malwareRiskEvent resource type


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.


The identityRiskEvents API is deprecated and will stop returning data on January 10, 2020. For details, see Deprecation of the IdentityRiskEvents API.

A risk event detected by Azure Active Directory Identity Protection where an account sign-in is attempted from a device infected with malware. Complete information about risk events can be found in the Azure AD Identity Protection documentation.


| Method | Return Type | Description |
|---|---|---|
| Get malwareRiskEvent | malwareRiskEvent | Read properties and relationships of malwareRiskEvent object. |


| Property | Type | Description |
|---|---|---|
| closedDateTime | dateTimeOffset | The date and time that the risk event was closed |
| createdDateTime | dateTimeOffset | The date and time that the risk event was created. This is always greater than or equal to the datetime of the risk event itself. This is the correct property to use as a filter when querying risk events. |
| deviceInformation | string | Information about the device |
| id | string | Read-only |
| ipAddress | string | The IP address of the sign-in |
| location | string | The location attached to the IP address of the sign-in |
| malwareName | string | The malware associated with this login |
| riskEventDateTime | dateTimeOffset | The date and time when the risk event occurred |
| riskEventStatus | string | Possible values are: active, remediated, dismissedAsFixed, dismissedAsFalsePositive, dismissedAsIgnore, loginBlocked, closedMfaAuto, closedMultipleReasons. |
| riskLevel | string | Possible values are: low, medium, high. |
| riskEventType | string | The type of risk |
| userDisplayName | string | The name of the user at risk |
| userId | string | The id of the user at risk |
| userPrincipalName | string | The user principal name of the user at risk |


| Relationship | Type | Description |
|---|---|---|
| impactedUser | user | Read-only. Nullable. |

JSON representation

Here is a JSON representation of the resource.

{
  "malwareName": "string",
  "closedDateTime": "String (timestamp)",
  "createdDateTime": "String (timestamp)",
  "deviceInformation": "string",
  "id": "string (identifier)",
  "ipAddress": "string",
  "location": "string",
  "riskEventDateTime": "String (timestamp)",
  "riskEventStatus": "string",
  "riskLevel": "string",
  "riskType": "string",
  "userDisplayName": "string",
  "userId": "string",
  "userPrincipalName": "string",
  "riskEventType": "string"
}
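
Added example (not part of the Microsoft Graph documentation): triaging a batch of malwareRiskEvent objects offline, filtering on createdDateTime as the property table recommends and keeping only events whose riskEventStatus is active. The sample records, the function names, and the choice to treat every status other than active as closed are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Values the page lists for riskEventStatus and riskLevel.
KNOWN_STATUSES = {"active", "remediated", "dismissedAsFixed", "dismissedAsFalsePositive",
                  "dismissedAsIgnore", "loginBlocked", "closedMfaAuto", "closedMultipleReasons"}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

def parse_ts(value):
    """Parse an ISO 8601 timestamp such as 2019-11-04T09:15:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def open_malware_events(events, since, min_level="medium"):
    """Group active events created at or after `since` by userPrincipalName."""
    by_user = defaultdict(list)
    for ev in events:
        status = ev.get("riskEventStatus")
        if status not in KNOWN_STATUSES:
            raise ValueError(f"unexpected riskEventStatus: {status!r}")
        if status != "active" or RISK_ORDER[ev["riskLevel"]] < RISK_ORDER[min_level]:
            continue  # assumption: only "active" counts as still open
        # createdDateTime is the property the page says to filter on.
        if parse_ts(ev["createdDateTime"]) < since:
            continue
        by_user[ev["userPrincipalName"]].append(ev)
    for evs in by_user.values():
        evs.sort(key=lambda e: parse_ts(e["riskEventDateTime"]))  # oldest first
    return dict(by_user)

def _sample(event_id, upn, status, level, created, occurred):
    """Build one constructed record using the property names from the table above."""
    return {"id": event_id, "userPrincipalName": upn, "riskEventStatus": status,
            "riskLevel": level, "createdDateTime": created, "riskEventDateTime": occurred,
            "malwareName": "ConstructedMalware", "ipAddress": "203.0.113.10"}

# Constructed sample data, not real risk events.
SAMPLE_EVENTS = [
    _sample("evt-2", "alice@example.com", "active", "medium", "2019-11-05T10:00:00Z", "2019-11-05T09:58:00Z"),
    _sample("evt-1", "alice@example.com", "active", "high", "2019-11-04T09:20:00Z", "2019-11-04T09:15:00Z"),
    _sample("evt-3", "bob@example.com", "remediated", "high", "2019-11-05T11:00:00Z", "2019-11-05T10:30:00Z"),
    _sample("evt-4", "carol@example.com", "active", "low", "2019-11-06T08:00:00Z", "2019-11-06T07:59:00Z"),
    _sample("evt-5", "dave@example.com", "active", "high", "2019-10-01T08:00:00Z", "2019-10-01T07:00:00Z"),
]

if __name__ == "__main__":
    since = datetime(2019, 11, 1, tzinfo=timezone.utc)
    for upn, evs in open_malware_events(SAMPLE_EVENTS, since).items():
        print(upn, [(e["id"], e["riskLevel"]) for e in evs])
```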