Update Alert
## Description

Updates an existing alert in the Microsoft Graph Security API using a specified alert ID and the provided information.

## Endpoint URL

`/v1.0/security/alerts_v2/{{alert_id}}`

## Method

PATCH

## Inputs

- Path parameters (object) – required
  - alert_id (string) – required: ID of the alert.
- JSON body (object) – required
  - assignedTo (string): Owner of the incident, or null if no owner is assigned.
  - determination (string): Specifies the determination of the alert.
  - classification (string): Specifies the classification of the alert.
  - customDetails (string): User-defined custom fields with string values.
  - status (string): Alert lifecycle status (stage).

## Output Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8",
      "Content-Encoding": "gzip",
      "Vary": "Accept-Encoding",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "3763884a-1de2-4f55-a7cd-53a5fda6a36d",
      "client-request-id": "3763884a-1de2-4f55-a7cd-53a5fda6a36d",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"002\",\"RoleInstance\":\"PN2PEPF000005BA\"}}",
      "OData-Version": "4.0",
      "Date": "Fri, 23 May 2025 10:42:13 GMT"
    },
    "reason": "OK",
    "json_body": {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts_v2/$entity",
      "id": "maf25f0fa0-126a-4297-aff6-ae579cb984a3",
      "providerAlertId": "f25f0fa0-126a-4297-aff6-ae579cb984a3",
      "incidentId": "563",
      "status": "new",
      "severity": "medium",
      "classification": "truePositive",
      "determination": null,
      "serviceSource": "microsoftAppGovernance",
      "detectionSource": "appGovernanceDetection",
      "productName": "App Governance",
      "detectorId": "b62ae531-7aa6-4bc8-91b9-49a9be960145",
      "tenantId": "f5d73c4c-bb3d-421b-8bee-424916a4acca",
      "title": "Dormant OAuth app with no recent MS Graph activity",
      "description": "The OAuth application (WindowsDefenderATPSiemConnector) was created in your tenant with high MS Graph privileges and was dormant for extended period of time in the given tenant. The activity is indicative of a dormant app with high scopes which maybe not in active use but has high MS Graph scopes that be misused if compromised. An attacker might be using this app with potential active credentials to start accessing or creating Azure resources for persistence or/and further move laterally in the tenant.\r\n<a href=\"https://security.microsoft.com//app?oauthAppId=29c9ea20-6466-4ddd-8f23-bcd0b9e74bbd\">WindowsDefenderATPSiemConnector</a>",
      "recommendedActions": "1. Contact the users or admins who have created or have granted permissions to the app. Verify if the any changes were intentional and if any excessive privileges are normal.\r\n2. Search the CloudAppEvents table in advanced hunting to understand app activity and identify data accessed by the app. Check affected Azure resources and monitor for any unexpected Azure resource creation, updating or deleteion.\r\n3. Verify whether the app is critical to your organization before considering any containment actions. Deactivate the app using app governance or Entra ID to prevent it from accessing resources.\r\n4. Verify whether the deployed resources are critical to the organization as the dormant app may be reused or its functionality extended as the underlying API activity is showing dormancy.\r\n5. Check affected accounts for suspicious activity. Suspend and reset passwords for all affected accounts and implement credential and account recycling for non-active apps.",
      "category": "suspiciousActivity",
      "assignedTo": "xsoar",
      "alertWebUrl": "https://security.microsoft.com/alerts/maf25f0fa0-126a-4297-aff6-ae579cb984a3?tid=f5d73c4c-bb3d-421b-8bee-424916a4acca",
      "incidentWebUrl": "https://security.microsoft.com/incident2/563/overview?tid=f5d73c4c-bb3d-421b-8bee-424916a4acca",
      "actorDisplayName": null,
      "threatDisplayName": null,
      "threatFamilyName": null,
      "mitreTechniques": ["T1078", "T1078.004"],
      "createdDateTime": "2024-11-25T18:22:38.2566667Z",
      "lastUpdateDateTime": "2025-05-23T10:41:12.25Z",
      "resolvedDateTime": null,
      "firstActivityDateTime": "2024-10-25T02:53:43.273Z",
      "lastActivityDateTime": "2024-10-25T02:56:20.776Z",
      "systemTags": [],
      "alertPolicyId": null,
      "comments": [],
      "customDetails": {},
      "evidence": [
        {
          "@odata.type": "#microsoft.graph.security.oauthApplicationEvidence",
          "createdDateTime": "2024-11-25T18:22:38.35Z",
          "verdict": "unknown",
          "remediationStatus": "none",
          "remediationStatusDetails": null,
          "roles": [],
          "detailedRoles": [],
          "tags": [],
          "appId": "29c9ea20-6466-4ddd-8f23-bcd0b9e74bbd",
          "displayName": "WindowsDefenderATPSiemConnector",
          "objectId": null,
          "publisher": null
        }
      ],
      "additionalData": {}
    }
  }
]
```

## Output Parameters

- status_code (number)
- reason (string)
- json_body (object)
  - @odata.context (string)
  - id (string)
  - providerAlertId (string)
  - incidentId (string)
  - status (string)
  - severity (string)
  - classification (string)
  - determination (object)
  - serviceSource (string)
  - detectionSource (string)
  - productName (string)
  - detectorId (string)
  - tenantId (string)
  - title (string)
  - description (string)
  - recommendedActions (string)
  - category (string)
  - assignedTo (string)
  - alertWebUrl (string)
  - incidentWebUrl (string)
  - actorDisplayName (object)
  - threatDisplayName (object)
  - threatFamilyName (object)
  - mitreTechniques (array)
  - createdDateTime (string)
  - lastUpdateDateTime (string)
  - resolvedDateTime (object)
  - firstActivityDateTime (string)
  - lastActivityDateTime (string)
  - systemTags (array)
  - alertPolicyId (object)
  - comments (array)
  - customDetails (object)
  - evidence (array)
    - @odata.type (string)
    - createdDateTime (string)
    - verdict (string)
    - remediationStatus (string)
    - remediationStatusDetails (object)
    - roles (array)
    - detailedRoles (array)
    - tags (array)
    - appId (string)
    - displayName (string)
    - objectId (object)
    - publisher (object)
  - additionalData (object)
- response_headers

| Header | Type |
| --- | --- |
| Transfer-Encoding | string |
| Content-Type | string |
| Content-Encoding | string |
| Vary | string |
| Strict-Transport-Security | string |
| request-id | string |
| client-request-id | string |
| x-ms-ags-diagnostic | string |
| OData-Version | string |
| Date | string |
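As an added example (not part of this connector's documentation or code), the following Python builds the PATCH request this action sends, rejecting a malformed alert ID, properties outside the five the action documents, and enum values the Graph schema does not accept before anything leaves the host, and then reduces the response body to the fields a triage queue usually shows. The helper names (`build_update_request`, `check_update`, `send_update`, `summarize_alert`), the `<BEARER_TOKEN>` placeholder, the trimmed sample response and the allowed-value sets are assumptions of the example; the enum values come from the Microsoft Graph alertStatus, alertClassification and alertDetermination definitions rather than from this page.

```python
# Added example: build, validate and summarize a Graph Security alerts_v2 PATCH.
# Not the connector's own code. Assumes the route from the page, a placeholder
# bearer token, and enum value sets taken from the Microsoft Graph schema.
import json
import re
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com"
ALERTS_V2_PATH = "/v1.0/security/alerts_v2/"

# The five properties this action documents as patchable.
PATCHABLE = {"assignedTo", "determination", "classification", "customDetails", "status"}

# Assumption: values of the Graph alertStatus / alertClassification /
# alertDetermination enums (unknownFutureValue omitted; a client never sends it).
ALLOWED = {
    "status": {"unknown", "new", "inProgress", "resolved"},
    "classification": {"unknown", "falsePositive", "truePositive",
                       "informationalExpectedActivity"},
    "determination": {"unknown", "apt", "malware", "securityPersonnel",
                      "securityTesting", "unwantedSoftware", "other",
                      "multiStagedAttack", "compromisedUser", "phishing",
                      "maliciousUserActivity", "clean", "insufficientData",
                      "confirmedUserActivity", "lineOfBusinessApplication"},
}

# Only URL-safe characters may go into the path, so an id taken from playbook
# input cannot splice "/" or "?" into the route.
_ALERT_ID_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def build_update_request(alert_id, changes):
    """Return (method, url, headers, body) for a validated PATCH, or raise ValueError."""
    if not isinstance(alert_id, str) or not _ALERT_ID_RE.match(alert_id):
        raise ValueError(f"invalid alert id: {alert_id!r}")
    if not changes:
        raise ValueError("nothing to update")
    unknown = set(changes) - PATCHABLE
    if unknown:
        raise ValueError(f"not patchable via this action: {sorted(unknown)}")
    for key, allowed in ALLOWED.items():
        value = changes.get(key)
        if key in changes and value is not None and value not in allowed:
            raise ValueError(f"{key}={value!r} not in {sorted(allowed)}")
    details = changes.get("customDetails")
    if details is not None and not (isinstance(details, dict)
                                    and all(isinstance(v, str) for v in details.values())):
        raise ValueError("customDetails must map names to string values")
    headers = {
        "Authorization": "Bearer <BEARER_TOKEN>",  # placeholder, not a real token
        "Content-Type": "application/json",
    }
    return "PATCH", GRAPH_BASE + ALERTS_V2_PATH + alert_id, headers, json.dumps(changes).encode()


def check_update(alert_id, changes):
    """None when the update would be sent; otherwise the validation message."""
    try:
        build_update_request(alert_id, changes)
    except ValueError as exc:
        return str(exc)
    return None


def send_update(alert_id, changes, opener=urllib.request.urlopen):
    """Perform the PATCH and return the decoded alert (network call; not exercised offline)."""
    method, url, headers, body = build_update_request(alert_id, changes)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with opener(req) as resp:
        return json.load(resp)


def summarize_alert(alert):
    """Reduce an alerts_v2 body to the fields a triage queue usually displays."""
    return {
        "id": alert.get("id"),
        "incidentId": alert.get("incidentId"),
        "status": alert.get("status"),
        "classification": alert.get("classification"),
        "determination": alert.get("determination"),
        "assignedTo": alert.get("assignedTo"),
        "mitreTechniques": list(alert.get("mitreTechniques") or []),
        "evidenceTypes": [e.get("@odata.type") for e in alert.get("evidence") or []],
    }


# Constructed sample, trimmed from the page's output example.
SAMPLE_ALERT = {
    "id": "maf25f0fa0-126a-4297-aff6-ae579cb984a3",
    "incidentId": "563",
    "status": "new",
    "classification": "truePositive",
    "determination": None,
    "assignedTo": "xsoar",
    "mitreTechniques": ["T1078", "T1078.004"],
    "evidence": [{"@odata.type": "#microsoft.graph.security.oauthApplicationEvidence"}],
}

if __name__ == "__main__":
    method, url, _, body = build_update_request(
        SAMPLE_ALERT["id"], {"status": "inProgress", "assignedTo": "xsoar"})
    print(method, url, body.decode())
    print(summarize_alert(SAMPLE_ALERT))
```

Validating before the call matters because Graph answers an unsupported property or enum value with a 400 that a playbook then has to retry or route to a human; `check_update` lets the playbook surface the reason without making the request. `send_update` is the only function that touches the network and takes an `opener` argument so it can be exercised against a stub.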