Microsoft Graph API Threat Intelligence
The Microsoft Graph API Threat Intelligence connector automates threat detection and response by integrating with Microsoft's security intelligence ecosystem. Microsoft Graph API Threat Intelligence is a platform for security analysis and threat detection: it lets users retrieve detailed insights, analyze threat assessments, and manage threat intelligence indicators within the Microsoft Graph Security API. By integrating with Swimlane Turbine, security teams can automate the ingestion and analysis of threat data, improve their security posture, and respond to incidents more efficiently, drawing on the intelligence capabilities of Microsoft Graph API without manual coding.

## Prerequisites

To use the Microsoft Graph API Threat Intelligence connector, ensure you have the following:

- Client credentials and tenant ID authentication, with these parameters:
  - URL: endpoint for Microsoft Graph API
  - Client ID: application ID registered in Azure AD
  - Client Secret: key generated for the application in Azure AD
  - Tenant ID: directory ID of the Azure AD tenant
  - Scope: permissions required for API access
- OAuth 2.0 client credentials, with these parameters:
  - URL: endpoint for Microsoft Graph API
  - Client ID: application ID registered in Azure AD
  - Client Secret: key generated for the application in Azure AD
  - Token URL: URL to retrieve the OAuth token
  - Scope: permissions required for API access
- Delegated flow authentication, with these parameters:
  - URL: endpoint for Microsoft Graph API
  - Tenant ID: directory ID of the Azure AD tenant
  - and so on

## Authentication methods

### OAuth 2.0 client credentials

Authentication with these parameters:

- URL: endpoint for Microsoft Graph API
- Client ID: application (client) ID registered in Azure AD
- Client Secret: client secret (key) generated for the application in Azure AD
- Token URL: URL to retrieve the OAuth token
- Scope: permissions the app requires

### Password grant (delegated authentication)

For acting on behalf of a user:

- URL: endpoint for Microsoft Graph API
- Tenant ID: directory ID of the Azure AD tenant
- OAuth UN: user's username to authenticate
- OAuth PWD: user's password to authenticate
- OAuth CL ID: application (client) ID registered in Azure AD
- OAuth CL Secret: client secret (key) generated for the application in Azure AD
- Login URL: login URL; the default value is https://login.microsoftonline.com (optional)
- Scope: permissions the app requires (optional)

### Asset credentials specific to your organization (Microsoft Graph API Asset Tenant ID)

- URL: endpoint for Microsoft Graph API
- Client ID: application (client) ID registered in Azure AD
- Client Secret: client secret (key) generated for the application in Azure AD
- Tenant ID: directory ID of the Azure AD tenant
- Scope: permissions the app requires

### Authentication for OAuth2 refresh token grant

Credentials for Microsoft Graph API authentication:

- URL: endpoint for Microsoft Graph API
- Client ID: application (client) ID registered in Azure AD
- Client Secret: client secret (key) generated for the application in Azure AD
- Refresh Token: refresh token
- Scope: permissions the app requires

## Capabilities

The Microsoft Graph API connector gives the ability to get and update security alerts, and to modify user licenses and sessions. Actions:

- Create Threat Intel Indicator Microsoft Defender
- Create Threat Intel Indicator Azure Sentinel
- Delete Threat Intelligence Indicator
- Get Threat Assessment
- Get Threat Assessment List
- Get Threat Intelligence Indicator
- Get Threat Intelligence Indicators List
- Post Threat Assessment Email
- Post Threat Assessment File
- Post Threat Assessment URI
- Post Threat Assessment URL

## Asset setup

### Client credential flow authentication

Authentication uses an Azure application with OAuth2. You will need an admin account in Azure to create the application.

Recommended application permissions (feel free to use custom permissions if you only use certain actions):

- User.ReadWrite.All
- Calendars.ReadWrite
- Directory.ReadWrite.All
- Directory.AccessAsUser.All
- SecurityEvents.Read.All
- SecurityEvents.ReadWrite.All
- AuditLog.Read.All
- Mail.ReadBasic.All
- SecurityAnalyzedMessage.ReadWrite.All
- SecurityAlert.ReadWrite.All
- SecurityIncident.ReadWrite.All
- IdentityRiskyUser.Read.All

To set up the asset, you need the following:

- Azure application Client ID
- Azure application Client Secret
- Azure Tenant ID

Steps to create the Azure app:

1. Go to the App registrations blade at https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose Accounts in this organizational directory only, then click Register at the bottom.
4. Navigate to the API permissions tab on the left navigation menu.
5. Select Add a permission.
6. Select Microsoft Graph.
7. Select Application permissions, then mark all the permissions you need for the actions you are using (see the suggested permissions at the top of the Asset setup section).
8. Click the Add permissions button at the bottom of the page.
9. Select Grant admin consent for your organization; the permissions you added should then show as granted.
10. Navigate to the Certificates & secrets tab and select New client secret.
11. Fill out the description and expiration, then click the Add button at the bottom. The Value of the secret you just created is the Client Secret needed for the Swimlane asset.
12. Navigate to the Overview tab on the left menu. The Client ID and Tenant ID needed in the asset are shown on this page.

The Client ID, Tenant ID, and Client Secret described in the steps above are the credentials you need for the asset.

### Password flow (delegated auth)

Use Delegated permissions instead of Application permissions, and generate the Client ID, Tenant ID, and Client Secret as described in the client credential flow authentication above. A username and a password are also needed for this authentication.

### Authentication flow for OAuth2 refresh token

OAuth 2.0 refresh token grant, which requires a Refresh Token, Tenant ID, Client ID and Client Secret.
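The client credential flow set up above and the refresh token grant just introduced both exchange credentials at the tenant's v2.0 token endpoint. The following Python is an added example, not Swimlane's or Microsoft's code: it builds the Token URL from the Tenant ID following the rule given in the asset configuration (login URL, then the tenant ID, then /oauth2/v2.0/token), issues either grant, and takes an injectable HTTP transport so it can be exercised offline. The `.default` scope for application tokens and the environment variable names in the usage block are assumptions.

```python
"""Token acquisition for the connector's OAuth 2.0 grants.

Added example (not Swimlane's or Microsoft's code). Builds the v2.0 token
endpoint from the tenant ID, checks it against the Token URL rule from the
asset configuration, and issues a client-credentials or refresh-token grant.
The HTTP transport is injectable so the logic can be exercised offline.
"""
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

LOGIN_URL = "https://login.microsoftonline.com"
# Application (client credential) tokens for Graph request the .default scope (assumption)
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def token_url_for_tenant(tenant_id: str, login_url: str = LOGIN_URL) -> str:
    """Return <login URL>/<tenant ID>/oauth2/v2.0/token for the asset's Token URL field."""
    if not tenant_id or "/" in tenant_id:
        raise ValueError("tenant ID must be a single, non-empty path segment")
    return f"{login_url.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"


def is_valid_token_url(url: str) -> bool:
    """Apply the asset rule: login prefix, exactly one tenant segment, then /oauth2/v2.0/token."""
    prefix, suffix = LOGIN_URL + "/", "/oauth2/v2.0/token"
    if not (url.startswith(prefix) and url.endswith(suffix)):
        return False
    tenant = url[len(prefix):-len(suffix)]
    return bool(tenant) and "/" not in tenant


def client_credentials_form(client_id: str, client_secret: str,
                            scope: str = GRAPH_DEFAULT_SCOPE) -> dict:
    """Form body for the client credential flow (application permissions)."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}


def refresh_token_form(client_id: str, client_secret: str, refresh_token: str,
                       scope: str = "") -> dict:
    """Form body for the refresh token grant (delegated permissions, MFA-enabled account)."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}
    if scope:
        form["scope"] = scope
    return form


def urllib_post(url: str, form: dict):
    """Default transport: POST the form and return (HTTP status, decoded JSON body)."""
    req = Request(url, data=urlencode(form).encode(), method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as err:  # AAD returns a JSON error document with a 4xx status
        return err.code, json.loads(err.read().decode())


def acquire_token(token_url: str, form: dict, post=urllib_post) -> str:
    """Run one grant and return the bearer access token for Graph requests."""
    if not is_valid_token_url(token_url):
        raise ValueError("token URL must be https://login.microsoftonline.com/<tenant ID>/oauth2/v2.0/token")
    status, body = post(token_url, form)
    if status != 200 or "access_token" not in body:
        detail = body.get("error_description") or body.get("error") or body
        raise RuntimeError(f"token request failed with HTTP {status}: {detail}")
    return body["access_token"]


def graph_headers(access_token: str) -> dict:
    """Headers for a Graph call made with the acquired token."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


if __name__ == "__main__":
    import os  # credentials come from the environment (assumed variable names); none are embedded
    url = token_url_for_tenant(os.environ["TENANT_ID"])
    form = client_credentials_form(os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    token = acquire_token(url, form)
    print("token acquired, first 12 characters:", token[:12])
```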
Use the refresh token grant with accounts that have MFA enabled. To generate a refresh token, follow the instructions below:

1. In step 3 of the setup instructions above, provide a Redirect URI and select the platform 'Web' before clicking Register at the bottom.
2. Proceed with the remaining steps to generate the Client ID, Tenant ID and Client Secret.
3. Add the permissions under Delegated permissions.
4. The Swimlane team will provide a Python script and instructions on how to use the script to generate the refresh token.

### Limit access to specific mailboxes

Administrators who want to limit app access to specific mailboxes can create an application access policy by using the New-ApplicationAccessPolicy PowerShell cmdlet. For more information, see https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access.

## Action setup

### OData filters

Information on the filter input formatting can be found at https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter.

Keep in mind that not specifying a folder as an input will result in the query affecting all possible folders. Example: if we want to ingest only unread emails and we don't set the input "folder", we will ingest all unread emails from all folders, including "Deleted Items", "Junk", etc.

### Well-known folders

Well-known folders can be used instead of folder IDs for email actions. All well-known folder names can be found at https://docs.microsoft.com/en-us/graph/api/resources/mailfolder?view=graph-rest-1.0.

### Sites: Get Site

All the Sites actions require the Site ID to be executed. The Site ID can be obtained using the action Sites Get Site; to run the action, the Site Hostname and Site Name are needed. These two values can be found in a site URL: https://{site hostname}.sharepoint.com/sites/{site name}. For example, if our site URL is https://swimlaneintegrations.sharepoint.com/sites/integrationssite, we should use:

- Site Hostname: swimlaneintegrations
- Site Name: integrationssite

After the action execution, you can find the Site ID in the `id` output field.

### Sites: Create List

To create a list with its columns, use the input Columns. You can find all the possible values with their configuration in the following table:

| Property name | Type | Description |
| --- | --- | --- |
| boolean | [booleanColumn](https://docs.microsoft.com/en-us/graph/api/resources/booleancolumn?view=graph-rest-1.0) | This column stores boolean values. |
| calculated | [calculatedColumn](https://docs.microsoft.com/en-us/graph/api/resources/calculatedcolumn?view=graph-rest-1.0) | This column's data is calculated based on other columns. |
| choice | [choiceColumn](https://docs.microsoft.com/en-us/graph/api/resources/choicecolumn?view=graph-rest-1.0) | This column stores data from a list of choices. |
| currency | [currencyColumn](https://docs.microsoft.com/en-us/graph/api/resources/currencycolumn?view=graph-rest-1.0) | This column stores currency values. |
| dateTime | [dateTimeColumn](https://docs.microsoft.com/en-us/graph/api/resources/datetimecolumn?view=graph-rest-1.0) | This column stores DateTime values. |
| geolocation | [geolocationColumn](https://docs.microsoft.com/en-us/graph/api/resources/geolocationcolumn?view=graph-rest-1.0) | This column stores a geolocation. |
| lookup | [lookupColumn](https://docs.microsoft.com/en-us/graph/api/resources/lookupcolumn?view=graph-rest-1.0) | This column's data is looked up from another source in the site. |
| number | [numberColumn](https://docs.microsoft.com/en-us/graph/api/resources/numbercolumn?view=graph-rest-1.0) | This column stores number values. |
| personOrGroup | [personOrGroupColumn](https://docs.microsoft.com/en-us/graph/api/resources/personorgroupcolumn?view=graph-rest-1.0) | This column stores person or group values. |
| text | [textColumn](https://docs.microsoft.com/en-us/graph/api/resources/textcolumn?view=graph-rest-1.0) | This column stores text values. |
| validation | [columnValidation](https://docs.microsoft.com/en-us/graph/api/resources/columnvalidation?view=graph-rest-1.0) | This column stores the validation formula and message for the column. |
| hyperlinkOrPicture | [hyperlinkOrPictureColumn](https://docs.microsoft.com/en-us/graph/api/resources/hyperlinkorpicturecolumn?view=graph-rest-1.0) | This column stores hyperlink or picture values. |
| term | [termColumn](https://docs.microsoft.com/en-us/graph/api/resources/termcolumn?view=graph-rest-1.0) | This column stores taxonomy terms. |
| thumbnail | [thumbnailColumn](https://docs.microsoft.com/en-us/graph/api/resources/thumbnailcolumn?view=graph-rest-1.0) | This column stores thumbnail values. |
| contentApprovalStatus | [contentApprovalStatusColumn](https://docs.microsoft.com/en-us/graph/api/resources/contentapprovalstatuscolumn?view=graph-rest-1.0) | This column stores content approval status. |

For a complete version of this table, see https://docs.microsoft.com/en-us/graph/api/resources/columndefinition?view=graph-rest-1.0#properties.

### Create List Column

Refer to the table above to get the Type Properties and Column Type input. The type properties are documented within the links in the Type column.

### Get List Items

To use the Filter input, refer to the OData filters section above. The column used to filter the output must be indexed; see https://support.microsoft.com/en-us/office/add-an-index-to-a-list-or-library-column-f3f00554-b7dc-44d1-a2ed-d477eac463b0?ui=en-us&rs=en-us&ad=us to add an index to a list.

## Limitations

When using `$filter` and `$orderby` in the same query to get messages, make sure to specify properties in the following ways:

- Properties that appear in `$orderby` must also appear in `$filter`.
- Properties that appear in `$orderby` are in the same order as in `$filter`.
- Properties that are present in `$orderby` appear in `$filter` before any properties that aren't.

Failing to do this results in the following error:

- Error code: `InefficientFilter`
- Error message: `The restriction or sort order is too complex for this operation.`

The Assign/Remove User License actions require either the disabled plans and accompanying SKU IDs to assign licenses, or the SKU ID of the license you want to remove.

The Get Security Alert action has additional information it can return. There are a large number of fields that don't relate to many alerts, so they are not mapped; you can add them if desired.

## Notes

- https://social.technet.microsoft.com/wiki/contents/articles/33525.an-introduction-to-microsoft-graph-api.aspx
- https://www.microsoft.com/en-us/security/intelligence-security-api
- https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0
- https://docs.microsoft.com/en-us/graph/query-parameters
- https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-beta
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

## Configurations

### Microsoft Graph API Asset Tenant ID

Authenticates using client credentials and tenant ID.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Tenant ID | The tenant ID | string | required |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Scope | List of permission scopes for this action | array | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### Password grant (delegated authentication)

Authenticates on behalf of a user using OAuth 2.0 credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Login URL | The login URL (default https://login.microsoftonline.com) | string | optional |
| Tenant ID | The tenant ID | string | required |
| OAuth UN | The username for authentication | string | required |
| OAuth PWD | The password for authentication | string | required |
| OAuth CL ID | The client ID | string | required |
| OAuth CL Secret | The client secret | string | required |
| Scope | Permission scopes for this action | array | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### OAuth 2.0 client credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Token URL | Must start with https://login.microsoftonline.com/, continue with the tenant ID, and end with /oauth2/v2.0/token | string | required |
| Client ID | The client ID | string | required |
| Client Secret | The client secret | string | required |
| Scope | List of permission scopes for this action | array | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### MS Graph OpenID Connect refresh token grant

Authenticates using a refresh token.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| CL ID | The client ID | string | required |
| CL Secret | The client secret | string | required |
| Refresh Token | Refresh token | string | optional |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Get Threat Assessment

Retrieve detailed insights on a specific threat by supplying an ID to the Microsoft Graph Security API.

- Endpoint URL: `/v1.0/informationProtection/threatAssessmentRequests/{{id}}?$expand=results`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Assessment ID |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| createdDateTime | string | Time value |
| contentType | string | Type of the resource |
| expectedAssessment | string | Output field expectedAssessment |
| category | string | Output field category |
| status | string | Status value |
| requestSource | string | Output field requestSource |
| recipientEmail | string | Output field recipientEmail |
| destinationRoutingReason | string | Response reason phrase |
| contentData | string | Response data |
| createdBy | object | Output field createdBy |
| createdBy.user | object | Output field createdBy.user |
| createdBy.user.id | string | Unique identifier |
| createdBy.user.displayName | string | Name of the resource |
| results@odata.context | string | Response data |
| results | array | Result of the operation |
| results.id | string | Unique identifier |
| results.createdDateTime | string | Result of the operation |
| results.resultType | string | Type of the resource |
| results.message | string | Result of the operation |

Output example (cut off at this point in the source):

```json
{
  "@odata.context": "string",
  "@odata.type": "string",
  "id": "12345678-1234-1234-1234-123456789abc",
  "createdDateTime": "string",
  "contentType": "string",
  "expectedAssessment": "string",
  "category": "string",
  "status": "active",
  "requestSource": "string",
  "recipientEmail": "string",
  "destinationRoutingReason": "string",
  "contentData": "string",
  "createdBy": {"user": {"id": "12345678-1234-1234-1234-123456789abc", "displayName": "example name"}},
  "results@odata.context": "string",
  "results": [{"id": "12345678-1234-1234-1234-1234567
```

### Get Threat Assessment List

Retrieve and analyze threat assessments to enhance security posture using the Microsoft Graph Security API.

- Endpoint URL: `/v1.0/informationProtection/threatAssessmentRequests`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | optional | Use the filter query parameter to retrieve just a subset of a collection. For guidance on using filter, see https://learn.microsoft.com/en-us/graph/filter-query-parameter |
| parameters.orderby | string | optional | Use the orderby query parameter to specify the sort order of the items returned from Microsoft Graph |
| parameters.top | number | optional | Sets the page size of results |

Input example:

```json
{"parameters": {"filter": "string", "orderby": "string", "top": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| value | array | Value for the parameter |
| value.@odata.type | string | Response data |
| value.id | string | Unique identifier |
| value.createdDateTime | string | Value for the parameter |
| value.contentType | string | Type of the resource |
| value.expectedAssessment | string | Value for the parameter |
| value.category | string | Value for the parameter |
| value.status | string | Status value |
| value.requestSource | string | Value for the parameter |
| value.recipientEmail | string | Value for the parameter |
| value.destinationRoutingReason | string | Value for the parameter |
| value.contentData | string | Response data |
| value.createdBy | object | Value for the parameter |
| value.createdBy.user | object | Value for the parameter |

Output example:

```json
{
  "@odata.context": "string",
  "value": [
    {
      "@odata.type": "string",
      "id": "12345678-1234-1234-1234-123456789abc",
      "createdDateTime": "string",
      "contentType": "string",
      "expectedAssessment": "string",
      "category": "string",
      "status": "active",
      "requestSource": "string",
      "recipientEmail": "string",
      "destinationRoutingReason": "string",
      "contentData": "string",
      "createdBy": {}
    }
  ]
}
```

### Delete Threat Intelligence Indicator

Removes a specified threat intelligence indicator from the Microsoft Graph Security API using the unique ID provided.

- Endpoint URL: `/beta/security/tiIndicators/{{id}}`
- Method: DELETE

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Threat intelligence indicator ID |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| error | object | Error message, if any |
| error.code | string | Error message, if any |
| error.message | string | Response message |
| error.innerError | object | Error message, if any |
| error.innerError.date | string | Error message, if any |
| error.innerError.request-id | string | Unique identifier |
| error.innerError.client-request-id | string | Unique identifier |

Output example:

```json
{
  "error": {
    "code": "string",
    "message": "string",
    "innerError": {"date": "2024-01-01T00:00:00Z", "request-id": "string", "client-request-id": "string"}
  }
}
```

### Get Threat Intelligence Indicator

Retrieves a specific threat intelligence indicator from the Microsoft Graph Security API by using the provided unique ID.

- Endpoint URL: `/beta/security/tiIndicators/{{id}}`
- Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Threat intelligence indicator ID |

Input example:

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| id | string | Unique identifier |
| azureTenantId | string | Unique identifier |
| action | string | Output field action |
| additionalInformation | object | Output field additionalInformation |
| activityGroupNames | array | Name of the resource |
| activityGroupNames.file_name | string | Name of the resource |
| activityGroupNames.file | string | Name of the resource |
| confidence | object | Unique identifier |
| description | string | Output field description |
| diamondModel | object | Output field diamondModel |
| emailEncoding | object | Output field emailEncoding |
| emailLanguage | object | Output field emailLanguage |
| emailRecipient | object | Output field emailRecipient |
| emailSenderAddress | object | Output field emailSenderAddress |
| emailSenderName | object | Name of the resource |
| emailSourceDomain | object | Output field emailSourceDomain |
| emailSourceIpAddress | object | Output field emailSourceIpAddress |
| emailSubject | object | Output field emailSubject |
| emailXMailer | object | Output field emailXMailer |
| expirationDateTime | string | Time value |
| externalId | object | Unique identifier |
| fileCompileDateTime | object | Time value |

Output example:

```json
{
  "@odata.context": "string",
  "id": "12345678-1234-1234-1234-123456789abc",
  "azureTenantId": "string",
  "action": "string",
  "additionalInformation": {},
  "activityGroupNames": [{"file_name": "example name", "file": "string"}],
  "confidence": {},
  "description": "string",
  "diamondModel": {},
  "emailEncoding": {},
  "emailLanguage": {},
  "emailRecipient": {},
  "emailSenderAddress": {},
  "emailSenderName": {},
  "emailSourceDomain": {}
}
```

### Get Threat Intelligence Indicators List

Retrieve threat intelligence indicators from the Microsoft Graph Security API for enhanced analysis and threat detection.

- Endpoint URL: `/beta/security/tiIndicators`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.filter | string | optional | Use the filter query parameter to retrieve just a subset of a collection. For guidance on using filter, see https://learn.microsoft.com/en-us/graph/filter-query-parameter |
| parameters.orderby | string | optional | Use the orderby query parameter to specify the sort order of the items returned from Microsoft Graph |
| parameters.top | number | optional | Sets the page size of results |

Input example:

```json
{"parameters": {"filter": "string", "orderby": "string", "top": 123}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| value | array | Value for the parameter |
| value.id | string | Unique identifier |
| value.azureTenantId | string | Unique identifier |
| value.action | string | Value for the parameter |
| value.additionalInformation | object | Value for the parameter |
| value.activityGroupNames | array | Name of the resource |
| value.activityGroupNames.file_name | string | Name of the resource |
| value.activityGroupNames.file | string | Name of the resource |
| value.confidence | object | Unique identifier |
| value.description | string | Value for the parameter |
| value.diamondModel | object | Value for the parameter |
| value.emailEncoding | object | Value for the parameter |
| value.emailLanguage | object | Value for the parameter |
| value.emailRecipient | object | Value for the parameter |
| value.emailSenderAddress | object | Value for the parameter |
| value.emailSenderName | object | Name of the resource |
| value.emailSourceDomain | object | Value for the parameter |
| value.emailSourceIpAddress | object | Value for the parameter |
| value.emailSubject | object | Value for the parameter |
| value.emailXMailer | object | Value for the parameter |
| value.expirationDateTime | string | Value for the parameter |
| value.externalId | object | Unique identifier |

Output example:

```json
{
  "@odata.context": "string",
  "value": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "azureTenantId": "string",
      "action": "string",
      "additionalInformation": {},
      "activityGroupNames": [],
      "confidence": {},
      "description": "string",
      "diamondModel": {},
      "emailEncoding": {},
      "emailLanguage": {},
      "emailRecipient": {},
      "emailSenderAddress": {},
      "emailSenderName": {},
      "emailSourceDomain": {},
      "emailSourceIpAddress": {}
    }
  ]
}
```

### Create Threat Intel Indicator Azure Sentinel

Creates a threat intelligence indicator in Azure Sentinel, including threat type, target product, and TLP level.

- Endpoint URL: `/beta/security/tiIndicators`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| action | string | optional | The action to apply if the indicator is matched from within the targetProduct security tool. Possible values are: unknown, allow, block, alert |
| activityGroupNames | array | optional | The cyber threat intelligence name(s) for the parties responsible for the malicious activity covered by the threat indicator |
| additionalInformation | string | optional | A catchall area into which extra data from the indicator not covered by the other tiIndicator properties may be placed. Data placed into additionalInformation will typically not be utilized by the targetProduct security tool |
| azureTenantId | string | optional | Stamped by the system when the indicator is ingested. The Azure Active Directory tenant ID of the submitting client |
| confidence | number | optional | An integer representing the confidence that the data within the indicator accurately identifies malicious behavior. Acceptable values are 0 to 100, with 100 being the highest |
| description | string | optional | Brief description (100 characters or less) of the threat represented by the indicator |
| diamondModel | string | optional | The area of the Diamond Model in which this indicator exists. Possible values are: unknown, adversary, capability, infrastructure, victim |
| domainName | string | optional | Domain name associated with this indicator. Should be of the format subdomain.domain.topleveldomain (for example, baddomain.domain.net) |
| emailEncoding | string | optional | The type of text encoding used in the email |
| emailLanguage | string | optional | The language of the email |
| emailRecipient | string | optional | Email recipient address |
| emailSenderAddress | string | optional | Email sender address |
| emailSenderName | string | optional | Email sender name |
| emailSourceDomain | string | optional | Parameter for Create Threat Intel Indicator Azure Sentinel |
| emailSourceIpAddress | string | optional | Parameter for Create Threat Intel Indicator Azure Sentinel |
| emailSubject | string | optional | Parameter for Create Threat Intel Indicator Azure Sentinel |
| emailXMailer | string | optional | X-Mailer value used in the email |
| expirationDateTime | string | optional | The timestamp type represents date and time information using ISO 8601 format and is always in UTC time |
| externalId | string | optional | Unique identifier |
| fileCompileDateTime | string | optional | The timestamp type represents date and time information using ISO 8601 format and is always in UTC time |
| fileCreatedDateTime | string | optional | The timestamp type represents date and time information using ISO 8601 format and is always in UTC time |
| fileHashType | string | optional | The type of hash stored in fileHashValue. Possible values are: unknown, sha1, sha256, md5, authenticodeHash256, lsHash, ctph |
| fileHashValue | string | optional | Value for the parameter |
| fileMutexName | string | optional | Name of the resource |
| fileName | string | optional | Name of the resource |

Input example:

```json
{
  "action": "string",
  "activityGroupNames": ["string"],
  "additionalInformation": "string",
  "azureTenantId": "string",
  "confidence": 123,
  "description": "string",
  "diamondModel": "string",
  "domainName": "example name",
  "emailEncoding": "string",
  "emailLanguage": "string",
  "emailRecipient": "string",
  "emailSenderAddress": "string",
  "emailSenderName": "example name",
  "emailSourceDomain": "string",
  "emailSourceIpAddress": "string",
  "emailSubject": "string",
  "emailXMailer": "string",
  "expirationDateTime": "string",
  "externalId": "string",
  "fileCompileDateTime": "string",
  "fileCreatedDateTime": "string",
  "fileHashType": "string",
  "fileHashValue": "string",
  "fileMutexName": "example name",
  "fileName": "example name",
  "filePacker": "string",
  "filePath": "string",
  "fileSize": 123,
  "fileType": "string",
  "isActive": "string",
  "killChain": ["string"],
  "knownFalsePositives": "string",
  "lastReportedDateTime": "string",
  "malwareFamilyNames": "example name",
  "networkCidrBlock": "string",
  "networkDestinationAsn": 123,
  "networkDestinationCidrBlock": "string",
  "networkDestinationIPv4": "string",
  "networkDestinationIPv6": "string",
  "networkDestinationPort": 123,
  "networkIPv4": "string",
  "networkIPv6": "string",
  "networkPort": 123,
  "networkProtocol": 123,
  "networkSourceAsn": 123,
  "networkSourceCidrBlock": "string",
  "networkSourceIPv4": "string",
  "networkSourceIPv6": "string",
  "networkSourcePort": 123,
  "passiveOnly": "string"
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| id | string | Unique identifier |
| azureTenantId | string | Unique identifier |
| action | string | Output field action |
| additionalInformation | object | Output field additionalInformation |
| activityGroupNames | array | Name of the resource |
| activityGroupNames.file_name | string | Name of the resource |
| activityGroupNames.file | string | Name of the resource |
| confidence | object | Unique identifier |
| description | string | Output field description |
| diamondModel | object | Output field diamondModel |
| emailEncoding | object | Output field emailEncoding |
| emailLanguage | object | Output field emailLanguage |
| emailRecipient | object | Output field emailRecipient |
| emailSenderAddress | object | Output field emailSenderAddress |
| emailSenderName | object | Name of the resource |
| emailSourceDomain | object | Output field emailSourceDomain |
| emailSourceIpAddress | object | Output field emailSourceIpAddress |
| emailSubject | object | Output field emailSubject |
| emailXMailer | object | Output field emailXMailer |
| expirationDateTime | string | Time value |
| externalId | object | Unique identifier |
| fileCompileDateTime | object | Time value |

Output example:

```json
{
  "@odata.context": "string",
  "id": "12345678-1234-1234-1234-123456789abc",
  "azureTenantId": "string",
  "action": "string",
  "additionalInformation": {},
  "activityGroupNames": [{"file_name": "example name", "file": "string"}],
  "confidence": {},
  "description": "string",
  "diamondModel": {},
  "emailEncoding": {},
  "emailLanguage": {},
  "emailRecipient": {},
  "emailSenderAddress": {},
  "emailSenderName": {},
  "emailSourceDomain": {}
}
```

### Create Threat Intel Indicator Microsoft Defender

Creates a threat intelligence indicator in Microsoft Defender, specifying its action and active status.

- Endpoint URL: `/beta/security/tiIndicators`
- Method: POST

The input arguments, input example, output parameters and output example are the same as for Create Threat Intel Indicator Azure Sentinel above (the three email* parameters described only as "Parameter for Create Threat Intel Indicator Azure Sentinel" read "Parameter for Create Threat Intel Indicator Microsoft Defender" here).

### Post Threat Assessment Email

Submits an email to Microsoft Graph API for threat assessment, analyzing recipient and attachments for security risks.

- Endpoint URL: `/v1.0/informationProtection/threatAssessmentRequests`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | array | optional | Parameter for Post Threat Assessment Email |
| attachments.contentData | string | optional | Response data |
| recipientEmail | string | optional | The mail recipient whose policies are used to assess the mail |
| expectedAssessment | string | optional | The expected assessment from the submitter. Possible values are: block, unblock |
| category | string | optional | The threat category. Possible values are: spam, phishing, malware |

Input example:

```json
{"attachments": [{"contentData": "string"}], "recipientEmail": "string", "expectedAssessment": "string", "category": "string"}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| error | object | Error message, if any |
| error.code | string | Error message, if any |
| error.message | string | Response message |
| error.innerError | object | Error message, if any |
| error.innerError.date | string | Error message, if any |
| error.innerError.request-id | string | Unique identifier |
| error.innerError.client-request-id | string | Unique identifier |

Output example:

```json
{
  "error": {
    "code": "string",
    "message": "string",
    "innerError": {"date": "2024-01-01T00:00:00Z", "request-id": "string", "client-request-id": "string"}
  }
}
```

### Post Threat Assessment File

Submits a file to Microsoft Graph API for a comprehensive security threat assessment; an attachment is required.

- Endpoint URL: `/v1.0/informationProtection/threatAssessmentRequests`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| attachments | array | optional | Parameter for Post Threat Assessment File |
| attachments.contentData | string | optional | Response data |
| attachments.fileName | string | optional | Name of the resource |
| expectedAssessment | string | optional | The expected assessment from the submitter. Possible values are: block, unblock |
| category | string | optional | The threat category. Possible values are: spam, phishing, malware |

Input example (cut off at this point in the source): `{"attachments": [{"contentData"`
"string","filename" "example name"}],"expectedassessment" "string","category" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} post threat assessment uri submits a uri to microsoft graph api for threat assessment, requiring 'messageuri' and 'recipientemail' in the json body endpoint url /v1 0/informationprotection/threatassessmentrequests method post input argument name type required description messageuri string optional the resource uri of the mail message for assessment recipientemail string optional the mail recipient whose policies are used to assess the mail expectedassessment string optional the expected assessment from the ubmitter possible values are block , unblock category string optional the threat category possible values are spam , phishing , malware input example {"messageuri" "string","recipientemail" "string","expectedassessment" "string","category" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 
00z","request id" "string","client request id" "string"}}} post threat assessment url initiates a security threat assessment for a specified url via microsoft graph api to identify potential risks requires a 'url' in the json body endpoint url /v1 0/informationprotection/threatassessmentrequests method post input argument name type required description url string optional the url string expectedassessment string optional the expected assessment from the ubmitter possible values are block , unblock category string optional the threat category possible values are spam , phishing , malware input example {"url" "https //example com/api/resource","expectedassessment" "string","category" "string"} output parameter type description status code number http status code of the response reason string response reason phrase error object error message if any error code string error message if any error message string response message error innererror object error message if any error innererror date string error message if any error innererror request id string unique identifier error innererror client request id string unique identifier output example {"error" {"code" "string","message" "string","innererror" {"date" "2024 01 01t00 00 00z","request id" "string","client request id" "string"}}} response headers header description example cache control directives for caching mechanisms client request id http response header client request id content encoding http response header content encoding content type the media type of the resource application/json date the date and time at which the message was originated thu, 01 jan 2024 00 00 00 gmt location the url to redirect a page to odata version http response header odata version request id http response header request id strict transport security http response header strict transport security transfer encoding http response header transfer encoding vary http response header vary x ms ags diagnostic http response header x ms ags 
diagnostic
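As an added example (not the connector's or Microsoft's code), the following checks a Create Threat Intel Indicator body against the constraints the input table above states (allowed action, diamondModel and fileHashType values, confidence 0 to 100, description of 100 characters or less, ISO 8601 UTC expiry, domainName format, digest length for md5/sha1/sha256) before it is sent, so a malformed indicator is rejected locally rather than by the API. Function and constant names are my own; targetProduct, threatType and tlpLevel are Graph properties the service requires that the table above does not describe, so they are passed through unchecked.

```python
import re
from datetime import datetime, timedelta, timezone

# Enumerations and limits exactly as the create-indicator input table lists them.
ACTIONS = {"unknown", "allow", "block", "alert"}
DIAMOND_MODEL = {"unknown", "adversary", "capability", "infrastructure", "victim"}
HASH_TYPES = {"unknown", "sha1", "sha256", "md5", "authenticodeHash256", "lsHash", "ctph"}
HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}  # digest lengths in hex characters
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)
# Properties that carry an observable; the service rejects an indicator that has none.
OBSERVABLES = ("domainName", "fileHashValue", "networkIPv4", "networkIPv6", "networkCidrBlock",
               "networkDestinationIPv4", "networkSourceIPv4", "emailSenderAddress", "fileMutexName")


def build_ti_indicator(**fields):
    """Validate a tiIndicator body against the table's constraints and return it ready
    to POST; raise ValueError on the first violation (constructed helper, not the connector's)."""
    if fields.get("action") not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    confidence = fields.get("confidence", 0)
    if isinstance(confidence, bool) or not isinstance(confidence, int) or not 0 <= confidence <= 100:
        raise ValueError("confidence must be an integer from 0 to 100")
    description = fields.get("description", "")
    if not description or len(description) > 100:
        raise ValueError("description is required and must be 100 characters or less")
    if fields.get("diamondModel", "unknown") not in DIAMOND_MODEL:
        raise ValueError(f"diamondModel must be one of {sorted(DIAMOND_MODEL)}")
    # expirationDateTime is ISO 8601 and always UTC; normalise to the trailing-Z form.
    expires = datetime.fromisoformat(fields.get("expirationDateTime", "").replace("Z", "+00:00"))
    if expires.utcoffset() != timedelta(0):
        raise ValueError("expirationDateTime must be an explicit UTC timestamp")
    if expires <= datetime.now(timezone.utc):
        raise ValueError("expirationDateTime is already in the past")
    fields["expirationDateTime"] = expires.strftime("%Y-%m-%dT%H:%M:%SZ")
    if "fileHashValue" in fields:
        hash_type = fields.get("fileHashType")
        if hash_type not in HASH_TYPES:
            raise ValueError(f"fileHashType must accompany fileHashValue; one of {sorted(HASH_TYPES)}")
        want = HEX_LENGTH.get(hash_type)
        if want and not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, fields["fileHashValue"]):
            raise ValueError(f"{hash_type} digest must be {want} hex characters")
    if "domainName" in fields and not DOMAIN_RE.match(fields["domainName"]):
        raise ValueError("domainName must be of the form subdomain.domain.topleveldomain")
    if not any(key in fields for key in OBSERVABLES):
        raise ValueError("an indicator needs at least one observable")
    return fields


if __name__ == "__main__":  # constructed sample values; targetProduct, threatType, tlpLevel pass through unchecked
    print(build_ti_indicator(action="alert", description="Constructed sample sha256 indicator", confidence=80,
                             expirationDateTime="2099-12-31T00:00:00Z", fileHashType="sha256",
                             fileHashValue="ab" * 32, targetProduct="Azure Sentinel",
                             threatType="Malware", tlpLevel="green"))
```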
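As an added example (not the connector's own code), the following builds the request body for each of the four Post Threat Assessment actions using the field names above, base64-encoding raw .eml or file bytes into contentData and enforcing the fields each action's description says it requires, and parses the error envelope from the output examples so a responder can pull out the request-id and client-request-id for correlation. It assumes the connector adds the @odata.type discriminator the Graph service expects; the function names and the sample values are my own.

```python
import base64
import json

# Enumerations from the threat assessment input tables.
CATEGORIES = {"spam", "phishing", "malware"}
EXPECTED = {"block", "unblock"}
# Fields each action's description above says the body must carry, keyed by action kind.
REQUIRED = {"email": ("attachments", "recipientEmail"), "file": ("attachments",),
            "uri": ("messageUri", "recipientEmail"), "url": ("url",)}


def _common(category, expected):
    if category not in CATEGORIES or expected not in EXPECTED:
        raise ValueError(f"category must be one of {sorted(CATEGORIES)} and "
                         f"expectedAssessment one of {sorted(EXPECTED)}")
    return {"category": category, "expectedAssessment": expected}


def assessment_request(kind, category, expected, content=None, **extra):
    """Build the JSON body for one of the four actions. `content` is the raw .eml
    (kind="email") or file bytes (kind="file") and is base64-encoded into contentData."""
    if kind not in REQUIRED:
        raise ValueError(f"kind must be one of {sorted(REQUIRED)}")
    body = _common(category, expected)
    if kind in ("email", "file"):
        if not isinstance(content, (bytes, bytearray)):
            raise ValueError("email and file requests need the raw content as bytes")
        attachment = {"contentData": base64.b64encode(content).decode("ascii")}
        if kind == "file":
            attachment["fileName"] = extra.pop("fileName", "attachment.bin")
        body["attachments"] = [attachment]
    body.update(extra)  # url, messageUri, recipientEmail as supplied by the caller
    missing = [key for key in REQUIRED[kind] if key not in body]
    if missing:
        raise ValueError(f"{kind} request is missing {missing}")
    return body


def triage_error(response_text):
    """Extract the fields a responder needs from the error envelope shown in the
    output examples; return None when the response carries no error object."""
    err = json.loads(response_text).get("error")
    if not err:
        return None
    inner = err.get("innerError", {})
    return {"code": err.get("code"), "message": err.get("message"), "date": inner.get("date"),
            "request_id": inner.get("request-id"), "client_request_id": inner.get("client-request-id")}


if __name__ == "__main__":  # constructed sample values, not real submissions
    print(assessment_request("url", "phishing", "block", url="https://example.com/api/resource"))
    print(assessment_request("file", "malware", "block", b"MZ\x90\x00", fileName="sample.bin"))
    print(triage_error('{"error": {"code": "string", "message": "string", "innerError": '
                       '{"date": "2024-01-01T00:00:00Z", "request-id": "r1", "client-request-id": "c1"}}}'))
```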