Update alert

Update an editable alert property within any integrated solution to keep alert status and assignments in sync across solutions. This method updates any solution that has a record of the referenced alert ID.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) SecurityEvents.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application SecurityEvents.ReadWrite.All

HTTP request

Note: You must include the alert ID as a parameter and vendorInformation containing the provider and vendor with this method.

PATCH /security/alerts/{alert_id}

Request headers

Name Description
Authorization Bearer {code}. Required.
Prefer return=representation

Request body

In the request body, supply a JSON representation of the values for relevant fields that should be updated. The body must contain the vendorInformation property with valid provider and vendor fields. The following table lists the fields that can be updated for an alert. The values for existing properties that are not included in the request body will not change. For best performance, don't include existing values that haven't changed.

Property Type Description
assignedTo String Name of the analyst the alert is assigned to for triage, investigation, or remediation.
closedDateTime DateTimeOffset Time at which the alert was closed. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: '2014-01-01T00:00:00Z'.
comments String collection Analyst comments on the alert (for customer alert management).
feedback alertFeedback Analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, benignPositive.
status alertStatus Alert lifecycle status (stage). Possible values are: unknown, newAlert, inProgress, resolved.
tags String collection User-definable labels that can be applied to an alert and can serve as filter conditions (for example, "HVA", "SAW).
vendorInformation securityVendorInformation Complex type containing details about the security product/service vendor, provider, and subprovider (for example, vendor=Microsoft; provider=Windows Defender ATP; subProvider=AppLocker). Provider and vendor fields are required.

Response

If successful, this method returns a 204 No Content response code.

If the optional request header is used, the method returns a 200 OK response code and the updated alert object in the response body.

Example 1

Request

The following is an example of the request.

PATCH https://graph.microsoft.com/v1.0/security/alerts/{alert_id}
Content-type: application/json

{
  "assignedTo": "String",
  "closedDateTime": "String (timestamp)",
  "comments": ["String"],
  "feedback": "@odata.type: microsoft.graph.alertFeedback",
  "status": "@odata.type: microsoft.graph.alertStatus",
  "tags": ["String"],
  "vendorInformation":
    {
      "provider": "String",
      "vendor": "String"
    }
}

Response

The following is an example of a successful response.

HTTP/1.1 204 No Content

Example 2

Request

The following example shows a request that includes the Prefer request header.

PATCH https://graph.microsoft.com/v1.0/security/alerts/{alert_id}
Content-type: application/json
Prefer: return=representation

{
  "assignedTo": "String",
  "closedDateTime": "String (timestamp)",
  "comments": ["String"],
  "feedback": "@odata.type: microsoft.graph.alertFeedback",
  "status": "@odata.type: microsoft.graph.alertStatus",
  "tags": ["String"],
  "vendorInformation":
    {
      "provider": "String",
      "vendor": "String"
    }
}

Response

The following is an example of the response when the optional Prefer: return=representation request header is used.

Note: The response object shown here might be shortened for readability. All the properties will be returned from an actual call.

HTTP/1.1 200 OK
Content-type: application/json

{
  "activityGroupName": "activityGroupName-value",
  "assignedTo": "assignedTo-value",
  "azureSubscriptionId": "azureSubscriptionId-value",
  "azureTenantId": "azureTenantId-value",
  "category": "category-value",
  "closedDateTime": "datetime-value"
}