Merge pull request #28593 from microsoftgraph/users/t-hareldamti/add-alert-categories

Danipocket · web-flow · commit 2d632c139fc1 · 2026-05-06T15:11:07.000-06:00
Add alert categories and deprecate category
diff --git a/api-reference/beta/resources/security-alert.md b/api-reference/beta/resources/security-alert.md
@@ -42,7 +42,7 @@ Security providers create an alert in the system when they detect a threat. Micr
 |alertPolicyId|String| The ID of the policy that generated the alert, and populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy.|
 |alertWebUrl|String| URL for the Microsoft 365 Defender portal alert page.|
 |assignedTo|String| Owner of the **alert**, or null if no owner is assigned.|
-|category|String| The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.|
+|categories|String collection| The attack kill-chain categories that the alert belongs to. Aligned with the MITRE ATT&CK framework.|
 |classification|[microsoft.graph.security.alertClassification](#alertclassification-values)| Specifies whether the alert represents a true threat. The possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
 |comments|[microsoft.graph.security.alertComment](security-alertComment.md) collection| Array of comments created by the Security Operations (SecOps) team during the alert management process.|
 |createdDateTime|DateTimeOffset| Time when Microsoft 365 Defender created the alert.|
@@ -72,6 +72,7 @@ Security providers create an alert in the system when they detect a threat. Micr
 |threatFamilyName|String| Threat family associated with this alert.|
 |title|String| Brief identifying string value describing the alert.|
 |systemTags|String collection| The system tags associated with the alert.|
+|category (deprecated)|String| The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. This property is in the process of being deprecated. Use the **categories** property instead.|
 
 ### alertClassification values
 
@@ -163,6 +164,7 @@ The following JSON representation shows the resource type.
   "alertWebUrl": "String",
   "assignedTo": "String",
   "category": "String",
+  "categories": ["String"],
   "classification": "String",
   "comments": [{"@odata.type": "microsoft.graph.security.alertComment"}],
   "createdDateTime": "String (timestamp)",
diff --git a/api-reference/v1.0/resources/security-alert.md b/api-reference/v1.0/resources/security-alert.md
@@ -39,7 +39,7 @@ When a security provider detects a threat, it creates an alert in the system. Mi
 |alertPolicyId|String| The ID of the policy that generated the alert, and populated when there is a specific policy that generated the alert, whether configured by a customer or a built-in policy.|
 |alertWebUrl|String|URL for the Microsoft 365 Defender portal alert page.|
 |assignedTo|String| Owner of the **alert**, or null if no owner is assigned.|
-|category|String| The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework.|
+|categories|String collection| The attack kill-chain categories that the alert belongs to. Aligned with the MITRE ATT&CK framework.|
 |classification|[microsoft.graph.security.alertClassification](#alertclassification-values)| Specifies whether the alert represents a true threat. The possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.|
 |comments|[microsoft.graph.security.alertComment](security-alertComment.md) collection| Array of comments created by the Security Operations (SecOps) team during the alert management process.|
 |createdDateTime|DateTimeOffset| Time when Microsoft 365 Defender created the alert.|
@@ -56,7 +56,7 @@ When a security provider detects a threat, it creates an alert in the system. Mi
 |investigationState|[microsoft.graph.security.investigationState](#investigationstate-values)| Information on the current status of the investigation. The possible values are: `unknown`, `terminated`, `successfullyRemediated`, `benign`, `failed`, `partiallyRemediated`, `running`, `pendingApproval`, `pendingResource`, `queued`, `innerFailure`, `preexistingAlert`, `unsupportedOs`, `unsupportedAlertType`, `suppressedAlert`, `partiallyInvestigated`, `terminatedByUser`, `terminatedBySystem`, `unknownFutureValue`.|
 |lastActivityDateTime|DateTimeOffset| The oldest activity associated with the alert.|
 |lastUpdateDateTime|DateTimeOffset| Time when the alert was last updated at Microsoft 365 Defender.|
-|mitreTechniques|Collection(Edm.String)| The attack techniques, as aligned with the MITRE ATT&CK framework.|
+|mitreTechniques|String collection| The attack techniques, as aligned with the MITRE ATT&CK framework.|
 |productName|String|The name of the product which published this alert.|
 |providerAlertId|String| The ID of the alert as it appears in the security provider product that generated the alert.|
 |recommendedActions|String| Recommended response and remediation actions to take in the event this alert was generated.|
@@ -69,6 +69,7 @@ When a security provider detects a threat, it creates an alert in the system. Mi
 |threatFamilyName|String| Threat family associated with this alert.|
 |title|String| Brief identifying string value describing the alert.|
 |systemTags|String collection| The system tags associated with the alert.|
+|category (deprecated)|String| The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework. This property is in the process of being deprecated. Use the **categories** property instead.|
 
 ### alertClassification values
 
@@ -160,6 +161,7 @@ The following JSON representation shows the resource type.
   "alertWebUrl": "String",
   "assignedTo": "String",
   "category": "String",
+  "categories": ["String"],
   "classification": "String",
   "comments": [{"@odata.type": "microsoft.graph.security.alertComment"}],
   "createdDateTime": "String (timestamp)",
diff --git a/changelog/Microsoft.M365.Defender.json b/changelog/Microsoft.M365.Defender.json
@@ -1,5 +1,57 @@
 {
   "changelog": [
+    {
+      "ChangeList": [
+        {
+          "Id": "8379ddd0-e101-4994-994f-36d29a65811d",
+          "ApiChange": "Property",
+          "ChangedApiName": "categories",
+          "ChangeType": "Addition",
+          "Description": "Added the **categories** property to the [alert](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-beta) resource.",
+          "Target": "alert"
+        },
+        {
+          "Id": "8379ddd0-e101-4994-994f-36d29a65811d",
+          "ApiChange": "Property",
+          "ChangedApiName": "category",
+          "ChangeType": "Deprecation",
+          "Description": "Deprecated the **category** property on the [alert](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-beta) resource. Use the **categories** property instead.",
+          "Target": "alert"
+        }
+      ],
+      "Id": "8379ddd0-e101-4994-994f-36d29a65811d",
+      "Cloud": "Prod",
+      "Version": "beta",
+      "CreatedDateTime": "2026-05-06T09:53:42.0329384Z",
+      "WorkloadArea": "Security",
+      "SubArea": "Alerts and incidents"
+    },
+    {
+      "ChangeList": [
+        {
+          "Id": "fecc7d38-924a-4137-a934-8d0d83035f20",
+          "ApiChange": "Property",
+          "ChangedApiName": "categories",
+          "ChangeType": "Addition",
+          "Description": "Added the **categories** property to the [alert](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) resource.",
+          "Target": "alert"
+        },
+        {
+          "Id": "fecc7d38-924a-4137-a934-8d0d83035f20",
+          "ApiChange": "Property",
+          "ChangedApiName": "category",
+          "ChangeType": "Deprecation",
+          "Description": "Deprecated the **category** property on the [alert](https://learn.microsoft.com/en-us/graph/api/resources/security-alert?view=graph-rest-1.0) resource. Use the **categories** property instead.",
+          "Target": "alert"
+        }
+      ],
+      "Id": "fecc7d38-924a-4137-a934-8d0d83035f20",
+      "Cloud": "Prod",
+      "Version": "v1.0",
+      "CreatedDateTime": "2026-05-06T09:53:42.0336216Z",
+      "WorkloadArea": "Security",
+      "SubArea": "Alerts and incidents"
+    },
     {
       "ChangeList": [
         {
diff --git a/concepts/whats-new-overview.md b/concepts/whats-new-overview.md
@@ -3,7 +3,7 @@ title: "What's new in Microsoft Graph"
 description: "Find out what's new in Microsoft Graph APIs, SDKs, documentation, and other resources."
 author: "lauragra"
 ms.localizationpriority: high
-ms.date: 05/05/2026
+ms.date: 04/28/2026
 ms.topic: whats-new
 ---
 
@@ -36,10 +36,6 @@ Use the [deviceRegistrationPolicy](/graph/api/resources/deviceregistrationpolicy
 
 ## May 2026: New in preview only
 
-### Change notifications
-
-Use the new Copilot change notifications API for meetings AI insights to subscribe to notifications for the generation of meeting AI summaries and receive a notification when the summaries are fully generated and available. For more information, see [Get change notifications for Copilot AI insights using Microsoft Graph](/microsoft-365/copilot/extensibility/api/ai-services/change-notifications/aiinsights-changenotifications).
-
 ### Identity and access | Identity and sign-in
 
 - Added the [onVerifiedIdClaimValidationCustomExtension](/graph/api/resources/onverifiedidclaimvalidationcustomextension?view=graph-rest-beta&preserve-view=true) and [onVerifiedIdClaimValidationListener](/graph/api/resources/onverifiedidclaimvalidationlistener?view=graph-rest-beta&preserve-view=true) resource types and associated methods to support custom logic for claim validation from Verified ID credential presentations during authentication flows through Microsoft Entra custom authentication extensions in External ID.
@@ -70,12 +66,16 @@ Use the **isVisible** property on [profileCardProperty](/graph/api/resources/pro
 
 ### Identity and access | Governance
 
-- Added the **processingInfo** property to the [taskProcessingResult](/graph/api/resources/identitygovernance-taskprocessingresult) resource. Use this property to get additional human-readable context about task execution outcomes, particularly for cases where the task completed successfully but the expected action wasn't performed because the target was already in the desired state.
-- Use `approverRemove` as a new supported value for the **requestType** property of the [accessPackageAssignmentRequest](/graph/api/resources/accesspackageassignmentrequest) resource. For more information, see [accessPackageAssignmentRequest](/graph/api/resources/accesspackageassignmentrequest).
+Use `approverRemove` as a new supported value for the **requestType** property of the [accessPackageAssignmentRequest](/graph/api/resources/accesspackageassignmentrequest) resource. For more information, see [accessPackageAssignmentRequest](/graph/api/resources/accesspackageassignmentrequest).
 
 ### Identity and access | Identity and sign-in
 
-- Use `riskRemediation` as part of [conditional access grant controls](/graph/api/resources/conditionalaccessgrantcontrols) to enforce a User Risk [conditional access policy](/graph/api/resources/conditionalaccesspolicy). When you select "Require risk remediation" in your policy's grant controls, Microsoft Entra ID Protection manages the appropriate remediation flow based on the threat observed and the user's authentication method. In passwordless Risky User sessions, it updates risk details with `microsoftRevokedSessions`. 
+- Use `riskRemediation` as part of [conditional access grant controls](/graph/api/resources/conditionalaccessgrantcontrols) to enforce a User Risk [conditional access policy](/graph/api/resources/conditionalaccesspolicy). When you select "Require risk remediation" in your policy's grant controls, Microsoft Entra ID Protection manages the appropriate remediation flow based on the threat observed and the user's authentication method. In passwordless Risky User sessions, it updates risk details with `microsoftRevokedSessions`.
+
+### Security | Alerts and incidents
+
+- Added the **categories** property to the [alert](/graph/api/resources/security-alert?view=graph-rest-beta&preserve-view=true) resource.
+- Deprecated the **category** property on the [alert](/graph/api/resources/security-alert?view=graph-rest-beta&preserve-view=true) resource. Use the **categories** property instead.
 
 ### Teamwork and communications | Apps
 
@@ -129,9 +129,8 @@ Added the **inheritedAppRoleAssignments** and **inheritedOauth2PermissionGrants*
 
 ### Identity and access | Governance
 
-- Added the **processingInfo** property to the [taskProcessingResult](/graph/api/resources/identitygovernance-taskprocessingresult?view=graph-rest-beta&preserve-view=true) resource. Use this property to get additional human-readable context about task execution outcomes, particularly for cases where the task completed successfully but the expected action wasn't performed because the target was already in the desired state.
-- Added the [cancelProcessing](/graph/api/identitygovernance-workflow-cancelprocessing?view=graph-rest-beta&preserve-view=true) method to the [workflow](/graph/api/resources/identitygovernance-workflow?view=graph-rest-beta&preserve-view=true) resource to cancel workflow runs that are currently in progress or queued.
 - Use `default`, `notVisible`, and `visible` as supported values for the **approverInformationVisibility** property of the [accessPackageApprovalStage](/graph/api/resources/accesspackageapprovalstage?view=graph-rest-beta&preserve-view=true) and [approvalStage](/graph/api/resources/approvalstage?view=graph-rest-beta&preserve-view=true) resources to indicate whether approver information is visible to the requestor.
+- Added the [cancelProcessing](/graph/api/identitygovernance-workflow-cancelprocessing?view=graph-rest-beta&preserve-view=true) method to the [workflow](/graph/api/resources/identitygovernance-workflow?view=graph-rest-beta&preserve-view=true) resource to cancel workflow runs that are currently in progress or queued.
 - Added the **referenceId** property and the **files** relationship to [customDataProvidedResourceUploadSession](/graph/api/resources/customdataprovidedresourceuploadsession?view=graph-rest-beta&preserve-view=true) resource to identify the context for which data is being uploaded, such as an access review instance ID, and identify files uploaded during an upload session, respectively. Also added enhanced support for query capabilities for the [List customDataProvidedResourceUploadSession objects](/graph/api/accesspackageresource-list-uploadsessions?view=graph-rest-beta&preserve-view=true) API operation.
 
 ### Identity and access | Identity and sign-in
@@ -163,6 +162,11 @@ Use the **activities**, **awards**, and **fieldsOfStudy** properties on [educati
 
 Added the [azureADPremiumLicenseInsight](/graph/api/resources/azureadpremiumlicenseinsight?view=graph-rest-beta&preserve-view=true) resource and its associated APIs for getting insights into the Microsoft Entra ID P1 and P2 premium license utilization for the tenant, including feature utilization breakdowns for P1, P2, Internet Access, and Private Access features.
 
+### Security | Alerts and incidents
+
+- Added the **categories** property to the [alert](/graph/api/resources/security-alert?view=graph-rest-beta&preserve-view=true) resource.
+- Deprecated the **category** property on the [alert](/graph/api/resources/security-alert?view=graph-rest-beta&preserve-view=true) resource. Use the **categories** property instead.
+
 ### Security | Compliance
 
 Updated the capabilities of the [auditLogQuery](/graph/api/resources/security-auditlogquery?view=graph-rest-beta&preserve-view=true) resource type and its associated methods as follows:
@@ -173,10 +177,6 @@ Updated the capabilities of the [auditLogQuery](/graph/api/resources/security-au
 
 Use the **sensorTypes** property on [sensorCandidate](/graph/api/resources/security-sensorcandidate?view=graph-rest-beta&preserve-view=true) to get the list of device types for the sensor.
 
-### Cloud communications | Call
-
-Added [meeting engagement data](/graph/api/resources/meetingengagement?view=graph-rest-beta&preserve-view=true) to capture real-time participant interaction behaviors during a meeting, including reactions (like, love, applause, and so on), hand raises, camera toggles, and microphone mute/unmute events. This data is collected as part of the attendance report.
-
 ### Teamwork and communications | Messaging
 
 - Use the targeted messages APIs to manage messages in Microsoft Teams that are visible only to specified recipients within group chats or channels:
