diff --git a/api-reference/beta/api/backuprestoreroot-post-serviceapps.md b/api-reference/beta/api/backuprestoreroot-post-serviceapps.md index 8c2b67aad59..8aa29225951 100644 --- a/api-reference/beta/api/backuprestoreroot-post-serviceapps.md +++ b/api-reference/beta/api/backuprestoreroot-post-serviceapps.md @@ -44,7 +44,7 @@ POST /solutions/backupRestore/serviceApps ## Request body -Do not supply a request body for this method. +In the request body, supply an empty JSON object `{}` for this method. ## Response 
@@ -55,7 +55,7 @@ If successful, this method returns a `201 Created` response code and a [serviceA ### Request The following example shows a request. -# [HTTP](#tab/http) + ``` http POST https://graph.microsoft.com/beta/solutions/backupRestore/serviceApps -``` - -# [C#](#tab/csharp) -[!INCLUDE [sample-code](../includes/snippets/csharp/create-serviceapp-csharp-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [CLI](#tab/cli) -[!INCLUDE [sample-code](../includes/snippets/cli/create-serviceapp-cli-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Go](#tab/go) -[!INCLUDE [sample-code](../includes/snippets/go/create-serviceapp-go-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Java](#tab/java) -[!INCLUDE [sample-code](../includes/snippets/java/create-serviceapp-java-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [JavaScript](#tab/javascript) -[!INCLUDE [sample-code](../includes/snippets/javascript/create-serviceapp-javascript-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] +Content-type: application/json -# [PHP](#tab/php) -[!INCLUDE [sample-code](../includes/snippets/php/create-serviceapp-php-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Python](#tab/python) -[!INCLUDE [sample-code](../includes/snippets/python/create-serviceapp-python-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - ---- +{ +} +``` ### Response diff --git a/api-reference/beta/api/security-incident-get.md b/api-reference/beta/api/security-incident-get.md index 6eb76335d01..eac6c21899d 100644 --- a/api-reference/beta/api/security-incident-get.md +++ b/api-reference/beta/api/security-incident-get.md 
@@ -130,25 +130,26 @@ Content-type: application/json "status": "Active", "severity": "Medium", "customTags": [ - "Demo" + "Demo" ], "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } ], - "systemTags" : [ + "systemTags": [ "Defender Experts" ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", - "recommendedActions" : "Immediate Recommendations:  1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . ...", - "recommendedHuntingQueries" : [ + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", + "recommendedActions": "Immediate Recommendations:  1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . 
...", + "recommendedHuntingQueries": [ { - "kqlText" : "AlertInfo  | where Timestamp >= datetime(2022-10-20 06:00:52.9644915)  | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId  | distinct DeviceId" + "kqlText": "AlertInfo | where Timestamp >= datetime(2022-10-20 06:00:52.9644915) | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId | distinct DeviceId" } ], - "lastModifiedBy": "DavidS@contoso.onmicrosoft.com" + "lastModifiedBy": "DavidS@contoso.onmicrosoft.com", + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." } ``` diff --git a/api-reference/beta/api/security-incident-update.md b/api-reference/beta/api/security-incident-update.md index b54286a5244..755937c2fe5 100644 --- a/api-reference/beta/api/security-incident-update.md +++ b/api-reference/beta/api/security-incident-update.md 
@@ -48,10 +48,10 @@ PATCH /security/incidents/{incidentId} |:---|:---|:---| |assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.| |classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.| +|customTags|String collection|Array of custom tags associated with an incident.| |determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `notMalicious`, `notEnoughDataToValidate`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.| |status|microsoft.graph.security.incidentStatus|The status of the incident. Possible values are: `active`, `resolved`, `redirected`, `unknownFutureValue`.| -|customTags|String collection|Array of custom tags associated with an incident.| - +|summary|String|The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.| ## Response 
@@ -144,25 +144,26 @@ Content-Type: application/json "status": "Active", "severity": "Medium", "customTags": [ - "Demo" + "Demo" ], "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } ], - "systemTags" : [ + "systemTags": [ "Defender Experts" ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", - "recommendedActions" : "Immediate Recommendations: 1. Block untrusted and unsigned processes that run from USB (ASR Rule) 2. Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . ...", - "recommendedHuntingQueries" : [ + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", + "recommendedActions": "Immediate Recommendations: 1. Block untrusted and unsigned processes that run from USB (ASR Rule) 2. Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . 
...", + "recommendedHuntingQueries": [ { - "kqlText" : "//Run this query to identify the devices having Raspberry Robin worm alerts AlertInfo | where Timestamp >= datetime(2022-10-20 06:00:52.9644915) | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId | distinct DeviceId" + "kqlText": "//Run this query to identify the devices having Raspberry Robin worm alerts AlertInfo | where Timestamp >= datetime(2022-10-20 06:00:52.9644915) | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId | distinct DeviceId" } - ] + ], + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." } ``` diff --git a/api-reference/beta/api/security-list-incidents.md b/api-reference/beta/api/security-list-incidents.md index 7a6f41192ff..cca0de91a71 100644 --- a/api-reference/beta/api/security-list-incidents.md +++ b/api-reference/beta/api/security-list-incidents.md 
@@ -142,44 +142,45 @@ HTTP/1.1 200 OK Content-Type: application/json { - "value": [ - { - "@odata.type": "#microsoft.graph.security.incident", - "id": "2972395", - "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", - "redirectIncidentId": null, - "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", - "createdDateTime": "2021-08-13T08:43:35.5533333Z", - "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", - "assignedTo": "KaiC@contoso.com", - "classification": "TruePositive", - "determination": "MultiStagedAttack", - "status": "Active", - "severity": "Medium", - "customTags": [ - "Demo" - ], - "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } - ], - "systemTags" : [ - "Defender Experts" - ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", - "recommendedActions" : "Immediate Recommendations: 1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . 
...", - "recommendedHuntingQueries" : [ - { - "@odata.type": "#microsoft.graph.security.recommendedHuntingQuery", - "kqlText" : "AlertInfo  | where Timestamp >= datetime(2022-10-20 06:00:52.9644915)  | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId  | distinct DeviceId" - } - ] - } - ] + "value": [ + { + "@odata.type": "#microsoft.graph.security.incident", + "id": "2972395", + "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", + "redirectIncidentId": null, + "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", + "createdDateTime": "2021-08-13T08:43:35.5533333Z", + "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", + "assignedTo": "KaiC@contoso.com", + "classification": "TruePositive", + "determination": "MultiStagedAttack", + "status": "Active", + "severity": "Medium", + "customTags": [ + "Demo" + ], + "comments": [ + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } + ], + "systemTags": [ + "Defender Experts" + ], + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", + "recommendedActions": "Immediate Recommendations: 1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . 
...", + "recommendedHuntingQueries": [ + { + "@odata.type": "#microsoft.graph.security.recommendedHuntingQuery", + "kqlText": "AlertInfo  | where Timestamp >= datetime(2022-10-20 06:00:52.9644915)  | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId  | distinct DeviceId" + } + ], + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." + } + ] } ``` 
@@ -250,199 +251,200 @@ HTTP/1.1 200 OK Content-Type: application/json { - "value": [ - { - "@odata.type": "#microsoft.graph.security.incident", - "id": "2972395", - "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", - "redirectIncidentId": null, - "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", - "createdDateTime": "2021-08-13T08:43:35.5533333Z", - "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", - "assignedTo": "KaiC@contoso.com", - "classification": "truePositive", - "determination": "multiStagedAttack", - "status": "active", - "severity": "medium", - "tags": [ - "Demo" - ], - "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } - ], - "systemTags" : [ - "Defender Experts" - ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", - "recommendedActions" : "Immediate Recommendations:  1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . 
...", - "recommendedHuntingQueries" : [ - { - "@odata.type": "#microsoft.graph.security.recommendedHuntingQuery", - "kqlText" : "//Run this query to identify the devices having Raspberry Robin worm alerts AlertInfo  | where Timestamp >= datetime(2022-10-20 06:00:52.9644915)  | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId  | distinct DeviceId" - } - ], - "alerts": [ - { - "@odata.type": "#microsoft.graph.security.alert", - "id": "da637551227677560813_-961444813", - "providerAlertId": "da637551227677560813_-961444813", - "incidentId": "28282", - "status": "new", - "severity": "low", - "classification": "unknown", - "determination": "unknown", - "serviceSource": "microsoftDefenderForEndpoint", - "detectionSource": "antivirus", - "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756", - "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "title": "Suspicious execution of hidden file", - "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.", - "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. 
In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.", - "category": "DefenseEvasion", - "assignedTo": null, - "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "actorDisplayName": null, - "threatDisplayName": null, - "threatFamilyName": null, - "mitreTechniques": [ - "T1564.001" - ], - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z", - "resolvedDateTime": null, - "firstActivityDateTime": "2021-04-26T07:45:50.116Z", - "lastActivityDateTime": "2021-05-02T07:56:58.222Z", - "comments": [], - "evidence": [ - { - "@odata.type": "#microsoft.graph.security.deviceEvidence", - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z", - "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", - "azureAdDeviceId": null, - "deviceDnsName": "tempDns", - "osPlatform": "Windows10", - "osBuild": 22424, - "version": "Other", - "healthStatus": "active", - "riskScore": "medium", - "rbacGroupId": 75, - "rbacGroupName": "UnassignedGroup", - "onboardingStatus": "onboarded", - "defenderAvStatus": "unknown", - "ipInterfaces": [ - "1.1.1.1" - ], - "loggedOnUsers": [], - "roles": [ - "compromised" - ], - "detailedRoles": [ - "Main device" - ], - "tags": [ - "Test Machine" - ], - "vmMetadata": { - "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78", - "cloudProvider": "azure", - "resourceId": 
"/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests", - "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161" - } - }, - { - "@odata.type": "#microsoft.graph.security.fileEvidence", - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - "detectionStatus": "detected", - "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", - "roles": [], - "detailedRoles": [ - "Referred in command line", - ], - "tags": [], - "fileDetails": { - "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", - "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", - "fileName": "MsSense.exe", - "filePath": "C:\\Program Files\\temp", - "fileSize": 6136392, - "filePublisher": "Microsoft Corporation", - "signer": null, - "issuer": null - } - }, - { - "@odata.type": "#microsoft.graph.security.processEvidence", - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - "processId": 4780, - "parentProcessId": 668, - "processCommandLine": "\"MsSense.exe\"", - "processCreationDateTime": "2021-08-12T12:43:19.0772577Z", - "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z", - "detectionStatus": "detected", - "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", - "roles": [], - "detailedRoles": [], - "tags": [], - "imageFile": { - "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", - "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", - "fileName": "MsSense.exe", - "filePath": "C:\\Program Files\\temp", - "fileSize": 6136392, - "filePublisher": "Microsoft Corporation", - "signer": null, - "issuer": null + "value": [ + { + "@odata.type": "#microsoft.graph.security.incident", + "id": "2972395", + "incidentWebUrl": 
"https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", + "redirectIncidentId": null, + "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", + "createdDateTime": "2021-08-13T08:43:35.5533333Z", + "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", + "assignedTo": "KaiC@contoso.com", + "classification": "truePositive", + "determination": "multiStagedAttack", + "status": "active", + "severity": "medium", + "tags": [ + "Demo" + ], + "comments": [ + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } + ], + "systemTags": [ + "Defender Experts" + ], + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", + "recommendedActions": "Immediate Recommendations:  1.    Block untrusted and unsigned processes that run from USB (ASR Rule) 2.    Verify if the ASR rule is turned on for the devices and evaluate whether the ASR . 
...", + "recommendedHuntingQueries": [ + { + "@odata.type": "#microsoft.graph.security.recommendedHuntingQuery", + "kqlText": "//Run this query to identify the devices having Raspberry Robin worm alerts AlertInfo  | where Timestamp >= datetime(2022-10-20 06:00:52.9644915)  | where Title == 'Potential Raspberry Robin worm command' | join AlertEvidence on AlertId  | distinct DeviceId" + } + ], + "alerts": [ + { + "@odata.type": "#microsoft.graph.security.alert", + "id": "da637551227677560813_-961444813", + "providerAlertId": "da637551227677560813_-961444813", + "incidentId": "28282", + "status": "new", + "severity": "low", + "classification": "unknown", + "determination": "unknown", + "serviceSource": "microsoftDefenderForEndpoint", + "detectionSource": "antivirus", + "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756", + "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "title": "Suspicious execution of hidden file", + "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.", + "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. 
In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.", + "category": "DefenseEvasion", + "assignedTo": null, + "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "actorDisplayName": null, + "threatDisplayName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1564.001" + ], + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z", + "resolvedDateTime": null, + "firstActivityDateTime": "2021-04-26T07:45:50.116Z", + "lastActivityDateTime": "2021-05-02T07:56:58.222Z", + "comments": [], + "evidence": [ + { + "@odata.type": "#microsoft.graph.security.deviceEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z", + "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", + "azureAdDeviceId": null, + "deviceDnsName": "tempDns", + "osPlatform": "Windows10", + "osBuild": 22424, + "version": "Other", + "healthStatus": "active", + "riskScore": "medium", + "rbacGroupId": 75, + "rbacGroupName": "UnassignedGroup", + "onboardingStatus": "onboarded", + "defenderAvStatus": "unknown", + "ipInterfaces": [ + "1.1.1.1" + ], + "loggedOnUsers": [], + "roles": [ + "compromised" + ], + "detailedRoles": [ + "Main device" + ], + "tags": [ + "Test Machine" + ], + "vmMetadata": { + "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78", + "cloudProvider": "azure", + "resourceId": 
"/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests", + "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161" + } + }, + { + "@odata.type": "#microsoft.graph.security.fileEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "detectionStatus": "detected", + "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", + "roles": [], + "detailedRoles": [ + "Referred in command line" + ], + "tags": [], + "fileDetails": { + "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", + "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", + "fileName": "MsSense.exe", + "filePath": "C:\\Program Files\\temp", + "fileSize": 6136392, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + } }, - "parentProcessImageFile": { - "sha1": null, - "sha256": null, - "fileName": "services.exe", - "filePath": "C:\\Windows\\System32", - "fileSize": 731744, - "filePublisher": "Microsoft Corporation", - "signer": null, - "issuer": null + { + "@odata.type": "#microsoft.graph.security.processEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "processId": 4780, + "parentProcessId": 668, + "processCommandLine": "\"MsSense.exe\"", + "processCreationDateTime": "2021-08-12T12:43:19.0772577Z", + "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z", + "detectionStatus": "detected", + "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", + "roles": [], + "detailedRoles": [], + "tags": [], + "imageFile": { + "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", + "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", + "fileName": "MsSense.exe", + "filePath": "C:\\Program Files\\temp", + "fileSize": 6136392, + "filePublisher": 
"Microsoft Corporation", + "signer": null, + "issuer": null + }, + "parentProcessImageFile": { + "sha1": null, + "sha256": null, + "fileName": "services.exe", + "filePath": "C:\\Windows\\System32", + "fileSize": 731744, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "userAccount": { + "accountName": "SYSTEM", + "domainName": "NT AUTHORITY", + "userSid": "S-1-5-18", + "azureAdUserId": null, + "userPrincipalName": null + } }, - "userAccount": { - "accountName": "SYSTEM", - "domainName": "NT AUTHORITY", - "userSid": "S-1-5-18", - "azureAdUserId": null, - "userPrincipalName": null + { + "@odata.type": "#microsoft.graph.security.registryKeyEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER", + "registryHive": "HKEY_LOCAL_MACHINE", + "roles": [], + "detailedRoles": [], + "tags": [] } - }, - { - "@odata.type": "#microsoft.graph.security.registryKeyEvidence", - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER", - "registryHive": "HKEY_LOCAL_MACHINE", - "roles": [], - "detailedRoles": [], - "tags": [], - } - ] - } - ] - } - ] + ] + } + ], + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." + } + ] } ``` diff --git a/api-reference/beta/includes/sharepoint-embedded-app-driveitem-permissions.md b/api-reference/beta/includes/sharepoint-embedded-app-driveitem-permissions.md index 5849f38ccc2..3f502350e85 100644 --- a/api-reference/beta/includes/sharepoint-embedded-app-driveitem-permissions.md +++ b/api-reference/beta/includes/sharepoint-embedded-app-driveitem-permissions.md 
@@ -7,4 +7,4 @@ ms.topic: include > [!Note] > SharePoint Embedded requires the `FileStorageContainer.Selected` permission to access the content of the container. This permission is different from the ones mentioned previously. For more information, see [SharePoint Embedded authentication and authorization](/sharepoint/dev/embedded/concepts/app-concepts/auth#access-on-behalf-of-a-user). -> [!INCLUDE [app-permissions](../includes/sharepoint-embedded-app-permissions.md)] +> In addition to Microsoft Graph permissions, your app must have the necessary container type-level permission or permissions to call this API. For more information, see [container types](/sharepoint/dev/embedded/concepts/app-concepts/containertypes). To learn more about container type-level permissions, see [SharePoint Embedded authorization](/sharepoint/dev/embedded/concepts/app-concepts/auth#Authorization). diff --git a/api-reference/beta/includes/sharepoint-embedded-app-permissions.md b/api-reference/beta/includes/sharepoint-embedded-app-permissions.md index 7f1565cd349..1beafbf9d23 100644 --- a/api-reference/beta/includes/sharepoint-embedded-app-permissions.md +++ b/api-reference/beta/includes/sharepoint-embedded-app-permissions.md 
@@ -5,4 +5,5 @@ ms.subservice: "onedrive" ms.topic: include --- ->In addition to Microsoft Graph permissions, your app must have the necessary container type-level permission or permissions to call this API. For more information, see [container types](/sharepoint/dev/embedded/concepts/app-concepts/containertypes). To learn more about container type-level permissions, see [SharePoint Embedded authorization](/sharepoint/dev/embedded/concepts/app-concepts/auth#Authorization). +> [!Note] +> In addition to Microsoft Graph permissions, your app must have the necessary container type-level permission or permissions to call this API. For more information, see [container types](/sharepoint/dev/embedded/concepts/app-concepts/containertypes). To learn more about container type-level permissions, see [SharePoint Embedded authorization](/sharepoint/dev/embedded/concepts/app-concepts/auth#Authorization). diff --git a/api-reference/beta/resources/channelsummary.md b/api-reference/beta/resources/channelsummary.md index bbd3c01bdbe..b545cacbac4 100644 --- a/api-reference/beta/resources/channelsummary.md +++ b/api-reference/beta/resources/channelsummary.md @@ -2,7 +2,7 @@ title: "channelSummary resource type" description: "Contains information about a channel in Microsoft Teams, including numbers of guests, members, and owners, and whether the channel includes members from other tenants." ms.localizationpriority: medium -author: "sonalikallanimicrosoft" +author: "rupanshoo" ms.subservice: "teams" doc_type: resourcePageType --- diff --git a/api-reference/beta/resources/group.md b/api-reference/beta/resources/group.md index 6a389f72e43..77d95d056a8 100644 --- a/api-reference/beta/resources/group.md +++ b/api-reference/beta/resources/group.md 
@@ -57,9 +57,9 @@ This resource supports: | [Renew](../api/group-renew.md) | Boolean | Renews a group's expiration. When a group is renewed, the group expiration is extended by the number of days defined in the policy. | | [Validate properties](../api/group-validateproperties.md) | JSON | Validate a Microsoft 365 group's display name or mail nickname that complies with naming policies. | | **App role assignments** | | | -| [List app role assignments](../api/group-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles to which this group has been assigned. | -| [Add app role assignment](../api/group-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to this group. | -| [Remove app role assignment](../api/group-delete-approleassignments.md) | None. | Remove an app role assignment from this group. | +| [List](../api/group-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles to which this group has been assigned. | +| [Add](../api/group-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to this group. | +| [Remove](../api/group-delete-approleassignments.md) | None. | Remove an app role assignment from this group. | | **Calendar** | | | | [Get calendar](../api/calendar-get.md) | [calendar](calendar.md) | Get the group's calendar. | | [Update calendar](../api/calendar-update.md) | None | Update the group's calendar. | 
@@ -99,29 +99,29 @@ This resource supports: | [Get drive](../api/drive-get.md) | [drive](drive.md) | Retrieve the properties and relationships of a Drive resource. | | [List children](../api/driveitem-list-children.md) | [driveItem](driveitem.md) collection | Return a collection of **driveItem** objects in the children relationship of a **driveItem**. | | **Group settings** | | | -| [List settings](../api/group-list-settings.md) | [directorySetting](directorysetting.md) collection | List properties of all setting objects. | -| [Create setting](../api/group-post-settings.md) | [directorySetting](directorysetting.md) | Create a setting object based on a directorySettingTemplate. The POST request must provide settingValues for all the settings defined in the template. Only groups specific templates may be used for this operation. | -| [Get setting](../api/directorysetting-get.md) | [directorySetting](directorysetting.md) | Read properties of a specific setting object. | -| [Update setting](../api/directorysetting-update.md) | None | Update a setting object. | -| [Delete setting](../api/directorysetting-delete.md) | None | Delete a setting object. | +| [List](../api/group-list-settings.md) | [directorySetting](directorysetting.md) collection | List properties of all setting objects. | +| [Create](../api/group-post-settings.md) | [directorySetting](directorysetting.md) | Create a setting object based on a directorySettingTemplate. The POST request must provide settingValues for all the settings defined in the template. Only groups specific templates may be used for this operation. | +| [Get](../api/directorysetting-get.md) | [directorySetting](directorysetting.md) | Read properties of a specific setting object. | +| [Update](../api/directorysetting-update.md) | None | Update a setting object. | +| [Delete](../api/directorysetting-delete.md) | None | Delete a setting object. 
| | [List setting templates](../api/directorysettingtemplate-list.md) | None | List properties of all setting templates. | | [Get setting template](../api/directorysettingtemplate-get.md) | None | Read properties of a setting template. | | **Notes** | | | | [List notebooks](../api/onenote-list-notebooks.md) | [notebook](notebook.md) collection | Retrieve a list of notebook objects. | | [Create notebook](../api/onenote-post-notebooks.md) | [notebook](notebook.md) | Create a new OneNote notebook. | | **Password-based single sign-on credentials** | | | -| [Get credentials](../api/group-getpasswordsinglesignoncredentials.md) | [passwordSingleSignOnCredentialSet](../resources/passwordsinglesignoncredentialset.md) collection | Get the list of password-based single sign-on credentials for this group. Passwords are never returned, and instead are always returned as null. | -| [Delete credentials](../api/group-deletepasswordsinglesignoncredentials.md) | None | Delete password-based single sign-on credential for a given service principal that is associated to this group. | +| [Get](../api/group-getpasswordsinglesignoncredentials.md) | [passwordSingleSignOnCredentialSet](../resources/passwordsinglesignoncredentialset.md) collection | Get the list of password-based single sign-on credentials for this group. Passwords are never returned, and instead are always returned as null. | +| [Delete](../api/group-deletepasswordsinglesignoncredentials.md) | None | Delete password-based single sign-on credential for a given service principal that is associated to this group. | name. | -| **Photo** | | | -| [Get profile photo](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | -| [Update profile photo](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant including the signed-in user, or the specified group or contact. 
| -| [Delete profile photo](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant including the signed-in user or the specified group. | +| **Profile photo** | | | +| [Get](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | +| [Update](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant including the signed-in user, or the specified group or contact. | +| [Delete](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant including the signed-in user or the specified group. | | **Planner** | | | | [List plans](../api/plannergroup-list-plans.md) | [plannerPlan](plannerplan.md) collection | Get plans assigned to the group. | | **Posts** | | | -| [List posts](../api/conversationthread-list-posts.md) | [post](post.md) collection | Get posts in a conversation thread. | -| [Get post](../api/post-get.md) | [post](post.md) | Get a specific post. | +| [List](../api/conversationthread-list-posts.md) | [post](post.md) collection | Get posts in a conversation thread. | +| [Get](../api/post-get.md) | [post](post.md) | Get a specific post. | | [Reply to post](../api/post-reply.md) | None | Reply to a post. | | [Forward post](../api/post-forward.md) | None | Forward a post. | | **Other group resources** | | | diff --git a/api-reference/beta/resources/protectionpolicybase.md b/api-reference/beta/resources/protectionpolicybase.md index 5615d98f3ed..3529a10111c 100644 --- a/api-reference/beta/resources/protectionpolicybase.md +++ b/api-reference/beta/resources/protectionpolicybase.md @@ -1,5 +1,5 @@ --- -title: "protectionPolicyBase resource" +title: "protectionPolicyBase resource type" description: "Contains details about protection policies applied to Microsoft 365 data." author: "tushar20" ms.reviewer: "manikantsinghms" 
@@ -9,7 +9,7 @@ doc_type: resourcePageType toc.title: Protection policy --- -# protectionPolicyBase resource +# protectionPolicyBase resource type Namespace: microsoft.graph @@ -17,7 +17,7 @@ Namespace: microsoft.graph Contains details about protection policies applied to Microsoft 365 data in an organization. Protection policies are defined by the Global Admin (or the SharePoint Online Admin or Exchange Online Admin) and include what data to protect, when to protect it, and for what time period to retain the protected data for a single Microsoft 365 service. -This is the base type for [sharePointProtectionPolicy](../resources/sharepointprotectionpolicy.md), [exchangeProtectionPolicy](../resources/exchangeprotectionpolicy.md), and [onedriveForBusinessProtectionPolicy](../resources/onedriveforbusinessprotectionpolicy.md). +Base type for [sharePointProtectionPolicy](../resources/sharepointprotectionpolicy.md), [exchangeProtectionPolicy](../resources/exchangeprotectionpolicy.md), and [onedriveForBusinessProtectionPolicy](../resources/onedriveforbusinessprotectionpolicy.md). ## Methods @@ -50,7 +50,7 @@ This is the base type for [sharePointProtectionPolicy](../resources/sharepointpr |activeWithErrors | Some units are protected and others are unprotected.| |inactive | All units are unprotected.| |updating | Some or all units are in a `protectRequested`, `unprotectRequested`, or `removeRequested` state.| -|unknownFutureValue | Evolvable enumeration sentinel value. Do not use.| +|unknownFutureValue | Evolvable enumeration sentinel value. Don't use.| ## Relationships None. diff --git a/api-reference/beta/resources/protectionrulebase.md b/api-reference/beta/resources/protectionrulebase.md index 1df750dbd9d..f8bfe8e7658 100644 --- a/api-reference/beta/resources/protectionrulebase.md +++ b/api-reference/beta/resources/protectionrulebase.md 
@@ -9,7 +9,7 @@ doc_type: resourcePageType toc.title: Protection rule --- -# protectionRuleBase resource +# protectionRuleBase resource type Namespace: microsoft.graph @@ -77,4 +77,4 @@ The following JSON representation shows the resource type. }, "isAutoApplyEnabled": "Boolean" } -``` \ No newline at end of file +``` diff --git a/api-reference/beta/resources/security-incident.md b/api-reference/beta/resources/security-incident.md index 98075daf967..bd6d03828be 100644 --- a/api-reference/beta/resources/security-incident.md +++ b/api-reference/beta/resources/security-incident.md @@ -1,7 +1,6 @@ --- title: "incident resource type" description: "An incident in Microsoft 365 Defender is a collection of correlated alerts and associated metadata that reflects the story of an attack." -ms.date: 09/09/2021 author: "BenAlfasi" ms.localizationpriority: medium ms.subservice: "security" 
@@ -31,28 +30,28 @@ Because piecing the individual alerts together to gain insight into an attack ca ## Properties |Property|Type|Description| |:---|:---|:---| -|id|String|Unique identifier to represent the incident.| -|displayName|String|The incident name.| |assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.| |classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.| |comments|[microsoft.graph.security.alertComment](security-alertcomment.md) collection|Array of comments created by the Security Operations (SecOps) team when the incident is managed.| |createdDateTime|DateTimeOffset|Time when the incident was first created.| +|customTags|String collection|The collection of custom tags that are associated with an incident.| |description|String|Description of the incident.| +|description|String|A rich text String that describes the incident| |determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. 
Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `clean`, `insufficientData`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.| -|tenantId|String|The Microsoft Entra tenant in which the alert was created.| +|displayName|String|The incident name.| +|id|String|Unique identifier to represent the incident.| |incidentWebUrl|String|The URL for the incident page in the Microsoft 365 Defender portal.| |lastModifiedBy|String|The identity that last modified the incident.| |lastUpdateDateTime|DateTimeOffset|Time when the incident was last updated.| +|recommendedActions|String|A rich text string that represents the actions that are reccomnded to take in order to resolve the incident. | +|recommendedHuntingQueries|Collection(microsoft.graph.security.recommendedHuntingQuery)|List of hunting Kusto Query Language (KQL) queries related to the incident.| |redirectIncidentId|String|Only populated in case an incident is grouped together with another incident, as part of the logic that processes incidents. In such a case, the **status** property is `redirected`. | +|resolvingComment|String|User input that explains the resolution of the incident and the classification choice. This property contains free editable text.| |severity|alertSeverity|Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.| |status|[microsoft.graph.security.incidentStatus](#incidentstatus-values)|The status of the incident. 
Possible values are: `active`, `resolved`, `inProgress`, `redirected`, `unknownFutureValue`, and `awaitingAction`.| -|customTags|String collection|The collection of custom tags that are associated with an incident.| +|summary|String|The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.| |systemTags|String collection|The collection of system tags that are associated with the incident.| -|description|String|A rich text string describing the incident| -|recommendedActions|String|A rich text string that represents the actions that are reccomnded to take in order to resolve the incident | -|recommendedHuntingQueries|Collection(microsoft.graph.security.recommendedHuntingQuery)|List of hunting Kusto Query Language (KQL) queries related to the incident| -|resolvingComment|String|User input that explains the resolution of the incident and the classification choice. This property contains free editable text.| - +|tenantId|String|The Microsoft Entra tenant in which the alert was created.| ### incidentStatus values The following table lists the members of an [evolvable enumeration](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations). You must use the `Prefer: include-unknown-enum-members` request header to get the following values in this evolvable enum: `awaitingAction`. 
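Review bot: The reordered Properties table ends up with two `description` rows: the existing `|description|String|Description of the incident.|` row is kept as context and the hunk re-adds `|description|String|A rich text String that describes the incident|` directly beneath it. Keep a single row, with "string" in lower case and a closing period to match its neighbours. The re-added `recommendedActions` row still carries the misspelling "reccomnded" and could be tightened to "the actions recommended to resolve the incident". The hunk also appears to drop the blank line between the last table row (`tenantId`) and `### incidentStatus values`; restore it so the heading is not parsed as part of the table. Since `tenantId` is being moved anyway, its description ("tenant in which the alert was created") is worth correcting to refer to the incident.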
@@ -86,37 +85,27 @@ The following JSON representation shows the resource type. ``` json { "@odata.type": "#microsoft.graph.security.incident", - "id": "String (identifier)", - "incidentWebUrl": "String", - "tenantId": "String", - "redirectIncidentId": "String", - "displayName": "String", - "createdDateTime": "String (timestamp)", - "lastUpdateDateTime": "String (timestamp)", "assignedTo": "String", "classification": "String", - "determination": "String", - "status": "String", - "severity": "String", - "customTags": [ - "String" - ], - "comments": [ - { - "@odata.type": "microsoft.graph.security.alertComment" - } - ], - "systemTags" : [ - "String" - ], + "comments": [{"@odata.type": "microsoft.graph.security.alertComment"}], + "createdDateTime": "String (timestamp)", + "customTags": ["String"], "description" : "String", + "determination": "String", + "displayName": "String", + "id": "String (identifier)", + "incidentWebUrl": "String", + "lastModifiedBy": "String", + "lastUpdateDateTime": "String (timestamp)", "recommendedActions" : "String", - "recommendedHuntingQueries" : [ - { - "@odata.type": "microsoft.graph.security.recommendedHuntingQuery" - } - ], - "lastModifiedBy": "String" + "recommendedHuntingQueries" : [{"@odata.type": "microsoft.graph.security.recommendedHuntingQuery"}], + "redirectIncidentId": "String", + "resolvingComment": "String", + "severity": "String", + "status": "String", + "summary": "String", + "systemTags" : ["String"], + "tenantId": "String" } ``` diff --git a/api-reference/beta/resources/user.md b/api-reference/beta/resources/user.md index c65b0e6674e..99c23cc838e 100644 --- a/api-reference/beta/resources/user.md +++ b/api-reference/beta/resources/user.md 
@@ -44,9 +44,9 @@ This resource supports: | [Revoke sign-in sessions](../api/user-revokesigninsessions.md) | None | Revokes all the user's refresh and session tokens issued to applications by resetting the **signInSessionsValidFromDateTime** user property to the current date-time. This operation forces the user to sign in to those applications again. This method replaces **invalidateAllRefreshTokens**. | | [Export personal data](../api/user-exportpersonaldata.md) | None | Submits a data policy operation request made by a company administrator to export an organizational user's data. | | **App role assignments**||| -| [List app role assignments](../api/user-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles that a user has been assigned. | -| [Add app role assignment](../api/user-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to a user. | -| [Remove app role assignment](../api/user-delete-approleassignments.md) | None | Remove an app role assignment from a user. | +| [List](../api/user-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles that a user has been assigned. | +| [Add](../api/user-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to a user. | +| [Remove](../api/user-delete-approleassignments.md) | None | Remove an app role assignment from a user. | | [List appRoleAssignedResources](../api/user-list-approleassignedresources.md) | [servicePrincipal](serviceprincipal.md) collection | Get the apps that a user has an app role assignment either directly or through group membership. | | **Calendar** ||| | [List calendars](../api/user-list-calendars.md) | [Calendar](calendar.md) collection | Get a Calendar object collection. | 
@@ -126,31 +126,31 @@ This resource supports: | [Get supported time zones](../api/outlookuser-supportedtimezones.md) | [timeZoneInformation](timezoneinformation.md) collection | Get the list of time zones that are supported for the user, as configured on the user's mailbox server. | | [Translate Exchange IDs](../api/user-translateexchangeids.md) | [convertIdResult](convertidresult.md) collection | Translate identifiers of Outlook-related resources between formats. | | **Password-based single sign-on credentials** ||| -| [Get credentials](../api/user-getpasswordsinglesignoncredentials.md)|[passwordSingleSignOnCredentialSet](passwordsinglesignoncredentialset.md) collection|Get the list of password-based single sign-on credentials for given user. Passwords are never returned, and instead are always returned as null or empty strings.| -| [Delete credentials](../api/user-deletepasswordsinglesignoncredentials.md)|None|Delete password-based single sign-on credential for a given service principal that is associated to a given user.| +| [Get](../api/user-getpasswordsinglesignoncredentials.md)|[passwordSingleSignOnCredentialSet](passwordsinglesignoncredentialset.md) collection|Get the list of password-based single sign-on credentials for given user. Passwords are never returned, and instead are always returned as null or empty strings.| +| [Delete](../api/user-deletepasswordsinglesignoncredentials.md)|None|Delete password-based single sign-on credential for a given service principal that is associated to a given user.| | **People** ||| -| [List people](../api/user-list-people.md) | [person](person.md) | Retrieve a list of person objects ordered by their relevance to the user, which is determined by the user's communication and collaboration patterns, and business relationships. 
| +| [List](../api/user-list-people.md) | [person](person.md) | Retrieve a list of person objects ordered by their relevance to the user, which is determined by the user's communication and collaboration patterns, and business relationships. | | **Personal contacts**||| | [List contacts](../api/user-list-contacts.md) | [contact](contact.md) collection | Get a contact collection from the default contacts folder of the signed-in user. | | [Create contact](../api/user-post-contacts.md)| [contact](contact.md) | Create a new contact by posting to the contacts collection. | -| [List contactFolders](../api/user-list-contactfolders.md) | [contactFolder](contactfolder.md) collection | Get the contact folder collection in the default contacts folder of the signed-in user. | -| [Create contactFolder](../api/user-post-contactfolders.md) | [contactFolder](contactfolder.md) | Create a new contactFolder by posting to the contactFolders collection. | -| **Photo** ||| -| [Get profile photo](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | -| [Update profile photo](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant, including the signed-in user or the specified group or contact. | -| [Delete profile photo](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant, including the signed-in user or the specified group. | +| [List contact folders](../api/user-list-contactfolders.md) | [contactFolder](contactfolder.md) collection | Get the contact folder collection in the default contacts folder of the signed-in user. | +| [Create contact folder](../api/user-post-contactfolders.md) | [contactFolder](contactfolder.md) | Create a new contactFolder by posting to the contactFolders collection. 
| +| **Profile photo** ||| +| [Get](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | +| [Update](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant, including the signed-in user or the specified group or contact. | +| [Delete](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant, including the signed-in user or the specified group. | | **Planner** ||| | [List favorite plans](../api/planneruser-list-favoriteplans.md) | [plannerPlan](plannerplan.md) collection | Retrieve a list of plannerPlans that are marked as favorite by a user. | | [List recent plans](../api/planneruser-list-recentplans.md) | [plannerPlan](plannerplan.md) collection | Retrieve a list of plannerPlans recently viewed by a user. | | [List tasks](../api/planneruser-list-tasks.md) | [plannerTask](plannertask.md) collection | Get plannerTasks assigned to the user.| | [Update settings](../api/planneruser-update.md) | None | Update the properties of a plannerUser object. | | **Profile** ||| -| [Get profile](../api/profile-get.md) | [profile](profile.md) | Retrieve the properties and relationships of a profile object for a given user. | -| [Delete profile](../api/profile-delete.md) | None | Delete profile object from a user's account. | +| [Get](../api/profile-get.md) | [profile](profile.md) | Retrieve the properties and relationships of a profile object for a given user. | +| [Delete](../api/profile-delete.md) | None | Delete profile object from a user's account. | | **Sponsors** ||| -| [Assign sponsors](../api/user-post-sponsors.md) | None | Assign a user a sponsor. | -| [List sponsors](../api/user-list-sponsors.md) | [directoryObject](../resources/directoryobject.md) collection | Get the users and groups who are this user's sponsors. | -| [Remove sponsors](../api/user-delete-sponsors.md) | None | Remove a user's sponsor. 
| +| [Assign](../api/user-post-sponsors.md) | None | Assign a user a sponsor. | +| [List](../api/user-list-sponsors.md) | [directoryObject](../resources/directoryobject.md) collection | Get the users and groups who are this user's sponsors. | +| [Remove](../api/user-delete-sponsors.md) | None | Remove a user's sponsor. | | [List invited by](../api/user-list-invitedby.md)|[directoryObject](../resources/directoryobject.md)|Get the user or service principal that invited the specified user into the tenant.| | **Teamwork** ||| |[List apps installed for user](../api/userteamwork-list-installedapps.md) | [userScopeTeamsAppInstallation](userscopeteamsappinstallation.md) collection | Lists apps installed in the personal scope of a user.| @@ -166,8 +166,8 @@ This resource supports: |[List task lists](../api/todo-list-lists.md) | [todoTaskList](todotasklist.md) collection | Get all the task lists in the user's mailbox. | |[Create task list](../api/todo-post-lists.md) | [todoTaskList](todotasklist.md) | Create a To Do task list in the user's mailbox. | | **User settings** ||| -| [Get settings](../api/usersettings-get.md) | [userSettings](usersettings.md) | Read the user and organization settings object. | -| [Update settings](../api/usersettings-update.md) | [userSettings](usersettings.md) | Update the properties of the settings object. | +| [Get](../api/usersettings-get.md) | [userSettings](usersettings.md) | Read the user and organization settings object. | +| [Update](../api/usersettings-update.md) | [userSettings](usersettings.md) | Update the properties of the settings object. | ## Properties diff --git a/api-reference/beta/toc/backup-storage/toc.yml b/api-reference/beta/toc/backup-storage/toc.yml index 9b4534fe4a5..83198906a5f 100644 --- a/api-reference/beta/toc/backup-storage/toc.yml +++ b/api-reference/beta/toc/backup-storage/toc.yml 
@@ -12,14 +12,18 @@ items: href: ../../api/backuprestoreroot-enable.md - name: Protection policy items: - - name: OneDrive for Business protection policy - items: - - name: OneDrive for Business protection policy - href: ../../resources/onedriveforbusinessprotectionpolicy.md - - name: Create - href: ../../api/backuprestoreroot-post-onedriveforbusinessprotectionpolicies.md - - name: Update - href: ../../api/onedriveforbusinessprotectionpolicy-update.md + - name: Protection policy + href: ../../resources/protectionpolicybase.md + - name: List + href: ../../api/backuprestoreroot-list-protectionpolicies.md + - name: Get + href: ../../api/protectionpolicybase-get.md + - name: Delete + href: ../../api/protectionpolicybase-delete.md + - name: Activate + href: ../../api/protectionpolicybase-activate.md + - name: Deactivate + href: ../../api/protectionpolicybase-deactivate.md - name: Exchange protection policy items: - name: Exchange protection policy @@ -28,6 +32,14 @@ items: href: ../../api/backuprestoreroot-post-exchangeprotectionpolicies.md - name: Update href: ../../api/exchangeprotectionpolicy-update.md + - name: OneDrive for Business protection policy + items: + - name: OneDrive for Business protection policy + href: ../../resources/onedriveforbusinessprotectionpolicy.md + - name: Create + href: ../../api/backuprestoreroot-post-onedriveforbusinessprotectionpolicies.md + - name: Update + href: ../../api/onedriveforbusinessprotectionpolicy-update.md - name: SharePoint protection policy items: - name: SharePoint protection policy diff --git a/api-reference/beta/toc/toc.mapping.json b/api-reference/beta/toc/toc.mapping.json index 3b7b69bc7f8..895f1b2b0f0 100644 --- a/api-reference/beta/toc/toc.mapping.json +++ b/api-reference/beta/toc/toc.mapping.json @@ -111,8 +111,8 @@ { "name": "Protection policy", "resources": [ - "oneDriveForBusinessProtectionPolicy", "exchangeProtectionPolicy", + "oneDriveForBusinessProtectionPolicy", "sharePointProtectionPolicy" ] }, 
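Review bot: In the toc.mapping.json hunk, the `resources` array for "Protection policy" is only re-sorted, while the toc.yml hunks above add a new "Protection policy" node that links `protectionpolicybase.md` with List, Get, Delete, Activate, and Deactivate entries. If toc.yml is regenerated from this mapping, `protectionPolicyBase` probably needs to be listed in `resources` as well, otherwise the hand-added entries may disappear on the next regeneration. Please confirm which file is the source of truth and update the mapping if needed.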
diff --git a/api-reference/docfx.json b/api-reference/docfx.json index bc48b169a36..74a175a5612 100644 --- a/api-reference/docfx.json +++ b/api-reference/docfx.json @@ -223,8 +223,6 @@ "globalMetadata": { "feedback_system": "Standard", "feedback_product_url": "https://developer.microsoft.com/graph/support", - "feedback_help_link_url": "https://learn.microsoft.com/en-us/answers/tags/161/ms-graph", - "feedback_help_link_type": "get-help-at-qna", "feedback_github_repo": "microsoftgraph/microsoft-graph-docs-contrib", "author": "MSGraphDocsVteam", "ms.author": "MSGraphDocsVteam", diff --git a/api-reference/v1.0/api/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest.md b/api-reference/v1.0/api/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest.md index 52dc72abed7..4f3ff644faf 100644 --- a/api-reference/v1.0/api/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest.md +++ b/api-reference/v1.0/api/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest.md 
@@ -58,10 +58,6 @@ Here is an example of the request. GET https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCertificate/downloadApplePushNotificationCertificateSigningRequest ``` -# [C#](#tab/csharp) -[!INCLUDE [sample-code](../includes/snippets/csharp/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-csharp-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - # [CLI](#tab/cli) [!INCLUDE [sample-code](../includes/snippets/cli/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-cli-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] 
@@ -74,22 +70,10 @@ GET https://graph.microsoft.com/v1.0/deviceManagement/applePushNotificationCerti [!INCLUDE [sample-code](../includes/snippets/java/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-java-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] -# [JavaScript](#tab/javascript) -[!INCLUDE [sample-code](../includes/snippets/javascript/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-javascript-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] -# [PowerShell](#tab/powershell) -[!INCLUDE [sample-code](../includes/snippets/powershell/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-powershell-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - -# [Python](#tab/python) -[!INCLUDE [sample-code](../includes/snippets/python/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-python-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - --- ### Response 
diff --git a/api-reference/v1.0/api/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles.md b/api-reference/v1.0/api/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles.md index 0627fb56da8..c9dca06581d 100644 --- a/api-reference/v1.0/api/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles.md +++ b/api-reference/v1.0/api/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles.md 
@@ -110,18 +110,10 @@ Content-length: 278 [!INCLUDE [sample-code](../includes/snippets/java/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-java-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] -# [JavaScript](#tab/javascript) -[!INCLUDE [sample-code](../includes/snippets/javascript/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-javascript-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - # [PHP](#tab/php) [!INCLUDE [sample-code](../includes/snippets/php/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-php-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] -# [PowerShell](#tab/powershell) -[!INCLUDE [sample-code](../includes/snippets/powershell/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-powershell-snippets.md)] -[!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] - # [Python](#tab/python) [!INCLUDE [sample-code](../includes/snippets/python/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-python-snippets.md)] [!INCLUDE [sdk-documentation](../includes/snippets/snippets-sdk-documentation-link.md)] diff --git a/api-reference/v1.0/api/security-incident-get.md b/api-reference/v1.0/api/security-incident-get.md index 445ff0e3dbc..4da2e35bb57 100644 --- a/api-reference/v1.0/api/security-incident-get.md 
+++ b/api-reference/v1.0/api/security-incident-get.md @@ -128,19 +128,20 @@ Content-type: application/json "status": "Active", "severity": "Medium", "customTags": [ - "Demo" + "Demo" ], "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } ], - "systemTags" : [ + "systemTags": [ "Defender Experts" ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", - "lastModifiedBy": "DavidS@contoso.onmicrosoft.com" + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", + "lastModifiedBy": "DavidS@contoso.onmicrosoft.com", + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." } ``` diff --git a/api-reference/v1.0/api/security-incident-update.md b/api-reference/v1.0/api/security-incident-update.md index 0d9723e4267..848052dd13b 100644 --- a/api-reference/v1.0/api/security-incident-update.md +++ b/api-reference/v1.0/api/security-incident-update.md 
@@ -46,9 +46,10 @@ PATCH /security/incidents/{incidentId} |:---|:---|:---| |assignedTo|String|Owner of the incident, or null if no owner is assigned. Free editable text.| |classification|microsoft.graph.security.alertClassification|The specification for the incident. Possible values are: `unknown`, `falsePositive`, `truePositive`, `informationalExpectedActivity`, `unknownFutureValue`.| +|customTags|String collection|Array of custom tags associated with an incident.| |determination|microsoft.graph.security.alertDetermination|Specifies the determination of the incident. Possible values are: `unknown`, `apt`, `malware`, `securityPersonnel`, `securityTesting`, `unwantedSoftware`, `other`, `multiStagedAttack`, `compromisedUser`, `phishing`, `maliciousUserActivity`, `notMalicious`, `notEnoughDataToValidate`, `confirmedUserActivity`, `lineOfBusinessApplication`, `unknownFutureValue`.| |status|microsoft.graph.security.incidentStatus|The status of the incident. Possible values are: `active`, `resolved`, `redirected`, `unknownFutureValue`.| -|customTags|String collection|Array of custom tags associated with an incident.| +|summary|String|The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.| ## Response 
@@ -142,19 +143,20 @@ Content-Type: application/json "status": "Active", "severity": "Medium", "customTags": [ - "Demo" + "Demo" ], "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } ], - "systemTags" : [ + "systemTags": [ "Defender Experts" ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ..." + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." } ``` diff --git a/api-reference/v1.0/api/security-list-incidents.md b/api-reference/v1.0/api/security-list-incidents.md index 8f9ae77fdcd..61a0038f2c6 100644 --- a/api-reference/v1.0/api/security-list-incidents.md +++ b/api-reference/v1.0/api/security-list-incidents.md 
@@ -138,37 +138,38 @@ HTTP/1.1 200 OK Content-Type: application/json { - "value": [ - { - "@odata.type": "#microsoft.graph.security.incident", - "id": "2972395", - "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", - "redirectIncidentId": null, - "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", - "createdDateTime": "2021-08-13T08:43:35.5533333Z", - "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", - "assignedTo": "KaiC@contoso.com", - "classification": "TruePositive", - "determination": "MultiStagedAttack", - "status": "Active", - "severity": "Medium", - "customTags": [ - "Demo" - ], - "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } - ], - "systemTags" : [ - "Defender Experts" - ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ..." 
- } - ] + "value": [ + { + "@odata.type": "#microsoft.graph.security.incident", + "id": "2972395", + "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", + "redirectIncidentId": null, + "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", + "createdDateTime": "2021-08-13T08:43:35.5533333Z", + "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", + "assignedTo": "KaiC@contoso.com", + "classification": "TruePositive", + "determination": "MultiStagedAttack", + "status": "Active", + "severity": "Medium", + "customTags": [ + "Demo" + ], + "comments": [ + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } + ], + "systemTags": [ + "Defender Experts" + ], + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." + } + ] } ``` 
@@ -234,192 +235,193 @@ HTTP/1.1 200 OK Content-Type: application/json { - "value": [ - { - "@odata.type": "#microsoft.graph.security.incident", - "id": "2972395", - "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", - "redirectIncidentId": null, - "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", - "createdDateTime": "2021-08-13T08:43:35.5533333Z", - "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", - "assignedTo": "KaiC@contoso.com", - "classification": "truePositive", - "determination": "multiStagedAttack", - "status": "active", - "severity": "medium", - "tags": [ - "Demo" - ], - "comments": [ - { - "comment": "Demo incident", - "createdBy": "DavidS@contoso.com", - "createdTime": "2021-09-30T12:07:37.2756993Z" - } - ], - "systemTags" : [ - "Defender Experts" - ], - "description" : "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. ...", - "alerts": [ - { - "@odata.type": "#microsoft.graph.security.alert", - "id": "da637551227677560813_-961444813", - "providerAlertId": "da637551227677560813_-961444813", - "incidentId": "28282", - "status": "new", - "severity": "low", - "classification": "unknown", - "determination": "unknown", - "serviceSource": "microsoftDefenderForEndpoint", - "detectionSource": "antivirus", - "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756", - "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "title": "Suspicious execution of hidden file", - "description": "A hidden file has been launched. This activity could indicate a compromised host. 
Attackers often hide files associated with malicious tools to evade file system inspection and defenses.", - "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.", - "category": "DefenseEvasion", - "assignedTo": null, - "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", - "actorDisplayName": null, - "threatDisplayName": null, - "threatFamilyName": null, - "mitreTechniques": [ - "T1564.001" - ], - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z", - "resolvedDateTime": null, - "firstActivityDateTime": "2021-04-26T07:45:50.116Z", - "lastActivityDateTime": "2021-05-02T07:56:58.222Z", - "comments": [], - "evidence": [ - { - "@odata.type": "#microsoft.graph.security.deviceEvidence", - 
"createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z", - "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", - "azureAdDeviceId": null, - "deviceDnsName": "tempDns", - "osPlatform": "Windows10", - "osBuild": 22424, - "version": "Other", - "healthStatus": "active", - "riskScore": "medium", - "rbacGroupId": 75, - "rbacGroupName": "UnassignedGroup", - "onboardingStatus": "onboarded", - "defenderAvStatus": "unknown", - "ipInterfaces": [ - "1.1.1.1" - ], - "loggedOnUsers": [], - "roles": [ - "compromised" - ], - "detailedRoles": [ - "Main device" - ], - "tags": [ - "Test Machine" - ], - "vmMetadata": { - "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78", - "cloudProvider": "azure", - "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests", - "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161" - } - }, - { - "@odata.type": "#microsoft.graph.security.fileEvidence", - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - "detectionStatus": "detected", - "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", - "roles": [], - "detailedRoles": [ - "Referred in command line", - ], - "tags": [], - "fileDetails": { - "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", - "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", - "fileName": "MsSense.exe", - "filePath": "C:\\Program Files\\temp", - "fileSize": 6136392, - "filePublisher": "Microsoft Corporation", - "signer": null, - "issuer": null - } - }, - { - "@odata.type": "#microsoft.graph.security.processEvidence", - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - 
"processId": 4780, - "parentProcessId": 668, - "processCommandLine": "\"MsSense.exe\"", - "processCreationDateTime": "2021-08-12T12:43:19.0772577Z", - "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z", - "detectionStatus": "detected", - "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", - "roles": [], - "detailedRoles": [], - "tags": [], - "imageFile": { - "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", - "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", - "fileName": "MsSense.exe", - "filePath": "C:\\Program Files\\temp", - "fileSize": 6136392, - "filePublisher": "Microsoft Corporation", - "signer": null, - "issuer": null + "value": [ + { + "@odata.type": "#microsoft.graph.security.incident", + "id": "2972395", + "incidentWebUrl": "https://security.microsoft.com/incidents/2972395?tid=12f988bf-16f1-11af-11ab-1d7cd011db47", + "redirectIncidentId": null, + "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "displayName": "Multi-stage incident involving Initial access & Command and control on multiple endpoints reported by multiple sources", + "createdDateTime": "2021-08-13T08:43:35.5533333Z", + "lastUpdateDateTime": "2021-09-30T09:35:45.1133333Z", + "assignedTo": "KaiC@contoso.com", + "classification": "truePositive", + "determination": "multiStagedAttack", + "status": "active", + "severity": "medium", + "tags": [ + "Demo" + ], + "comments": [ + { + "comment": "Demo incident", + "createdBy": "DavidS@contoso.com", + "createdTime": "2021-09-30T12:07:37.2756993Z" + } + ], + "systemTags": [ + "Defender Experts" + ], + "description": "Microsoft observed Raspberry Robin worm activity spreading through infected USB on multiple devices in your environment. From available intel, these infections could be a potential precursor activity to ransomware deployment. 
...", + "alerts": [ + { + "@odata.type": "#microsoft.graph.security.alert", + "id": "da637551227677560813_-961444813", + "providerAlertId": "da637551227677560813_-961444813", + "incidentId": "28282", + "status": "new", + "severity": "low", + "classification": "unknown", + "determination": "unknown", + "serviceSource": "microsoftDefenderForEndpoint", + "detectionSource": "antivirus", + "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756", + "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "title": "Suspicious execution of hidden file", + "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.", + "recommendedActions": "Collect artifacts and determine scope\n�\tReview the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) \n�\tLook for the presence of relevant artifacts on other systems. Identify commonalities and differences between potentially compromised systems.\n�\tSubmit relevant files for deep analysis and review resulting detailed behavioral information.\n�\tSubmit undetected files to the MMPC malware portal\n\nInitiate containment & mitigation \n�\tContact the user to verify intent and initiate local remediation actions as needed.\n�\tUpdate AV signatures and run a full scan. The scan might reveal and remove previously-undetected malware components.\n�\tEnsure that the machine has the latest security updates. 
In particular, ensure that you have installed the latest software, web browser, and Operating System versions.\n�\tIf credential theft is suspected, reset all relevant users passwords.\n�\tBlock communication with relevant URLs or IPs at the organization�s perimeter.", + "category": "DefenseEvasion", + "assignedTo": null, + "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "actorDisplayName": null, + "threatDisplayName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1564.001" + ], + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z", + "resolvedDateTime": null, + "firstActivityDateTime": "2021-04-26T07:45:50.116Z", + "lastActivityDateTime": "2021-05-02T07:56:58.222Z", + "comments": [], + "evidence": [ + { + "@odata.type": "#microsoft.graph.security.deviceEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "firstSeenDateTime": "2020-09-12T07:28:32.4321753Z", + "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", + "azureAdDeviceId": null, + "deviceDnsName": "tempDns", + "osPlatform": "Windows10", + "osBuild": 22424, + "version": "Other", + "healthStatus": "active", + "riskScore": "medium", + "rbacGroupId": 75, + "rbacGroupName": "UnassignedGroup", + "onboardingStatus": "onboarded", + "defenderAvStatus": "unknown", + "ipInterfaces": [ + "1.1.1.1" + ], + "loggedOnUsers": [], + "roles": [ + "compromised" + ], + "detailedRoles": [ + "Main device" + ], + "tags": [ + "Test Machine" + ], + "vmMetadata": { + "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78", + "cloudProvider": "azure", + "resourceId": 
"/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests", + "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161" + } + }, + { + "@odata.type": "#microsoft.graph.security.fileEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "detectionStatus": "detected", + "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", + "roles": [], + "detailedRoles": [ + "Referred in command line" + ], + "tags": [], + "fileDetails": { + "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", + "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", + "fileName": "MsSense.exe", + "filePath": "C:\\Program Files\\temp", + "fileSize": 6136392, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + } }, - "parentProcessImageFile": { - "sha1": null, - "sha256": null, - "fileName": "services.exe", - "filePath": "C:\\Windows\\System32", - "fileSize": 731744, - "filePublisher": "Microsoft Corporation", - "signer": null, - "issuer": null + { + "@odata.type": "#microsoft.graph.security.processEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "processId": 4780, + "parentProcessId": 668, + "processCommandLine": "\"MsSense.exe\"", + "processCreationDateTime": "2021-08-12T12:43:19.0772577Z", + "parentProcessCreationDateTime": "2021-08-12T07:39:09.0909239Z", + "detectionStatus": "detected", + "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", + "roles": [], + "detailedRoles": [], + "tags": [], + "imageFile": { + "sha1": "5f1e8acedc065031aad553b710838eb366cfee9a", + "sha256": "8963a19fb992ad9a76576c5638fd68292cffb9aaac29eb8285f9abf6196a7dec", + "fileName": "MsSense.exe", + "filePath": "C:\\Program Files\\temp", + "fileSize": 6136392, + "filePublisher": 
"Microsoft Corporation", + "signer": null, + "issuer": null + }, + "parentProcessImageFile": { + "sha1": null, + "sha256": null, + "fileName": "services.exe", + "filePath": "C:\\Windows\\System32", + "fileSize": 731744, + "filePublisher": "Microsoft Corporation", + "signer": null, + "issuer": null + }, + "userAccount": { + "accountName": "SYSTEM", + "domainName": "NT AUTHORITY", + "userSid": "S-1-5-18", + "azureAdUserId": null, + "userPrincipalName": null + } }, - "userAccount": { - "accountName": "SYSTEM", - "domainName": "NT AUTHORITY", - "userSid": "S-1-5-18", - "azureAdUserId": null, - "userPrincipalName": null + { + "@odata.type": "#microsoft.graph.security.registryKeyEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER", + "registryHive": "HKEY_LOCAL_MACHINE", + "roles": [], + "detailedRoles": [], + "tags": [] } - }, - { - "@odata.type": "#microsoft.graph.security.registryKeyEvidence", - "createdDateTime": "2021-04-27T12:19:27.7211305Z", - "verdict": "unknown", - "remediationStatus": "none", - "remediationStatusDetails": null, - "registryKey": "SYSTEM\\CONTROLSET001\\CONTROL\\WMI\\AUTOLOGGER\\SENSEAUDITLOGGER", - "registryHive": "HKEY_LOCAL_MACHINE", - "roles": [], - "detailedRoles": [], - "tags": [], - } - ] - } - ] - } - ] + ] + } + ], + "summary": "Defender Experts has identified some malicious activity. This incident has been raised for your awareness and should be investigated as normal." + } + ] } ``` diff --git a/api-reference/v1.0/api/user-get.md b/api-reference/v1.0/api/user-get.md index 69d0809639d..050274e9188 100644 --- a/api-reference/v1.0/api/user-get.md +++ b/api-reference/v1.0/api/user-get.md @@ -1,5 +1,5 @@ --- -title: "Get a user" +title: "Get user" description: "Retrieve the properties and relationships of user object." author: "yyuank" ms.reviewer: "iamut" 
diff --git a/api-reference/v1.0/includes/snippets/csharp/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-csharp-snippets.md b/api-reference/v1.0/includes/snippets/csharp/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-csharp-snippets.md deleted file mode 100644 index 12ab0e03bed..00000000000 --- a/api-reference/v1.0/includes/snippets/csharp/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-csharp-snippets.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -description: "Automatically generated file. DO NOT MODIFY" ---- - -```csharp - -// Code snippets are only available for the latest version. Current version is 5.x - -// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp -var result = await graphClient.DeviceManagement.ApplePushNotificationCertificate.DownloadApplePushNotificationCertificateSigningRequest.GetAsDownloadApplePushNotificationCertificateSigningRequestGetResponseAsync(); - - -``` \ No newline at end of file diff --git a/api-reference/v1.0/includes/snippets/javascript/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-javascript-snippets.md b/api-reference/v1.0/includes/snippets/javascript/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-javascript-snippets.md deleted file mode 100644 index 2ea21be4649..00000000000 
--- a/api-reference/v1.0/includes/snippets/javascript/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-javascript-snippets.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -description: "Automatically generated file. DO NOT MODIFY" ---- - -```javascript - -const options = { - authProvider, -}; - -const client = Client.init(options); - -let string = await client.api('/deviceManagement/applePushNotificationCertificate/downloadApplePushNotificationCertificateSigningRequest') - .get(); - -``` \ No newline at end of file diff --git a/api-reference/v1.0/includes/snippets/javascript/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-javascript-snippets.md b/api-reference/v1.0/includes/snippets/javascript/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-javascript-snippets.md deleted file mode 100644 index 1445e842bb7..00000000000 --- a/api-reference/v1.0/includes/snippets/javascript/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-javascript-snippets.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -description: "Automatically generated file. DO NOT MODIFY" ---- - -```javascript - -const options = { - authProvider, -}; - -const client = Client.init(options); - -const stream = { - name: 'Name value', - select: [ - 'Select value' - ], - search: 'Search value', - groupBy: [ - 'Group By value' - ], - orderBy: [ - 'Order By value' - ], - skip: 4, - top: 3, - sessionId: 'Session Id value', - filter: 'Filter value' -}; - -await client.api('/deviceManagement/reports/getDeviceManagementIntentPerSettingContributingProfiles') - .post(stream); - -``` \ No newline at end of file diff --git a/api-reference/v1.0/includes/snippets/powershell/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-powershell-snippets.md b/api-reference/v1.0/includes/snippets/powershell/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-powershell-snippets.md deleted file mode 100644 index 4615e23c491..00000000000 --- a/api-reference/v1.0/includes/snippets/powershell/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-powershell-snippets.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -description: "Automatically generated file. DO NOT MODIFY" ---- - -```powershell - -Import-Module Microsoft.Graph.DeviceManagement.Functions - -Invoke-MgDownloadDeviceManagementApplePushNotificationCertificateApplePushNotificationCertificateSigningRequest - -``` \ No newline at end of file 
diff --git a/api-reference/v1.0/includes/snippets/powershell/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-powershell-snippets.md b/api-reference/v1.0/includes/snippets/powershell/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-powershell-snippets.md deleted file mode 100644 index 9216471ce31..00000000000 --- a/api-reference/v1.0/includes/snippets/powershell/intune-reporting-devicemanagementreports-getdevicemanagementintentpersettingcontributingprofiles-getdevicemanagementintentpersettingcontributingprofiles-action-powershell-snippets.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -description: "Automatically generated file. DO NOT MODIFY" ---- - -```powershell - -Import-Module Microsoft.Graph.DeviceManagement.Actions - -$params = @{ - name = "Name value" - select = @( - "Select value" -) -search = "Search value" -groupBy = @( -"Group By value" -) -orderBy = @( -"Order By value" -) -skip = 4 -top = 3 -sessionId = "Session Id value" -filter = "Filter value" -} - -Get-MgDeviceManagementReportDeviceManagementIntentPerSettingContributingProfile -BodyParameter $params - -``` \ No newline at end of file diff --git a/api-reference/v1.0/includes/snippets/python/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-python-snippets.md b/api-reference/v1.0/includes/snippets/python/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-python-snippets.md deleted file mode 100644 index ca9b7f36ae1..00000000000 
--- a/api-reference/v1.0/includes/snippets/python/intune-devices-applepushnotificationcertificate-downloadapplepushnotificationcertificatesigningrequest-downloadapplepushnotificationcertificatesigningrequest-function-python-snippets.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -description: "Automatically generated file. DO NOT MODIFY" ---- - -```python - -from msgraph import GraphServiceClient - -graph_client = GraphServiceClient(credentials, scopes) - - -result = await graph_client.device_management.apple_push_notification_certificate.download_apple_push_notification_certificate_signing_request.get() - - -``` \ No newline at end of file diff --git a/api-reference/v1.0/resources/group.md b/api-reference/v1.0/resources/group.md index da820c2fe9d..ed90ff4c722 100644 --- a/api-reference/v1.0/resources/group.md +++ b/api-reference/v1.0/resources/group.md 
@@ -49,9 +49,9 @@ This resource supports: | [Renew](../api/group-renew.md) | Boolean | Renews a group's expiration. Renewing extends the group expiration by the number of days defined in the policy. | | [Validate properties](../api/group-validateproperties.md) | JSON | Validate that a Microsoft 365 group's display name or mail nickname complies with naming policies. | | **App role assignments** | | | -| [List app role assignments](../api/group-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles assigned to this group. | -| [Add app role assignment](../api/group-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to this group. | -| [Remove app role assignment](../api/group-delete-approleassignments.md) | None. | Remove an app role assignment from this group. | +| [List](../api/group-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles assigned to this group. | +| [Add](../api/group-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to this group. | +| [Remove](../api/group-delete-approleassignments.md) | None. | Remove an app role assignment from this group. | | **Calendar** | | | | [Get calendar](../api/calendar-get.md) | [calendar](calendar.md) | Get the group's calendar. | | [Update calendar](../api/calendar-update.md) | None | Update the group's calendar. | 
@@ -91,25 +91,25 @@ This resource supports: | [Get drive](../api/drive-get.md) | [drive](drive.md) | Retrieve the properties and relationships of a Drive resource. | | [List children](../api/driveitem-list-children.md) | [DriveItems](driveitem.md) | Return a collection of DriveItems in the children relationship of a DriveItem. | | **Group settings** | | | -| [List settings](../api/group-list-settings.md) | [groupSetting](groupsetting.md) collection | List properties of all setting objects. | -| [Create setting](../api/group-post-settings.md) | [groupSetting](groupsetting.md) | Create a setting object based on a groupSettingTemplate. The POST request must provide settingValues for all the settings defined in the template. Only groups specific templates can be used for this operation. | -| [Get setting](../api/groupsetting-get.md) | [groupSetting](groupsetting.md) | Read properties of a specific setting object. | -| [Update setting](../api/groupsetting-update.md) | None | Update a setting object. | -| [Delete setting](../api/groupsetting-delete.md) | None | Delete a setting object. | +| [List](../api/group-list-settings.md) | [groupSetting](groupsetting.md) collection | List properties of all setting objects. | +| [Create](../api/group-post-settings.md) | [groupSetting](groupsetting.md) | Create a setting object based on a groupSettingTemplate. The POST request must provide settingValues for all the settings defined in the template. Only groups specific templates can be used for this operation. | +| [Get](../api/groupsetting-get.md) | [groupSetting](groupsetting.md) | Read properties of a specific setting object. | +| [Update](../api/groupsetting-update.md) | None | Update a setting object. | +| [Delete](../api/groupsetting-delete.md) | None | Delete a setting object. | | [List setting template](../api/groupsettingtemplate-list.md) | None | List properties of all setting templates. 
| | [Get setting template](../api/groupsettingtemplate-get.md) | None | Read properties of a setting template. | | **Notes** | | | | [List notebooks](../api/onenote-list-notebooks.md) | [notebook](notebook.md) collection | Retrieve a list of notebook objects. | | [Create notebook](../api/onenote-post-notebooks.md) | [notebook](notebook.md) | Create a new OneNote notebook. | -| **Photo** | | | -| [Get profile photo](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | -| [Update profile photo](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant including the signed-in user, or the specified group or contact. | -| [Delete profile photo](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant including the signed-in user or the specified group. | +| **Profile photo** | | | +| [Get](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | +| [Update](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant including the signed-in user, or the specified group or contact. | +| [Delete](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant including the signed-in user or the specified group. | | **Planner** | | | | [List plans](../api/plannergroup-list-plans.md) | [plannerPlan](plannerplan.md) collection | Get plans assigned to the group. | | **Posts** | | | -| [List posts](../api/conversationthread-list-posts.md) | [post](post.md) collection | Get posts in a conversation thread. | -| [Get post](../api/post-get.md) | [post](post.md) | Get a specific post. | +| [List](../api/conversationthread-list-posts.md) | [post](post.md) collection | Get posts in a conversation thread. | +| [Get](../api/post-get.md) | [post](post.md) | Get a specific post. 
| | [Reply to post](../api/post-reply.md) | None | Reply to a post. | | [Forward post](../api/post-forward.md) | None | Forward a post. | | **Other group resources** | | | diff --git a/api-reference/v1.0/resources/security-incident.md b/api-reference/v1.0/resources/security-incident.md index ae1b14b001c..a2298c65910 100644 --- a/api-reference/v1.0/resources/security-incident.md +++ b/api-reference/v1.0/resources/security-incident.md @@ -1,7 +1,6 @@ --- title: "incident resource type" description: "An incident in Microsoft 365 Defender is a collection of correlated alerts and associated metadata that reflects the story of an attack." -ms.date: 11/11/2022 author: "BenAlfasi" ms.localizationpriority: medium ms.subservice: "security" 
@@ -42,12 +41,12 @@ Because piecing the individual alerts together to gain insight into an attack ca |lastModifiedBy|String|The identity that last modified the incident.| |lastUpdateDateTime|DateTimeOffset|Time when the incident was last updated.| |redirectIncidentId|String|Only populated in case an incident is grouped with another incident, as part of the logic that processes incidents. In such a case, the **status** property is `redirected`. | +|resolvingComment|String|User input that explains the resolution of the incident and the classification choice. This property contains free editable text.| |severity|alertSeverity|Indicates the possible impact on assets. The higher the severity, the bigger the impact. Typically higher severity items require the most immediate attention. Possible values are: `unknown`, `informational`, `low`, `medium`, `high`, `unknownFutureValue`.| |status|[microsoft.graph.security.incidentStatus](#incidentstatus-values)|The status of the incident. Possible values are: `active`, `resolved`, `inProgress`, `redirected`, `unknownFutureValue`, and `awaitingAction`.| -|tenantId|String|The Microsoft Entra tenant in which the alert was created.| +|summary|String|The overview of an attack. When applicable, the summary contains details of what occurred, impacted assets, and the type of attack.| |systemTags|String collection|The system tags associated with the incident.| -|resolvingComment|String|User input that explains the resolution of the incident and the classification choice. This property contains free editable text.| - +|tenantId|String|The Microsoft Entra tenant in which the alert was created.| ### incidentStatus values The following table lists the members of an [evolvable enumeration](/graph/best-practices-concept#handling-future-members-in-evolvable-enumerations). You must use the `Prefer: include-unknown-enum-members` request header to get the following values in this evolvable enum: `awaitingAction`. 
@@ -81,31 +80,25 @@ The following JSON representation shows the resource type. ``` json { "@odata.type": "#microsoft.graph.security.incident", - "id": "String (identifier)", - "incidentWebUrl": "String", - "tenantId": "String", - "redirectIncidentId": "String", - "displayName": "String", - "createdDateTime": "String (timestamp)", - "lastUpdateDateTime": "String (timestamp)", "assignedTo": "String", "classification": "String", + "comments": [{"@odata.type": "microsoft.graph.security.alertComment"}], + "createdDateTime": "String (timestamp)", + "customTags": ["String"], + "description" : "String", "determination": "String", - "status": "String", + "displayName": "String", + "id": "String (identifier)", + "incidentWebUrl": "String", + "lastModifiedBy": "String", + "lastUpdateDateTime": "String (timestamp)", + "redirectIncidentId": "String", + "resolvingComment": "String", "severity": "String", - "customTags": [ - "String" - ], - "comments": [ - { - "@odata.type": "microsoft.graph.security.alertComment" - } - ], - "systemTags" : [ - "String" - ], - "description" : "String", - "lastModifiedBy": "String" + "status": "String", + "summary": "String", + "systemTags" : ["String"], + "tenantId": "String" } ``` diff --git a/api-reference/v1.0/resources/user.md b/api-reference/v1.0/resources/user.md index c9702209c76..925fc1487bf 100644 --- a/api-reference/v1.0/resources/user.md +++ b/api-reference/v1.0/resources/user.md 
@@ -35,9 +35,9 @@ This resource supports: | [Revoke sign-in sessions](../api/user-revokesigninsessions.md) | None | Revokes all the user's refresh and session tokens issued to applications, by resetting the **signInSessionsValidFromDateTime** user property to the current date-time. It forces the user to sign in to those applications again. | | [Export personal data](../api/user-exportpersonaldata.md) | None | Submits a data policy operation request, made by a company administrator to export an organizational user's data. | | **App role assignments** | | | -| [List app role assignments](../api/user-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles assigned to this user. | -| [Add app role assignment](../api/user-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to this user. | -| [Remove app role assignment](../api/user-delete-approleassignments.md) | None | Remove an app role assignment from this user. | +| [List](../api/user-list-approleassignments.md) | [appRoleAssignment](approleassignment.md) collection | Get the apps and app roles assigned to this user. | +| [Add](../api/user-post-approleassignments.md) | [appRoleAssignment](approleassignment.md) | Assign an app role to this user. | +| [Remove](../api/user-delete-approleassignments.md) | None | Remove an app role assignment from this user. | | **Calendar** | | | | [List calendars](../api/user-list-calendars.md) | [calendar](calendar.md) collection | Get a Calendar object collection. | | [Create calendar](../api/user-post-calendars.md) | [Calendar](calendar.md) | Create a new Calendar by posting to the calendars collection. | 
@@ -112,22 +112,22 @@ This resource supports: | [Get supported time zones](../api/outlookuser-supportedtimezones.md) | [timeZoneInformation](timezoneinformation.md) collection | Get the list of time zones that are supported for the user, as configured on the user's mailbox server. | | [Translate Exchange IDs](../api/user-translateexchangeids.md) | [convertIdResult](convertidresult.md) collection | Translate identifiers of Outlook-related resources between formats. | | **People** | | | -| [List people](../api/user-list-people.md) | [person](person.md) collection | Get a collection of person objects ordered by their relevance to the user. | +| [List](../api/user-list-people.md) | [person](person.md) collection | Get a collection of person objects ordered by their relevance to the user. | | **Personal contacts** | | | | [List contacts](../api/user-list-contacts.md) | [contact](contact.md) collection | Get a contact collection from the default Contacts folder of the signed-in user. | | [Create contact](../api/user-post-contacts.md) | [contact](contact.md) | Create a new Contact by posting to the contacts collection. | | [List contact folders](../api/user-list-contactfolders.md) | [contactFolder](contactfolder.md) collection | Get the contact folder collection in the default Contacts folder of the signed-in user. | | [Create contact folder](../api/user-post-contactfolders.md) | [contactFolder](contactfolder.md) | Create a new ContactFolder by posting to the contactFolders collection. | -| **Photo** | | | -| [Get profile photo](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | -| [Update profile photo](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant including the signed-in user, or the specified group or contact. 
| -| [Delete profile photo](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant including the signed-in user or the specified group. | +| **Profile photo** | | | +| [Get](../api/profilephoto-get.md) | [profilePhoto](profilephoto.md) | Get the specified profilePhoto or its metadata (profilePhoto properties). | +| [Update](../api/profilephoto-update.md) | None | Update the photo for any user in the tenant including the signed-in user, or the specified group or contact. | +| [Delete](../api/profilephoto-delete.md) | None | Delete the photo for any user in the tenant including the signed-in user or the specified group. | | **Planner** | | | | [List tasks](../api/planneruser-list-tasks.md) | [plannerTask](plannertask.md) collection | Get plannerTasks assigned to the user. | | **Sponsors** | | | -| [Assign sponsors](../api/user-post-sponsors.md) | None | Assign a user a sponsor. | -| [List sponsors](../api/user-list-sponsors.md) | [directoryObject](../resources/directoryobject.md) collection | Get the users and groups who are this user's sponsors. | -| [Remove sponsors](../api/user-delete-sponsors.md) | None | Remove a user's sponsor. | +| [Assign](../api/user-post-sponsors.md) | None | Assign a user a sponsor. | +| [List](../api/user-list-sponsors.md) | [directoryObject](../resources/directoryobject.md) collection | Get the users and groups who are this user's sponsors. | +| [Remove](../api/user-delete-sponsors.md) | None | Remove a user's sponsor. | | **Teamwork** | | | | [List associated teams](../api/associatedteaminfo-list.md) | [associatedTeamInfo](associatedteaminfo.md) collection | Get the list of teams in Microsoft Teams that a user is associated with. | | [List apps installed for user](../api/userteamwork-list-installedapps.md) | [userScopeTeamsAppInstallation](userscopeteamsappinstallation.md) collection | Lists apps installed in the personal scope of a user. | 
@@ -143,8 +143,8 @@ This resource supports: | [List task lists](../api/todo-list-lists.md) | [todoTaskList](todotasklist.md) collection | Get all the task lists in the user's mailbox. | | [Create task list](../api/todo-post-lists.md) | [todoTaskList](todotasklist.md) | Create a To Do task list in the user's mailbox. | | **User settings** | | | -| [Get settings](../api/usersettings-get.md) | [userSettings](usersettings.md) | Read the user and organization settings object. | -| [Update settings](../api/usersettings-update.md) | [userSettings](usersettings.md) | Update the properties of the settings object. | +| [Get](../api/usersettings-get.md) | [userSettings](usersettings.md) | Read the user and organization settings object. | +| [Update](../api/usersettings-update.md) | [userSettings](usersettings.md) | Update the properties of the settings object. | ## Properties diff --git a/changelog/Microsoft.M365.Defender.json b/changelog/Microsoft.M365.Defender.json index 7894e847877..c504ca3ed0d 100644 --- a/changelog/Microsoft.M365.Defender.json +++ b/changelog/Microsoft.M365.Defender.json 
@@ -2249,6 +2249,42 @@ "CreatedDateTime": "2024-05-23T14:25:35.9322853Z", "WorkloadArea": "Security", "SubArea": "Advanced hunting" + }, + { + "ChangeList": [ + { + "Id": "7600f0e7-8c42-444a-99c6-0be8260afdb0", + "ApiChange": "Property", + "ChangedApiName": "summary", + "ChangeType": "Addition", + "Description": "Added the **summary** property to the [incident](https://learn.microsoft.com/en-us/graph/api/resources/security-incident?view=graph-rest-beta) resource.", + "Target": "incident" + } + ], + "Id": "7600f0e7-8c42-444a-99c6-0be8260afdb0", + "Cloud": "Prod", + "Version": "beta", + "CreatedDateTime": "2024-05-26T11:35:02.5277871Z", + "WorkloadArea": "Security", + "SubArea": "Alerts and incidents" + }, + { + "ChangeList": [ + { + "Id": "658a5e0f-0f08-4d43-b63f-98b2148dbb8e", + "ApiChange": "Property", + "ChangedApiName": "summary", + "ChangeType": "Addition", + "Description": "Added the **summary** property to the [incident](https://learn.microsoft.com/en-us/graph/api/resources/security-incident?view=graph-rest-1.0) resource.", + "Target": "incident" + } + ], + "Id": "658a5e0f-0f08-4d43-b63f-98b2148dbb8e", + "Cloud": "Prod", + "Version": "v1.0", + "CreatedDateTime": "2024-05-26T11:35:02.5280165Z", + "WorkloadArea": "Security", + "SubArea": "Alerts and incidents" } ] } diff --git a/concepts/add-properties-profilecard.md b/concepts/add-properties-profilecard.md index 2a6c9f94d28..4d8a755811d 100644 --- a/concepts/add-properties-profilecard.md +++ b/concepts/add-properties-profilecard.md @@ -22,6 +22,8 @@ You can also [remove](/graph/api/profilecardproperty-delete) custom attributes f [!INCLUDE [profilecardproperty-add-remove-note](../includes/profilecardproperty-add-remove-note.md)] +[!INCLUDE [profilecardproperty-win32-apps-note](../includes/profilecardproperty-win32-apps-note.md)] + [!INCLUDE [profilecardproperty-all-clouds-note](../includes/profilecardproperty-all-clouds-note.md)] > [!NOTE] 
diff --git a/concepts/best-practices-graph-permission.md b/concepts/best-practices-graph-permission.md new file mode 100644 index 00000000000..11c8da78c85 --- /dev/null +++ b/concepts/best-practices-graph-permission.md 
@@ -0,0 +1,82 @@ +--- +title: "Best practices for using Microsoft Graph permissions" +description: "Best practices for using Microsoft Graph permissions when building a Microsoft Teams app." +ms.localizationpriority: high +author: v-sdhakshina +ms.author: v-sdhakshina +--- + +# Best practices for using Microsoft Graph permissions + +When you create a Microsoft Teams app with advanced collaboration, design it with a strong focus on customer privacy and security to ensure widespread use and adoption. + +This article describes best practices for using Microsoft Graph permissions when building a Teams app intended for distribution. + +## Implement the principle of least privilege + +Microsoft Graph offers granular permissions that allow an app to request only the permissions it requires. Microsoft Graph provides this capability because customer tenant admins might not approve apps or app features that request more permissions than they need. By requesting the fewest, least-privileged permissions required for your app, you apply the principle of least privilege, which builds trust with customer tenant admins. + +The fewer permissions an app requests, the fewer privacy concerns for customers. Therefore, reconsider features if simpler ones provide similar value while requiring fewer Graph endpoint or permissions. + +Microsoft Graph supports two types of access scenarios: delegated access and application access. In delegated access, the app calls Microsoft Graph on behalf of a signed-in user. In application access, the app calls Microsoft Graph with its own identity, without a signed in user. [Resource-specific Consent (RSC)](/microsoftteams/platform/graph-api/rsc/resource-specific-consent) permissions support both delegated and application access, but are restricted to the domain where the app is installed. For more information, see [Microsoft Graph permissions](permissions-overview.md). 
+ +The lower the privilege of the requested permissions, the fewer privacy concerns for customers. Prefer RSC permissions because they offer a higher level of privacy. Delegated permissions allow the application to act on behalf of a signed-in user, limiting access to the data within the user’s scope. If you can't use either RSC or delegated permissions, you must use application permissions. Application permissions carry the most privacy risks as they allow access to data without a signed-in user. + +The following examples describe some scenarios that use the least privilege principle: + +* Apps that only read the signed-in user’s profile information require the `User.Read` permission, which is the least privileged permission to access the user’s details. The `User.ReadWrite` permission is unnecessary, as its over-privileges the app, which doesn't need to modify the user’s profile. + +* Apps that read tenant groups without a signed-in user require `Group.Read.All` application permission. + +* Apps that manage dynamic jobs and sync with the user’s Outlook calendar to read and update require `Calendars.ReadWrite` permission. + +* Apps published on the Teams store can use the app persistent ID instead of using `AppCatalog.Read.All` to get the app ID. + +* Apps that send messages to a chat can use `ChatMessage.Send.Chat` RSC permission instead of the `Chat.ReadWrite` delegated Microsoft Graph permission. + +For more information on applying the principle of least privilege, see [Enhance security with the principle of least privilege](/azure/active-directory/develop/secure-least-privileged-access) and [Building apps that secure identity through permissions and consent](/security/zero-trust/develop/identity). + +## Maximize app value and user experience for customers with limited permissions + +Tenant admins can block permissions on which your app relies. Anticipate this by providing alternatives to maximize your app's value. 
Even without certain permissions granted on a customer tenant, an app must still offer value to the user. Only the specific functionality that requires the blocked permission should be unavailable. Consider the following scenarios that show how to maximize user value when permissions are blocked: + +* **Create fallback workarounds**: Have permissionless alternatives ready for when preferred features are blocked, ensuring users still receive the best possible experience. For example, if you use `Presence.Read.All` to display the statuses of users in the app and the permission is denied, hide the presence indicator to avoid confusion from the *Unknown* status. Or, if an app creates a calendar event, use the [deep link method](/microsoftteams/platform/concepts/build-and-test/deep-link-workflow?tabs=teamsjs-v2) as a fallback to using Graph and requesting the `Calendar.ReadWrite` permission. Using a deep link allows customers to use the **Add event to my calendar** feature even if they don’t grant the permissions. +* **Implement feature management**: Use toggles or other management tools to adjust features based on the permissions granted by the customer. +* **Consider staggered permissions for user-installed apps**: For user-installed apps, consider using [staggered permissions](/samples/officedev/microsoft-teams-samples/officedev-microsoft-teams-samples-tab-staggered-permission-nodejs/) to request permissions only when necessary for a feature, aligning with user privacy policies, and potentially increasing app usage. This approach might not be suitable for admin-installed apps. + +## Manage app launches and updates with customers + +To manage new app versions with permission changes effectively, communicate with customers to maintain trust and prevent churn. Consider the following when updating your app: + +* **Group permission changes together**: Consolidate permission changes into a single release to minimize the frequency of updates and customer impacts. 
+* **Manage updates in advance**: Plan and communicate permission updates well in advance to allow customers to initiate their internal approval processes, avoiding any interruption in app functionality. + +## Document and share the required permission with customers + +Clearly document all permissions in a format and language that are accessible to both technical and business stakeholders. The following list provides concrete suggestions for clearly documenting the permissions choices in your app: + +* **Explain use cases**: Provide explanations that relate directly to the app’s use cases and scenarios, detailing the value added by each permission. +* **Include visuals**: Use screenshots to illustrate where permissions are needed within the app. +* **Describe impact of non-granted permissions**: For high-value scenarios, describe the impact on users if the permission isn't granted. +* **Provide clear app versions**: Create an easy-to-understand versioning system for published apps, Azure AD app registrations, and documentation. Such a versioning system enables customers to track features and approvals for each version. + +## Use recommended app installation, consent, and updates for your Teams app + +Customer tenant admins trust apps that adhere to standard procedures more than apps with custom installation and management systems. Consider the following installation best practices: + +* **Offer standard app installation**: To maintain trust, publish your app using Microsoft’s official channels and use Microsoft’s recommended process for app installation. Don't use alternative installation methods, such as links or multiple apps, because they erode customer trust. 
Exceptions apply in circumstances such as [limiting application permissions to specific Exchange online mailboxes](auth-limit-mailbox-access.md), missing [Outlook mailbox](/exchange/recipients-in-exchange-online/manage-user-mailboxes/manage-user-mailboxes), or [SharePoint](/sharepoint/dev/solution-guidance/security-apponly-azureacs) controls. +* **Hide apps from users for admin-installed apps**: For admin-installed apps, consider setting the `defaultBlockUntilAdminAction` parameter in the [app manifest](/microsoftteams/platform/resources/schema/manifest-schema) to **true** to hide the app from tenant users by default until an admin authorizes it. This approach might not be suitable for user-installed apps. + +## Update your publisher attestation after changing permissions + +To provide an experience that is trustworthy and is perceived as such by customers, update the [Publisher Attestation](/microsoft-365-app-certification/docs/enterprise-app-attestation-guide) to reflect permission changes for the app. If you don't, then the list of permissions on the Microsoft documentation page differs from the list of permissions requested by the app. This difference erodes customer trust and adoption. + +## Microsoft 365 certification for Teams app + +Certify your Teams app through the [Microsoft 365](/microsoft-365-app-certification/docs/enterprise-app-certification-guide) program. With Microsoft 365 certification, you affirm your dedication to adhering to security and privacy standards, which increase customer confidence and facilitate the approval process for your app and its permissions. + +## See also + +* [Overview of Microsoft Graph permissions](permissions-overview.md) +* [Microsoft Graph permissions reference](permissions-reference.md) +* [Resource-specific consent for your Teams app](/microsoftteams/platform/graph-api/rsc/resource-specific-consent) 
diff --git a/concepts/connecting-external-content-deploy-teams.md b/concepts/connecting-external-content-deploy-teams.md index 75ad085586e..620282f12b2 100644 --- a/concepts/connecting-external-content-deploy-teams.md +++ b/concepts/connecting-external-content-deploy-teams.md @@ -1,7 +1,7 @@ --- title: "Enable the Simplified Admin Experience for your Microsoft Graph connector in the Teams admin center" description: "Deploy your custom Graph connector in your Teams App with simplified enablement." -author: monaray +author: "monaray97" ms.localizationpriority: high doc_type: conceptualPageType ms.subservice: search diff --git a/concepts/connecting-external-content-experiences.md b/concepts/connecting-external-content-experiences.md index 0c3adbcb06a..84369ed7319 100644 --- a/concepts/connecting-external-content-experiences.md +++ b/concepts/connecting-external-content-experiences.md @@ -1,7 +1,7 @@ --- title: "Microsoft Graph connector experiences" description: "Discover the experiences that you can enable with Microsoft Graph connectors and the requirements to build those experiences." -author: monaray +author: "monaray97" ms.localizationpriority: high doc_type: conceptualPageType ms.subservice: search diff --git a/concepts/docfx.json b/concepts/docfx.json index 90576334601..88804e0c8d0 100644 --- a/concepts/docfx.json +++ b/concepts/docfx.json @@ -53,8 +53,6 @@ "globalMetadata": { "feedback_system": "Standard", "feedback_product_url": "https://developer.microsoft.com/graph/support", - "feedback_help_link_url": "https://learn.microsoft.com/en-us/answers/tags/161/ms-graph", - "feedback_help_link_type": "get-help-at-qna", "feedback_github_repo": "microsoftgraph/microsoft-graph-docs-contrib", "breadcrumb_path": "/graph/breadcrumb/toc.json", "author": "MSGraphDocsVteam", diff --git a/concepts/toc.yml b/concepts/toc.yml index 2cbcdcda873..2fb662dbc3d 100644 --- a/concepts/toc.yml +++ b/concepts/toc.yml 
@@ -998,6 +998,9 @@ items: - name: Microsoft Entra built-in roles displayName: Microsoft Graph permissions href: /entra/identity/role-based-access-control/permissions-reference?toc=/graph/toc.json + - name: Best practices for Teams app permissions + displayName: Best practices for using Microsoft Graph permissions to build Teams apps + href: best-practices-graph-permission.md - name: Selected permissions in OneDrive and SharePoint displayName: Selected Permissions in OneDrive and SharePoint href: permissions-selected-overview.md diff --git a/concepts/whats-new-overview.md b/concepts/whats-new-overview.md index 946d1b49e3b..da6a136058d 100644 --- a/concepts/whats-new-overview.md +++ b/concepts/whats-new-overview.md @@ -16,6 +16,18 @@ For details about previous updates to Microsoft Graph, see [Microsoft Graph what > [!IMPORTANT] > Features in _preview_ status are subject to change without notice, and might not be promoted to generally available (GA) status. Don't use preview features in production apps. +## July 2024: New and generally available + +### Security | Alerts and incidents + +Use the **summary** property to get details about what happened, impacted assets, and the type of attack on an [incident](/graph/api/resources/security-incident). + +## July 2024: New in preview only + +### Security | Alerts and incidents + +Use the **summary** property to get details about what happened, impacted assets, and the type of attack on an [incident](/graph/api/resources/security-incident?view=graph-rest-beta&preserve-view=true). + ## June 2024: New and generally available ### Change notifications diff --git a/includes/profilecardproperty-win32-apps-note.md b/includes/profilecardproperty-win32-apps-note.md new file mode 100644 index 00000000000..0d980a300dc --- /dev/null +++ b/includes/profilecardproperty-win32-apps-note.md 
@@ -0,0 +1,11 @@ +--- +author: rwaithera +ms.topic: include +ms.date: 04/07/2024 +ms.localizationpriority: medium +--- + + + +> [!NOTE] +> The profile card properties customizations described in this article don't apply to Win32 applications such as Outlook and Office desktop clients. To learn how to customize profile card properties in Win32 applications for your organization, see [Customize the profile card in Win32 apps using registry keys](https://support.microsoft.com/office/customize-the-profile-card-in-win32-apps-using-registry-keys-449afd21-6e5e-4b1f-8051-6515630d7537).
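Review bot: In api-reference/beta/resources/group.md (hunk `@@ -49,9 +49,9 @@`), the shortened `[Remove]` row under **App role assignments** still has `None.` with a trailing period in the return-type column, while the matching row in the user.md hunk of this patch uses `None`. Since the row is being rewritten anyway, drop the period so both resource pages read the same.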
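Review bot: In api-reference/beta/resources/group.md (hunk `@@ -91,25 +91,25 @@`), the re-added `[Create]` row under **Group settings** carries over the sentence "Only groups specific templates can be used for this operation", which should read "Only group-specific templates". The row is already touched by this change, so the wording can be fixed in the same commit.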
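Review bot: In api-reference/v1.0/resources/security-incident.md (hunk `@@ -42,12 +41,12 @@`), the blank line that separated the properties table from `### incidentStatus values` is removed, so the new last row `|tenantId|String|...|` runs straight into the heading. Keep one empty line after the table so the heading is not parsed as part of it. Separately, the new **summary** row says "When applicable" without saying what the property holds when no summary exists; state whether it is null or omitted in that case so clients know what to expect.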
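Review bot: In the JSON representation hunk of api-reference/v1.0/resources/security-incident.md (`@@ -81,31 +80,25 @@`), `"description" : "String"` and `"systemTags" : ["String"]` keep a space before the colon while every other key in the re-sorted block is written `"key": value`. Normalize those two lines while the block is being rewritten. The nested `"@odata.type": "microsoft.graph.security.alertComment"` also lacks the leading `#` that the top-level `"#microsoft.graph.security.incident"` value has; please confirm which form is intended and make them consistent.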
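Review bot: In changelog/Microsoft.M365.Defender.json (hunk `@@ -2249,6 +2249,42 @@`), both new entries have a `CreatedDateTime` of 2024-05-26, yet the whats-new-overview.md hunk in this same patch announces the **summary** property under July 2024. Please confirm which date reflects the actual release and align the changelog entries and the What's new heading, otherwise readers tracking incident schema changes will see two different dates for one addition.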
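Review bot: In the new file concepts/best-practices-graph-permission.md, the permission name is inconsistent: the least-privilege examples use `Calendars.ReadWrite`, but the "Create fallback workarounds" bullet refers to `Calendar.ReadWrite`. A reader copying the second form into a consent request or manifest would get a name that does not match the first, so use `Calendars.ReadWrite` in both places. A few wording slips in the same hunk are worth fixing at the same time: "fewer Graph endpoint or permissions" (endpoints), "without a signed in user" (signed-in), and "as its over-privileges the app" (it). The "Provide clear app versions" bullet says "Azure AD app registrations" while the rest of this patch uses "Microsoft Entra"; pick one term.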
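Review bot: In concepts/whats-new-overview.md (hunk `@@ -16,6 +16,18 @@`), the **summary** property is listed under both "July 2024: New and generally available" and "July 2024: New in preview only". The changelog hunk in this patch adds it to v1.0 and beta at the same time, so it is not preview-only; drop the second entry or move it under a heading that does not claim preview-only status.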