Forum Discussion
manthan999
Aug 01, 2022 | Copper Contributor
Category assignment to generated alerts
Microsoft Defender for Cloud Apps allows you to create policies which, when observed in connected apps, generate alerts. These generated alerts have a field named "category". I want to understand how names ...
Michael Shalev
Sep 22, 2022 | Iron Contributor
manthan999 - you should be using the M365 Defender Alerts (aka alerts_v2) API to get more complete Microsoft Defender for Cloud alert evidence.
The property "category" exists for all M365 Defender unified alerts and is populated with "The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework." (from the MS Graph API documentation linked above).
I also recommend reading about the new M365 Defender Alert Evidence, and also using the M365 Defender Incidents API.
Thank you for your question!
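As an added illustration of the approach in the reply above (this is example code written for this page, not code from the poster or from Microsoft): the script below builds an alerts_v2 request that filters unified alerts down to those raised by Defender for Cloud Apps, follows `@odata.nextLink` paging, and tallies the returned alerts by their kill-chain `category`. The endpoint URL and the property names (`category`, `serviceSource`, `incidentId`, `mitreTechniques`, `@odata.nextLink`) are those of the Microsoft Graph alerts_v2 resource; the helper names and the sample response page are assumptions made for the example. The live HTTP call is shown but not executed, since it needs a tenant and a token; the tally runs on a constructed sample page that mirrors the response shape.

```python
"""Added example (not from the original post or Microsoft's samples):
tally Microsoft 365 Defender unified alerts (Graph alerts_v2) by the
kill-chain `category` field, restricted to Defender for Cloud Apps."""
import json
import urllib.request
from collections import Counter
from urllib.parse import urlencode

GRAPH_ALERTS_V2 = "https://graph.microsoft.com/v1.0/security/alerts_v2"


def build_alerts_url(service_source="microsoftDefenderForCloudApps", top=100):
    """Build the alerts_v2 request URL. $filter on serviceSource keeps only
    alerts from the named product; $select trims the payload to the fields a
    category tally needs. Helper name and parameter defaults are assumptions."""
    params = {
        "$filter": f"serviceSource eq '{service_source}'",
        "$select": "id,title,category,severity,serviceSource,incidentId,mitreTechniques",
        "$top": str(top),
    }
    return f"{GRAPH_ALERTS_V2}?{urlencode(params)}"


def fetch_all_alerts(url, access_token):
    """Follow @odata.nextLink until the collection is exhausted.
    Not called below: it needs a live tenant and a bearer token with
    SecurityAlert.Read.All (or equivalent) consent."""
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


# Constructed sample page (ids, titles, incident numbers and techniques are
# made up) in the shape alerts_v2 returns; one of the four alerts is from
# Defender for Endpoint, not Defender for Cloud Apps.
SAMPLE_PAGE = json.loads("""{
  "value": [
    {"id": "da1", "title": "Impossible travel activity", "category": "InitialAccess",
     "severity": "medium", "serviceSource": "microsoftDefenderForCloudApps",
     "incidentId": "1001", "mitreTechniques": ["T1078"]},
    {"id": "da2", "title": "Mass download by a single user", "category": "Exfiltration",
     "severity": "high", "serviceSource": "microsoftDefenderForCloudApps",
     "incidentId": "1002", "mitreTechniques": ["T1530"]},
    {"id": "da3", "title": "Multiple failed login attempts", "category": "CredentialAccess",
     "severity": "low", "serviceSource": "microsoftDefenderForCloudApps",
     "incidentId": "1001", "mitreTechniques": ["T1110"]},
    {"id": "de4", "title": "Suspicious PowerShell command line", "category": "Execution",
     "severity": "high", "serviceSource": "microsoftDefenderForEndpoint",
     "incidentId": "1003", "mitreTechniques": ["T1059.001"]}
  ]
}""")


def tally_by_category(alerts, service_source=None):
    """Count alerts per kill-chain category, optionally for one serviceSource.
    An alert with an empty category is defensively bucketed as 'Unknown'
    rather than dropped, so totals still reconcile with the page size."""
    counts = Counter()
    for alert in alerts:
        if service_source and alert.get("serviceSource") != service_source:
            continue
        counts[alert.get("category") or "Unknown"] += 1
    return dict(counts)


def incidents_for_category(alerts, category):
    """Distinct incidentIds that contain at least one alert of the given category;
    useful for pivoting from a category tally to the Incidents API."""
    return sorted({a["incidentId"] for a in alerts
                   if a.get("category") == category and a.get("incidentId")})


if __name__ == "__main__":
    print(build_alerts_url())
    print(tally_by_category(SAMPLE_PAGE["value"], "microsoftDefenderForCloudApps"))
    print(incidents_for_category(SAMPLE_PAGE["value"], "CredentialAccess"))
```

Filtering on `serviceSource` server-side is what keeps the tally specific to Defender for Cloud Apps policies; without it the same `category` values also arrive from Defender for Endpoint, Identity and Office 365, which is exactly why the unified field is worth reading from alerts_v2 rather than from each product's own API.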