Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph.security
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents a Microsoft Entra security group that is reported in an alert as evidence.
Inherits from alertEvidence.
Properties
| Property | Type | Description |
|---|---|---|
| activeDirectoryObjectGuid | Guid | The unique group identifier assigned by the on-premises Active Directory. |
| createdDateTime | DateTimeOffset | The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| detailedRoles | String collection | Detailed description of the entity role/s in an alert. Values are free-form. |
| displayName | String | The name of the security group. |
| distinguishedName | String | The distinguished name of the security group. |
| friendlyName | String | The friendly name of the security group. |
| remediationStatus | microsoft.graph.security.evidenceRemediationStatus | Status of the remediation action taken. The possible values are: none, remediated, prevented, blocked, notFound, unknownFutureValue, active, pendingApproval, declined, unremediated, running, partiallyRemediated. Use the Prefer: include-unknown-enum-members request header to get the following values from this evolvable enum: active, pendingApproval, declined, unremediated, running, partiallyRemediated. |
| remediationStatusDetails | String | Details about the remediation status. |
| roles | microsoft.graph.security.evidenceRole collection | The role/s that an evidence entity represents in an alert, for example, an IP address that is associated with an attacker has the evidence role Attacker. |
| securityGroupId | String | Unique identifier of the security group. |
| sid | String | The security identifier of the group. |
| tags | String collection | Array of custom tags associated with an evidence instance, for example, to denote a group of devices, high-value assets, etc. |
| verdict | microsoft.graph.security.evidenceVerdict | The decision reached by automated investigation. The possible values are: unknown, suspicious, malicious, noThreatsFound, unknownFutureValue. |
Relationships
None.
JSON representation
The following JSON representation shows the resource type.
{
"@odata.type": "#microsoft.graph.security.securityGroupEvidence",
"activeDirectoryObjectGuid": "Guid",
"createdDateTime": "String (timestamp)",
"detailedRoles": ["String"],
"displayName": "String",
"distinguishedName": "String",
"friendlyName": "String",
"remediationStatus": "String",
"remediationStatusDetails": "String",
"roles": ["String"],
"securityGroupId": "String",
"sid": "String",
"tags": ["String"],
"verdict": "String"
}