Confidence of the detection logic (percentage between 1-100). |
createdDateTime |
DateTimeOffsetNullable |
Time at which the alert was created by the alert provider. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required. |
description |
StringNullable |
Alert description. |
detectionIds |
String collection |
Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record). |
eventDateTime |
DateTimeOffsetNullable |
Time at which the event or events that served as the trigger to generate the alert occurred. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Required. |
feedback |
alertFeedback |
Analyst feedback on the alert. The possible values are: unknown, truePositive, falsePositive, benignPositive. Updatable. |
fileStates |
fileSecurityState collection |
Security-related stateful information generated by the provider about the files related to this alert. |
Showing 15 of 40 properties.
JSON Representation
Microsoft Graph v1.0
mapped-docs
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
JSON representation
{
"activityGroupName": "String",
"assignedTo": "String",
"azureSubscriptionId": "String",
"azureTenantId": "String",
"category": "String",
"closedDateTime": "String (timestamp)",
"cloudAppStates": [
{
"@odata.type": "microsoft.graph.cloudAppSecurityState"
}
],
"comments": [
"String"
],
"confidence": 1024,
"createdDateTime": "String (timestamp)",
"description": "String",
"detectionIds": [
"String"
],
"eventDateTime": "String (timestamp)",
"feedback": "@odata.type: microsoft.graph.alertFeedback",
"fileStates": [
{
"@odata.type": "microsoft.graph.fileSecurityState"
}
],
"hostStates": [
{
"@odata.type": "microsoft.graph.hostSecurityState"
}
],
"id": "String (identifier)",
"incidentIds": [
"String"
],
"lastModifiedDateTime": "String (timestamp)",
"malwareStates": [
{
"@odata.type": "microsoft.graph.malwareState"
}
],
"networkConnections": [
{
"@odata.type": "microsoft.graph.networkConnection"
}
],
"processes": [
{
"@odata.type": "microsoft.graph.process"
}
],
"recommendedActions": [
"String"
],
"registryKeyStates": [
{
"@odata.type": "microsoft.graph.registryKeyState"
}
],
"securityResources": [
{
"@odata.type": "microsoft.graph.securityResource"
}
],
"severity": "@odata.type: microsoft.graph.alertSeverity",
"sourceMaterials": [
"String"
],
"status": "@odata.type: microsoft.graph.alertStatus",
"tags": [
"String"
],
"title": "String",
"triggers": [
{
"@odata.type": "microsoft.graph.alertTrigger"
}
],
"userStates": [
{
"@odata.type": "microsoft.graph.userSecurityState"
}
],
"vendorInformation": {
"@odata.type": "microsoft.graph.securityVendorInformation"
},
"vulnerabilityStates": [
{
"@odata.type": "microsoft.graph.vulnerabilityState"
}
]
}Relationships
Microsoft Graph v1.0
mapped
Relationships is shown from stable Microsoft Graph v1.0 metadata.
| Relationship | Type | Description |
|---|---|---|
alerts |
alert collection |
Security alerts in the tenant. |
secureScores |
secureScore collection |
Secure score records in the tenant. |
alertDetections |
alertDetection collection |
Related alertDetections data exposed by this resource. |
cloudAppStates |
cloudAppSecurityState collection |
Security-related stateful information generated by the provider about the cloud application/s related to this alert. |
comments |
string collection |
Customer-provided comments on alert (for customer alert management) (supports update). |
detectionIds |
string collection |
Set of alerts related to this alert entity (each alert is pushed to the SIEM as a separate record). |
fileStates |
fileSecurityState collection |
Security-related stateful information generated by the provider about the files related to this alert. |
historyStates |
alertHistoryState collection |
Related historyStates data exposed by this resource. |
hostStates |
hostSecurityState collection |
Security-related stateful information generated by the provider about the hosts related to this alert. |
incidentIds |
string collection |
IDs of incidents related to current alert. |
investigationSecurityStates |
investigationSecurityState collection |
Related investigationSecurityStates data exposed by this resource. |
malwareStates |
malwareState collection |
Threat Intelligence pertaining to malware related to this alert. |
messageSecurityStates |
messageSecurityState collection |
Related messageSecurityStates data exposed by this resource. |
networkConnections |
networkConnection collection |
Security-related stateful information generated by the provider about the network connections related to this alert. |
processes |
process collection |
Security-related stateful information generated by the provider about the process or processes related to this alert. |
recommendedActions |
string collection |
Vendor/provider recommended actions to take as a result of the alert (for example, isolate machine, enforce2FA, reimage host). |
registryKeyStates |
registryKeyState collection |
Security-related stateful information generated by the provider about the registry keys related to this alert. |
securityResources |
securityResource collection |
Resources related to current alert. For example, for some alerts this can have the Azure Resource value. |
severity |
alertSeverity |
Related severity data exposed by this resource. |
sourceMaterials |
string collection |
Hyperlinks (URIs) to the source material related to the alert, for example, provider's user interface for alerts or log search. |
status |
alertStatus |
Related status data exposed by this resource. |
tags |
string collection |
User-definable labels that can be applied to an alert and can serve as filter conditions (for example, 'HVA', 'SAW') (supports update). |
Graph Methods
Delegated access
App-only access
Exact Microsoft Learn match
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn match
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Exact Microsoft Learn PowerShell match
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
C# / .NET SDK
Update alert (deprecated)
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new Alert
{
AssignedTo = "String",
ClosedDateTime = DateTimeOffset.Parse("String (timestamp)"),
Comments = new List<string>
{
"String",
},
Feedback = AlertFeedback.Unknown,
Status = AlertStatus.Unknown,
Tags = new List<string>
{
"String",
},
VendorInformation = new SecurityVendorInformation
{
Provider = "String",
Vendor = "String",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.Alerts["{alert-id}"].PatchAsync(requestBody);
JavaScript
Update alert (deprecated)
const options = {
authProvider,
};
const client = Client.init(options);
const alert = {
assignedTo: 'String',
closedDateTime: 'String (timestamp)',
comments: [
'String'
],
feedback: '@odata.type: microsoft.graph.alertFeedback',
status: '@odata.type: microsoft.graph.alertStatus',
tags: [
'String'
],
vendorInformation: {
provider: 'String',
vendor: 'String'
}
};
await client.api('/security/alerts/{alert_id}')
.update(alert);
PowerShell
Update alert (deprecated)
Import-Module Microsoft.Graph.Security
$params = @{
assignedTo = "String"
closedDateTime = [System.DateTime]::Parse("String (timestamp)")
comments = @(
"String"
)
feedback = "@odata.type: microsoft.graph.alertFeedback"
status = "@odata.type: microsoft.graph.alertStatus"
tags = @(
"String"
)
vendorInformation = @{
provider = "String"
vendor = "String"
}
}
Update-MgSecurityAlert -AlertId $alertId -BodyParameter $params
Python
Update alert (deprecated)
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.alert import Alert
from msgraph.generated.models.alert_feedback import AlertFeedback
from msgraph.generated.models.alert_status import AlertStatus
from msgraph.generated.models.security_vendor_information import SecurityVendorInformation
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Alert(
assigned_to = "String",
closed_date_time = "String (timestamp)",
comments = [
"String",
],
feedback = AlertFeedback.Unknown,
status = AlertStatus.Unknown,
tags = [
"String",
],
vendor_information = SecurityVendorInformation(
provider = "String",
vendor = "String",
),
)
result = await graph_client.security.alerts.by_alert_id('alert-id').patch(request_body)App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Application permissions or delegated permissions and search for SecurityEvents.ReadWrite.All
4
Grant Admin Consent
Application permissions always require admin consent.