Skip to main content
Update the properties of an alert object in an organization based on the specified alert id property. Supply only the values for properties that should be updated.
  • Least privileged Microsoft Graph permission to access the action via application: SecurityAlert.ReadWrite.All*.
External DocumentationTo learn more, visit the Microsoft Defender XDR documentation.

Parameters

ParameterDescription
Alert IDThe ID of the alert, can be obtained via the List Alerts action.
Assigned ToOwner of the incident, or null if no owner is assigned.
ClassificationSpecifies the classification of the alert.
DeterminationSpecifies the determination of the alert.
StatusThe status of the alert.

Example Output

{
	"@odata.context": "<string>",
	"id": "da637551227677560813_-961444813",
	"providerAlertId": "da637551227677560813_-961444813",
	"incidentId": "28282",
	"status": "inProgress",
	"severity": "low",
	"classification": "truePositive",
	"determination": "malware",
	"serviceSource": "microsoftDefenderForEndpoint",
	"detectionSource": "antivirus",
	"productName": "<string>",
	"detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756",
	"tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
	"title": "Suspicious execution of hidden file",
	"description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.",
	"recommendedActions": "Collect artifacts and determine scope\n\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs)... \n",
	"category": "DefenseEvasion",
	"assignedTo": "secAdmin@contoso.com",
	"alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
	"incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c",
	"actorDisplayName": null,
	"threatDisplayName": null,
	"threatFamilyName": null,
	"mitreTechniques": [
		"T1564.001"
	],
	"createdDateTime": "2021-04-27T12:19:27.7211305Z",
	"lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z",
	"resolvedDateTime": null,
	"firstActivityDateTime": "2021-04-26T07:45:50.116Z",
	"lastActivityDateTime": "2021-05-02T07:56:58.222Z",
	"systemTags": [],
	"alertPolicyId": null,
	"comments": [],
	"evidence": [],
	"additionalData": {
		"InvestigationState": 851
	}
}

Workflow Library Example

Update Alert with Microsoft Defender Xdr and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop