| title | Update alert (deprecated) |
|---|---|
| description | Update an editable alert property within any integrated solution to keep alert status and assignments in sync across solutions. |
| ms.localizationpriority | medium |
| author | preetikr |
| ms.subservice | security |
| doc_type | apiPageType |
| ms.date | 04/05/2024 |
| ROBOTS | NOINDEX |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
[!INCLUDE security-alerts-v1-deprecation]
Update an editable alert property within any integrated solution to keep alert status and assignments in sync across solutions. This method updates any solution that has a record of the referenced alert ID.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
Note: You must include the alert ID as a parameter and vendorInformation containing the
providerandvendorwith this method.
PATCH /security/alerts/{alert_id}| Name | Description |
|---|---|
| Authorization | Bearer {code}. Required. |
| Prefer | return=representation. Optional. |
[!INCLUDE table-intro]
| Property | Type | Description |
|---|---|---|
| assignedTo | String | Name of the analyst the alert is assigned to for triage, investigation, or remediation. |
| closedDateTime | DateTimeOffset | Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| comments | String collection | Analyst comments on the alert (for customer alert management). This method can update the comments field with the following values only: Closed in IPC, Closed in MCAS. |
| feedback | alertFeedback enum | Analyst feedback on the alert. The possible values are: unknown, truePositive, falsePositive, benignPositive. |
| status | alertStatus enum | Alert life cycle status (stage). The possible values are: unknown, newAlert, inProgress, resolved. |
| tags | String collection | User-definable labels that can be applied to an alert and can serve as filter conditions (for example, "HVA", "SAW"). |
| vendorInformation | securityVendorInformation | Complex type that contains details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker). Provider and vendor fields are required. |
If successful, this method returns a 204 No Content response code.
If the optional request header is used, the method returns a 200 OK response code and an updated alert object in the response body.
The following example shows a request without the Prefer header.
PATCH https://graph.microsoft.com/beta/security/alerts/{alert_id}
Content-type: application/json
{
"assignedTo": "String",
"closedDateTime": "String (timestamp)",
"comments": ["String"],
"feedback": "@odata.type: microsoft.graph.alertFeedback",
"status": "@odata.type: microsoft.graph.alertStatus",
"tags": ["String"],
"vendorInformation":
{
"provider": "String",
"vendor": "String"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows a successful response.
HTTP/1.1 204 No ContentThe following example shows a request that includes the Prefer request header.
PATCH https://graph.microsoft.com/beta/security/alerts/{alert_id}
Content-type: application/json
Prefer: return=representation
{
"assignedTo": "String",
"closedDateTime": "String (timestamp)",
"comments": ["String"],
"feedback": "@odata.type: microsoft.graph.alertFeedback",
"status": "@odata.type: microsoft.graph.alertStatus",
"tags": ["String"],
"vendorInformation":
{
"provider": "String",
"vendor": "String"
}
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows a response when the optional Prefer: return=representation request header is used.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 200 OK
Content-type: application/json
{
"activityGroupName": "activityGroupName-value",
"assignedTo": "assignedTo-value",
"azureSubscriptionId": "azureSubscriptionId-value",
"azureTenantId": "azureTenantId-value",
"category": "category-value",
"closedDateTime": "datetime-value"
}