Category assignment to generated alerts


Microsoft Defender for Cloud Apps allows you to create policies which, when observed in connected apps, generate alerts. These generated alerts have a field named "category". I want to understand how names are assigned to the category field of the generated alerts. Is there a predefined list of categories for default policies? For example, there is a default policy called "Suspicious inbox manipulation rule". If this policy triggers an alert, what will be the category for the policy in the alert logs?

1 Reply

@manthan999 - you should be using the M365 Defender Alerts (aka alerts_v2) API to get more complete Microsoft Defender for Cloud alert evidence.
The property "category" exists for all M365 Defender unified alerts and is populated with "The attack kill-chain category that the alert belongs to. Aligned with the MITRE ATT&CK framework." (from the MS Graph API documentation linked above).
I also recommend reading about the new M365 Defender Alert Evidence, and also using the M365 Defender Incidents API.

Thank you for your question!
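An added example, not part of the reply above or any Microsoft sample: it builds the Graph alerts_v2 request the reply recommends and reads the `category` field from a constructed, offline copy of a paginated response. The ids, titles and category values in the sample are made up to show the shape of the data, not what Graph actually returns for these policies.

```python
from collections import Counter

# Constructed sample of a paginated Microsoft Graph alerts_v2 response
# (two pages; all ids, titles, categories and techniques are made-up values).
SAMPLE_PAGES = [
    {
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/alerts_v2?$skiptoken=SAMPLE",
        "value": [
            {"id": "alert-001", "title": "Suspicious inbox manipulation rule",
             "serviceSource": "microsoftDefenderForCloudApps",
             "category": "Persistence", "severity": "medium",
             "mitreTechniques": ["T1137"]},
            {"id": "alert-002", "title": "Impossible travel activity",
             "serviceSource": "microsoftDefenderForCloudApps",
             "category": "InitialAccess", "severity": "medium",
             "mitreTechniques": []},
        ],
    },
    {
        "value": [
            {"id": "alert-003", "title": "Suspicious inbox manipulation rule",
             "serviceSource": "microsoftDefenderForCloudApps",
             "category": "Persistence", "severity": "medium",
             "mitreTechniques": ["T1137"]},
            {"id": "alert-004", "title": "Custom activity policy match",
             "serviceSource": "microsoftDefenderForCloudApps",
             "category": None, "severity": "low",
             "mitreTechniques": []},
        ],
    },
]

def alerts_v2_url(service_source="microsoftDefenderForCloudApps", top=100):
    """Build the Graph v1.0 request that lists unified alerts from one product."""
    return ("https://graph.microsoft.com/v1.0/security/alerts_v2"
            f"?$filter=serviceSource eq '{service_source}'&$top={top}")

def iter_alerts(pages):
    """Walk the alerts in each page of a listing (pages gathered by following @odata.nextLink)."""
    for page in pages:
        yield from page.get("value", [])

def category_counts(pages):
    """Count alerts per kill-chain category; alerts missing a category are flagged."""
    return dict(Counter(a.get("category") or "(uncategorized)" for a in iter_alerts(pages)))

def categories_for_policy(pages, title):
    """Distinct category values observed on alerts raised by one policy (matched by title)."""
    return sorted({a["category"] for a in iter_alerts(pages)
                   if a.get("title") == title and a.get("category")})
```

Point `alerts_v2_url()` at a real tenant (with a token holding SecurityAlert.Read.All) and feed the collected pages to `categories_for_policy()` to see which category a given policy's alerts actually carry.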