| title | Update detectionRule |
|---|---|
| description | Update the properties of a custom detection rule. |
| author | mmekler |
| ms.localizationpriority | medium |
| ms.subservice | security |
| doc_type | apiPageType |
| ms.date | 06/21/2024 |
Namespace: microsoft.graph.security
[!INCLUDE beta-disclaimer]
Update the properties of a custom detection rule.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
```http
PATCH /security/rules/detectionRules/{ruleId}
```

| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Provide the properties of a microsoft.graph.security.detectionRule to update, and those properties only. The properties that can be updated are specified in the following table:
| Property | Type | Description |
|---|---|---|
| displayName | String | Optional. |
| isEnabled | Boolean | Optional. |
| detectionAction/alertTemplate/title | String | Optional. |
| detectionAction/alertTemplate/category | String | Optional. |
| detectionAction/alertTemplate/description | String | Optional. |
| detectionAction/alertTemplate/recommendedActions | String | Optional. Provide 'null' to delete the existing recommended actions. |
| detectionAction/alertTemplate/severity | microsoft.graph.alertSeverity | Optional. |
| detectionAction/alertTemplate/impactedAssets | microsoft.graph.security.impactedAsset | Optional. Provide 'null' to delete the existing impacted assets. |
| detectionAction/responseActions | microsoft.graph.security.responseAction | Optional. |
| detectionAction/organizationalScope | microsoft.graph.security.organizationalScope | Optional. |
| queryCondition/queryText | String | Optional. |
| schedule/period | String | Optional. |
If successful, this method returns a 200 OK response code and an updated microsoft.graph.security.detectionRule object in the response body.
The following example shows a request.
```http
PATCH https://graph.microsoft.com/beta/security/rules/detectionRules/35079
Content-Type: application/json

{
  "schedule": {
    "period": "24H"
  },
  "detectionAction": {
    "alertTemplate": {
      "title": "Different alert title"
    }
  }
}
```

The following example shows the response.
Note: The response object shown here might be shortened for readability.
```http
HTTP/1.1 200 OK
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.security.detectionRule",
  "id": "35079",
  "displayName": "Some rule name",
  "isEnabled": true,
  "createdBy": "MichaelMekler@winatptestlic06.ccsctp.net",
  "createdDateTime": "2023-06-25T09:37:28.6149005Z",
  "lastModifiedDateTime": "2023-06-25T09:38:09.5960938Z",
  "lastModifiedBy": "MichaelMekler@winatptestlic06.ccsctp.net",
  "detectorId": "67aa92a1-b04b-4f2a-a223-236968a3da96",
  "queryCondition": {
    "queryText": "DeviceProcessEvents | take 1",
    "lastModifiedDateTime": null
  },
  "schedule": {
    "period": "24H",
    "nextRunDateTime": "2023-06-25T09:37:28.6149005Z"
  },
  "lastRunDetails": {
    "lastRunDateTime": null,
    "status": null,
    "failureReason": null,
    "errorCode": null
  },
  "detectionAction": {
    "alertTemplate": {
      "title": "Different alert title",
      "description": "Some alert description",
      "severity": "medium",
      "category": "Execution",
      "recommendedActions": null,
      "mitreTechniques": [],
      "impactedAssets": [
        {
          "@odata.type": "#microsoft.graph.security.impactedDeviceAsset",
          "identifier": "deviceId"
        }
      ]
    },
    "organizationalScope": null,
    "responseActions": [
      {
        "@odata.type": "#microsoft.graph.security.isolateDeviceResponseAction",
        "isolationType": "full",
        "identifier": "deviceId"
      }
    ]
  }
}
```
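As an added example (not from this page or from any Microsoft SDK), a small Python client that builds the PATCH body from the slash-separated property names in the table above, sends it with the Authorization and Content-Type headers described, and refuses to treat the call as successful unless HTTP 200 comes back and every property it sent is echoed in the returned rule. `GRAPH_BETA`, `UPDATABLE`, `build_patch`, `unapplied`, `patch_detection_rule` and the injectable `send` transport are my names; the bearer token is assumed to have been obtained elsewhere.

```python
import json
import urllib.request

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Updatable properties exactly as the table above names them (slash = nesting).
UPDATABLE = frozenset({
    "displayName", "isEnabled", "queryCondition/queryText", "schedule/period",
    "detectionAction/alertTemplate/title", "detectionAction/alertTemplate/category",
    "detectionAction/alertTemplate/description", "detectionAction/alertTemplate/severity",
    "detectionAction/alertTemplate/recommendedActions", "detectionAction/alertTemplate/impactedAssets",
    "detectionAction/responseActions", "detectionAction/organizationalScope",
})

def build_patch(changes: dict) -> dict:
    """Nest slash paths into a body holding only those properties; None becomes JSON null."""
    body = {}
    for path, value in changes.items():
        if path not in UPDATABLE:
            raise ValueError(f"{path} is not an updatable detectionRule property")
        *parents, leaf = path.split("/")
        node = body
        for parent in parents:
            node = node.setdefault(parent, {})
        node[leaf] = value
    return body

def unapplied(sent, returned, path=""):
    """List JSON paths whose value in the PATCH body differs from the returned rule."""
    if isinstance(sent, dict):
        got = returned if isinstance(returned, dict) else {}
        return [p for k, v in sent.items() for p in unapplied(v, got.get(k), f"{path}/{k}")]
    return [] if sent == returned else [path]

def patch_detection_rule(rule_id, token, body, send=None):
    """PATCH the rule, require HTTP 200, and check every sent property came back as sent."""
    url = f"{GRAPH_BETA}/security/rules/detectionRules/{rule_id}"
    req = urllib.request.Request(url, method="PATCH", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    if send is None:  # real transport; tests inject a fake returning (status, bytes)
        def send(r):
            with urllib.request.urlopen(r) as resp:
                return resp.status, resp.read()
    status, raw = send(req)
    if status != 200:
        raise RuntimeError(f"PATCH failed with HTTP {status}: {raw[:200]!r}")
    rule = json.loads(raw)
    if bad := unapplied(body, rule):
        raise RuntimeError(f"service did not apply: {bad}")
    return rule
```

The echo check matters in practice: a 200 with a partially applied body (for example a `schedule/period` that silently stayed at its old value) would otherwise look like a successful update.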