Forum Discussion
Category assignment to generated alerts
Microsoft defender for cloud apps allows to create policies which when observed in connected apps, generate alerts. These generated alerts have field named "category". I want to understand how names are assigned to this category field of the generated alerts. Is there predefined list of categories for default policies? For example there is default policy called "Suspicious inbox manipulation rule". If this policy triggers an alert then what will be the category for the policy in alert logs?
- Michael Shalev
Microsoft
manthan999 - you should be using the M365 Defender Alerts (aka alerts_v2) API to get more complete Microsoft Defender for Cloud alert evidence.
The property "category" exists for all M365 Defender unified alerts and is populated with "The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework." (from the MS Graph API documentation linked above).
I also recommend reading about the new M365 Defender Alert Evidence, and also using the M365 Defender Incidents API.Thank you for your question!
