title alert: moveAlerts
description Move one or more alerts to an incident.
author HarelDamti
ms.localizationpriority medium
ms.subservice security
doc_type apiPageType
ms.date 02/24/2026

alert: moveAlerts

Namespace: microsoft.graph.security

[!INCLUDE beta-disclaimer]

Move one or more alert resources to an existing incident.

[!INCLUDE national-cloud-support]

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

[!INCLUDE permissions-table]

[!INCLUDE rbac-security-alerts-incidents-apis-write]

HTTP request

POST /security/alerts_v2/moveAlerts

Request headers

| Name | Description |
|:-----|:------------|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |

Request body

In the request body, provide a JSON object with the following parameters.

| Parameter | Type | Description |
|:----------|:-----|:------------|
| alertIds | String collection | Required. The IDs of the alerts to move. |
| incidentId | String | Optional. The ID of the target incident. A request with null creates a new incident. |
| alertComment | String | Optional. A comment to add when moving the alerts. |
| newCorrelationReasons | microsoft.graph.security.correlationReason | Optional. The correlation reasons to associate with the move operation. This object is a flags enum that allows multiple values to be specified. |

Response

If successful, this action returns a 200 OK response code and a microsoft.graph.security.mergeResponse object in the response body.

Examples

Example 1: Move alerts to an incident

Request

The following example moves two alerts to an existing incident.

POST https://graph.microsoft.com/beta/security/alerts_v2/moveAlerts
Content-Type: application/json

{
  "alertIds": [
    "da637551227677560813_-961444813",
    "da637551227677560813_-961444814"
  ],
  "incidentId": "2972395",
  "alertComment": "Moving alerts for investigation consolidation",
  "newCorrelationReasons": "sameAsset, temporalProximity"
}

[!INCLUDE sample-code] [!INCLUDE sdk-documentation]

Response

The following example shows the response.

HTTP/1.1 200 OK
Content-type: application/json

{
  "targetIncidentId": "2972395"
}
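The following added example is not part of the original reference or of Microsoft's SDK samples. It builds the request body described above and posts it with the Python standard library, refusing to send a null `incidentId` (which creates a new incident) unless the caller asks for that explicitly. The names `build_move_body`, `move_alerts`, and `create_new` are hypothetical, and the bearer token is assumed to have been obtained elsewhere.

```python
import json
import urllib.request

# Endpoint taken from the request example on this page.
MOVE_ALERTS_URL = "https://graph.microsoft.com/beta/security/alerts_v2/moveAlerts"

def build_move_body(alert_ids, incident_id=None, create_new=False, comment=None, reasons=()):
    """Build the moveAlerts JSON body, rejecting input that would do something unintended."""
    if isinstance(alert_ids, str):
        raise ValueError("alert_ids must be a collection of IDs, not a single string")
    ids = list(dict.fromkeys(alert_ids))  # drop duplicates, keep order
    if not ids or not all(isinstance(a, str) and a.strip() for a in ids):
        raise ValueError("alertIds is required and every ID must be a non-empty string")
    # A null incidentId creates a new incident, so require the caller to ask for that.
    if (incident_id is None) != create_new:
        raise ValueError("pass exactly one of incident_id or create_new=True")
    body = {"alertIds": ids, "incidentId": incident_id}
    if comment:
        body["alertComment"] = comment
    if reasons:
        # Flags enum: several values go in one comma-separated string.
        body["newCorrelationReasons"] = ", ".join(reasons)
    return body

def move_alerts(token, body, opener=urllib.request.urlopen):
    """POST the body and return targetIncidentId from the mergeResponse."""
    req = urllib.request.Request(
        MOVE_ALERTS_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req, timeout=30) as resp:  # urlopen raises HTTPError on 4xx/5xx
        return json.load(resp)["targetIncidentId"]
```

Record the returned `targetIncidentId` alongside the alert IDs and comment so the move can be traced later in the investigation.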