I'm currently working on an Azure Logic App and want to know how files/attachments appear in the JSON output of the Graph API 'get incident' call. None of my test outputs so far have contained any email attachments, and I need to know how they actually appear in the JSON so that I can process them correctly. This is one of the outputs I have received (information redacted):
{
"body": {
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/incidents(alerts())/$entity",
"id": "REDACTED_INCIDENT_ID",
"tenantId": "REDACTED_TENANT_ID",
"status": "active",
"incidentWebUrl": "https://security.microsoft.com/incidents/REDACTED_INCIDENT_ID?tid=REDACTED_TENANT_ID",
"redirectIncidentId": null,
"displayName": "Email reported by user as malware or phish involving one user",
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"lastUpdateDateTime": "2023-07-XXTXX:XX:XX.Z",
"assignedTo": "REDACTED_TEAM",
"classification": "unknown",
"determination": "unknown",
"severity": "low",
"customTags": [],
"comments": [],
"alerts": [
{
"id": "REDACTED_ALERT_ID",
"providerAlertId": "REDACTED_PROVIDER_ALERT_ID",
"incidentId": "REDACTED_INCIDENT_ID",
"status": "resolved",
"severity": "low",
"classification": "falsePositive",
"determination": null,
"serviceSource": "microsoftDefenderForOffice365",
"detectionSource": "microsoftDefenderForOffice365",
"detectorId": "REDACTED_DETECTOR_ID",
"tenantId": "REDACTED_TENANT_ID",
"title": "Email reported by user as malware or phish",
"description": "This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3",
"recommendedActions": "",
"category": "InitialAccess",
"assignedTo": "C3 Automated Triage Engine",
"alertWebUrl": "https://security.microsoft.com/alerts/REDACTED_ALERT_ID?tid=REDACTED_TENANT_ID",
"incidentWebUrl": "https://security.microsoft.com/incidents/REDACTED_INCIDENT_ID?tid=REDACTED_TENANT_ID",
"actorDisplayName": null,
"threatDisplayName": null,
"threatFamilyName": null,
"mitreTechniques": [
"TECHNIQUE"
],
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"lastUpdateDateTime": "2023-07-XXTXX:XX:XX.Z",
"resolvedDateTime": "2023-07-XXTXX:XX:XX.Z",
"firstActivityDateTime": "2023-07-XXTXX:XX:XX.Z",
"lastActivityDateTime": "2023-07-XXTXX:XX:XX.Z",
"comments": [],
"evidence": [
{
"@odata.type": "#microsoft.graph.security.mailboxEvidence",
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"primaryAddress": "[email protected]",
"displayName": "REDACTED_NAME",
"userAccount": {
"accountName": "REDACTED_USERNAME",
"domainName": null,
"userSid": "REDACTED_USER_SID",
"azureAdUserId": "REDACTED_AZURE_AD_USER_ID",
"userPrincipalName": "[email protected]",
"displayName": null
}
},
{
"@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
"createdDateTime": "2023-07-XXTXX:XX:XX.Z",
"verdict": "unknown",
"remediationStatus": "none",
"remediationStatusDetails": null,
"roles": [],
"detailedRoles": [],
"tags": [],
"networkMessageId": "REDACTED_NETWORK_MESSAGE_ID",
"internetMessageId": "REDACTED_INTERNET_MESSAGE_ID",
"subject": "REDACTED_EMAIL_SUBJECT",
"language": "en",
"senderIp": null,
"recipientEmailAddress": "[email protected]",
"antiSpamDirection": null,
"deliveryAction": "delivered",
"deliveryLocation": "inbox",
"urn": "urn:MailEntity:REDACTED_URN",
"threats": [
"Phish",
"HighConfPhish"
],
"threatDetectionMethods": [
"MLModel"
],
"urls": [
"REDACTED_URL_1",
"REDACTED_URL_2",
"REDACTED_URL_3",
"REDACTED_URL_4",
"REDACTED_URL_5"
],
"urlCount": 5,
"attachmentsCount": 0,
"receivedDateTime": "2023-06-XXTXX:XX:XX.Z",
"p1Sender": {
"emailAddress": "[email protected]",
"displayName": null,
"domainName": "REDACTED_DOMAIN"
},
"p2Sender": {
"emailAddress": "[email protected]",
"displayName": "REDACTED_SENDER_NAME",
"domainName": "REDACTED_DOMAIN"
}
}
]
}
]
}
}
As you can see, this one has no attachments (attachmentsCount: 0), but as I said, I need to know how they actually appear. My initial assumption is that they appear in an array similar to the "urls" array, but I have to be sure (especially since I do not know whether they appear as their hashes or as something else).
I've tried looking online for any information about what the HTTP call output looks like when attachments are present, with no luck. The Microsoft documentation doesn't mention it, and I don't have access to an email/incident with attachments that I could test against.
Any help would be greatly appreciated!