Microsoft Graph Security

Overview

The Microsoft Graph Security plugin adds the ability to list alerts, get an alert's details, and update an alert within a customer's tenant, across all security solutions integrated with Microsoft Graph Security.

Functionality

The Security Flow Microsoft Graph Security plugin provides the ability to

  • retrieve filtered alerts periodically or when manually triggered
  • retrieve all information for a specific alert
  • update parameters for a specific alert

Instance Configuration Parameters

Property
Description

Instance Name

Name for the MS Graph Security instance.


Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.


Authorization (OAuth2)

Application authorization used to access Microsoft Graph Security services.

Flow Nodes

This node performs alert operations (Get Alert and Update Alert) against the MS Graph Security API.

The SecurityEvents.Read.All permission is required to perform the Get Alert operation, and the SecurityEvents.ReadWrite.All permission is required to perform the Update Alert operation. Grant the permission to the application used for the instance's OAuth2 authorization; a Get Alert node needs only the read permission.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Get Alert: Retrieves the details of an alert using the supplied Alert ID.
  • Update Alert: Updates fields of an alert specified by Alert ID. Any field specified with the value of Do Not Update will not be changed.

Successful results for an action are placed in msg.payload.msgraphsecurity.[uniqueId].response, where [uniqueId] is the Unique ID of the plugin instance.


Alert ID

Unique identifier for the alert being retrieved or updated.


Status

When updating an alert, the alert life cycle status (stage). Possible values are: unknown, newAlert, inProgress, or resolved.


Assigned To

When updating an alert, the name of the analyst the alert is assigned to for triage, investigation, or remediation.


Closed At

When updating an alert, the time at which the alert was closed. The value Now represents the time at which the update is performed. If the referenced object is a JavaScript Date, it is converted to an ISO 8601 formatted string (e.g., 2014-01-01T00:00:00Z).


Feedback

When updating an alert, the analyst feedback on the alert. Possible values are: unknown, truePositive, falsePositive, or benignPositive.


Comments

When updating an alert, the analyst comments on the alert (for customer alert management). This action can set the comments field to the following values only: Closed in IPC or Closed in MCAS. The value is converted to an array if it is not already one.


Tags

When updating an alert, the user-definable labels that can be applied to an alert and can serve as filter conditions (for example, TAG1, TAG2). This value will be converted to an array if it is not already an array. For a string value, use a comma separated list of tags.
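As an added example (not the plugin's own code), the following JavaScript builds the Microsoft Graph request behind the Get Alert and Update Alert actions from the node properties above, applying the rules listed for them: fields set to Do Not Update are omitted, Now and JavaScript Date values become ISO 8601 timestamps, Comments and Tags are coerced to arrays, and Status, Feedback and Comments are checked against the allowed values. The Closed At property is mapped to the alert resource's closedDateTime field. Microsoft Graph's update alert operation also requires the alert's vendorInformation in the body, which this page does not mention, so the helper passes it through when the caller supplies it. The function names, option names and the `now` parameter are this example's own.

```javascript
// Added example, not the plugin's own code: build the Graph request behind the
// Get Alert / Update Alert actions from the node's properties.
const GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts";
const DO_NOT_UPDATE = "Do Not Update";
const STATUS_VALUES = ["unknown", "newAlert", "inProgress", "resolved"];
const FEEDBACK_VALUES = ["unknown", "truePositive", "falsePositive", "benignPositive"];
const COMMENT_VALUES = ["Closed in IPC", "Closed in MCAS"];

// "Now" and Date values become ISO 8601 without milliseconds (2014-01-01T00:00:00Z);
// anything else is passed through as a string. `now` is injectable for testing.
function toIsoTimestamp(value, now = () => new Date()) {
  const date = value === "Now" ? now() : value instanceof Date ? value : null;
  return date ? date.toISOString().replace(/\.\d{3}Z$/, "Z") : String(value);
}

// Arrays stay as they are; a string is treated as a comma separated list.
function toArray(value) {
  if (Array.isArray(value)) return value;
  return String(value).split(",").map((s) => s.trim()).filter(Boolean);
}

function checkEnum(name, value, allowed) {
  if (!allowed.includes(value)) {
    throw new Error(`${name}: '${value}' is not one of ${allowed.join(", ")}`);
  }
  return value;
}

// `fields` mirrors the node's properties: status, assignedTo, closedAt, feedback,
// comments, tags (plus vendorInformation, see below). A field left undefined or
// set to "Do Not Update" is omitted, so the PATCH only touches what changed.
function buildAlertPatch(fields, now) {
  const body = {};
  const wants = (v) => v !== undefined && v !== DO_NOT_UPDATE;
  if (wants(fields.status)) body.status = checkEnum("status", fields.status, STATUS_VALUES);
  if (wants(fields.assignedTo)) body.assignedTo = String(fields.assignedTo);
  if (wants(fields.closedAt)) body.closedDateTime = toIsoTimestamp(fields.closedAt, now);
  if (wants(fields.feedback)) body.feedback = checkEnum("feedback", fields.feedback, FEEDBACK_VALUES);
  if (wants(fields.comments)) {
    body.comments = toArray(fields.comments).map((c) => checkEnum("comments", c, COMMENT_VALUES));
  }
  if (wants(fields.tags)) body.tags = toArray(fields.tags);
  // Graph's update alert operation requires vendorInformation (vendor/provider)
  // in the body. This page does not mention it, so it is only passed through when
  // the caller has it, for example from a preceding Get Alert.
  if (fields.vendorInformation) body.vendorInformation = fields.vendorInformation;
  return body;
}

// Describes the HTTP request for an action together with the permission it needs.
// The caller adds the bearer token from the instance's OAuth2 authorization and sends it.
function alertRequest(action, alertId, fields = {}, now) {
  const url = `${GRAPH_ALERTS}/${encodeURIComponent(alertId)}`;
  if (action === "Get Alert") {
    return { method: "GET", url, permission: "SecurityEvents.Read.All" };
  }
  if (action === "Update Alert") {
    return { method: "PATCH", url, permission: "SecurityEvents.ReadWrite.All", body: buildAlertPatch(fields, now) };
  }
  throw new Error(`unknown action: ${action}`);
}

// Constructed sample: resolve an alert as a false positive, leaving assignment untouched.
console.log(JSON.stringify(alertRequest("Update Alert", "example-alert-id", {
  status: "resolved",
  assignedTo: DO_NOT_UPDATE,
  closedAt: "Now",
  feedback: "falsePositive",
  comments: "Closed in IPC",
  tags: "TAG1, TAG2",
}), null, 2));
```

Because unknown status, feedback or comment values are rejected before the request is built, a misconfigured flow fails locally rather than with a 400 from Graph after the token has already been used.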

This node polls the MS Graph Security API for alerts, either on a repeat interval or when manually triggered.

The SecurityEvents.Read.All permission is required to access alerts.

Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Repeat

Defines the repeat interval used to pull alerts. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.


Alerts Filter

Filters the list of alerts for the Azure AD tenant using an OData $filter expression, as accepted by the List Alerts operation. Clear the content of the Alerts Filter field to disable filtering. Learn more about filtering using the List Alerts page. The vendor names table in the List Alerts page lists the keywords for filtering on vendorInformation/provider. For example, to filter on Azure Active Directory Identity Protection alerts use the following filter:

vendorInformation/provider eq 'IPC'

In addition to List Alerts filtering, the filter field supports variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more. Note, however, that when this node is triggered by its repeat interval or inject button the incoming message consists of only a timestamp, so there is little to substitute.


Alert Fields

If specified, Alert Fields is a comma separated list of the alert fields to load (the $select query option of List Alerts). Include id in the list so that downstream nodes can operate on the alert. If left blank, all alert fields are loaded. Any unrecognized fields are ignored. A reasonable Alert Fields value might be as follows:

id, title, status, severity, vendorInformation

Size Limit

This field sets the maximum number of alerts returned per query (the $top query option).


Aggregation

This node supports five modes for aggregating polled alerts into incidents.

  • None: Never aggregate (default); every alert is passed on individually.
  • Field Match: For a given source field of a message (or JSONata query of the message), aggregate together all messages whose field value exactly matches that of a previously checked message.
  • Exact Match: For a given source field of the message (or JSONata query of the message), aggregate together all messages whose field exactly matches a given value. Multiple values can be specified; each value defines a separate grouping of incidents. Useful for aggregating messages with known content.
  • Keyword Match: For a given source field of the message (or JSONata query of the message), aggregate together all messages in which a given keyword appears as a word within the field. Multiple keywords can be specified; each keyword defines a separate grouping of incidents, and a message is grouped with the first keyword it matches. Useful for aggregating messages with partly known content.
  • Fuzzy Match: For a given source field of the message (or JSONata query of the message), aggregate together all messages whose field is sufficiently similar to that of the message which started the incident. With this mode a similarity threshold can be specified. Messages matched by the fuzzy matcher get a similarity attribute added to the message, which can be inspected to help choose a threshold.
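The following added example (not the plugin's own code) assembles the List Alerts request behind a poll from the Alerts Filter, Alert Fields and Size Limit properties described above: the filter goes into $filter after {{ variable }} substitution from the incoming message, the field list into $select, and the size limit into $top. The template renderer is a minimal stand-in for the plugin's template engine (dotted paths only, no formatters), and the function names, the warning about a missing id and the sample message are this example's own; a real poll trigger message would carry only a timestamp.

```javascript
// Added example, not the plugin's own code: build the List Alerts request URL
// from the poll node's Alerts Filter, Alert Fields and Size Limit properties.
const GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts";

// Dotted-path lookup in the message, e.g. "payload.provider".
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Minimal mustache substitution: {{ payload.x }} -> String(msg.payload.x).
// A variable missing from the message is an error, so a half-built OData
// expression is never sent to Graph.
function renderTemplate(template, msg) {
  return String(template).replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const v = getPath(msg, path);
    if (v === undefined) throw new Error(`template variable not found in message: ${path}`);
    return String(v);
  });
}

// "id, title, status" -> ["id", "title", "status"]
function parseAlertFields(fields) {
  return String(fields || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Returns { url, warnings }. An empty filter disables $filter, an empty field
// list loads every field, and a size limit that is not a positive integer
// leaves $top unset.
function buildListAlertsUrl({ filter = "", fields = "", sizeLimit = 0 } = {}, msg = {}) {
  const params = [];
  const warnings = [];
  const rendered = renderTemplate(filter, msg).trim();
  if (rendered) params.push("$filter=" + encodeURIComponent(rendered));
  const select = parseAlertFields(fields);
  if (select.length) {
    if (!select.includes("id")) {
      warnings.push("Alert Fields omits id; downstream Get Alert / Update Alert nodes need it");
    }
    params.push("$select=" + select.map(encodeURIComponent).join(","));
  }
  const top = Number(sizeLimit);
  if (Number.isInteger(top) && top > 0) params.push("$top=" + top);
  return { url: params.length ? `${GRAPH_ALERTS}?${params.join("&")}` : GRAPH_ALERTS, warnings };
}

// Constructed sample: the IPC filter from this page with the provider name
// substituted from a message (a real poll trigger message only has a timestamp).
const SAMPLE_MSG = { payload: { provider: "IPC" } };
const sample = buildListAlertsUrl({
  filter: "vendorInformation/provider eq '{{ payload.provider }}'",
  fields: "id, title, status, severity, vendorInformation",
  sizeLimit: 50,
}, SAMPLE_MSG);
console.log(sample.url);
```

Encoding the rendered filter with encodeURIComponent keeps the quotes and the vendor keyword intact while escaping the slash and spaces, which is what a GET against the alerts endpoint expects.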
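The five aggregation modes listed above, as an added example that is not the plugin's own code. The plugin accepts a JSONata query for the source field; this example supports a dotted path only. The page does not state the similarity metric used by Fuzzy Match, so token-set Jaccard similarity is used here as an assumption, and messages that match no value or keyword in Exact Match and Keyword Match are assumed to pass through as incidents of their own. The function names and the sample alerts are this example's own.

```javascript
// Added example, not the plugin's own code: aggregate polled alert messages
// into incidents using the five modes described for the poll node.

// Dotted-path lookup in the message, e.g. "payload.title".
function getPath(obj, path) {
  return path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Word tokens, lower-cased, as a set.
function tokens(text) {
  return new Set(String(text).toLowerCase().match(/[a-z0-9]+/g) || []);
}

// Token-set Jaccard similarity in [0, 1] (assumption: the plugin's metric is not stated).
function jaccard(a, b) {
  const ta = tokens(a);
  const tb = tokens(b);
  if (ta.size === 0 && tb.size === 0) return 1;
  let inter = 0;
  for (const t of ta) if (tb.has(t)) inter++;
  return inter / (ta.size + tb.size - inter);
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Keyword Match: the keyword must appear as a whole word, case-insensitively.
function hasKeyword(text, keyword) {
  return new RegExp("\\b" + escapeRe(keyword) + "\\b", "i").test(String(text));
}

// Returns an array of incidents { key, messages }. Messages are copied so that
// the fuzzy matcher can add a similarity attribute without touching the input.
function aggregate(messages, options = {}) {
  const { mode = "none", field = "payload.title", values = [], keywords = [], threshold = 0.5 } = options;
  const incidents = [];
  const findOrCreate = (key) => {
    let inc = incidents.find((i) => i.key === key);
    if (!inc) {
      inc = { key, messages: [] };
      incidents.push(inc);
    }
    return inc;
  };
  for (const original of messages) {
    const msg = { ...original };
    const value = getPath(msg, field);
    let incident = null;
    switch (mode) {
      case "none":
        break; // every message becomes its own incident below
      case "fieldMatch":
        incident = findOrCreate(String(value));
        break;
      case "exactMatch": {
        const v = values.find((x) => x === value);
        if (v !== undefined) incident = findOrCreate(v);
        break;
      }
      case "keywordMatch": {
        const k = keywords.find((x) => hasKeyword(value, x)); // first keyword wins
        if (k !== undefined) incident = findOrCreate(k);
        break;
      }
      case "fuzzyMatch":
        // Compare against the message that started each incident, not its latest member.
        for (const inc of incidents) {
          const sim = jaccard(getPath(inc.messages[0], field), value);
          if (sim >= threshold) {
            msg.similarity = sim;
            incident = inc;
            break;
          }
        }
        if (!incident) incident = findOrCreate(String(value));
        break;
      default:
        throw new Error(`unknown aggregation mode: ${mode}`);
    }
    if (!incident) {
      incident = { key: null, messages: [] }; // unmatched: passes through on its own
      incidents.push(incident);
    }
    incident.messages.push(msg);
  }
  return incidents;
}

// Constructed sample alerts in the shape a poll would emit.
const SAMPLE_ALERTS = [
  { payload: { id: "1", title: "Malware detected on host A", severity: "high" } },
  { payload: { id: "2", title: "Malware detected on host B", severity: "high" } },
  { payload: { id: "3", title: "Impossible travel activity", severity: "medium" } },
  { payload: { id: "4", title: "Anonymous IP address sign-in", severity: "medium" } },
];

for (const inc of aggregate(SAMPLE_ALERTS, { mode: "fuzzyMatch", threshold: 0.5 })) {
  console.log(inc.key, inc.messages.map((m) => [m.payload.id, m.similarity]));
}
```

Running the sample with fuzzyMatch groups the two malware alerts (similarity 4/6 on their titles) and leaves the other two as separate incidents; printing the similarity attribute this way is the quickest route to a sensible threshold for real alert titles.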
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.