
Commit 4841404

Merge pull request #28014 from microsoftgraph/main
Merge to publish
2 parents b62bcea + f2a0548 commit 4841404

13 files changed

Lines changed: 418 additions & 18 deletions

api-reference/beta/resources/enums-security.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -187,6 +187,17 @@ Namespace: microsoft.graph.security
187187
|unknown|
188188
|unknownFutureValue|
189189

190+
### mailboxConfigurationType values
191+
192+
|Member|
193+
|:---|
194+
|mailForwardingRule|
195+
|owaSettings|
196+
|ewsSettings|
197+
|mailDelegation|
198+
|userInboxRule|
199+
|unknownFutureValue|
200+
190201
### logDataProvider values
191202

192203
|Member|
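Review bot: the new `mailboxConfigurationType` table lists members only, so a reader cannot tell `owaSettings` from `ewsSettings`, or `mailForwardingRule` from `userInboxRule`, which is exactly the distinction an analyst needs when triaging a mailbox-tampering alert; consider a `|Member|Description|` table like the `defenderAvStatus` table in security-deviceevidence.md in this same commit, even though the neighbouring enum tables in this file are single-column.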
Lines changed: 68 additions & 0 deletions
@@ -0,0 +1,68 @@
1+
---
2+
title: "activeDirectoryDomainEvidence resource type"
3+
description: "Represents a Active Directory Domain entity that reported as part of the security detection alert."
4+
ms.date: 05/14/2025
5+
author: "hareldamti"
6+
ms.localizationpriority: medium
7+
ms.subservice: "security"
8+
doc_type: resourcePageType
9+
---
10+
11+
12+
# activeDirectoryDomainEvidence resource type
13+
14+
Namespace: microsoft.graph.security
15+
16+
[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
17+
18+
A file that is reported in the alert as evidence.
19+
20+
Inherits from [alertEvidence](../resources/security-alertevidence.md), which represents evidence related to an [alert](security-alert.md).
21+
22+
## Properties
23+
24+
|Property|Type|Description|
25+
|:---|:---|:---|
26+
|activeDirectoryDomainName|String|The name of the Active Directory domain.|
27+
|createdDateTime|DateTimeOffset|The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
28+
|detailedRoles|String collection|Detailed roles of the evidence in the alert. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
29+
|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](../resources/security-alertevidence.md#evidenceremediationstatus-values)|The status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `active`, `pendingApproval`, `declined`, `notRemediated`, `running`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
30+
|remediationStatusDetails|String|Details about the remediation status. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
31+
|roles|[microsoft.graph.security.evidenceRole](../resources/security-alertevidence.md#evidencerole-values) collection|One or more roles that an evidence entity represents in an alert. For example, an IP address that is associated with an attacker has the evidence role `Attacker`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
32+
|tags|String collection|Array of custom tags associated with an evidence instance. For example, to denote a group of devices or high value assets. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
33+
|trustedDomains|microsoft.graph.security.activeDirectoryDomainEvidence collection|List of trusted domains.|
34+
|verdict|[microsoft.graph.security.evidenceVerdict](../resources/security-alertevidence.md#evidenceverdict-values)|The decision reached by automated investigation. The possible values are: `unknown`, `suspicious`, `malicious`, `noThreatsFound`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
35+
36+
## Relationships
37+
38+
None.
39+
40+
## JSON representation
41+
42+
The following JSON representation shows the resource type.
43+
<!-- {
44+
"blockType": "ignored",
45+
"@odata.type": "microsoft.graph.security.activeDirectoryDomainEvidence",
46+
"baseType": "microsoft.graph.security.alertEvidence"
47+
}
48+
-->
49+
``` json
50+
{
51+
"@odata.type": "#microsoft.graph.security.activeDirectoryDomainEvidence",
52+
"createdDateTime": "String (timestamp)",
53+
"verdict": "String",
54+
"remediationStatus": "String",
55+
"remediationStatusDetails": "String",
56+
"roles": [
57+
"String"
58+
],
59+
"detailedRoles": [
60+
"String"
61+
],
62+
"tags": [
63+
"String"
64+
],
65+
"activeDirectoryDomainName": "String",
66+
"trustedDomains": [{"@odata.type": "microsoft.graph.security.activeDirectoryDomainEvidence"}],
67+
}
68+
```
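Review bot: the JSON representation is not valid JSON: the `"trustedDomains": [...]` line ends with a trailing comma before the closing `}`, and the nested `"@odata.type": "microsoft.graph.security.activeDirectoryDomainEvidence"` lacks the `#` prefix used on the top-level value. Because the metadata comment sets `"blockType": "ignored"`, the sample is excluded from validation, which is how this slipped through; use `"blockType": "resource"` as the mailboxConfigurationEvidence page in this commit does. The intro sentence `A file that is reported in the alert as evidence.` does not describe this resource (the page is about an Active Directory domain, not a file), and the front-matter description `a Active Directory Domain entity that reported` should read `an Active Directory domain entity that is reported`. Minor: the `trustedDomains` type column is not linked like the other types, and `ms.date: 05/14/2025` looks stale next to `11/19/2025` on the sibling new page.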

api-reference/beta/resources/security-alertevidence.md

Lines changed: 3 additions & 1 deletion
@@ -22,6 +22,7 @@ The **alertEvidence** base type and its derived evidence types provide a means t
2222
- [Mailbox evidence](security-mailboxevidence.md) for the hacked user account with a role of `compromised`.
2323

2424
This resource is the base type for the following evidence types:
25+
* [activeDirectoryDomainEvidence](security-activedirectorydomainevidence.md)
2526
* [aiAgentEvidence](security-aiagentevidence.md)
2627
* [amazonResourceEvidence](security-amazonresourceevidence.md)
2728
* [analyzedMessageEvidence](security-analyzedmessageevidence.md)
@@ -46,8 +47,9 @@ This resource is the base type for the following evidence types:
4647
* [kubernetesSecretEvidence](security-kubernetessecretevidence.md)
4748
* [kubernetesServiceEvidence](security-kubernetesserviceevidence.md)
4849
* [kubernetesServiceAccountEvidence](security-kubernetesserviceaccountevidence.md)
49-
* [mailClusterEvidence](security-mailclusterevidence.md)
50+
* [mailboxConfigurationEvidence](security-mailboxconfigurationevidence.md)
5051
* [mailboxEvidence](security-mailboxevidence.md)
52+
* [mailClusterEvidence](security-mailclusterevidence.md)
5153
* [nicEvidence](security-nicevidence.md)
5254
* [oauthApplicationEvidence](security-oauthapplicationevidence.md)
5355
* [processEvidence](security-processevidence.md)

api-reference/beta/resources/security-deviceevidence.md

Lines changed: 13 additions & 7 deletions
@@ -22,7 +22,7 @@ Inherits from [alertEvidence](../resources/security-alertevidence.md).
2222
|Property|Type|Description|
2323
|:---|:---|:---|
2424
|azureAdDeviceId|String|A unique identifier assigned to a device by Microsoft Entra ID when device is Microsoft Entra joined.|
25-
|defenderAvStatus|[microsoft.graph.security.defenderAvStatus](#defenderavstatus-values)|State of the Defender AntiMalware engine. The possible values are: `notReporting`, `disabled`, `notUpdated`, `updated`, `unknown`, `notSupported`, `unknownFutureValue`.|
25+
|defenderAvStatus|[microsoft.graph.security.defenderAvStatus](#defenderavstatus-values)|State of the Defender anti-malware engine. The possible values are: `notReporting`, `disabled`, `notUpdated`, `updated`, `unknown`, `notSupported`, `unknownFutureValue`.|
2626
|deviceDnsName|String|The fully qualified domain name (FQDN) for the device.|
2727
| dnsDomain | String | The DNS domain that this computer belongs to. A sequence of labels separated by dots. |
2828
|firstSeenDateTime|DateTimeOffset|The date and time when the device was first seen.|
@@ -38,19 +38,20 @@ Inherits from [alertEvidence](../resources/security-alertevidence.md).
3838
|rbacGroupId|Int32|The ID of the role-based access control device group.|
3939
|rbacGroupName|String|The name of the role-based access control device group.|
4040
|riskScore|[microsoft.graph.security.deviceRiskScore](#deviceriskscore-values)|Risk score as evaluated by Microsoft Defender for Endpoint. The possible values are: `none`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.|
41+
|resourceAccessEvents|[microsoft.graph.security.resourceAccessEvent](../resources/security-resourceaccessevent.md) collection | Information on resource access attempts made by the user account. |
4142
|version|String|The version of the operating system platform.|
4243
|vmMetadata|[microsoft.graph.security.vmMetadata](../resources/security-vmmetadata.md)|Metadata of the virtual machine (VM) on which Microsoft Defender for Endpoint is running.|
4344

4445
### defenderAvStatus values
4546

4647
| Member | Description |
4748
| :--------------------------| :------------------------------------------------------------ |
48-
| notReporting | Defender AntiMalware engine isn't reporting. |
49-
| disabled | Defender AntiMalware engine has been disabled. |
50-
| notUpdated | Defender AntiMalware engine isn't up to date. |
51-
| updated | Defender AntiMalware engine is up to date. |
52-
| unknown | State of Defender AntiMalware engine is unknown. |
53-
| notSupported | Defender AntiMalware engine isn't supported on this platform.|
49+
| notReporting | Defender anti-malware engine isn't reporting. |
50+
| disabled | Defender anti-malware engine is disabled. |
51+
| notUpdated | Defender anti-malware engine isn't up to date. |
52+
| updated | Defender anti-malware engine is up to date. |
53+
| unknown | State of Defender anti-malware engine is unknown. |
54+
| notSupported | Defender anti-malware engine isn't supported on this platform.|
5455
| unknownFutureValue | unknownFutureValue for evolvable enums pattern. |
5556

5657

@@ -124,6 +125,11 @@ The following JSON representation shows the resource type.
124125
"rbacGroupName": "String",
125126
"remediationStatus": "String",
126127
"remediationStatusDetails": "String",
128+
"resourceAccessEvents": [
129+
{
130+
"@odata.type": "microsoft.graph.security.resourceAccessEvent"
131+
}
132+
],
127133
"riskScore": "String",
128134
"roles": ["String"],
129135
"tags": ["String"],
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
---
2+
title: "mailboxConfigurationEvidence resource type"
3+
description: "Represents a mailbox configuration entity that is reported as part of the security detection alert."
4+
ms.date: 11/19/2025
5+
author: "hareldamti"
6+
ms.localizationpriority: medium
7+
ms.subservice: "security"
8+
doc_type: resourcePageType
9+
---
10+
11+
# mailboxConfigurationEvidence resource type
12+
13+
Namespace: microsoft.graph.security
14+
15+
Represents a mailbox configuration entity that is reported as part of the security detection alert.
16+
17+
Inherits from [alertEvidence](../resources/security-alertevidence.md), which represents evidence related to an [alert](security-alert.md).
18+
19+
## Properties
20+
|Property|Type|Description|
21+
|:---|:---|:---|
22+
|configurationType|microsoft.graph.security.mailboxConfigurationType|The type of mailbox configuration. The possible values are: `mailForwardingRule`, `owaSettings`, `ewsSettings`, `mailDelegation`, `userInboxRule`, `unknownFutureValue`.|
23+
|configurationId|String|The unique identifier of the mailbox configuration.|
24+
|createdDateTime|DateTimeOffset|The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
25+
|detailedRoles|String collection|Detailed roles of the evidence in the alert. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
26+
|displayName|String|The display name of the mailbox.|
27+
|externalDirectoryObjectId|Guid|The external directory object identifier of the mailbox.|
28+
|mailboxPrimaryAddress|String|The primary email address of the mailbox.|
29+
|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](../resources/security-alertevidence.md#evidenceremediationstatus-values)|The status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `active`, `pendingApproval`, `declined`, `notRemediated`, `running`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
30+
|remediationStatusDetails|String|Details about the remediation status. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
31+
|roles|[microsoft.graph.security.evidenceRole](../resources/security-alertevidence.md#evidencerole-values) collection|One or more roles that an evidence entity represents in an alert. For example, an IP address that is associated with an attacker has the evidence role `Attacker`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
32+
|tags|String collection|Array of custom tags associated with an evidence instance. For example, to denote a group of devices or high value assets. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
33+
|upn|String|The user principal name (UPN) of the mailbox.|
34+
|verdict|[microsoft.graph.security.evidenceVerdict](../resources/security-alertevidence.md#evidenceverdict-values)|The decision reached by automated investigation. The possible values are: `unknown`, `suspicious`, `malicious`, `noThreatsFound`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
35+
36+
## Relationships
37+
None.
38+
39+
## JSON representation
40+
The following JSON representation shows the resource type.
41+
<!-- {
42+
"blockType": "resource",
43+
"@odata.type": "microsoft.graph.security.mailboxConfigurationEvidence",
44+
"baseType": "microsoft.graph.security.alertEvidence"
45+
}
46+
-->
47+
``` json
48+
{
49+
"@odata.type": "#microsoft.graph.security.mailboxConfigurationEvidence",
50+
"createdDateTime": "String (timestamp)",
51+
"verdict": "String",
52+
"remediationStatus": "String",
53+
"remediationStatusDetails": "String",
54+
"roles": [
55+
"String"
56+
],
57+
"detailedRoles": [
58+
"String"
59+
],
60+
"tags": [
61+
"String"
62+
],
63+
"configurationType": "String",
64+
"mailboxPrimaryAddress": "String",
65+
"displayName": "String",
66+
"upn": "String",
67+
"configurationId": "String",
68+
"externalDirectoryObjectId": "String"
69+
}
70+
```
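Review bot: `externalDirectoryObjectId` is typed `Guid` in the properties table but shown as `"String"` in the JSON representation; make the two agree. `configurationType` should link to the enum page (`enums-security.md#mailboxconfigurationtype-values`, added in this same commit) the way `remediationStatus`, `roles` and `verdict` link to theirs, and it sorts after `configurationId` in the alphabetical table. Minor: `## Properties`, `## Relationships` and `## JSON representation` are missing the blank line after the heading that the activeDirectoryDomainEvidence page in this commit uses.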

api-reference/v1.0/resources/enums-security.md

Lines changed: 10 additions & 0 deletions
@@ -184,6 +184,16 @@ Namespace: microsoft.graph.security
184184
|unknown|
185185
|unknownFutureValue|
186186

187+
### mailboxConfigurationType values
188+
189+
|Member|
190+
|:---|
191+
|mailForwardingRule|
192+
|owaSettings|
193+
|ewsSettings|
194+
|mailDelegation|
195+
|userInboxRule|
196+
|unknownFutureValue|
187197
### logDataProvider values
188198

189199
|Member|
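Review bot: unlike the beta version of this change, no blank line is added between the last new table row `|unknownFutureValue|` (line 196) and the following `### logDataProvider values` heading (line 197); add one so the table is terminated the same way as in the beta file and renders consistently.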
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
---
2+
title: "activeDirectoryDomainEvidence resource type"
3+
description: "Represents a Active Directory Domain entity that reported as part of the security detection alert."
4+
ms.date: 05/14/2025
5+
author: "hareldamti"
6+
ms.localizationpriority: medium
7+
ms.subservice: "security"
8+
doc_type: resourcePageType
9+
---
10+
11+
12+
# activeDirectoryDomainEvidence resource type
13+
14+
Namespace: microsoft.graph.security
15+
16+
A file that is reported in the alert as evidence.
17+
18+
Inherits from [alertEvidence](../resources/security-alertevidence.md), which represents evidence related to an [alert](security-alert.md).
19+
20+
## Properties
21+
22+
|Property|Type|Description|
23+
|:---|:---|:---|
24+
|activeDirectoryDomainName|String|The name of the Active Directory domain.|
25+
|createdDateTime|DateTimeOffset|The date and time when the evidence was created and added to the alert. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
26+
|detailedRoles|String collection|Detailed roles of the evidence in the alert. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
27+
|remediationStatus|[microsoft.graph.security.evidenceRemediationStatus](../resources/security-alertevidence.md#evidenceremediationstatus-values)|The status of the remediation action taken. The possible values are: `none`, `remediated`, `prevented`, `blocked`, `notFound`, `active`, `pendingApproval`, `declined`, `notRemediated`, `running`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
28+
|remediationStatusDetails|String|Details about the remediation status. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
29+
|roles|[microsoft.graph.security.evidenceRole](../resources/security-alertevidence.md#evidencerole-values) collection|One or more roles that an evidence entity represents in an alert. For example, an IP address that is associated with an attacker has the evidence role `Attacker`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
30+
|tags|String collection|Array of custom tags associated with an evidence instance. For example, to denote a group of devices or high value assets. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
31+
|trustedDomains|microsoft.graph.security.activeDirectoryDomainEvidence collection|List of trusted domains.|
32+
|verdict|[microsoft.graph.security.evidenceVerdict](../resources/security-alertevidence.md#evidenceverdict-values)|The decision reached by automated investigation. The possible values are: `unknown`, `suspicious`, `malicious`, `noThreatsFound`, `unknownFutureValue`. Inherited from [alertEvidence](../resources/security-alertevidence.md).|
33+
34+
## Relationships
35+
36+
None.
37+
38+
## JSON representation
39+
40+
The following JSON representation shows the resource type.
41+
<!-- {
42+
"blockType": "ignored",
43+
"@odata.type": "microsoft.graph.security.activeDirectoryDomainEvidence",
44+
"baseType": "microsoft.graph.security.alertEvidence"
45+
}
46+
-->
47+
``` json
48+
{
49+
"@odata.type": "#microsoft.graph.security.activeDirectoryDomainEvidence",
50+
"createdDateTime": "String (timestamp)",
51+
"verdict": "String",
52+
"remediationStatus": "String",
53+
"remediationStatusDetails": "String",
54+
"roles": [
55+
"String"
56+
],
57+
"detailedRoles": [
58+
"String"
59+
],
60+
"tags": [
61+
"String"
62+
],
63+
"activeDirectoryDomainName": "String",
64+
"trustedDomains": [{"@odata.type": "microsoft.graph.security.activeDirectoryDomainEvidence"}],
65+
}
66+
```
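Review bot: same defects as the beta copy of this page: the JSON representation has a trailing comma after the `"trustedDomains": [...]` line, making it invalid JSON, and the nested `"@odata.type"` lacks the `#` prefix used on the top-level value; `"blockType": "ignored"` hides this from validation, so switch to `"blockType": "resource"`. The intro `A file that is reported in the alert as evidence.` should describe an Active Directory domain, and the description `a Active Directory Domain entity that reported` should read `an Active Directory domain entity that is reported`.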

api-reference/v1.0/resources/security-alertevidence.md

Lines changed: 3 additions & 1 deletion
@@ -20,6 +20,7 @@ The **alertEvidence** base type and its derived evidence types provide a means t
2020
- [Mailbox evidence](security-mailboxevidence.md) for the hacked user account with a role of `compromised`.
2121

2222
This resource is the base type for the following evidence types:
23+
* [activeDirectoryDomainEvidence](security-activedirectorydomainevidence.md)
2324
* [aiAgentEvidence](security-aiagentevidence.md)
2425
* [amazonResourceEvidence](security-amazonresourceevidence.md)
2526
* [analyzedMessageEvidence](security-analyzedmessageevidence.md)
@@ -44,8 +45,9 @@ This resource is the base type for the following evidence types:
4445
* [kubernetesSecretEvidence](security-kubernetessecretevidence.md)
4546
* [kubernetesServiceEvidence](security-kubernetesserviceevidence.md)
4647
* [kubernetesServiceAccountEvidence](security-kubernetesserviceaccountevidence.md)
47-
* [mailClusterEvidence](security-mailclusterevidence.md)
48+
* [mailboxConfigurationEvidence](security-mailboxconfigurationevidence.md)
4849
* [mailboxEvidence](security-mailboxevidence.md)
50+
* [mailClusterEvidence](security-mailclusterevidence.md)
4951
* [nicEvidence](security-nicevidence.md)
5052
* [oauthApplicationEvidence](security-oauthapplicationevidence.md)
5153
* [processEvidence](security-processevidence.md)
